Attacks/Breaches
5/12/2014
05:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Recent Word Zero-Day Used In Attacks Against Taiwan Government

Recently patched memory corruption bug in Microsoft Word abused in new targeted attacks tied to an older campaign.

A new wave of targeted attacks against the Taiwanese government have been spotted abusing Microsoft's just-patched Word zero-day memory corruption flaw (CVE-2014-1761). Microsoft publicly reported the vulnerability in late March, noting that there were "limited" targeted attacks using the flaw, and issued an update for the bug last month.

Trend Micro researchers have discovered two new targeted attacks that exploit the Word flaw, specifically one that goes after government agencies and an educational institute in Taiwan. "The existence of a patch has not deterred threat actors from exploiting this vulnerability," Trend Micro said in a blog post today.

The attacks are connected to a long-running cyber espionage campaign called Taidoor that has been around since 2009, the researchers say. The new attacks "have the same characteristics as previous runs in terms of target, social engineering lure, as well as techniques used (using a zero-day vulnerability)," according to Trend Micro. The government attack uses a phishing email purportedly from a government employee, but the phony email also comes with a malicious attachment that, when opened, drops multiple backdoors. 

An email attachment is also the lure for the Taiwanese educational institution, with an email that poses as a message about free trade issues. It also drops backdoor malware. "Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement," according to Trend Micro.

The gang behind the Taidoor attacks also traditionally has used Taiwanese IP addresses for its command and control servers and email addresses.

But are these the same cyber espionage actors involved in the initial zero-day attacks from earlier this year, or a new group of attackers? Jon Clay, senior manager of global threat communications at Trend Micro, declined to comment on the group behind the attacks. "We cannot share attacker details in this case right now," Clay told us via email. He says Trend has no information on the attackers Microsoft mentioned in the Word zero-day vulnerability bulletin.

One of the biggest worries after a zero-day software vulnerability is exposed through targeted attacks by advanced persistent threat (APT) actors is how quickly cyber criminals will convert it for their own use, but there's also the very real threat of other APT groups capitalizing on the flaws as well for their own use.

"Zero-day code is shared regularly within the underground market. Many zero-days are built into exploit kits that are sold within the underground, so anyone is able to utilize the exploit once it is known," Clay says.

Trend Micro also saw a different targeted attack using the Word exploit against a Taiwanese mailing service. The attack also uses an email document attachment, but drops the PlugX remote access Trojan and backdoor for stealing files. "PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system," according to Trend's analysis.

Meanwhile, Secunia reports that there have been eight zero-day vulnerabilities found so far this year among the top 50 applications installed worldwide. There were 14 total last year among those applications. "A quick count makes it 8 zero days so far this year, in four months. That is above average, if we look back this same time last year. So the zero-day trend is heading the way we anticipated. We know that there is a big market for this, and the trend seems to confirm it," says Kasper Lingaard,director of research and security at Secunia.

Says Trend Micro's Clay: "The criminal underground will use any and all zero-day exploits that are disclosed as quickly as they can, in an effort to maximize their window of opportunity while the vulnerabilities are still unpatched."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.