Friday, May 27, 2016

Missing 2015 MS Office Patch targeted by APT actors

Computers running vulnerable versions of Microsoft Office (missing MS15-099) are actively targeted by multiple advanced threat actors. Although this zero-day attack was patched in September 2015, advanced attackers continue to exploit this vulnerability, suggesting widespread patching failures.

Kaspersky Labs compiled a list that included Platinum, APT16, EvilPost, and SPIVY, alongside its own Danti finding:

| Code-name | Researcher | Discovery date | Activity area | MS15-099 exploitation | Reference |
|---|---|---|---|---|---|
| Platinum | Microsoft | August 2015 (zero-day discovery) | India, Malaysia, Indonesia, China | Resume for technical position | PLATINUM: Targeted attacks in South and Southeast Asia, Windows Defender Advanced Threat Hunting Team |
| EvilPost | FireEye / Kaspersky | November 2015 | Japan | Japanese national defense topics | The EPS Awakens, Threat Research Blog |
| APT16 | FireEye | December 2015 | Taiwan, China | Taiwanese opposition party (Democratic Progressive Party) document | The EPS Awakens - Part 2, Threat Research Blog |
| SPIVY | Palo Alto Networks | March 2016 | Hong Kong | Hong Kong pro-democracy documents | New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists |
| Danti | Kaspersky | March 2016 | India, Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal, and Philippines | Forged Indian government communication targeting Indian embassies in Hungary, Denmark, Colombia and the Ministry of Foreign Affairs | CVE-2015-2545: overview of current threats, Danti attacks |
Common tactics among this list of attackers:
  • Spear phishing emails
  • Weaponized MS Office file attachment
  • Exploitation of weak institutional patch practices (Platinum excluded, since it used the vulnerability as a zero-day before the patch existed)
  • Thorough understanding of target to include appropriate language/grammar and/or appropriate local customs

True zero-day vulnerabilities are costly tools to acquire. Attackers conserve their private arsenal of zero-day tools because discovery equates to tool loss.

Failing to apply patches distorts this economy, allowing advanced attackers to penetrate with virtually no cost.

Make attackers pay. Patch your systems.


SOURCES:
Kaspersky: Danti and Co: Beware of Long-Forgotten Vulnerabilities!
Kaspersky: CVE-2015-2545: overview of current threats
Microsoft: PLATINUM: Targeted attacks in South and Southeast Asia
Microsoft: Microsoft Security Bulletin MS15-099 - Critical
Palo Alto Networks: New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
FireEye: The EPS Awakens, Threat Research Blog
FireEye: The EPS Awakens - Part 2, Threat Research Blog
