Zero-day vulnerability in Microsoft Office

Improper input validation
CVE-2017-0199

The detected samples are organized as Word files containing Dridex botnet ID 7500 (more specifically, RTF files with a “.doc” extension). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
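The samples above were RTF content delivered under a ".doc" name, so a cheap defensive check is to compare each file's extension with the container format its leading bytes actually declare. The following is an added example written for this page, not code from the advisory, McAfee or FireEye; the filenames and byte strings are constructed to illustrate the check, and the signature table only covers the three Office container types named in the code.

```python
import os

# Leading-byte signatures for the container formats Office opens.
# Word's RTF parser is lenient and accepts a truncated header such as "{\rt",
# so only that prefix is required to classify a file as RTF.
MAGIC = (
    (b"{\\rt", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls/.ppt compound file
    (b"PK\x03\x04", "zip"),                         # OOXML (.docx, .xlsx, ...) is a ZIP archive
)

# Container format each tracked extension is expected to carry.
EXPECTED = {
    ".doc": {"ole"},
    ".dot": {"ole"},
    ".docx": {"zip"},
    ".docm": {"zip"},
    ".rtf": {"rtf"},
}


def detect_container(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    head = data[:8]
    for signature, kind in MAGIC:
        if head.startswith(signature):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return True when the content type contradicts the extension,
    False when they agree, and None for extensions this check does not track."""
    ext = os.path.splitext(filename)[1].lower()
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return None
    return detect_container(data) not in allowed


def flag_samples(samples: dict) -> list:
    """Return the names of all samples whose content contradicts their extension."""
    return sorted(name for name, data in samples.items() if extension_mismatch(name, data))


# Constructed sample inputs (not real malware): an RTF body renamed to .doc,
# a genuine compound-file .doc, a genuine .rtf and an OOXML .docx.
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi\\deff0 {\\object\\objautlink ...}}",
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "notes.rtf": b"{\\rtf1\\ansi hello}",
    "memo.docx": b"PK\x03\x04" + b"\x00" * 26,
}

if __name__ == "__main__":
    for name in flag_samples(SAMPLES):
        print(f"extension/content mismatch: {name} ({detect_container(SAMPLES[name])})")
```

The check is a triage filter, not a verdict: a mismatch flags the file for closer inspection of any embedded objects, and a matching extension says nothing about whether the document is safe.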

This vulnerability was also used by the Petya.A ransomware in the malware outbreak of 27 June 2017 as one of its attack vectors.

Known malware:

Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A

Vulnerability details

Advisory: SB2017040901 - Remote code execution in Microsoft Office

Vulnerable component: Microsoft Office

CVE-ID: CVE-2017-0199

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper Input Validation

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can create a specially crafted Word or RTF file containing Dridex botnet ID 7500, trick the victim into opening it, and execute arbitrary code on the target system with the privileges of the current user.

Successful exploitation of this vulnerability may result in compromise of the vulnerable system.

Note: the vulnerability is being actively exploited.

Known APT campaigns:

CopyKittens targeting Northern Cyprus

In April 2017 CopyKittens spread malicious emails exploiting the zero-day vulnerability CVE-2017-0199 through a compromised account belonging to a Ministry of Northern Cyprus employee.

BlackTech group

BlackTech is a cyber espionage group mainly targeting companies in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong.

The threat group is linked to the PLEAD (2012), Shrouded Crossbow (2010) and Waterbear cyber operations. In its attacks BlackTech used a novel right-to-left override (RTLO) technique.

Public Exploits:

Latest references in media:

- Cobalt Group Pushes Revamped ThreadKit Malware [2018-12-11 19:40:23]

- Cobalt Bank Robbers Use New ThreadKit Malicious Doc Builder [2018-12-11 16:20:29]

- Gathering Insights on the Reemergence and Evolution of Old Threats Through Managed Detection and Response [2018-10-31 13:10:21]

- Hackers tamper with exploit chain to drop Agent Tesla, circumvent antivirus solutions | ZDNet [2018-10-16 13:10:11]

- New Technique Recycles Exploit Chain to Keep Antivirus Silent [2018-10-16 01:50:19]

- KeyBoy Abuses Popular Office Exploits for Malware Delivery [2018-10-10 19:20:08]

- Creators of Tools for Building Malicious Office Docs Ditch Old Exploits [2018-09-12 22:30:05]

- New Silence hacking group suspected of having ties to cyber-security industry | ZDNet [2018-09-05 13:30:10]

- IT threat evolution Q2 2018. Statistics [2018-08-06 12:00:56]

- Hacking group combines spear-phishing with mass malware campaign | ZDNet [2018-08-02 15:00:13]

- FELIXROOT Backdoor Has Resurfaced In Environmental Spam Campaign [2018-07-30 15:31:00]

- Office Vulnerabilities Chained to Deliver Backdoor [2018-07-30 13:40:07]

- FELIXROOT Backdoor is back in a new fresh spam campaign [2018-07-30 09:30:09]

- FBI boss: We went to the moon, why can't we have crypto backdoors? – and more this week [2018-07-28 10:30:01]

- Hackers Distributing FELIXROOT Backdoor using Microsoft Office Vulnerabilities [2018-07-27 02:50:54]

- Hacking campaign uses old Microsoft Office flaws to create backdoors, steal files | ZDNet [2018-07-26 16:30:08]

- Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign [2018-07-26 16:30:04]

- Five Threats to Financial Services: Banking Trojans [2018-07-25 16:25:00]

- Password-stealing, eavesdropping malware targets Ukrainian government | ZDNet [2018-07-18 17:40:09]

- QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine [2018-07-18 11:10:10]

- RATs Bite Ukraine in Ongoing Espionage Campaign [2018-07-17 20:00:13]

- Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis [2018-07-11 20:50:50]

- Cyber-Espionage Campaigns Target Tibetan Community in India [2018-06-27 19:20:10]

- Microsoft Office: The Go-To Platform for Zero-Day Exploits [2018-06-21 19:21:10]

- Microsoft Office: The Go-To Platform for Zero-Day Exploits [2018-06-21 19:10:08]

- 2017-6-26 Global Cyber Attack Reports [2018-06-19 01:35:46]

- IT threat evolution Q1 2018. Statistics [2018-05-14 12:12:44]

- Internet Explorer (IE) Zero-day Vulnerability to Perform Remote Hacking [2018-05-13 09:37:28]

- Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack [2018-05-10 07:40:45]

- The King is dead. Long live the King! [2018-05-09 08:07:49]

- MS Office Document Exploit Kit Distributing New Exploits and Malware [2018-03-31 07:37:08]

- Microsoft Products Are Hackers’ Favorite — Report [2018-03-29 12:38:47]

- New ThreadKit exploit builder used to spread banking Trojan and RATs [2018-03-28 14:43:53]

- Attackers Shift From Adobe Flaws to Microsoft Products [2018-03-27 23:18:25]

- The Top Vulnerabilities Exploited by Cybercriminals [2018-03-27 17:40:51]

- New "ThreadKit" Office Exploit Builder Emerges [2018-03-27 17:40:49]

- You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report [2018-03-22 18:12:51]

- Chinese Intelligence Agencies Are Doctoring the Country's Vulnerability Database [2018-03-10 15:15:14]

- China's Vulnerability Database Altered to Hide Govt. Influence [2018-03-09 22:21:41]

- Malicious RTF Excel Sheet Distribting & Install RAT via VBA Macro code [2018-02-23 14:12:36]

- Malicious RTF Persistently Asks Users to Enable Macros [2018-02-21 14:31:44]

- Don't Fall Victim to IP Theft and Corporate Espionage [2018-02-01 13:51:09]

- North Korea Group 123 involved in at least 6 different hacking campaigns in 2017 [2018-01-18 17:50:06]

- New Attack Group Fires RATs and Disc Wipers at Targets [2018-01-18 12:50:02]

- North Korea's finest spent 2017 distributing RATs, wipers, and phish [2018-01-18 07:40:02]

- Threat Actors Quickly Adopt Effective Exploits [2018-01-17 17:01:21]

- Most Common Exploits of 2017 in Microsoft Office, Windows [2018-01-16 19:10:02]

- Microsoft Office Docs New Vessel for Loki Malware [2017-12-19 22:30:03]

- Exploits and fileless malware drive record new malware surge [2017-12-19 07:30:06]

- Patchwork Cyberspies Adopt New Exploit Techniques [2017-12-12 18:01:19]

- Untangling the Patchwork Cyberespionage Group [2017-12-11 13:33:54]

- Iranian Cyberspies Exploit Recently Patched Office Flaw [2017-12-07 20:00:19]

- New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit [2017-12-07 18:30:01]

- Cobalt Hackers Exploit 17-Year-Old Vulnerability in Microsoft Office [2017-11-27 19:50:06]

- China Delays Vulnerability Disclosure Process on Important Bugs [2017-11-17 14:11:52]

- China May Delay Vulnerability Disclosures For Use in Attacks [2017-11-16 21:32:18]

- Beijing Delays Bug Reports While Hackers Exploit Flaws — Report [2017-11-16 14:11:07]

- APT Trends report Q3 2017 [2017-11-14 11:06:12]

- IT threat evolution Q3 2017. Statistics [2017-11-10 11:54:53]

- Spam and phishing in Q3 2017 [2017-11-03 11:29:33]

- Gaza Cybergang - updated 2017 activity [2017-10-30 10:06:24]

- Overlay Technique from Brazilian Banking Trojans Making Resurgence [2017-10-20 17:20:03]

- Cyber espionage – China-Linked group leverages recently patched .NET Flaw [2017-10-19 10:00:23]

- Recently Patched .NET Flaw Exploited by China-Linked Cyberspies [2017-10-18 16:21:20]

- Mysterious cyber espionage campaign uses 'torpedo' lure to trick you into downloading malware | ZDNet [2017-10-18 12:20:04]

- BlackOasis APT leverages new Flash zero-day exploit to deploy FinSpy [2017-10-17 09:11:24]

- This sneaky phishing attack hijacks your chats to spread malware | ZDNet [2017-10-06 17:10:03]

- SophosLabs’ Gabor Szappanos awarded for AKBuilder research [2017-10-06 16:12:03]

- Ongoing Email Exchanges Hijacked in Spear-Phishing Attacks [2017-10-06 14:41:29]

- Hackers Hijack Ongoing Email Conversations to Insert Malicious Documents [2017-10-06 11:22:13]

- Spoofed IRS notice delivers RAT through link updating trick [2017-09-22 11:52:16]

- Microsoft patches second FinSpy zero-day exploit this year [2017-09-14 17:33:33]

- September Patch Tuesday, patch your Windows now to avoid ugly surprises [2017-09-13 19:31:08]

- .NET Zero-Day Flaw Exploited to Deliver FinFisher Spyware [2017-09-12 20:40:42]

- FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY [2017-09-12 19:20:22]

- Targeted Attacks Leverage PowerPoint File for Malware Delivery [2017-09-06 19:13:33]

- Autodesk A360 Drive Used to Spread Malware [2017-09-06 17:17:35]

- A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs [2017-09-06 01:54:06]

- Autodesk’s A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs [2017-09-05 12:21:24]

- IT threat evolution Q2 2017. Statistics [2017-08-31 02:05:00]

- Spam and phishing in Q2 2017 [2017-08-31 02:05:00]

- Security Affairs newsletter Round 124 – News of the week [2017-08-20 18:11:31]

- Attackers turn to auto-updating links instead of macros to deliver malware [2017-08-18 10:30:27]

- Leaked Exploits Fueled Millions of Attacks in Q2: Kaspersky [2017-08-17 19:41:52]

- Exploit Packages Lead to Five Million Attacks in Q2 [2017-08-16 14:21:10]

- CVE-2017-0199: Crooks exploit PowerPoint Slide Show files to deliver malware [2017-08-15 17:43:21]

- New Office attack flops but shows how easily crooks weaponise vulns [2017-08-15 17:40:01]

- Attackers Combine Office Exploits to Avoid Detection [2017-08-15 10:41:33]

- Office Exploit Gets New Life With PowerPoint Variation [2017-08-15 10:30:34]

- PowerPoint Slide Show Files Used to Install Malware [2017-08-14 23:51:10]

- Hackers are using a remote code execution vulnerability in Microsoft office to hack computers remotely using PowerPoint files. [2017-08-14 20:50:03]

- CVE-2017-0199: New Malware Abuses PowerPoint Slide Show [2017-08-14 11:20:07]

- Malware campaign targets Russian-Speaking companies with a new Backdoor [2017-08-11 10:51:40]

- Kaspersky Details APT Trends for Q2 2017 [2017-08-10 20:00:48]

- Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity [2017-08-08 22:40:27]

- Campaign Targets Russian-Speaking Enterprises With New Backdoor [2017-08-08 18:32:30]

- Backdoor-carrying Emails Set Sights on Russian-speaking Businesses [2017-08-07 15:21:15]

- Cobalt Hackers Now Using Supply Chain Attacks [2017-08-02 19:12:56]

- SystemD wins top gong for 'lamest vendor' in Pwnie security awards [2017-07-28 22:50:02]

- Experts detailed the new Operation Wilted Tulip campaign of the CopyKittens APT [2017-07-25 19:12:16]

- Security Eesearchers have unveiled Cyber Espionage Attacks by CopyKittens Hackers [2017-07-25 17:12:33]

- Iranian 'CopyKittens' Conduct Foreign Espionage [2017-07-25 15:01:13]

- Video Game Firms Targeted With "Paranoid" PlugX Malware [2017-06-28 14:20:28]

- Security Alert: New ransomware outbreak combines attack vectors, delivers malware cocktail [2017-06-28 13:40:57]

- Petya Ransomware Spreading Via EternalBlue Exploit [2017-06-27 23:40:10]

- Complex Petya-Like Ransomware Outbreak Worse than WannaCry [2017-06-27 22:10:15]

- Following the Trail of BlackTech’s Cyber Espionage Campaigns [2017-06-22 14:50:07]

- SophosLabs analysis: why the surge in Word docs hiding ransomware? [2017-06-20 15:30:46]

- Word exploits weaponised in quick time [2017-06-12 18:20:06]

- Zusy Malware Installs Via Mouseover – No Clicking Required [2017-06-07 20:40:12]

- Privileges and Credentials: Phished at the Request of Counsel [2017-06-07 00:40:14]

- WikiLeaks Reveals Two CIA Malware Frameworks [2017-05-16 12:40:28]

- EPS Processing Zero-Days Exploited by Multiple Threat Actors [2017-05-09 19:20:17]

- Security Affairs newsletter Round 109 – News of the week [2017-05-07 17:40:53]

- Chinese TA459 APT exploits CVE-2017-0199 flaw to target Financial firms [2017-05-03 15:31:01]

- The Best Twitter Cybersecurity Accounts You Should Follow [2017-05-02 12:20:12]

- China-Linked Spies Use Recent Zero-Day to Target Financial Firms [2017-05-02 11:40:19]

- The Best Twitter Cybersecurity Accounts You Should Follow [2017-05-02 11:30:20]

- Iranian Hackers Exploit Recent Office 0-Day in Attacks: Report [2017-05-01 15:10:33]

- WikiLeaks Reveals CIA Tool ‘Scribbles’ For Document Tracking [2017-04-29 01:00:29]

- The Week in Ransomware - April 28th 2017 - Cerber, Mordor, and CVE-2017-0199 [2017-04-29 00:30:28]

- The Week in Ransomware - April 28th 2017 - [2017-04-28 23:40:32]

- Sneaky 'fileless' malware flung at Israeli targets [2017-04-28 14:30:01]

- The massive attack against Israel was alleged launched by the Iranian OilRig APT group [2017-04-28 09:20:33]

- The Massive attack against Israel was alleged launched by the Iranian OilRig APT group [2017-04-28 09:10:45]

- Hackers exploited a Word hole for months [2017-04-27 12:30:02]

- Security Affairs newsletter Round 108 – News of the week [2017-04-25 11:30:24]

- SMSVova Spyware Hiding in ‘System Update’ App Ejected From Google Play Store [2017-04-22 14:10:13]

- Windows attacks via CVE-2017-0199 – Practical exploitation! (PoC) [2017-04-17 18:30:35]

- Security Affairs newsletter Round 107 – News of the week [2017-04-16 13:00:04]

- Why Did Microsoft Wait Six Months To Patch a Critical Word Zero-Day? [2017-04-15 15:00:23]

- Google Making Life Difficult for Ransomware to Thrive on Android [2017-04-14 16:00:41]

- CVE-2017-0199 Zero Day exploit used to deliver FINSPY spyware [2017-04-13 19:40:22]

- Office 0-Day Abused in Latentbot, WingBird Attacks [2017-04-13 14:30:31]

- Recent Microsoft 0-Day Used for Cyber-Espionage and Mundane Malware Distribution [2017-04-13 12:30:23]

- It turns out that not just cyber criminals, but also Governments were also using Microsoft Word 0-Day Exploit for hacking [2017-04-13 10:50:12]

- Office Zero Day Delivering FINSPY Spyware to Victims in Russia [2017-04-12 21:00:34]

- Microsoft Word exploit linked to cyberspying in Ukraine conflict [2017-04-12 20:10:21]

- April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks [2017-04-12 18:11:44]

- CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware [2017-04-12 17:10:10]

- Microsoft fixes 45 flaws, including three actively exploited vulnerabilities [2017-04-12 15:50:19]

- Microsoft releases security patches for actively exploited critical zero-day vulnerabilities [2017-04-12 12:30:20]

- Microsoft’s New Look Patch Tuesday Fixes 46 Bugs [2017-04-12 12:00:37]

- In the Mess of Its New Security Updates Format, Microsoft Patched 3 Bugs Exploited in Live Attacks [2017-04-12 11:30:34]

- Microsoft Patch Tuesday fixes three flaws actively exploited in attacks in the wild [2017-04-12 10:30:14]

- Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own [2017-04-12 10:30:03]

- Microsoft Patches Office, IE Flaws Exploited in Attacks [2017-04-12 09:20:22]

- Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes [2017-04-12 01:30:01]

- Microsoft Patches Three Vulnerabilities Under Attack [2017-04-12 00:20:13]

- Microsoft's April 2017 Patch Tuesday Comes with 61 Security Updates [2017-04-11 23:40:34]

- Microsoft kicks security bulletins to the curb in favor of security update guide [2017-04-11 21:50:09]

- CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler [2017-04-11 19:40:14]
