Sandworm, Hurricane Panda and the new Duqu all lose 0days, 14 IE flaws closed
Update (2014.10.15) – administrative notes for preparation… Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig, for some it was ~200 mb. Also, this cycle likely requires everyone a reboot to complete.
This morning was possibly one of the most information rich in the history of Microsoft’s patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog actor was losing an IE 0day being patched, and that seemed unusual. This month, several vulnerabilities abused with 0day exploits by known APT actors are being patched and the actors are being publicly noted. So today Microsoft pushes out eight security bulletins MS14-056 through MS14-063, including three rated critical.
The most interesting of today’s vulnerabilities are two that are enabled by Windows functionality, but are useful for spearphishing targets with Office-type data file attachments – an Excel file, PowerPoint Show, Word document, and so on. The first of the two remind us of the Duqu attacks. MS14-058 patches yet another kernel level font handling flaw CVE-2014-4148, the same kind of issue seen in the Duqu spearphish exploits. This one is rated critical by Microsoft. No one particular actor has been associated with this attack or exploit just yet.
The Windows OLE vulnerability patched with MS14-060 is surprisingly rated “Important” by Microsoft. The APT known as the “Sandworm team” deployed CVE-2014-4114 in incidents against targets alongside other known exploits. The group was known for deploying new variants of the BlackEnergy bot in cyber-espionage campaigns, hitting geopolitical and military targets. In one incident, the team sent spearphish as a PowerPoint slide deck containing the 0day OLE exploit to Ukrainian government and US academic organizations. When opened, the slides dropped newer variants of BlackEnergy to the victim systems. These newer variants of BlackEnergy maintain functionality dedicated to cyber espionage tasks.The most interesting characteristics of these BlackEnergy trojans are the custom plugins or modules, but that’s for a different blog post. Our GReAT researchers Maria Garnaeva and Sergey Lozhkin spoke about interesting BlackEnergy functionality at the May 2014 PHDays conference.
Another group known as Hurricane Panda attempted to exploit CVE-2014-4113 in targeted environments. This escalation of privilege issue can present a real problem in situations where an attacker has gotten in to a network and is attempting to burrow in further. This bug also exists in Windows kernel code, and is patched by the same MS14-058 bulletin mentioned above.
The Internet Explorer update addresses fourteen vulnerabilities, rated critical for IE6 through IE11. They do not affect Server Core installations.
More can be read about October 2014 Microsoft Security Bulletins here.