Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/21/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Office: The Go-To Platform for Zero-Day Exploits

Malicious Office documents are the weapon of choice among cybercriminals, who use files to access remotely hosted malicious components.

Email is a common means of delivering cyberattacks, and Microsoft Office documents are commonly attached to malicious emails. More threat actors are using Word and Excel files to deliver zero-day exploits that are getting more dangerous and even harder to detect.

Researchers at Menlo Security dug further into the connection between Microsoft Office documents and cybercrime. They found attackers are increasingly using malicious Office docs for endpoint exploitation but instead of attaching files packed with malicious macros, they use Office docs to call remotely hosted malicious components, launching exploits in the browser.

Using Office documents in emailed cyberattacks is not new. Some companies send legitimate files with macros enabled; knowing this, threat actors began to use them as a means of infecting endpoints. Unfortunately for them, security tools have become more adept and users have become more security savvy. Fewer are clicking "enable macros" to launch attacks.

As a result, threat actors are shifting their strategies. They don't want the user to click anything for a malicious document to be exploited.

"There is a shift in the TTPs that the attackers are using," explains Vinay Pidathala, Menlo's director of security research. "In late 2017 and early 2018, pretty much all the zero-days getting exploited have used Word, and used remote malicious components to exploit the endpoint."

CVE-2017-0199: Where the Trouble Started

Several vulnerabilities have allowed these exploits to happen, Pidathala says. CVE-2017-0199, published in 2016, is one. The Microsoft Office/WordPad remote code execution vulnerability exploits a logic flaw in Microsoft Word. It appeared in the wild in 2016, when an attack used Word files containing an embedded object that fetched a remote resource from the Web.

This bug lets attackers run code on target systems using the Object Linking and Embedding (OLE) technology in Windows to deliver malware. Anyone who successfully exploited the flaw could control target systems, create new accounts, and view, edit, and delete data.

CVE-2017-0199 was "the start of it all," says Pidathala. Attackers could remotely host their malicious content online; by opening the doc, their target could fetch the resource and get it onto the endpoint without an application displaying any warnings about potential infection.

The trend of remotely hosting cyberthreats continued to grow. A more current example can be seen in CVE-2018-8174, a Windows VBScript Engine Remote Code Execution Vulnerability, which exploits the library used by Internet Explorer to render Web pages. The so-called "Double Kill" bug could let an attacker execute code with the current user's privileges.

An attack starts with a spearphishing email with a malicious RTF file attached. The document contains an OLE object; when activated, it downloads and renders an HTML page through a library that contains the engine behind Internet Explorer. VBScript on the page uses the exploit to download a payload to the endpoint.

It's worth noting Microsoft has patched both CVE-2017-0199 and CVE-2018-8174; however, both individuals and businesses may be behind on their patching and should be aware.

Why Office Documents?

Microsoft Office is an increasingly common platform to launch these attacks because many applications that were once exploited in the browser can also be accessed using a Word document, Pidathala explains.

With CVE-2018-8174, for example, attackers could have targeted a vulnerable version of IE directly without using Word as a conduit. However, links sent in malicious emails will open in IE if clicked, even if the target uses a different default browser. Attackers don't need to use Word either; they could leverage other Office document types to achieve the same goals.

Internet Explorer isn't the default browser on many Windows systems, he continues, especially with the arrival of Edge in Windows 10. However, by embedding an Internet Explorer zero-day and delivering it through Word, an attacker can hit targets who don't have IE set by default.

The reason we're seeing a rise in remotely hosted components is because most security systems differentiate "good" vs. "bad" content, researchers explain. A malicious document only containing a link won't trigger most sandboxes or antivirus solutions to block it.

"Most controls can't detect these kinds of things because of the blended nature of the threat," Pidathala continues. Businesses often allocate less resources toward prevention; typically, industry techniques focus on remediation after the infection has been detected.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4590
PUBLISHED: 2020-09-21
IBM WebSphere Application Server Liberty 17.0.0.3 through 20.0.0.9 running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. IBM X-Force ID: 184650.
CVE-2020-4731
PUBLISHED: 2020-09-21
IBM Aspera Web Application 1.9.14 PL1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188055.
CVE-2020-4315
PUBLISHED: 2020-09-21
IBM Business Automation Content Analyzer on Cloud 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the i...
CVE-2020-4579
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted HTTP/2 request with invalid characters. IBM X-Force ID: 184438.
CVE-2020-4580
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439.