The Russian cyber espionage and cybercrime worlds once again have collided in a newly discovered cyberspying campaign that uses a zero-day flaw found in all supported versions of Microsoft Windows.
SLC Security Services LLC is aware of the zero-day and will be rolling out an IDS signature in the next 4 hours to supported customers via our feeds. If you have a signature subscription, your IDS/IPS and firewall alerting will automatically be updated with the new signatures. We will automatically page your security contacts if any of the signatures trip. We have not seen any commercial vendors roll out signatures for this yet, but we will be monitoring and will update this post when other security vendors release their signatures.
A cyberespionage campaign believed to be based in Russia has been targeting government leaders and institutions for nearly five years, according to researchers with iSight Partners who have examined code used in the attacks.
This particular worm also uses code similar to that covered by a Snort rule we released in July, so it was already detected by the existing ruleset. The additional rule released today identifies the variant by the type of payload attached (1 of 3).
According to our research, and the research published by other security vendors, this attack has been in use since 2009. It would have largely gone undetected had the attackers not made a mistake when attacking a honeypot at a single location, which revealed that the traffic from the malware was not normal activity.