Military Tank Manual, 2017 Zero-Day Anchor Latest Ukraine Cyberattack
The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive.
An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure.
The threat actor initiated the attack with a malicious PowerPoint show file (.PPSX) sent as an attachment in a message on the secure messaging platform Signal. The file, which masqueraded as an old US Army instruction manual for mine-clearing blades mounted on tanks, in fact carried a remote relationship (an external reference embedded in the document) to a script hosted on a Russian virtual private server (VPS) provider's domain fronted by Cloudflare.
That script triggered the CVE-2017-8570 exploit to achieve RCE, with the aim of stealing information, according to a Deep Instinct blog post on the attack published this week.
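The document-level check a defender would write for the lure described above, as an added example that is not code from the article or from Deep Instinct: an Office Open XML package (PPSX, PPTX, DOCX and XLSX all share the format) declares every outside reference in its `*.rels` relationship parts, so a document that "has a remote relationship to an external script" shows up as a relationship with `TargetMode="External"` whose target is a remote host. The script below walks those parts and reports such relationships, going slightly beyond the article's case by covering any OOXML package and UNC paths as well as URLs. The sample package it builds is constructed inline and contains no exploit; the URL, part names and the use of an `oleObject` relationship are illustrative assumptions, not indicators from the campaign.

```python
"""Flag Office Open XML packages whose relationship parts reach out to a remote host."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def _is_remote(target: str) -> bool:
    """True for http(s)/ftp URLs and UNC-style (\\\\host\\share or //host/share) targets."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True
    return urlparse(t).scheme.lower() in ("http", "https", "ftp")


def find_external_relationships(package: bytes) -> list[dict]:
    """Walk every *.rels part of an OOXML zip and return relationships that point off-box.

    Each finding records the rels part, the relationship Id, the short relationship
    type (e.g. oleObject, hyperlink, image) and the raw Target for triage. A .rels
    part that does not parse is reported too: malformed XML in a relationship part
    is itself worth a look.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append({"part": name, "rel_id": "", "rel_type": "unparseable", "target": ""})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # Internal relationships (the default) reference parts inside the zip;
                # only External ones can pull content from another host.
                if rel.get("TargetMode", "Internal") != "External" or not _is_remote(target):
                    continue
                findings.append({
                    "part": name,
                    "rel_id": rel.get("Id", ""),
                    "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                })
    return findings


def build_sample_ppsx(target: str, external: bool) -> bytes:
    """Construct a minimal PPSX-shaped zip (a test artefact, not a real lure; no exploit code).

    The slide's relationship part carries one oleObject relationship to `target`; with
    external=True it is marked TargetMode="External", the way a document refers to
    content outside the package. Part names are assumptions for illustration.
    """
    mode_attr = ' TargetMode="External"' if external else ""
    slide_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" Target="{target}"{mode_attr}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            hits = find_external_relationships(fh.read())
    else:
        # Constructed demo: a PPSX whose slide pulls an OLE object from a remote host
        # (hypothetical hostname, not an indicator from the campaign).
        hits = find_external_relationships(
            build_sample_ppsx("http://vps.example.invalid/stage2.js", external=True)
        )
    for h in hits:
        print(f"{h['part']}: {h['rel_type']} {h['rel_id']} -> {h['target']}")
    sys.exit(1 if hits else 0)
```

Run it as `python check_rels.py suspect.ppsx`; it exits non-zero when any relationship reaches off the box, which makes it easy to wire into a mail or chat-attachment gateway. The check catches the outbound reference, not the exploit itself: the CVE-2017-8570 trigger lives in the embedded OLE content, so this is a triage aid alongside patching, not a substitute for it.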
Underneath the Hood of a Tricky Cyberattack
In terms of the technical nitty-gritty, the obfuscated script masqueraded as a Cisco AnyConnect APN configuration and was responsible for establishing persistence and for decoding the embedded payload and saving it to disk, which happened in several stages to evade detection.
The payload includes a loader/packer dynamic link library (DLL) named "vpn.sessings" that loads a Cobalt Strike Beacon into memory, where it awaits instructions from the attacker's command-and-control (C2) server.
Mark Vaitzman, threat lab team leader at Deep Instinct, notes that the penetration testing tool Cobalt Strike is very commonly used among threat actors, but this particular beacon uses a custom loader that relies on several techniques to slow down analysis.
“It is continuously updated to provide attackers with a simple way to move laterally once the initial footprint is set,” he says. "[And] it was implemented in several anti-analysis and unique evasion techniques."
Vaitzman notes that in 2022, a severe CVE allowing RCE was found in Cobalt Strike, and many researchers predicted that threat actors would alter the tool to create open source alternatives.
“Several cracked versions can be found on underground hacking forums,” he says.
Beyond the tweaked version of Cobalt Strike, he says, the campaign is also notable for the lengths to which the threat actors go to continuously masquerade their files and activity as legitimate, routine OS and common-application operations, in order to remain hidden and keep control of infected machines for as long as possible. In this campaign, he says, the attackers took this "living off the land" strategy further.
“This attack campaign shows several masquerading techniques and a smart way of persistence that has not been documented yet,” he explains, without divulging details.
Cyberthreat Group Has Unknown Make & Model
Ukraine has been targeted by multiple threat actors on multiple occasions during its war with Russia, with the Sandworm Group serving as the aggressor’s primary cyberattack unit.
But unlike most attack campaigns during the war, this effort could not be linked by the threat lab team to any known threat group, which may indicate that it is the work of a new group or reflects a fully upgraded tool set of a known threat actor.
Mayuresh Dani, manager of security research at Qualys Threat Research Unit, points out that the use of geographically disparate infrastructure, which helps the threat actors evade attribution, also makes it difficult for security teams to provide targeted protection based on geographic location.
“The sample was uploaded from Ukraine, the second stage was hosted and registered under a Russian VPS provider, and the Cobalt beacon [C2] was registered in Warsaw, Poland,” he explains.
He says that what he found most interesting about the attack chain was that the initial compromise was achieved via the secure Signal app.
“The Signal messenger has been largely used by security-focused personnel or those who are involved in sharing clandestine information, such as journalists,” he notes.
Beef Up Cyber Armor With Security Awareness, Patch Management
Vaitzman says that because most cyberattacks start with phishing or link-luring via emails or messages, broader employee cyber awareness plays an important role in mitigating such attempts.
And for security teams, “We also recommend scanning for the provided IoCs in the network, as well as making sure that Office is patched to the latest version,” Vaitzman says.
Callie Guenther, senior manager of cyber threat research at Critical Start, says that from a defense perspective, the reliance on older exploits also stresses the importance of robust patch management systems.
“Additionally, the sophistication of the attack underscores the need for advanced detection mechanisms that go beyond signature-based cyber-defense approaches,” she says, “incorporating behavior and anomaly detection to identify modified malicious software.”
About the Author(s)
Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.