A new wave of targeted attacks against the Taiwanese government have been spotted abusing Microsoft's just-patched Word zero-day memory corruption flaw (CVE-2014-1761). Microsoft publicly reported the vulnerability in late March, noting that there were "limited" targeted attacks using the flaw, and issued an update for the bug last month.
Trend Micro researchers have discovered two new targeted attacks that exploit the Word flaw, specifically one that goes after government agencies and an educational institute in Taiwan. "The existence of a patch has not deterred threat actors from exploiting this vulnerability," Trend Micro said in a blog post today.
The attacks are connected to a long-running cyber espionage campaign called Taidoor that has been around since 2009, the researchers say. The new attacks "have the same characteristics as previous runs in terms of target, social engineering lure, as well as techniques used (using a zero-day vulnerability)," according to Trend Micro. The government attack uses a phishing email purportedly from a government employee, but the phony email also comes with a malicious attachment that, when opened, drops multiple backdoors.
An email attachment is also the lure for the Taiwanese educational institution, with an email that poses as a message about free trade issues. It also drops backdoor malware. "Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement," according to Trend Micro.
The gang behind the Taidoor attacks also traditionally has used Taiwanese IP addresses for its command and control servers and email addresses.
But are these the same cyber espionage actors involved in the initial zero-day attacks from earlier this year, or a new group of attackers? Jon Clay, senior manager of global threat communications at Trend Micro, declined to comment on the group behind the attacks. "We cannot share attacker details in this case right now," Clay told us via email. He says Trend has no information on the attackers Microsoft mentioned in the Word zero-day vulnerability bulletin.
One of the biggest worries after a zero-day software vulnerability is exposed through targeted attacks by advanced persistent threat (APT) actors is how quickly cyber criminals will convert it for their own use, but there's also the very real threat of other APT groups capitalizing on the flaws as well for their own use.
"Zero-day code is shared regularly within the underground market. Many zero-days are built into exploit kits that are sold within the underground, so anyone is able to utilize the exploit once it is known," Clay says.
Trend Micro also saw a different targeted attack using the Word exploit against a Taiwanese mailing service. The attack also uses an email document attachment, but drops the PlugX remote access Trojan and backdoor for stealing files. "PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system," according to Trend's analysis.
Meanwhile, Secunia reports that there have been eight zero-day vulnerabilities found so far this year among the top 50 applications installed worldwide. There were 14 total last year among those applications. "A quick count makes it 8 zero days so far this year, in four months. That is above average, if we look back this same time last year. So the zero-day trend is heading the way we anticipated. We know that there is a big market for this, and the trend seems to confirm it," says Kasper Lingaard,director of research and security at Secunia.
Says Trend Micro's Clay: "The criminal underground will use any and all zero-day exploits that are disclosed as quickly as they can, in an effort to maximize their window of opportunity while the vulnerabilities are still unpatched."