The window to patch vulnerabilities is shrinking rapidly:
Russian-state hackers wasted no time exploiting a critical Microsoft Office vulnerability that allowed them to compromise the devices inside diplomatic, maritime, and transport organizations in more than half a dozen countries, researchers said Wednesday.
The threat group, tracked under names including APT28, Fancy Bear, Sednit, Forest Blizzard, and Sofacy, pounced on the vulnerability, tracked as CVE-2026-21509, less than 48 hours after Microsoft released an urgent, unscheduled security update late last month, the researchers said. After reverse-engineering the patch, group members wrote an advanced exploit that installed one of two never-before-seen backdoor implants.
The entire campaign was designed to make the compromise undetectable to endpoint protection. Besides being novel, the exploits and payloads were encrypted and ran in memory, making their malice hard to spot. The initial infection vector was email sent from previously compromised government accounts in multiple countries, senders that were likely familiar to the targeted recipients. Command and control channels were hosted in legitimate cloud services that are typically allow-listed inside sensitive networks.
"The use of CVE-2026-21509 demonstrates how quickly state-aligned actors can weaponize new vulnerabilities, shrinking the window for defenders to patch critical systems," the researchers, with security firm Trellix, wrote. "The campaign's modular infection chain—from initial phish to in-memory backdoor to secondary implants—was carefully designed to leverage trusted channels (HTTPS to cloud services, legitimate email flows) and fileless techniques to hide in plain sight."
The 72-hour spear phishing campaign began January 28 and delivered at least 29 distinct email lures to organizations in nine countries, primarily in Eastern Europe. Trellix named eight of them: Poland, Slovenia, Turkey, Greece, the UAE, Ukraine, Romania, and Bolivia. Organizations targeted were defense ministries (40 percent), transportation/logistics operators (35 percent), and diplomatic entities (25 percent).
[...] Trellix attributed the campaign to APT28 with "high confidence" based on technical indicators and the targets selected. Ukraine's CERT-UA has also attributed the attacks to UAC-0001, a tracking name that corresponds to APT28.
"APT28 has a long history of cyber espionage and influence operations," Trellix wrote. "The tradecraft in this campaign—multi-stage malware, extensive obfuscation, abuse of cloud services, and targeting of email systems for persistence—reflects a well-resourced, advanced adversary consistent with APT28's profile. The toolset and techniques also align with APT28's fingerprint."
Trellix has provided a comprehensive list of indicators organizations can use to determine if they have been targeted.
(Score: 5, Informative) by Dr Spin on Tuesday February 10, @07:28AM (5 children)
That using Microsoft products ...
.. IS compromising your security!
Warning: Opening your mouth may invalidate your brain!
(Score: 4, Touché) by turgid on Tuesday February 10, @10:49AM
Nah, see, there's a legal agreement and money changing hands. That's called accountability. It's someone else's fault.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2, Insightful) by Anonymous Coward on Tuesday February 10, @02:12PM (2 children)
It's not just Microsoft. We do computers completely wrong. Mixing system and user, data and control, are just some of the dumbest things there is. It is total insanity that an entire system can be brought down by a text file with the right unicode combo, or by a desktop window manager!
(Score: 3, Funny) by turgid on Tuesday February 10, @07:53PM (1 child)
Rewrite it in Rust!!!
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 3, Informative) by Bentonite on Thursday February 12, @04:40AM
That will just ensure that the whole system can be brought down by a simple ASCII text file, as Rust is designed to panic() when absolutely anything is wrong (for example an empty text file), rather than handling the case; https://doc.rust-lang.org/rust-by-example/error/option_unwrap.html [rust-lang.org]
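An added example, written for this page and not taken from the comment above or from the linked Rust documentation, contrasting the two ways of reading the first line of a text file as a number: the unwrap() version panics on an empty file or non-numeric text, the Result version reports both cases to the caller. The sample inputs standing in for file contents are constructed.

```rust
/// Parse the first line of a text file as an integer, the unwrap() way.
/// Both unwrap() calls panic on bad input (empty file, non-numeric line).
pub fn first_line_as_int_unwrap(contents: &str) -> i64 {
    // lines().next() is None for an empty file, so unwrap() panics here.
    let line = contents.lines().next().unwrap();
    // parse() is Err for text such as "hello", so unwrap() panics here.
    line.trim().parse::<i64>().unwrap()
}

/// Explicit error type so the caller decides what an empty or malformed
/// file means, instead of the process aborting.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Empty,
    NotANumber(String),
}

/// Same task, with both failure cases handled instead of panicking.
pub fn first_line_as_int(contents: &str) -> Result<i64, ParseError> {
    // ok_or turns the missing line into an error; `?` returns it early.
    let line = contents.lines().next().ok_or(ParseError::Empty)?;
    line.trim()
        .parse::<i64>()
        .map_err(|_| ParseError::NotANumber(line.to_string()))
}

/// Run the unwrap() version under catch_unwind so the panic can be
/// observed from a test without killing the process.
pub fn unwrap_panics_on(contents: &str) -> bool {
    std::panic::catch_unwind(|| first_line_as_int_unwrap(contents)).is_err()
}

fn main() {
    // Constructed inputs: a valid file, an empty file, a non-numeric file.
    let inputs = ["42\n", "", "hello\n"];
    for input in inputs {
        println!(
            "{:?} -> handled: {:?}, unwrap() panics: {}",
            input,
            first_line_as_int(input),
            unwrap_panics_on(input)
        );
    }
}
```

The panic in the unwrap() path still prints a message to stderr through the default panic hook; catch_unwind only stops it from unwinding past the caller.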
(Score: 3, Insightful) by ikanreed on Tuesday February 10, @11:18PM
The particular form of MS horseshit today is "why does my spreadsheet need to communicate online in the first place?"
It reeks of bloat that serves their corporate interests above my interests as a user
(Score: 3, Informative) by shrewdsheep on Tuesday February 10, @11:36AM (3 children)
While this is certainly exacerbated by the fact that M$ is closed source, the implications are broader. There are constantly many teams working in parallel: CVE scanners, patch reverse engineers, exploit developers, rootkit developers, endpoint evasion engineers, phishing engineers and more. Coupled with high incentives, this allows for strikes like this. Several countries likely fund teams like these: US, Russia, China, North Korea, probably the UK and possibly more.
M$ will have to change daily practice: it's no longer best practice to roll out a patch before disclosing a CVE. Open source is certainly better, disclosing the CVE and suggesting immediate measures, followed by a patch, but it is not invulnerable to these developments.
Whatever people might do on the internet in your wildest fantasies... is actually done.
(Score: 1, Insightful) by Anonymous Coward on Tuesday February 10, @01:35PM (1 child)
Do you think the hackers will find it even more difficult to use the source code, diffs etc from OSS patches to write an exploit?
IMO it should be even easier. Heck some AIs might even be able to automatically get more of the exploits right than if you had them write exploits based on the Windows Update binaries.
There have been plenty of exploitable bugs in OSS. You probably don't want to smoke whatever the log4j or PHP developers were smoking.
(Score: 1) by khallow on Wednesday February 11, @11:58AM
Closed source means that MS are the only ones with direct access to the code.
Indeed. Criminals aren't the only ones who can use AI to find exploits. But in the absence of MS revealing the code an outside security researcher can't access the code legally to do the above. Infiltrating MS and stealing the code on the other hand isn't beyond a number of governments and criminal organizations. It's basically an obstruction to legal discovery of security holes and related issues.
And plenty of developers who can fix those exploitable bugs.
(Score: 5, Touché) by RedGreen on Tuesday February 10, @06:28PM
"M$ will have to change daily practice:"
HAHAHA that is a good one, you are killing me. Just why the hell would them incompetent morons at Microsoft change a God damn thing? The useless clowns keep throwing truckloads of money at them for the privilege of buying their total garbage software, which has been nothing more than a virus/trojan delivery system at this point for literally decades. As long as this continues it is business as usual from them; they have absolutely zero incentive to change the trash software development they do.
"Cervantes definitely was prescient in describing a senile Don fighting against windmills." -- larryjoe on /.
(Score: 4, Informative) by jb on Wednesday February 11, @06:26AM
If your country's diplomatic corps really cares so little about security that they actually run Microsoft Office, then your country desperately needs to hang its diplomatic corps' CIO for treason. Deliberately telling your diplomats that it's somehow okay to run software that's been known FOR DECADES to be the most insecure of its ilk is no different to telling your diplomats that it's somehow okay to take all your meetings in a cafe known to be run by your enemy's intelligence service. Either way it ought to be an open and shut case of treason.