Endpoint

9/14/2017
01:10 PM
50%
50%

Microsoft Office Zero-Day Spread Surveillance Software

FireEye discovered CVE-2017-8759 flaw patched by Microsoft this week.

FireEye researchers recently discovered a malicious Microsoft Office RTF document using CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. They reported details of the flaw to Microsoft, which issued a patch earlier this week.

CVE-2017-8759 lets an attacker inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Word document in which threat actors used the injection to download and execute a Visual Basic script containing PowerShell commands.

When successfully exploited, the vulnerability downloads several components and launches FINSPY surveillance software. The malware, also reported as FinFisher or WingBird, can be bought as part of a "lawful intercept" capability, referring to functions in telecommunications that let law enforcement wiretap individuals. Analysts say "with moderate confidence" the malicious document was used by a nation-state to target a Russian-speaking victim for cyberespionage.

This marks the second zero-day flaw used to distribute FINSPY that FireEye has discovered this year, which the company says demonstrates the many resources available to "lawful intercept" companies and customers. FINSPY has been sold to several clients, suggesting broader use.

Read more details here.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10997
PUBLISHED: 2018-06-17
Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
CVE-2018-11218
PUBLISHED: 2018-06-17
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.
CVE-2018-11219
PUBLISHED: 2018-06-17
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.
CVE-2018-10377
PUBLISHED: 2018-06-17
PortSwigger Burp Suite before 1.7.34 has Improper Certificate Validation of the Collaborator server certificate, which might allow man-in-the-middle attackers to obtain interaction data.
CVE-2018-10969
PUBLISHED: 2018-06-17
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.