As reported on Tuesday, the Sandworm exploit has been used since at least 2009, but early last month, the so-called Sandworm hacker group started using the zero-day bug that affects all supported versions of Microsoft Windows. It then reportedly took Microsoft six weeks to develop a patch for the problem.According to Trend Micro, following news that CVE-2014-4114 was being used in attacks against the North Atlantic Treaty Organisation (NATO) and several European industries and sectors, researchers Kyle Wilhoit and Jim Gogolinski - and the rest of the Trend Micro team - discovered new and worrying attacks using the vulnerability.
"Our researchers have just found active attacks against organisations using supervisory control and data acquisition (SCADA) system software as an apparent first step in APT-style targeted attacks," says the security vendor in its advisory.
SCADA-based systems are a type of industrial control system that typically monitor and control industrial processes that exist in the physical world. SCADA-based systems are usually deployed in large-scale processes that can include multiple sites, and large distances, covering industrial, infrastructure, and facility-based processes, such as nuclear power plants.
Trend Micro says it has seen the Sandworm exploit being used to target Microsoft Windows PCs running the GE Intelligent Platform's CIMPLICITY HMI solution suite with a spear-phishing email.
The email, says the security vendor, has a malicious attachment that is opened by the CIMPLICITY application and attempts to exploit the sandworm vulnerability in Microsoft Windows.
"If the attack against the Microsoft Windows system running CIMPLICITY is successful it attempts to download the Black Energy malware onto the system," says Trend, adding that Black Energy is a malware family associated with targeted attacks that gives complete and remote control over a compromised system.
Good example of an advanced attack
Tony Marques, a cyber-security consultant with the Encode Group, said that this latest usage of Sandworm is a good example of increasingly advanced attacks using a layered vector style of infection.
There is, he explained, growing evidence of malware commoditisation in so far as it appears attackers have a vast catalogue of proven malware that can be readily combined into an effective weapon.