Bekker's Blog


Menlo Security Detects Use in the Wild of Old Office Flaw

Researchers at Menlo Security on Tuesday documented newly discovered attacks in the wild leveraging an old flaw in Microsoft Office -- underscoring once again the importance of applying older patches.

Microsoft first patched the vulnerability, CVE-2017-11882, in late 2017. The flaw is in the Equation Editor of Microsoft Office, a component that lets users embed mathematical equations or formulas inside Office documents.

A small number of attacks turned up in Menlo Security's regular operations over a two-week period in late May and early June. The company offers a cloud proxy with isolation, executing browsing sessions and documents in its remote browsing solution so that active content never reaches customers' endpoints.

Menlo detected three different attacks against five companies, all using the Equation Editor flaw but each attempting to deliver a different Remote Access Trojan. None of the attacks, which were found in Hong Kong and in North America and involved real estate, entertainment and banking targets, went out to more than two employees at a single company.

"We think that it was targeted and it was targeting very few important individuals," said Vinay Pidathala, director of security research at Menlo Security, in an interview. "We believe they did the reconnaissance and they targeted the individuals."

The finding reinforces and amplifies the advice from CISA and the FBI last month listing the 10 vulnerabilities most routinely exploited by "foreign cyber actors." CVE-2017-11882 was high on that list. In fact, the FBI singled out the Equation Editor flaw as a favorite of state-sponsored attackers.

"Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft's OLE technology," the CISA/FBI alert noted.

The agencies then called on the private sector to patch the threats to help with U.S. network security. "A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

On a separate trend, Pidathala noted that the three specific attacks all hosted their payloads on SaaS platforms, including Microsoft OneDrive.

"As enterprises are moving to the cloud, they're adopting cloud storage solutions like Box, Dropbox and OneDrive. By posting their malware on these websites, [attackers] are able to make it more believable. Also, a lot of security appliances might whitelist or might not inspect traffic that comes from OneDrive, because it's a trusted source. So by hosting their weaponized payloads on these popular platforms, they're able to get by," Pidathala said.

For more detail on the attack and the RATs involved, visit Pidathala's blog post here.

Posted by Scott Bekker on June 30, 2020