Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support)
Published on October 15, 2014 07:00 UTC by GovCERT.ch (permalink)
Last updated on October 15, 2014 07:20 UTC
On Tuesday, Oct 14 2014, Microsoft published 8 patches that fix several vulnerabilities in the Windows operating system. An overview of the
patches and their severity is available on the Microsoft website and the ISC Handler Diary Blog.
Microsoft Security Bulletin Summary for October 2014:
InfoSec Handlers Diary Blog (incl. ISC rating on the released patches):
Several patches released by Microsoft are being classified by Microsoft and the Internet Storm Center (ISC) as critical. The most
interesting ones are MS14-058 and MS14-060, which are patching three zero-day vulnerabilities in the windows operating system. This means
that these vulnerabilities have already been identified by bad actors and are currently being exploited in order to spread malware.
MS14-058 catches two zero-day vulnerabilities (CVE-2014-4113 and CVE-2014-4148). According to the security service providers FireEye and CrowdStrike, both vulnerabilities are already being exploited in the wild and are associated with an APT called HURRICANE PANDA. More details about the attack and the two reported zero-day vulnerabilities can be found on the blogs of FireEye and Crowdstrike blog.
The 3rd zero-day vulnerability (CVE-2014-4114) is related to yet another targeted attack against various organizations. According to the security service provider iSIGHT, the malware campaign - which is named "Sandworm" - is targeting the following organizations and sectors:
According to iSIGHT, the attacks are at least partially making use of a malware called BlackEnergy, which has been already around since at least
2007. While BlackEnergy used to target random internet users in the early years, foreign actors have started to use BlackEnergy in targeted attacks against governmental bodies later. Further information about
the recent attacks involving BlackEnergy can be found on iSIGHT's blog.
Well, this is a nice story, but you may ask yourself what does that mean for you and your organizations. That's indeed a good question.
First of all: If you are a random Internet user, you are most likely safe (at least for the moment). For now (2014-10-15), there is no working exploit in the wild that random hackers could use to compromise your system. Bad actors that are having a working exploit are interested in and targeting a very limited number of organizations and sectors. However, be aware that this may change in the near future. So patching your system at the earliest moment possible is a good idea. You may want to ensure that
automatic updates are turned on. A How-To to turn on automatic updates on your computer can be found on the Windows Help portal.
Turn automatic updating on or off (English):
Aktivieren oder Deaktivieren von automatischen Updates (German):
Activer ou désactiver les mises à jour automatiques (French):
If your organization is a governmental organization, working in the energy or telecommunication sector or is an academic organization in the US, you might have to worry. According to iSIGHT, you may be on the shopping list (target list) of Sandworm. You should ensure that you deploy the two patches MS14-058 and MS14-060 in your corporate network at the earliest convenience.
For corporate networks, GovCERT.ch recommends the use of EMET (Enhanced Mitigation Experience Toolkit) and Windows AppLocker. EMET has been developed by Microsoft and is available for free. It helps you to mitigate zero-day attacks against hosts running the windows operating system. Windows AppLocker has been introduced in Win7 and is built in in any newer Windows operating system. It allows you to define policies in regards to which hosts are allowed to execute which code / executables. By this you are able to detect and prevent the execution of unknown and arbitrary code on hosts running the Windows operating system.
If you are running an IDS/IPS such as Snort or Suricata to identify malicious traffic in your network, you may want to have a look at the following rules that help you spot botnet C&C traffic related to BlackEnergy:
Unfortunately, neither FireEye, nor CrowdStrike or iSIGHT published any Indicators Of Compromise (IOCs) yet. We are sure that they will be available later. Once they are, we will update this blog post.
Back to top