Attacks/Breaches
5/12/2014
05:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Recent Word Zero-Day Used In Attacks Against Taiwan Government

Recently patched memory corruption bug in Microsoft Word abused in new targeted attacks tied to an older campaign.

A new wave of targeted attacks against the Taiwanese government have been spotted abusing Microsoft's just-patched Word zero-day memory corruption flaw (CVE-2014-1761). Microsoft publicly reported the vulnerability in late March, noting that there were "limited" targeted attacks using the flaw, and issued an update for the bug last month.

Trend Micro researchers have discovered two new targeted attacks that exploit the Word flaw, specifically one that goes after government agencies and an educational institute in Taiwan. "The existence of a patch has not deterred threat actors from exploiting this vulnerability," Trend Micro said in a blog post today.

The attacks are connected to a long-running cyber espionage campaign called Taidoor that has been around since 2009, the researchers say. The new attacks "have the same characteristics as previous runs in terms of target, social engineering lure, as well as techniques used (using a zero-day vulnerability)," according to Trend Micro. The government attack uses a phishing email purportedly from a government employee, but the phony email also comes with a malicious attachment that, when opened, drops multiple backdoors. 

An email attachment is also the lure for the Taiwanese educational institution, with an email that poses as a message about free trade issues. It also drops backdoor malware. "Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement," according to Trend Micro.

The gang behind the Taidoor attacks also traditionally has used Taiwanese IP addresses for its command and control servers and email addresses.

But are these the same cyber espionage actors involved in the initial zero-day attacks from earlier this year, or a new group of attackers? Jon Clay, senior manager of global threat communications at Trend Micro, declined to comment on the group behind the attacks. "We cannot share attacker details in this case right now," Clay told us via email. He says Trend has no information on the attackers Microsoft mentioned in the Word zero-day vulnerability bulletin.

One of the biggest worries after a zero-day software vulnerability is exposed through targeted attacks by advanced persistent threat (APT) actors is how quickly cyber criminals will convert it for their own use, but there's also the very real threat of other APT groups capitalizing on the flaws as well for their own use.

"Zero-day code is shared regularly within the underground market. Many zero-days are built into exploit kits that are sold within the underground, so anyone is able to utilize the exploit once it is known," Clay says.

Trend Micro also saw a different targeted attack using the Word exploit against a Taiwanese mailing service. The attack also uses an email document attachment, but drops the PlugX remote access Trojan and backdoor for stealing files. "PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system," according to Trend's analysis.

Meanwhile, Secunia reports that there have been eight zero-day vulnerabilities found so far this year among the top 50 applications installed worldwide. There were 14 total last year among those applications. "A quick count makes it 8 zero days so far this year, in four months. That is above average, if we look back this same time last year. So the zero-day trend is heading the way we anticipated. We know that there is a big market for this, and the trend seems to confirm it," says Kasper Lingaard,director of research and security at Secunia.

Says Trend Micro's Clay: "The criminal underground will use any and all zero-day exploits that are disclosed as quickly as they can, in an effort to maximize their window of opportunity while the vulnerabilities are still unpatched."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio