A bug in Microsoft Office and WordPad has been used in the wild in campaigns delivering the Helminth backdoor trojan, the surveillance tool FinSpy, and Dridex banking malware.

A zero-day bug in Microsoft Office and WordPad that hackers exploited to spy on targeted users, implant malware, and steal banking credentials took six months to fix, Reuters has reported.

The vulnerability, officially designated CVE-2017-0199, is a remote code execution bug in the way the software programs parse specially crafted files, Microsoft explained in an advisory. Adversaries can exploit this vulnerability and infect victims with malware by tricking them into opening or previewing specially crafted Word files.

While such attacks have been observed in the wild since at least January 2017, malicious use of the bug exploded this month after McAfee published a report about it five days prior to Microsoft issuing a patch on April 11, Reuters reported. In a statement, Vincent Weafer, VP of McAfee Labs, said that McAfee experienced "a glitch in our communications with our partner Microsoft that impacted a coordinated response to these attacks, which is being corrected."

The April 6 McAfee report revealed that the root cause of the vulnerability specifically lies within the Windows Object Linking and Embedding (OLE) feature. "The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file," McAfee's post explains. "Because .hta is executable, the attacker gains full code execution on the victim's machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft."

The Iran government-linked OilRig threat group is among the entities accused of actively using the exploit. Threat prevention company Morphisec reported in a blog post on Thursday that OilRig leveraged the Microsoft Office vulnerability in a politically motivated campaign that targeted more than 250 individuals at Israeli high-tech development companies, medical organizations and education organizations.

The attacks, which took place from April 19-24, delivered a fileless variant of the Helminth backdoor trojan via communications sent from compromised Ben-Gurion University email accounts. The Helminth malware, in turn, would then connect with a command-and-control server and download a customized version of the post-exploitation tool Mimikatz to collect information on infected machines and their connected networks.

"Every few years, a new logic bug CVE in OLE object linking is identified... This kind of vulnerability is rare but powerful," reads Morphisec's analysis, which also cites earlier reports from the Israel National Cyber Event Readiness Team (CERT-IL) and The Marker. "It allows attackers to embed OLE objects (or links in the case of CVE-2017-0199) and bypass Microsoft validation of OLE execution without warning." In such attacks, the adversaries do not have to trick victims into enabling malicious macros, a request that can often raise a red flag with users.
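As an added example (not code from the article, Microsoft, or any vendor cited in it), here is a small Python triage check for the pattern the McAfee and Morphisec passages describe: an OLE relationship in a Word Open XML (.docx) package whose target is a remote URL rather than an embedded part. The relationship type URI is the standard OOXML one; the sample package and the hostname are constructed fixtures, and the check covers only the .docx form, not RTF.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE = re.compile(r"^(https?|ftp|file)://", re.I)

def find_external_ole_links(docx_bytes):
    """Return (rels part, relationship id, target) for every OLE relationship whose
    target is a remote URL rather than an embedded part.  A legitimately embedded
    object points at an internal part such as embeddings/oleObject1.bin."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal").lower() == "external" and REMOTE.match(target):
                    hits.append((name, rel.get("Id"), target))
    return hits

def build_sample_docx(ole_target, target_mode=None):
    """Constructed fixture: a minimal zip with only the parts the scanner reads, not a real document."""
    mode = f' TargetMode="{target_mode}"' if target_mode else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # "c2.example.invalid" is a placeholder, not an indicator from any report.
    linked = build_sample_docx("http://c2.example.invalid/update.doc", "External")
    embedded = build_sample_docx("embeddings/oleObject1.bin")
    print("remote OLE links:", find_external_ole_links(linked))   # one hit
    print("embedded object:", find_external_ole_links(embedded))  # []
```

A hit is a reason to quarantine and inspect the file, not proof of exploitation; applying the April 11 patch remains the actual fix.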

Earlier this month, FireEye reported that the same vulnerability was apparently being exploited by both nation-state and cybercriminal hackers.

In January 2017, the nation-state group reportedly began using CVE-2017-0199 for a campaign targeting Russian-speaking victims with FinSpy, a surveillance tool sold by the UK-based Gamma Group, a company that sells its wares to various government organizations. According to FireEye, the campaign used lure documents that referenced a supposed forest management plan from the Russian Ministry of Defense and a military training manual purportedly published in the disputed Donetsk region of Ukraine.

Beginning in March, the cybercriminal group leveraged the exploit in a financially motivated campaign to infect victims with the modular, highly obfuscated Latentbot malware, which can be used to steal credentials, wipe drives and data, disable security software and perform remote desktop functions, FireEye reported.

After McAfee published its controversially timed report, cybercriminals also used the exploit in spam campaigns leveraging Dridex banking malware, FireEye reported. A separate analysis from Proofpoint, published earlier this month, reported that this campaign sent emails with malicious documents to millions of recipients, primarily in Australia.

"This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails," the Proofpoint blog post explains.

According to Reuters, Ryan Hanson, a consultant at the security firm Optiv, originally found the flaw in July 2016 and disclosed it to Microsoft in October. While Microsoft could have quickly addressed the bug by instructing users to change their Microsoft Word settings, doing so would have caught the attention of even more black-hat actors, who likely would have taken advantage of users who did not follow the recommendations, Reuters explained. And although Microsoft may have been able to issue a patch sooner, it instead chose to look more closely into Hanson's discovery before acting.

"This was a complex investigation that took time to thoroughly investigate and patch," said a Microsoft spokesperson, in a statement provided to SC Media. "We performed an investigation to identify other potentially similar methods, and ensure that our fix addresses more than just the issue reported."