Cyber security trends can be hard to nail down because attacker strategies constantly evolve. But a new report from Sophos suggests that criminals have finally turned away from an old Microsoft Office exploit and instead are favouring two new ones.
However, the report also emphasizes how much weight CISOs need to give their patching strategy, because even the new exploits already have fixes available.
Sophos says that data gathered recently from customers shows the four-year-old CVE-2012-0158 vulnerability, which allows remote attackers to execute arbitrary code via a crafted Web site, Office document, or .rtf file, has been supplanted in exploit kits by CVE-2015-1641, also a remote code execution vulnerability, and CVE-2015-2545, which allows remote attackers to execute arbitrary code via a crafted EPS image embedded in a document or email.
The vendor believes there are three reasons for the switch:
–the Angler exploit kit has been upgraded to drop the older Office exploit and add the two newer ones;
–in the past weeks, the Microsoft Word Intruder (MWI) kit, which generates booby-trapped .rtf files, also dropped the older exploits and added support for CVE-2015-1641; and
–cybercriminal groups that actively distribute FareIt malware and the Zbot Trojan switched from using the DL-2 exploit kit to a solution using CVE-2015-2545.
In addition to supporting the new exploits, the MWI kit has added support for decoy documents and the ability to drop two different payload files, with the payload stored at the end of the file, Sophos noted.
The ability to include decoy documents, which cover the tracks of the malware's activity during infection by showing some innocent content (such as an embedded image of a document) to distract the victim while the exploit executes, is troubling to infosec pros.
Sophos says CVE-2015-1641 hasn’t significantly changed from the previously known implementations. The file that triggers the exploit, document.xml, was stripped down to a minimal size and only the necessary parts were included, the report says.
As for CVE-2015-2545, it is being distributed through emails with attached documents purporting to be payment copies, quotations, or product order lists. The attachment is a Microsoft Word document in DOCX format or an MHTML file, either of which contains an embedded PostScript file that exploits a vulnerability in the way Microsoft Office handles encapsulated PostScript (EPS) files. The vulnerability affects Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1.
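Because the DOCX carrier described above is a ZIP package with the EPS stored as an embedded part, a mail gateway or triage script can flag such attachments before a user opens them. The following is an added example (not from the Sophos report or the article): it inspects a DOCX for EPS/PostScript parts by extension, declared content type and leading bytes, and builds a constructed sample document to run against; MHTML carriers are outside its scope.

```python
import io
import zipfile

# EPS indicators: the ASCII PostScript header and the 4-byte DOS EPS binary header.
PS_MAGIC = b"%!PS"
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"
EPS_CONTENT_TYPE = b"image/x-eps"
CONTENT_TYPES_PART = "[Content_Types].xml"


def find_eps_parts(docx_bytes):
    """Return sorted names of parts inside a DOCX that look like EPS/PostScript.

    A DOCX is a ZIP package; images normally live under word/media/. A part is
    flagged if its extension, the package's declared content types, or its
    first bytes point at PostScript. Non-ZIP input yields an empty list.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return []
    flagged = set()
    with zf:
        names = zf.namelist()
        types_xml = zf.read(CONTENT_TYPES_PART) if CONTENT_TYPES_PART in names else b""
        if EPS_CONTENT_TYPE in types_xml:
            flagged.add(CONTENT_TYPES_PART)  # package declares an EPS type
        for name in names:
            if name.lower().endswith((".eps", ".ps")):
                flagged.add(name)
                continue
            # Sniff the head of every part: an EPS renamed to .bin still starts with %!PS.
            head = zf.open(name).read(32)
            if head.startswith(PS_MAGIC) or head.startswith(EPS_BINARY_MAGIC):
                flagged.add(name)
    return sorted(flagged)


def build_sample_docx(embed_eps):
    """Constructed sample (not a real malicious file): a minimal DOCX-like ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        defaults = b'<Default Extension="xml" ContentType="application/xml"/>'
        if embed_eps:
            defaults += b'<Default Extension="bin" ContentType="image/x-eps"/>'
        zf.writestr(CONTENT_TYPES_PART, b"<Types>" + defaults + b"</Types>")
        zf.writestr("word/document.xml", b"<w:document/>")
        if embed_eps:
            # Extension hides the type; content sniffing and the declared type catch it.
            zf.writestr("word/media/image1.bin", b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n")
    return buf.getvalue()
```

A hit on either the declared content type or an embedded part is reason to quarantine the attachment for analyst review rather than deliver it.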
For more on this exploit see this report from Kaspersky Labs.
“The groups that are currently using the two new Office exploits are very active cybercrime groups,” Sophos warns. Expect more groups to adopt them, which means CISOs have to ensure their patching teams are aware that fixes are available.