Hackers have been exploiting Microsoft Office vulnerabilities to spread various forms of malware. Depending on the campaign’s purpose and scale, the malware may be designed to steal login credentials, spy on targets’ activities, drop ransomware or cryptocurrency miners, or install DDoS malware, among other payloads. A recent Kaspersky report revealed that approximately 70% of all attacks the company detected in the first quarter of 2018 tried to leverage a Microsoft Office vulnerability, a much larger share than in previous years.
Did you know that even old vulnerabilities are often used in current campaigns because users repeatedly fail to patch their systems? According to a 2017 RAND report, the average life expectancy of a vulnerability is nearly seven years. So don’t be surprised that some of the vulnerabilities in this list are a couple of years old.
According to Kaspersky, two of the most exploited Microsoft Office vulnerabilities were discovered in 2017: CVE-2017-11882 and CVE-2018-0802.
Starting last year, a number of zero-day exploits for Microsoft Office started to pop up, Kaspersky pointed out. These campaigns at first appear to be targeted, but they quickly shift their focus to a wider range of targets. This happens when attackers start using malicious document builders.
One interesting example illustrating the quick pace of turning a campaign from targeted to public is CVE-2017-11882, an equation editor vulnerability which was patched by Microsoft on November 14, 2017 as part of Patch Tuesday. The vulnerability is located in Microsoft Equation Editor, a Microsoft Office component, and is a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000.
From the official advisory: “A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.”
Malware associated with this vulnerability includes AgentTesla, Andromeda, BONDUPDATER, HAWKEYE, LCG Kit, Loki, POWRUNNER, QuasarRAT, REMCOS RAT, ThreadKit Exploit Kit.
Even though this vulnerability is relatively old, it was exploited in active spam campaigns detected this June. As we reported, an active malware campaign which is using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit. The exploit allows attackers to automatically run malicious code without the need of any user interaction.
CVE-2018-0802 is another remote code execution vulnerability in the Equation Editor of Microsoft Office, triggered when the software fails to properly handle objects in memory. Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 is vulnerable due to the way objects are handled in memory.
Why attackers love exploiting Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802
The explanation is that attackers prefer simple, logical bugs, Kaspersky said. That is why these two Equation Editor vulnerabilities are among the most exploited bugs in Microsoft Office. The bugs are “reliable and work in every version of Word released in the past 17 years”. Most importantly, creating an exploit for either one of them doesn’t require advanced skills or specific technical knowledge, because “the equation editor binary didn’t have any of the modern protections and mitigations you’d expect from an application in 2018”, the researchers noted.
According to an analysis by Recorded Future, CVE-2017-0199 was the most exploited MS Office bug of 2017. The bug was detected by FireEye researchers in April 2017. The issue resides in the handling of MS Office RTF documents, and it could allow attackers to download and execute a Visual Basic script containing PowerShell commands, on the condition that the user opens a document containing an embedded exploit.
The researchers analyzed a number of Office documents exploiting CVE-2017-0199 that downloaded and executed malicious payloads from several well-known malware families. The bug was notably used by the so-called Gorgon Group operating out of Pakistan which primarily targeted government organizations in the U.K. and the United States.
Malware associated with CVE-2017-0199 includes DMShell++, njRAT, Pony, QuasarRAT, REMCOS RAT, SHUTTERSPEED, Silent Doc Exploit Kit, and ThreadKit Exploit Kit. The vulnerability allowed malware to be delivered through documents by abusing the auto-update of embedded links.
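To give defenders something concrete to run against the RTF delivery mechanism described for the June CVE-2017-11882 campaign and for the embedded-link abuse behind CVE-2017-0199, the following Python script is an added example; it is not code from this article, from Kaspersky, Recorded Future or FireEye. It statically triages an RTF file for two indicators: an embedded OLE object whose class is the Equation Editor, and an OLE object flagged to update itself when the document is opened. The control words `\object`, `\objclass`, `\objupdate` and `\objautlink` come from the RTF specification; the sample documents, the `triage_rtf` function name and the finding labels are constructed for this example. It scans bytes only and never renders or executes the embedded objects.

```python
"""Static triage of RTF files for indicators tied to the Equation Editor
(CVE-2017-11882 / CVE-2018-0802) and OLE auto-update link (CVE-2017-0199)
exploit families.  Example code; function names and labels are assumptions."""
import re
import sys
from dataclasses import dataclass, field

# RTF control words from the RTF specification that matter for this triage:
#   \object      starts an embedded or linked OLE object group
#   \objclass    names the OLE class (ProgID) of the object, e.g. Equation.3
#   \objupdate   forces the object to be updated when the document is opened
#   \objautlink  marks the object as an automatically updated link
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
AUTLINK_RE = re.compile(rb"\\objautlink\b")


@dataclass
class RtfTriage:
    is_rtf: bool
    object_count: int = 0
    object_classes: list = field(default_factory=list)
    auto_update: bool = False
    findings: list = field(default_factory=list)


def triage_rtf(data: bytes) -> RtfTriage:
    """Return the indicators found in the raw bytes of one RTF document."""
    # Word's RTF reader is lenient with the header, so match the "{\rt" prefix
    # rather than requiring the full "{\rtf1" that well-formed files carry.
    result = RtfTriage(is_rtf=data.lstrip().startswith(b"{\\rt"))
    if not result.is_rtf:
        return result

    result.object_count = len(OBJECT_RE.findall(data))
    result.object_classes = [
        c.decode("ascii", "replace") for c in OBJCLASS_RE.findall(data)
    ]
    result.auto_update = bool(OBJUPDATE_RE.search(data) or AUTLINK_RE.search(data))

    # Equation Editor objects are the vehicle for CVE-2017-11882 / CVE-2018-0802.
    for cls in result.object_classes:
        if cls.lower().startswith("equation"):
            result.findings.append(
                f"Equation Editor OLE object ({cls}): relevant to "
                "CVE-2017-11882 / CVE-2018-0802 patch status"
            )
    # An OLE object that updates itself on open is the pattern behind CVE-2017-0199.
    if result.auto_update and result.object_count:
        result.findings.append(
            "OLE object set to auto-update on open (\\objupdate / \\objautlink): "
            "pattern associated with CVE-2017-0199"
        )
    return result


# Constructed sample documents (not real malware); the objdata hex is filler.
SAMPLE_EQUATION = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000}}}"
)
SAMPLE_AUTOLINK = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 01050000}}}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi Hello from a plain document.\\par}"


def triage_paths(paths):
    """Triage each file on disk; returns {path: RtfTriage}."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = triage_rtf(fh.read())
    return results


if __name__ == "__main__":
    targets = sys.argv[1:]
    reports = (
        triage_paths(targets)
        if targets
        else {"sample-equation": triage_rtf(SAMPLE_EQUATION),
              "sample-autolink": triage_rtf(SAMPLE_AUTOLINK),
              "sample-benign": triage_rtf(SAMPLE_BENIGN)}
    )
    for name, rep in reports.items():
        verdict = "SUSPICIOUS" if rep.findings else "no indicators"
        print(f"{name}: {verdict}")
        for f in rep.findings:
            print(f"  - {f}")
```

Run it without arguments to see the three constructed samples triaged, or pass file paths to scan real attachments from a mail gateway quarantine. A hit is a reason to check the host's Office patch level and to detonate the file in a sandbox, not proof of exploitation; real exploit documents also obfuscate these control words, so this scanner is a first-pass filter rather than a substitute for a full RTF parser.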
This is one more of the top Microsoft Office vulnerabilities. According to the official advisory, Microsoft Office is prone to a remote code-execution vulnerability which can be leveraged to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts could result in denial of service conditions.
The vulnerability has been exploited to distribute Formbook, QuasarRAT, Sisfader RAT, ThreadKit Exploit Kit, and Trickbot malware. It is noteworthy that the Sisfader RAT maintains persistence by installing itself as a service when launched from malicious RTF files.
The vulnerability was patched in June 2019 Patch Tuesday, and is considered quite serious. According to Allan Liska, senior solutions architect at Recorded Future, “this is another memory corruption vulnerability that requires an attacker to send a specially crafted Microsoft Word document for a victim to open, alternatively an attacker could convince a victim to click on a link to a website hosting a malicious Microsoft Word document.”
What is worse is that the flaw affects all versions of Microsoft Word on both Windows and Mac operating systems, as well as Office 365. “Given that Microsoft Word Documents are a favorite exploitation tool of cybercriminals, if this vulnerability is reverse engineered it could be widely exploited,” the researcher added.
As it turns out, attackers love exploiting Microsoft Office vulnerabilities. The flaws listed above are certainly severe, but they are only a small portion of the arsenal used by threat actors. Patching the operating system and applications as soon as a security fix arrives is highly important, but sometimes it is not enough, as the many zero-day exploits (targeting not only Microsoft products but also a range of other software) show. Because many of these exploit campaigns are spread via email and require the user to open a malicious email, file, or link, phishing awareness training becomes a top priority for both enterprise and home users.