SDN Blog

Sandworm the latest Zero Day Exploit

Posted on Thursday, October 16, 2014 in Cybersecurity


October is National Cyber Security Awareness Month, so it seems fitting that another critical, long-standing vulnerability was brought to light this week.[i] Dubbed Sandworm by iSIGHT Partners, the security firm that discovered the exploit, the flaw (CVE-2014-4114) has existed for years and affects all current versions of Microsoft Windows from Vista to 8.1, including Server 2008 and 2012.[ii]

What is a Zero Day Exploit?

A zero-day exploit takes advantage of a previously unknown security flaw, one that the software's developers have had zero days to correct.

How Does Sandworm Work?

Sandworm exploits a vulnerability in Microsoft's Object Linking and Embedding (OLE) technology: an OLE object can link to an untrusted information file (INF). In this case, the link causes the referenced file to be downloaded and executed with specific commands, giving the attacker access to the system.[iii] Once the system is compromised, an attacker may install or update malware on it and potentially steal passwords or private data.
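As an added, defensive illustration (not code from the original post, iSIGHT or Microsoft), the script below inspects an Office Open XML package such as a .pptx for OLE object relationships that resolve outside the file and point at an .inf file, the link pattern described above. It assumes the standard OOXML .rels layout and relationship type for OLE objects, and it builds a constructed sample package with a placeholder share path rather than any real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type used for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_ole_targets(package_bytes):
    """Return (rels_part, target) for every OLE relationship with TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # unparsable relationship part: skipped here, worth manual review
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    findings.append((name, rel.get("Target", "")))
    return findings

def flag_inf_links(package_bytes):
    """Keep only external OLE links to an .inf file, the CVE-2014-4114 pattern."""
    return [(part, target) for part, target in external_ole_targets(package_bytes)
            if target.strip().lower().endswith(".inf")]

def build_sample(rels_xml):
    """Constructed, minimal PPTX-like package with a single slide .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed samples: the share path is a placeholder, not a real indicator.
SUSPICIOUS_RELS = f'''<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}"
      Target="\\\\example-share\\public\\slide1.inf" TargetMode="External"/>
</Relationships>'''
BENIGN_RELS = f'''<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>
</Relationships>'''

if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, flag_inf_links(build_sample(rels)))
```

A hit from `flag_inf_links` on a mail attachment is a reason to quarantine the file and check whether the endpoint has the vendor patch applied; an embedded OLE object that stays inside the package produces no finding.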

As with many security vulnerabilities, human error is at the root. Sandworm is no different in this respect: it was delivered through a sophisticated spear-phishing campaign. Attackers sent legitimate-looking emails with a modified PowerPoint attachment, and when the target opened the malicious file, their computer was exposed. The social engineering campaign at the heart of Sandworm highlights the need for strong security practices at home and at work.

What is SDN Communications doing?

On the day the exploit was announced, SDN Communications evaluated its Windows-based systems, identified potentially vulnerable systems and began installing security patches.

How can I protect my business or home computer?

This is a critical vulnerability, and both businesses and consumers that rely on Windows systems should take it very seriously. While a malicious PowerPoint presentation was the chosen method of delivery in the current exploit, other seemingly innocent files such as Word or Excel documents could be used to deliver malicious code. The good news is that Microsoft released patches the same day the vulnerability was announced. If your system is set to automatically download and install updates, you may already be protected. If you are unsure, you can follow the instructions on Microsoft's website on how to check for and install updates for Windows Vista, Windows 7, or Windows 8 respectively.

Additionally, companies should implement a multi-layered approach to information security[iv] that includes the following best practices:

  1. Develop acceptable use policies for technology and provide information security training.
  2. Implement, monitor, enforce, and review information security policies.
  3. Maintain hardware and software with current patches.
  4. Educate users to recognize social engineering and to exercise caution when opening email attachments, especially from unknown sources.

[i] http://www.washingtonpost.com/world/national-security/russian-hackers-use-zero-day-to-hack-nato-ukraine-in-cyber-spy-campaign/2014/10/13/f2452976-52f9-11e4-892e-602188e70e9c_story.html

[ii] http://www.isightpartners.com/2014/10/cve-2014-4114/

[iii] http://www.isightpartners.com/2014/10/cve-2014-4114/

[iv] (Information Technology for Management, 2013)