Kaspersky: Old Microsoft Office Vulnerabilities Behind Most Exploits in Q2
Older versions of Microsoft Office suite are an invitation for attackers.
New Kaspersky research shows Microsoft Office exploits increased during the second quarter. They accounted for 82% of the total number of exploits across different platforms. That includes Adobe Flash, Android, Java and more.
Old versions of applications remain the main targets for attackers. Corresponding vulnerabilities affected nearly 547,000 users in the last quarter.
Moreover, the number of users affected by the Microsoft MSHTML Remote Code Execution vulnerability, which was previously spotted in targeted attacks, grew eightfold. This zero-day vulnerability in Internet Explorer’s engine MSHTML was first reported last September. The engine is a system component that Microsoft Office applications use to handle web content. When exploited, it enables the remote execution of malicious code on victims’ computers.
Alexander Kolesnikov is a malware analyst at Kaspersky.
“What is common for the mentioned vulnerabilities is the possibility of making variations of the exploit to change the file structure,” he said. “It may help to bypass some protection systems other than our solution. For example, if such antivirus is installed on the device, and there is also no patch for Microsoft Office suite, then attackers can easily circumvent the security system and reach their goal. Also, these vulnerabilities are popular due to being simple in terms of exploitation and implementation. An attacker without deep technical knowledge is able to write an exploit for them.”
Older Versions an Invitation for Attackers
Kaspersky said older versions of the Microsoft Office suite are an invitation for attackers. For instance, cybercriminals used two vulnerabilities to attack almost 487,000 users via older versions of Microsoft Office suite programs. Those programs remain popular and are still a highly attractive target for criminals. Exploiting these vulnerabilities, attackers typically distributed malicious documents that corrupt the memory of the Equation Editor component and run malicious code on the victim’s computer.
Another vulnerability affected more than 60,000 users. If exploited successfully, this vulnerability enables attackers to control a victim’s computer, and view, change or delete data without their knowledge.
“All of the mentioned vulnerabilities were found in consequence of a targeted attack,” Kolesnikov said. “An exploit file was discovered either from the victims’ computer or on VirusTotal. After that, these vulnerabilities went popular for a wide range of purposes and became workhorses for attackers. For instance, now they are used to spread miners or ransomware, or even for targeted attacks as well.”
Further Exploits Expected in Q3
Attackers will definitely use these vulnerabilities this quarter and beyond, Kolesnikov said.
“Despite the fact that some of them date back to 2017-2018, they are still used in new attacks,” he said. “The reason is simple. Phishing accounts for a large share of attacks on companies, with documents being the most convenient way to infect a device. If a new, similar vulnerability appears, it will also quickly become popular among attackers.”
To prevent attacks via Microsoft Office vulnerabilities, Kaspersky researchers recommend implementing the following measures:
Provide your security operations center (SOC) team with access to the latest threat intelligence (TI).
Receive relevant and up-to-date information on threats to be aware of and the tactics, techniques and procedures (TTPs) used by attackers.
Use a security solution that provides vulnerability management components. Also, EDR and MDR can help detect and prevent attacks at an early stage.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.