Threat actors are seen leveraging an old Microsoft Office vulnerability, CVE-2017-8570, to deploy the notorious Cobalt Strike Beacon, targeting systems in Ukraine.
The attack begins with the exploitation of CVE-2017-8570, a vulnerability first identified in 2017 that allows attackers to execute arbitrary code via specially crafted files for making initial access.
The attackers used a malicious PPSX file, masquerading as an old US Army instruction manual for mine-clearing tank blades that bypassed the traditional security controls.
It included a remote relationship to an external OLE object, utilizing a “script:” prefix before an HTTPS URL to conceal the payload, avoid on-disk storage, and complicate analysis.
This technique highlights the attackers’ sophistication and focus on stealth and persistence
The Cobalt Strike Beacon used in this attack was configured to communicate with a C&C server, cleverly disguised as a popular photography website but hosted under suspicious conditions.
The Beacon’s configuration included a cracked version of the software, indicated by a license_id of 0, and detailed instructions for C&C communications, including the domain name, URI, and public key for encrypted exchanges.
This attack underscores the importance of vigilance and advanced detection capabilities in the cybersecurity domain.
Organizations are advised to update their systems regularly to patch known vulnerabilities like CVE-2017-8570.
Employ advanced threat detection solutions to identify and mitigate sophisticated threats, such as those posed by custom Cobalt Strike loaders.
Despite the detailed analysis, the operation could not be attributed to any known threat actor. This lack of attribution adds complexity to the defense against these attacks, as understanding the adversary is critical to predicting and mitigating their tactics and techniques.