As reported on Tuesday, the Sandworm exploit has been used since at least 2009, but early last month the so-called Sandworm hacker group started using the zero-day bug that affects all supported versions of Microsoft Windows. It then reportedly took Microsoft six weeks to develop a patch for the problem. According to Trend Micro, following news that CVE-2014-4114 was being used in attacks against the North Atlantic Treaty Organisation (NATO) and several European industries and sectors, researchers Kyle Wilhoit and Jim Gogolinski - and the rest of the Trend Micro team - discovered new and worrying attacks using the vulnerability.
"Our researchers have just found active attacks against organisations using supervisory control and data acquisition (SCADA) system software as an apparent first step in APT-style targeted attacks," says the security vendor in its advisory.
SCADA-based systems are a type of industrial control system that typically monitor and control industrial processes that exist in the physical world. SCADA-based systems are usually deployed in large-scale processes that can include multiple sites, and large distances, covering industrial, infrastructure, and facility-based processes, such as nuclear power plants.
Trend Micro says it has seen the Sandworm exploit being used to target Microsoft Windows PCs running the GE Intelligent Platform's CIMPLICITY HMI solution suite with a spear-phishing email.
The email, says the security vendor, has a malicious attachment that is opened by the CIMPLICITY application and attempts to exploit the Sandworm vulnerability in Microsoft Windows.
"If the attack against the Microsoft Windows system running CIMPLICITY is successful it attempts to download the Black Energy malware onto the system," says Trend, adding that Black Energy is a malware family associated with targeted attacks that gives complete and remote control over a compromised system.
Good example of an advanced attack
Tony Marques, a cyber-security consultant with the Encode Group, said that this latest usage of Sandworm is a good example of increasingly advanced attacks using a layered vector style of infection.
There is, he explained, growing evidence of malware commoditisation in so far as it appears attackers have a vast catalogue of proven malware that can be readily combined into an effective weapon.
"All a skilled threat actor has to do is wrap the malware with new external characteristics to defeat signature-based detection tools. Ultimately, attack profiling combined with data analytics to implement a containment strategy is the only way to combat these advanced attacks," he said.
Lucas Zaichkowsky, enterprise defence architect with AccessData, meanwhile, said that Microsoft released three critical bulletins on Tuesday, including a patch for the 'Sandworm' vulnerability.
"System administrators should have applied these patches immediately because infected servers can be used to scan internal systems, enabling attackers to quickly move laterally, dropping other backdoors that will ensure they have persistent access, enabling them to steal from internal systems," he said.
In a targeted attack scenario, Zaichkowsky notes that attackers will move quickly to steal privileged user accounts and progress through the internal network. For example, he said, they might compromise a web server that isn't considered sensitive, but they will use that as the source of their initial hacking activity, already behind perimeter defences.
In the wild
"Sandworm is believed to have been in the wild since 2009. Companies should immediately set up network intrusion detection systems to detect attacks and enable logging that would allow them to record any exploitation of the vulnerability. That will allow them to know if they've been attacked so that the appropriate incident response and resolution steps can be taken," he said.
"Integrating security point solutions will provide IT teams with overall visibility, enabling them to detect and correlate real-time information so that they can immediately respond to indicators of compromise, whether they are triggered by an employee clicking on a link in a phishing email, an external attacker or an unpatched or mis-configured system," he added.
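The correlation Zaichkowsky describes, applied to the attack chain reported above (phishing email with an attachment, the attachment opened by the HMI application, then a payload fetched from outside), as an added example that is not from the article or from any vendor named in it. The three log sources, their line formats, the host and file names, the HMI process name and the external address are all constructed assumptions for illustration only.

```python
"""
Added example: correlate constructed mail, process-creation and web-proxy logs
to flag the chain 'attachment delivered -> opened by HMI process -> external
download from the same host'. Formats, names and addresses are assumed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines (assumed 'timestamp key=value ...' format, not any real product's output).
MAIL_LOG = [
    "2014-10-16T09:01:12 deliver to=op1@plant.example host=HMI-01 attachment=maintenance_notes.cim",
    "2014-10-16T09:05:40 deliver to=hr@plant.example host=WS-07 attachment=timesheet.xlsx",
]
PROCESS_LOG = [
    '2014-10-16T09:03:05 host=HMI-01 image=CimView.exe cmdline="CimView.exe maintenance_notes.cim"',
    '2014-10-16T09:06:10 host=WS-07 image=EXCEL.EXE cmdline="EXCEL.EXE timesheet.xlsx"',
]
NET_LOG = [
    "2014-10-16T09:03:09 host=HMI-01 method=GET url=http://198.51.100.23/stage/payload.bin",
    "2014-10-16T09:07:00 host=WS-07 method=GET url=http://intranet.plant.example/news",
]

HMI_IMAGES = {"cimview.exe"}        # assumed HMI viewer process name (illustrative, not from the page)
INTERNAL_SUFFIX = ".plant.example"  # assumed internal DNS suffix; anything else counts as external

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one log line into a dict; the leading token is the timestamp, quoted values lose their quotes."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_external(url):
    """True when the URL's host is not under the assumed internal suffix (raw IPs are external too)."""
    host = urlparse(url).hostname or ""
    return not host.endswith(INTERNAL_SUFFIX)


def correlate(mail_lines, proc_lines, net_lines,
              open_window=timedelta(minutes=30), fetch_window=timedelta(minutes=5)):
    """Return one alert per (attachment delivered, opened by HMI process, external fetch) chain on a host."""
    mails = [parse(l) for l in mail_lines]
    procs = [parse(l) for l in proc_lines]
    nets = [parse(l) for l in net_lines]
    alerts = []
    for m in mails:
        att = m.get("attachment")
        if not att:
            continue
        for p in procs:
            # Same host, an HMI process, started within the window after delivery, with the attachment on its command line.
            if p["host"] != m["host"] or p["image"].lower() not in HMI_IMAGES:
                continue
            if not (m["ts"] <= p["ts"] <= m["ts"] + open_window):
                continue
            if att.lower() not in p.get("cmdline", "").lower():
                continue
            for n in nets:
                # Same host fetching from outside shortly after the HMI process opened the file.
                if n["host"] != p["host"] or not is_external(n["url"]):
                    continue
                if not (p["ts"] <= n["ts"] <= p["ts"] + fetch_window):
                    continue
                alerts.append({
                    "host": p["host"],
                    "recipient": m.get("to"),
                    "attachment": att,
                    "opened_by": p["image"],
                    "url": n["url"],
                    "first_seen": m["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_LOG, PROCESS_LOG, NET_LOG):
        print(alert)
```

Only the HMI-01 chain is reported: the WS-07 workstation also received an attachment and opened it, but with a spreadsheet application rather than the HMI viewer, and its later web request stayed internal. The windows and the process allowlist are the knobs a defender would tune per site; the point of the three-stage match is that any single stage (an email with an attachment, an HMI process starting, an outbound download) is routine on its own.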
Dai Kennett, a consultant with Context Information Security, said that it comes as no surprise that attackers have been using this vulnerability to leverage attacks against SCADA systems, as the current attitude of the ICS community is very blasé toward security, and the underlying systems plus software remain highly vulnerable.
"Organisations have learnt from the Stuxnet embarrassment that security is important and that there are real world repercussions for not prioritising it. New critical vulnerabilities and toolkits are being made to be as flexible as possible when engaging with a target system, and I fully believe that this is only the beginning," he explained.