Attackers Use Microsoft Office To Push BlackEnergy Malware

itwbennett writes: Researchers at SentinelOne reverse engineered the latest variant of the BlackEnergy 3 rootkit (the same malware used in recent attacks against Ukraine's critical infrastructure) and found indicators that suggest it is being used by insiders and that it is the byproduct of a nation-sponsored campaign. 'BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn't patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document,' writes CSO's Steve Ragan.

To all the idiots ...

[Billly+Gates]

... Who turn off Windows update. All I can say is told you so.

Re:To all the idiots ...

[Gravis+Zero]

Turning off Windows Update puts you are grave risk of malware infection. Turning it on makes it a certainty. The only winning move is not to play. Use Linux. :)

Re:To all the idiots ...

[rtb61]

I assume you meant https://www.libreoffice.org/ Libre Office rather than Linux although subtlety in there no M$ Office on Linux of course, although in this case you could call it M$ 'open' Orifice, eww, that's bad ;).

Re:To all the idiots ...

there no M$ Office on Linux of course

Wrong. You can use Office 365 on Linux.

Re:To all the idiots ...

[antdude]

Linux can get infections too. The only winning move is not to use computers. ;)

Re:To all the idiots ...

[ChunderDownunder]

Wine or Android?

Re:To all the idiots ...

[Zaowulf]

Thanks for that, Steve Rodgers.

Re:To all the idiots ...

[armanox]

Web version.

Re:This raises some very interesting questions.

1) If I don't want systemd installed on my Linux computer, does that make systemd a form of malware if it is installed?

No, unwanted software is not malware. If I install Ubuntu but don't want Gnome installed on my computer that does not make Gnome a form of malware.

2) If systemd prevents a Linux installation from booting properly, does that make systemd a form of malware?

No, an application that crashes is not malware.

3) If systemd comes with a Linux distribution, and the distribution's installer does not include a menu for easily choosing an init system other than systemd, is that Linux distribution considered to be infected with malware?

No, see response to point 1.

Re:BIZX

[NotInHere]

Cool, thanks for the news. Google seems to confirm what you say: http://www.streetinsider.com/C...

Or here as well: http://www.marketwired.com/pre...

Looking forward to have the same overlords as www.MyRatePlan.com, www.VoipReview.org and www.Voip-Info.org!

Re:BIZX

[110010001000]

Did Netcraft confirm it? I heard they bought it for a half bottle of whiskey.

Ukraine's critical infrastructure

[tetraverse]

HELLO Ukraine, don't run your critical infrastructure on a malicious Excel document. Microsoft, the company that made typing dangerous.

Re:Ukraine's critical infrastructure

[Darinbob]

I for one, would like to welcome our new Putin Jugend overlords.

Re:BIZX

[NotInHere]

Google confirms, slashdot is dying. And its google, not netcraft. Google is never wrong.

Re:TRANSLATION

[110010001000]

30 million unique visitors? They wish.

Re:TRANSLATION

[Dunbal]

The C:\ prompt is pretty iconic too, but nobody uses it anymore.

Nation-sponsored campaign?

[AHuxley]

If any nation is using an imported, outdated consumer OS for its critical infrastructure something is strange.
Open networks that face the internet, commercial OS's and older applications should be replaced with more robust solutions.

Re "... deployed in NATO countries, and more broadly across the European Union" Would an older vulnerability that might not exist or be updated even be of interest to an advanced nation-sponsored effort?
The penetration products offered to nations are new, fancy and work on the most modern OS without been found or noticed. AV fails to detect them during their useful operation.
Other products have been crafted to only go after very bespoke systems and evade traditional logs, tracking, AV or firewalls eg Equation Group.
The software used by nations is modern and always works ie not hoping to guess that all systems are not updated and access will be lucky.
What nation would risk all on old code that is of no use and will quickly be discovered hoping for an application or OS version will align with their access?
Nations can afford to win using the best code that is mission ready that no other party has seen as it is bespoke no matter what new upgrades or commercial security products are in place.
The "constantly changing attack vectors" is not new. An old consumer OS left open the internet is not a national energy policy.
Having industrial networks facing the internet is not a great idea.

Re:TRANSLATION

[malditaenvidia]

I'm stuck on Windows NT 4.0, you insensitive clod.

Re: TRANSLATION

[guruevi]

Anyone managing a Windows machine has used DOS, unlike Linux you pretty much cannot manage the damn system without. (I wish I was kidding)

Re: TRANSLATION

[Dutch+Gun]

I'm not sure how many people are expecting to manage a Linux system using DOS.

Re: BIZX

[Redmancometh]

Oh my..an SEO company..if we thought Dice was bad..

Re:This raises some very interesting questions.

[Darinbob]

It depends maybe if the software that's unwanted causes noticeable loss in performance, has unwanted side effects or causes other programs to stop working, etc. The software update may cause more damage than real malware, then the only real difference is intentional versus unintentional harm to your computer.

Re:TRANSLATION

[Bite+The+Pillow]

How do you catch 30 million unique rabbits?

PAY CMDRTACO 100 KILODOLLARS AND UNIQUE UP ON THEM.

It's interesting how...

... I no longer feel shocked by reading "microsoft" and "malware/virus" in the same sentence. When you read some news about OS X, or some FUD about Linux, and malware there is room for some banter. But with microsoft it is kind of expected. Isn't it sad that the name of a company is that linked to malware?

Re:This raises some very interesting questions.

[parkinglot777]

Not really. I should think of using set. Malware is a subset of unwanted software. An unwanted software may or may not have any effect on your computer and/or your info entered or stored via/in the computer but rather occupies spaces in storage. A malware is both unwanted and intend to do something that in turn harm the user and/or computer. However, some malware may have a side effect but its creator doesn't intend to have (e.g. leaves a computer vulnerable and that allows other malwares in).

Re:When is a patch not a patch?

[clodney]

'BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn't patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document,' writes CSO's Steve Ragan.

A vulnerability that is still present if user behavior allows triggering the payload is NOT PATCHED. It's a workaround, at best.

Nonsense. If the user is running as administrator, then the user triggering the payload is perfectly acceptable as far as Windows is concerned, because an admin user is allowed to do whatever they want to the machine. And before you say that it is still MS fault because users need to run as admin - that hasn't been true in years. Some sites still allow users to be admins of their own machines, but that is a policy decision, not something that Windows forces on them.