April 27, 2024 at 08:54AM
Cybersecurity researchers have detected a targeted cyber attack on Ukraine that uses a seven-year-old vulnerability in Microsoft Office to deliver Cobalt Strike. The attack chain starts with a PowerPoint file that exploits the flaw to achieve remote code execution, which in turn injects a malicious payload. The attack's exact purpose and the responsible threat actor remain unclear.
The key takeaways from the report are:
1. Cybersecurity researchers have uncovered a targeted operation against Ukraine using a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.
2. The attack chain involved the use of a PowerPoint slideshow file as the starting point, potentially distributed via the Signal instant messaging app.
3. The attack targeted Ukrainian armed forces, using messaging and dating platforms to serve malware and exfiltrate data from computers.
4. Further details revealed the exploitation of a now-patched remote code execution bug in Office, which allowed an attacker to perform arbitrary actions and load remote scripts.
5. The attackers disguised their activities by using domain names unrelated to military content, such as weavesilk[.]space and petapixel[.]fun, posing a challenge for detection and attribution.
6. Additionally, about 20 energy, water, and heating suppliers in Ukraine were targeted by a Russian state-sponsored group called UAC-0133, employing various malware, including Kapeka and its Linux variant BIASBOAT.
7. Sandworm, linked to Unit 74455 within the GRU, has been active since at least 2009 and is engaged in the full spectrum of espionage, attack, and influence operations.
These takeaways highlight the sophisticated nature of the cyber attacks targeting Ukraine and the involvement of state-sponsored threat groups, emphasizing the need for robust cybersecurity measures and vigilance.
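The two domains quoted in takeaway 5 are published in defanged form (`[.]` in place of the dot), which is why a blue team cannot paste them straight into a log search. The script below is an added example, not code from the report or from the researchers; it refangs the indicators and runs them over constructed DNS and proxy log lines (the log lines are sample data invented for this example, not from the report), matching both the exact domain and any subdomain so that a lookalike such as `notweavesilk.space` is not reported while `cdn.weavesilk.space` is.

```python
import re
from typing import Iterable

# Defanged command-and-control domains quoted in the report (the page's own indicators).
DEFANGED_IOCS = ["weavesilk[.]space", "petapixel[.]fun"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname.

    Handles the common defanging conventions: '[.]', '(.)', '{.}' for dots
    and 'hxxp'/'hxxps' for URL schemes. The result is lowercased, and any
    scheme or path is stripped so only the host remains.
    """
    s = indicator.strip().lower()
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", s)
    s = re.sub(r"^hxxps?://", "", s)
    s = s.split("/", 1)[0]
    return s


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the indicator domain or is a subdomain of it.

    The leading dot in the suffix check prevents 'notweavesilk.space'
    from matching 'weavesilk.space'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Hostname field as written in the constructed log format below (query=, host= or sni=).
HOST_FIELD = re.compile(r"\b(?:query|host|sni)=([A-Za-z0-9.-]+)")


def scan_log(lines: Iterable[str], defanged: Iterable[str]) -> list:
    """Return (line_no, host, matched_ioc) for every line whose host field hits an indicator."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_FIELD.search(line)
        if not m:
            continue
        host = m.group(1)
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((n, host, ioc))
                break
    return hits


# Constructed sample log lines (DNS resolver and web proxy style); not taken from the report.
SAMPLE_LOG = [
    "2024-04-26T10:01:02Z dns client=10.0.0.5 query=www.microsoft.com type=A",
    "2024-04-26T10:01:09Z dns client=10.0.0.5 query=cdn.weavesilk.space type=A",
    "2024-04-26T10:01:10Z proxy client=10.0.0.5 host=PETAPIXEL.FUN method=GET path=/update.js",
    "2024-04-26T10:01:11Z proxy client=10.0.0.7 host=petapixel.com method=GET path=/",
    "2024-04-26T10:02:00Z dns client=10.0.0.9 query=notweavesilk.space type=A",
]

if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {n}: {host} matches indicator {ioc}")
```

Running the script reports lines 2 and 3 only: the subdomain of the first indicator and the upper-cased second indicator. The legitimate `petapixel.com` and the lookalike `notweavesilk.space` are ignored, which is the behaviour you want before feeding such indicators into a SIEM rule, since a plain substring search on `weavesilk.space` would flag the lookalike.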