
Hackers use six-year-old Microsoft Office bug to spread Agent Tesla

Threat actors have been observed leveraging a six-year-old bug – CVE-2017-11882 – to spread Agent Tesla to users of vulnerable versions of Microsoft Office.

In a Dec. 19 blog post, Zscaler researchers said CVE-2017-11882 is a remote code execution flaw found in the Equation Editor of Microsoft Office. It arises because of a weakness in how the software manages system memory for objects.

The researchers said the Agent Tesla infection starts when the threat actors distribute spam emails with malicious attachments in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.

First discovered in 2014, Agent Tesla operates as an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers, according to the researchers.

The fact that the threat actor uses a 2017 vulnerability highlights a depressing truth for security professionals: many organizations are not only failing to update software, they’re running end-of-life (EOL) versions that are well outside of support, said John Bambenek, president of Bambenek Consulting.

“This makes them easy pickings for breaches,” said Bambenek. “As long as software companies are aggressively EOL’ing software quicker than organizations can afford to upgrade, the internet will continue to be divided into the secure and the security ‘have nots.’” 

Callie Guenther, senior manager, cyber threat research at Critical Start, added that despite being old, the CVE-2017-11882 vulnerability remains effective because of its ability to execute code with user-level privileges. Guenther said the phishing campaigns cleverly use decoy Excel documents in invoice-themed messages, making it a potent threat.

“This attack underscores that older vulnerabilities, if left unpatched, can remain viable avenues for exploitation,” said Guenther. “Despite being identified years ago, CVE-2017-11882 continues to be a threat, indicating that many systems remain unpatched or use outdated software versions.”

Patrick Harr, chief executive officer at SlashNext, said it’s important for security pros to understand the harm that can come from falling victim to remote access trojan malware. Harr said it lets cybercriminals secretly take control of victims’ computers, enabling data theft, espionage, and access to sensitive systems.

“Access often gets sold to carry out more impactful attacks, including ransomware attacks,” explained Harr. “The best way to stop Agent Tesla is to ensure your phishing protection can effectively detect and stop malicious file attachments, including Office files, .html files, and files delivered outside of email.”
