Systems in Ukraine were targeted late last year in attacks that exploited a nearly seven-year-old Microsoft Office remote code execution vulnerability, tracked as CVE-2017-8570 and patched by Microsoft in July 2017, to deploy Cobalt Strike, The Hacker News reports.
The intrusions began with a PowerPoint file posing as an old U.S. Army manual for a mine clearing blade, believed to have been shared through the Signal instant messaging app, which carried a script exploiting the high-severity Office flaw, according to a report from Deep Instinct. That script drops an HTML file containing JavaScript code, which establishes persistence and loads a payload disguised as a Cisco AnyConnect VPN client, ultimately resulting in a Cobalt Strike compromise.
Questions about the campaign remain: while the lures suggest military personnel were the intended targets, the attackers used domains with no connection to the military sector, the researchers noted. The findings follow a report from Ukraine's Computer Emergency Response Team (CERT-UA) detailing attacks by a sub-cluster of the Russian state-backed Sandworm group against nearly 20 critical infrastructure entities across the country.