Unpatched Zero-Day Exploit Detected Targeting Microsoft Office
Threat Overview:
A previously undisclosed vulnerability has been identified in the wild, affecting unpatched versions of Microsoft Office and Microsoft Windows Operating Systems.
The vulnerability relates to the Windows OLE (Object Linking and Embedding) function, found in Microsoft Windows and Office software, which allows an application to link to and embed content in other documents, and is being leveraged by malicious actors as a targeted attack vector for the installation of multiple malware variants. Analysis of the attack chain reveals an adversary sending the victim an email containing a word document as an attachment. When the targeted user opens this specifically crafted word document, the exploit, the winword.exe application is launched, triggering the download of a malicious HTA (HTML Application) file from a remote server controlled by the attacker. The .hta file is executable, allowing remote code execution capabilities on the target computer. The .hta file is disguised as an RTF (Rich Text Format) document in an attempt to evade current security countermeasures.
Importantly, this RTF is intended to act as a decoy, while the malicious HTML application continues to run in the background, downloading additional payloads and executing a malicious script to install malware onto the users system. The original winword.exe process is terminated in an attempt to hide a user prompt generated by the OLE2link.
Detection:
- The malicious office documents are detected as Malware.Binary.Rtf
- This vulnerability is bypassing most mitigations
- Attacks leveraging this vulnerability have been detected in the wild as far back as January 2017
Remediation & Mitigation
Microsoft is expected to release a patch shortly, which should be applied as soon as it is available. In the interim, the following measures can be taken to mitigate the impact of delivery of malware:
- The use of Office Protected View when opening files can also help to stop the attack, with the exploit being disabled and subsequently prevented from executing when Office Protected View is used.
- Symantec Email Security.Cloud customers should consider implementing a custom rule to detect attachment types associated with this attack, and either tag the subject of the original email upon delivery to the recipient inbox, or trigger an alert to the end user advising them that they have received a potentially malicious email, and to refrain from opening the attachment unless received from a trusted sender. For support or guidance in doing this, please contact your InfoTrust Account Manager.
- Advise users to refrain from opening office attachments from untrusted senders or locations.
see our
Related resources
Overnight we have seen yet another Global Ransomware Outbreak, again beginning in Europe. It’s not yet known of the full extent of the outbreak, but this advisory is designed to provide the most up to date information for our customers as at 9.48am on Wednesday 28th June 2017 AEST.
If you are using Symantec Email Security.cloud or up to date Symantec Endpoint Protection 14, indications at this stage are that you are protected. However, you should still patch your Microsoft systems with MS17-010, if not already done following the Wannacry outbreak.
This morning the Australian Prime Minister, Scott Morrison, announced that the Australian Cyber Security Centre (ACSC) had been tracking a sustained, state-sponsored cyber-attack on the Government and Private sector.
The finer details are still coming to light, but here are a few Incident Response best practices and prudent measures you should consider as an answer to questions likely being asked by your Executive suite and Board, such as:
Has our business been impacted by this attack and what should we do?
We're Here To Help