On the heels of the news that the “Sandworm” vulnerability (CVE-2014-4114) was being used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors, Trend Micro researchers Kyle Wilhoit and Jim Gogolinski and the rest of the Trend Micro FTR team have discovered new, worrying attacks that use this vulnerability. Our researchers have just found active attacks against organizations running supervisory control and data acquisition (SCADA) system software, apparently as the first step in APT-style targeted attacks.
These attacks target Microsoft Windows PCs running the GE Intelligent Platforms CIMPLICITY HMI solution suite, starting with a spear-phishing email. The email carries a malicious attachment that is opened by the CIMPLICITY application and attempts to exploit the “Sandworm” vulnerability in Microsoft Windows. If the attack against the Windows system running CIMPLICITY succeeds, it then attempts to download the Black Energy malware onto the system.
Black Energy is a malware family associated with targeted attacks; it gives an attacker complete remote control over a compromised system. Two members of the Black Energy family, BLACKEN.A and BLACKEN.B, have already been seen in other attacks using the “Sandworm” vulnerability.
Another interesting finding from our researchers is that the spear-phishing emails are spoofed to appear to come from Oleh Tiahnybok, a Ukrainian politician with outspoken anti-Russian views.
Microsoft has released a security update, MS14-060, that protects against attempts to exploit the “Sandworm” vulnerability. Given this current activity and the previous attacks, this security update should be prioritized for immediate deployment, especially by organizations in the critical infrastructure sector.
Trend Micro offers protection against attempts to exploit this vulnerability through Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin. We also offer protection against BLACKEN.A and BLACKEN.B through OfficeScan and our other endpoint security products.
You can find more detailed information on the “Sandworm” vulnerability in this posting.
More detail from our researchers on these new SCADA-focused attacks can be found here.
Please add your thoughts in the comments below or follow me on Twitter: @TrendMicro.