Attacks/Breaches
5/12/2014
05:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Recent Word Zero-Day Used In Attacks Against Taiwan Government

Recently patched memory corruption bug in Microsoft Word abused in new targeted attacks tied to an older campaign.

A new wave of targeted attacks against the Taiwanese government have been spotted abusing Microsoft's just-patched Word zero-day memory corruption flaw (CVE-2014-1761). Microsoft publicly reported the vulnerability in late March, noting that there were "limited" targeted attacks using the flaw, and issued an update for the bug last month.

Trend Micro researchers have discovered two new targeted attacks that exploit the Word flaw, specifically one that goes after government agencies and an educational institute in Taiwan. "The existence of a patch has not deterred threat actors from exploiting this vulnerability," Trend Micro said in a blog post today.

The attacks are connected to a long-running cyber espionage campaign called Taidoor that has been around since 2009, the researchers say. The new attacks "have the same characteristics as previous runs in terms of target, social engineering lure, as well as techniques used (using a zero-day vulnerability)," according to Trend Micro. The government attack uses a phishing email purportedly from a government employee, but the phony email also comes with a malicious attachment that, when opened, drops multiple backdoors. 

An email attachment is also the lure for the Taiwanese educational institution, with an email that poses as a message about free trade issues. It also drops backdoor malware. "Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement," according to Trend Micro.

The gang behind the Taidoor attacks also traditionally has used Taiwanese IP addresses for its command and control servers and email addresses.

But are these the same cyber espionage actors involved in the initial zero-day attacks from earlier this year, or a new group of attackers? Jon Clay, senior manager of global threat communications at Trend Micro, declined to comment on the group behind the attacks. "We cannot share attacker details in this case right now," Clay told us via email. He says Trend has no information on the attackers Microsoft mentioned in the Word zero-day vulnerability bulletin.

One of the biggest worries after a zero-day software vulnerability is exposed through targeted attacks by advanced persistent threat (APT) actors is how quickly cyber criminals will convert it for their own use, but there's also the very real threat of other APT groups capitalizing on the flaws as well for their own use.

"Zero-day code is shared regularly within the underground market. Many zero-days are built into exploit kits that are sold within the underground, so anyone is able to utilize the exploit once it is known," Clay says.

Trend Micro also saw a different targeted attack using the Word exploit against a Taiwanese mailing service. The attack also uses an email document attachment, but drops the PlugX remote access Trojan and backdoor for stealing files. "PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system," according to Trend's analysis.

Meanwhile, Secunia reports that there have been eight zero-day vulnerabilities found so far this year among the top 50 applications installed worldwide. There were 14 total last year among those applications. "A quick count makes it 8 zero days so far this year, in four months. That is above average, if we look back this same time last year. So the zero-day trend is heading the way we anticipated. We know that there is a big market for this, and the trend seems to confirm it," says Kasper Lingaard,director of research and security at Secunia.

Says Trend Micro's Clay: "The criminal underground will use any and all zero-day exploits that are disclosed as quickly as they can, in an effort to maximize their window of opportunity while the vulnerabilities are still unpatched."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.