April 26, 2024 at 09:57AM
Unknown threat actors targeted Ukrainian government entities using an old Microsoft Office RCE exploit (CVE-2017-8570) to deliver a malicious PowerPoint file via Signal. The attack involved a Russian VPS and Cobalt Strike Beacon for information theft. The campaign’s advanced masquerading and evasive techniques pose challenges for detection and attribution. Enhanced cyber awareness and patch management are crucial for defense.
From the meeting notes, we can summarize the key points as follows:
– Threat actors targeted government entities in Ukraine using an old Microsoft Office remote code execution (RCE) exploit (CVE-2017-8570) delivered through a malicious PowerPoint file masquerading as an old instruction manual.
– The attack involved a domain of a Russian virtual private server (VPS) provider, fronted by Cloudflare, from which an obfuscated script executed the CVE-2017-8570 exploit to achieve RCE in an effort to steal information.
– The payload included a loader/packer dynamic link library (DLL) that loaded a Cobalt Strike Beacon into memory and awaited instructions from the command-and-control (C2) server of the attacker.
– The campaign is notable for the threat actors’ use of several anti-analysis and unique evasion techniques to remain hidden and keep control of infected machines; the attackers continuously disguised their files and activity as legitimate to evade detection.
– The attack does not appear to be linked to any known threat group, indicating it may be the work of a new group or representative of a fully upgraded tool set of a known threat actor.
– The use of the secure Signal app for the initial compromise highlights the importance of broader employee cyber awareness and the need for robust patch management systems.
In response to these findings, the team recommends broader employee cyber awareness, scanning for provided IoCs in the network, and ensuring that Office is patched to the latest version. Additionally, the reliance on older exploits stresses the importance of robust patch management systems and advanced detection mechanisms that go beyond signature-based cyber-defense approaches, incorporating behavior and anomaly detection to identify modified malicious software.
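As an added illustration of the behavior-based detection the recommendation above calls for (this is not code from the original report), the script below applies two rules to process-creation events: an Office application spawning a script host or other LOLBin, and rundll32.exe loading a DLL from a directory outside the usual trusted system paths. The event schema (Sysmon Event ID 1-like fields), the lists of Office binaries and script hosts, and the sample events are all assumptions constructed for the example.

```python
"""Behavior-based checks over constructed process-creation events.

Assumed event schema: dict with pid, parent_image, image, command_line
(Sysmon Event ID 1-like). Office app and script-host lists are examples.
"""
import shlex
from pathlib import PureWindowsPath

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                "c:\\program files (x86)\\")

def _basename(path):
    return PureWindowsPath(path).name.lower()

def analyze_event(event):
    """Return alert strings for one process-creation event."""
    alerts = []
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    cmdline = event["command_line"].lower()
    # Rule 1: an Office process should not spawn a script host / LOLBin.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        alerts.append(f"office-child: {parent} -> {child}")
    # Rule 2: rundll32's first argument is the DLL (optionally quoted);
    # a DLL outside trusted directories suggests a dropped loader.
    if child == "rundll32.exe":
        try:
            tokens = shlex.split(cmdline, posix=False)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = cmdline.split()
        if len(tokens) >= 2:
            dll = tokens[1].strip('"').split(",")[0]
            if dll and not dll.startswith(TRUSTED_DIRS):
                alerts.append(f"rundll32-untrusted-dll: {dll}")
    return alerts

def scan(events):
    """Return (pid, alert) pairs for all events."""
    return [(e["pid"], a) for e in events for a in analyze_event(e)]

# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\manual.js"'},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Start"},
    {"pid": 5012, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"pid": 5100, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```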