May 25, 2024


The Internet Generation

This Microsoft Office exploit was patched years ago, but is still being abused by hackers

Despite the fact that software program corporations routinely challenge patches to reduce vulnerabilities from remaining exploited, customers often neglect to put in them and cybercriminals are nicely conscious of this.

Menlo labs recently noticed a amount of assaults in which cybercriminals carry on to exploit an previous vulnerability, tracked as CVE-2017-11882, in Microsoft Office even with the point that it was patched a lot more than two several years in the past. These assaults specific firms in the actual estate, amusement and banking industries in both of those Hong Kong and North The usa.

The vulnerability made use of in the assaults exists in Microsoft’s Equation Editor in Office that allows users to embed mathematical equations or formulas within any place of work doc.

In accordance to a recent report from the FBI, CVE-2017-11882 is just one of the top rated 10 vulnerabilities that is routinely exploited by cybercriminals.

Leveraging older vulnerabilities

The first assault noticed by Menlo labs made use of an RTF file to bring about CVE-2017-1182 in Microsoft Office. If a person opens the Phrase doc located on on the web page, the vulnerability is triggered an an HTTP ask for to a web page is made. The web page then redirects to Femto uploader which downloads an executable. As soon as the executable is opened on an endpoint, an additional HTTP ask for to is made where by the attacker’s malicious payload is downloaded from. The payload has the NetWire distant entry trojan (RAT) which is made use of to steal qualifications and payment card details.

The next assault Menlo labs noticed in the wild was hosted on which seems to be like a well-known file sharing web site. This web site was made use of to host a malicious Microsoft Excel file that helps make a HTTP ask for to down load the Agent Tesla malware when opened. Agent Tesla is a RAT that is capable of stealing qualifications, having screenshots and downloading additional data files.

The ultimate assault exploiting CVE-2017-1182 made use of the entice of Authorization as its filename and the file by itself was hosted on OneDrive. When a person opens the malicious Excel file, it downloads and executable containing possibly the Houdini or H-Worm RAT.

In a website publish, Director of Protection Exploration at Menlo Labs, Vinay Pidathala offered even further perception on the firm’s discovery, declaring:

“The point that CVE-2017-11882 is continuing to be exploited speaks not only to the trustworthiness of the exploit, but to the point that there are corporations out there that are nevertheless working with outdated software program. Patching programs and operating techniques to shield them from safety problems is critical, but the shortage of cybersecurity experts put together with the at any time modifying enterprise natural environment helps make it more challenging for enterprises to place a suitable patch management system in put.”