Ukraine Targeted by a Geo-Poli-Cyber™ motivated attack that Exploited a 7-Year-Old Microsoft Office Flaw.

– Anatomy of a Geo-Poli-Cyber™ motivated attack – Researchers have discovered a targeted operation against Ukraine that has leveraged a seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.

– “By definition, this is a 100% Geo-Poli-Cyber™ motivated attack,” said a senior Cyber Survivability executive at the MLi Group. “In essence, if you cannot name the threat, you cannot mitigate the threat,” the expert emphasized.

Anatomy of a Failed Mitigation of a Geo-Poli-Cyber™ Motivated Attack.


The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file (“signal-2023-12-20-160512.ppsx”) as the starting point, with the filename implying that it may have been shared via the Signal instant messaging app.

Continued Failure

“To continue calling it a ‘cyber-attack’, or ‘nation state’ is at the core of why the best in cyber security strategies and solutions continue failing to effectively mitigate risks and threats, or defend national sovereignties, critical infrastructures, and corporate structures,” the senior Cyber Survivability executive at the MLi Group concluded.

Some Technical Detail.

That being said, there is no actual evidence to indicate that the PPSX file was distributed in this manner, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered two different campaigns that have used the messaging app as a malware delivery vector in the past.

Just last week, the agency disclosed that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source programs such as sigtop and tusc to exfiltrate data from computers.

“The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of the U.S. Army for mine clearing blades (MCB) for tanks,” security researcher Ivan Kosarev said. “The PPSX file includes a remote relationship to an external OLE object.”

This involves exploiting CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that allows an attacker to perform arbitrary actions once a victim is convinced to open a specially crafted file; here it is used to load a remote script hosted on weavesilk[.]space.
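A defender-side triage check for the file trait Deep Instinct describes (a PPSX whose slide relationships reference an OLE object outside the package), added here as an example; it is not part of the original report or of Deep Instinct's tooling. A PPSX is an OOXML zip, so the scan opens the archive, parses every `.rels` part, and lists OLE-object relationships marked `TargetMode="External"`. The sample package and the `example.invalid` URL are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"


def find_external_ole(ppsx_bytes):
    """Return (part, Id, Target) for every OLE-object relationship in the package
    whose TargetMode is "External". An embedded OLE object normally lives inside
    the package; one resolved from an outside Target is the trait to triage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # unparsable rels part; a production scanner would flag it
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target", "")))
    return hits


def make_sample(target, external=True):
    """Constructed minimal package holding only the parts the scanner reads."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{LAYOUT_REL}" Target="../slideLayouts/slideLayout1.xml"/>'
            f'<Relationship Id="rId2" Type="{OLE_REL}" Target="{target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="'
                     'http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a placeholder, not an indicator from the report
    for part, rid, target in find_external_ole(make_sample("http://example.invalid/stage1")):
        print(f"external OLE relationship in {part}: {rid} -> {target}")
```

Point `find_external_ole` at the bytes of a real `.ppsx`/`.pptx`/`.docx` to triage it; a relationship embedded as a package part (no `TargetMode`) is not reported.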

The heavily obfuscated script subsequently launches an HTML file containing JavaScript code, which, in turn, sets up persistence on the host via Windows Registry and drops a next-stage payload that impersonates the Cisco AnyConnect VPN client.

The payload includes a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into system memory and awaits further instructions from a command-and-control (C2) server (“petapixel[.]fun”).

The DLL also packs in features to check if it’s being executed in a virtual machine and evade detection by security software.

Deep Instinct said it could neither link the attacks to a specific threat actor or group nor exclude the possibility of a red teaming exercise. Also unclear is the exact end goal of the intrusion.

“The lure contained military-related content, suggesting it was targeting military personnel,” Kosarev said.

“But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (weavesilk[.]com) and a popular photography site (petapixel[.]com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”

Sandworm Targets Critical Infra in Ukraine

The disclosure comes as CERT-UA revealed that about 20 energy, water, and heating suppliers in Ukraine have been targeted by a Russian state-sponsored group called UAC-0133, a sub-cluster within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for the bulk of all the disruptive and destructive operations against the country.

The attacks, which aimed to sabotage critical operations, involve the use of malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, in addition to GOSSIPFLOW and LOADGRIP.

While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary written in C that’s used to load BIASBOAT on compromised Linux hosts.





What Are Geo-Poli-Cyber™ Risks?

What Is Geo-Poli-Cyber™?

MLi Group created the terms Poli-Cyber™ and Geo-Poli-Cyber™ (GPC™) in 2012 and 2013 based on the philosophy that if you cannot identify and name the threat, you cannot mitigate that threat.

Geo-Poli-Cyber™ attacks are political, ideological, terrorist, extremist, ‘religious’, and/or geo-politically motivated.

More Sinister Than Financial Motivations

Geo-Poli-Cyber™ attacks are significantly different from financially motivated cyber-attacks in damage, scale, magnitude as well as in risk mitigation strategies and solutions.
