23 Oct 14. NATO falls victim to ‘Sandworm’ vulnerability. A new piece of malware detected recently has exposed a NATO server, breached an American university and compromised systems across Europe by exploiting a major security gap in Microsoft operating systems. In at least some of the attacks, a ‘weaponized PowerPoint document’ was used to exploit the vulnerability and give access to the attackers, according to cybersecurity analysts at iSIGHT Partners. The vulnerability affects all versions of Windows from Vista SP2 through Windows 8.1, though Windows XP is apparently immune. Windows Server 2008 and 2012 are also vulnerable. The firm announced its discovery of the malware on Oct 14. One attack on NATO’s system left a command and control server open to the public for a time, according to iSIGHT senior marketing director Steve Ward. Another targeted an academic institution in the U.S. that specializes in Russian policy and geopolitics. The group allegedly responsible for the attacks, dubbed ‘Sandworm,’ also targeted the Ukrainian government, an unnamed Western European government, private sector energy firms in Poland and a number of European telecommunication companies. ‘Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,’ according to the iSIGHT team. An analysis of the targets and the lures employed to trick users into downloading the malware suggests the attackers are from Russia, Ward said, though they have yet to identify who or whether they are connected to the Russian government. “We’re 100 percent sure what we’re looking at is cyber espionage,” Ward said, noting that the attackers seemed to be looking for proprietary information on opinions and strategies to deal with Russia, particularly with regard to Ukraine. The security gap allows attackers to embed arbitrary code within an OLE packager (a linking and embed function in Microsoft systems) that is called and executed when the user opens a related Microsoft program, such as PowerPoint. In a blog post exposing the vulnerability, iSIGHT noted that the attackers must develop a specific code to engineer a breach, as well as convince the end user to open the file containing the malware. ‘This will cause the reference files to be downloaded in the case of INF [installation software] files, to be executed with specific commands,’ iSIGHT reported. While the malware must be target-specific, the widespread nature of the vulnerability makes it potentially dangerous for any users on a Microsoft platform. (Source: Defense News)
22 Oct 14. UK renews SIGINT push. Britain is reviving plans to update battlefield signals intelligence capabilities, the first of its kind since a Lockheed Martin contract to re-equip land forces was axed in 2009. A few lines in the UK Defence Contracts Bulletin this month signaled that the Landseeker signals intelligence and jamming program, quietly shelved along with dozens of other programs during budget-cutting measures in 2010, is back on the radar. “Funding has been allocated to conduct a Landseeker concept and assessment phase. The Defence Contracts Bulletin announcement was placed in order to notify industry of the project’s existence. The funding category and main gate [the development and production approval date] will be established as the study activities progress with the program’s exact requirements defined during the concept and assessment phase,” said a Defence Ministry spokesman. The MoD will not talk about timelines or cost at this early stage of the program, but executives here said they expect main gate approval around 2017. The program, they said, would likely be a Category B project, between £100m and £250m (US $160m and $400m), but it could be higher depending on the scope of the Royal Signals Regiment requirement. One industry executive here said details of exactly how the La