Attacks/Breaches
5/12/2014
05:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Recent Word Zero-Day Used In Attacks Against Taiwan Government

Recently patched memory corruption bug in Microsoft Word abused in new targeted attacks tied to an older campaign.

A new wave of targeted attacks against the Taiwanese government have been spotted abusing Microsoft's just-patched Word zero-day memory corruption flaw (CVE-2014-1761). Microsoft publicly reported the vulnerability in late March, noting that there were "limited" targeted attacks using the flaw, and issued an update for the bug last month.

Trend Micro researchers have discovered two new targeted attacks that exploit the Word flaw, specifically one that goes after government agencies and an educational institute in Taiwan. "The existence of a patch has not deterred threat actors from exploiting this vulnerability," Trend Micro said in a blog post today.

The attacks are connected to a long-running cyber espionage campaign called Taidoor that has been around since 2009, the researchers say. The new attacks "have the same characteristics as previous runs in terms of target, social engineering lure, as well as techniques used (using a zero-day vulnerability)," according to Trend Micro. The government attack uses a phishing email purportedly from a government employee, but the phony email also comes with a malicious attachment that, when opened, drops multiple backdoors. 

An email attachment is also the lure for the Taiwanese educational institution, with an email that poses as a message about free trade issues. It also drops backdoor malware. "Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement," according to Trend Micro.

The gang behind the Taidoor attacks also traditionally has used Taiwanese IP addresses for its command and control servers and email addresses.

But are these the same cyber espionage actors involved in the initial zero-day attacks from earlier this year, or a new group of attackers? Jon Clay, senior manager of global threat communications at Trend Micro, declined to comment on the group behind the attacks. "We cannot share attacker details in this case right now," Clay told us via email. He says Trend has no information on the attackers Microsoft mentioned in the Word zero-day vulnerability bulletin.

One of the biggest worries after a zero-day software vulnerability is exposed through targeted attacks by advanced persistent threat (APT) actors is how quickly cyber criminals will convert it for their own use, but there's also the very real threat of other APT groups capitalizing on the flaws as well for their own use.

"Zero-day code is shared regularly within the underground market. Many zero-days are built into exploit kits that are sold within the underground, so anyone is able to utilize the exploit once it is known," Clay says.

Trend Micro also saw a different targeted attack using the Word exploit against a Taiwanese mailing service. The attack also uses an email document attachment, but drops the PlugX remote access Trojan and backdoor for stealing files. "PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system," according to Trend's analysis.

Meanwhile, Secunia reports that there have been eight zero-day vulnerabilities found so far this year among the top 50 applications installed worldwide. There were 14 total last year among those applications. "A quick count makes it 8 zero days so far this year, in four months. That is above average, if we look back this same time last year. So the zero-day trend is heading the way we anticipated. We know that there is a big market for this, and the trend seems to confirm it," says Kasper Lingaard,director of research and security at Secunia.

Says Trend Micro's Clay: "The criminal underground will use any and all zero-day exploits that are disclosed as quickly as they can, in an effort to maximize their window of opportunity while the vulnerabilities are still unpatched."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.