Incident Response, Malware, Patch/Configuration Management, TDR, Vulnerability Management

2012 RCE bug is still highly exploited in targeted attacks, Trend Micro finds

A remote code execution vulnerability disclosed sometime around April 2012 was named by Trend Micro to be the most commonly exploited vulnerability related to targeted attacks in the second half of 2013 – despite being issued a patch more than two years ago.

The vulnerability – CVE-2012-0158 – impacts Windows common controls, Christopher Budd, threat communications manager for Trend Micro, told SCMagazine.com in a Friday email correspondence. He said it affects a very broad range of products, but most notably Office.

“This vulnerability is broadly exploited in targeted attacks because it enables the execution of code through malformed Office documents, which are a proven attack vector through email attachments,” Budd said.

The flaw was exploited in 76 percent of targeted attacks in the back half of 2013, according to a Tuesday post by Maersk Menrige, a threats analyst with Trend Micro. The runner-up, CVE-2010-3333, a stack-based buffer overflow vulnerability in versions of Office, was exploited in only 10 percent of targeted attacks.

“Combined with the fact that people don't patch older vulnerabilities, [CVE-2012-0158 is a] reliable vulnerability to target, as shown by [it] being the number one vulnerability for targeted attacks,” Budd said.

Researchers with Trend Micro most recently saw the vulnerability being exploited in a targeted phishing attack using emails with the subject, “BREAKING: Plane Crash in Laos Kills Top Government Officials,” according to the post. Budd did not respond to a question asking who was being targeted.

“The email attachments comprised of two legitimate JPG files and an archive file, which in some cases contain TROJ_MDROP.TRX,” Menrige wrote. “Once [the CVE-2012-0158 vulnerability is] exploited, it drops a backdoor detected as a BKDR_FARFLI variant.”

The backdoor executes commands to steal information, including processor and system architecture information, computer names and usernames, network information and proxy settings, Menrige wrote, adding it also communicates with a command-and-control server located in Hong Kong.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.