Exploit kits now adopting recent Office vulnerabilities: Report

Cyber security trends can be hard to nail down because attacker strategies constantly evolve. But a new report from Sophos suggests that criminals have finally turned away from an old Microsoft Office exploit and instead are favouring two new ones.

However, the report also emphasizes the importance CISOs have to put in their patching strategy because even the new exploits have fixes out for them.

Sophos says that data gathered recently from customers shows the four-year old CVE-2012-0158 vulnerability, which allows remote attackers to execute arbitrary code via a crafted Web site, Office document, or .rtf file has been supplanted in exploit kits by CVE-2015-1641, also a remote execution attack and  CVE-2015-2545, which allows remote attackers to execute arbitrary code via a crafted EPS image that would be embedded in a document or email.

The vendor believes there are three reasons for the switch:

–the Angler exploit kit has been upgraded to drop the older Office exploit and added the two newer ones;

–in the past weeks, Microsoft Word Intruder (MWI) kit, which generates booby-trapped .rft files, also dropped the older exploits and added support for CVE-2015-1641; and cybercriminal groups that actively distribute FareIt malware and Zbot Trojan, switched from using the DL-2 exploit kit to a solution using CVE- 2015-2545.

In addition to adding support for the new exploits the MWI kit now has added support for decoy documents, the ability to drop two different payload files can be dropped and the payload is stored at the end of the file, Sophos noted.

The ability to include decoy documents– which cover the tracks of the malware’s activity during infection by showing some innocent content, like an embedded image of a document to distract the victim while the exploit executes — is troubling to infosec pros.S

Sophos says CVE-2015-1641 hasn’t significantly changed from the previously known implementations. The file that triggers the exploit, document.xml, was stripped down to a minimal size and only the necessary parts were included, the report says.

As for CVE-2015-2545, it is being distributed through emails with attached documents purporting to be for payment copy, quotations, or product order lists. The attachment is a Microsoft Word document in DOCX format or an MHTML file, either of which contains an embedded PostScript file that exploits a vulnerability in the way Microsoft Office handles encapsulated PostScript (EPS) files. The vulnerability affects Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1.

For more on this exploit see this report from Kaspersky Labs.

“The groups that are currently using the two new Office exploits are very active cybercrime groups,” Sophos warns. Expect more of them to adopt it. Which means CISOs have to ensure their patching team is aware fixes are available.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now