Zero-day vulnerability in Microsoft Office

Stack-based buffer overflow
CVE-2012-0158

Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up/targeting USA companies.

The vulnerability appeared to operate in 2014 in the Western Australian time zone. Examples of such groups include the 'Shiqiang Gang' (as reported by McAfee), 'PLEAD' (as reported by Trend Micro), 'NetTraveler' (as reported by Kaspersky) and 'APT12' (as reported by FireEye).

The vulnerability has been exploited in Red October attacks in 2012 and attacks targeting Chinese media organizations, personnel at government agencies in Europe, Middle East and Central Asia in 2013. The exploit was successfully used in breach attack against NewYork Times in August of 2013. The vulnerability was still exploited in 2016. Exploit for this vulnerability was used in Pawn Storm campaign as well.

Known malware:

TROJ_DROPPER.IK
BKDR_HGDER.IK.

Vulnerability details

Advisory: SB2012041002 - Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office

Vulnerable component: Microsoft Office

CVE-ID: CVE-2012-0158

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-121 - Stack-based buffer overflow

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow in MSCOMCTL.OCX ActiveX control. A remote attacker can create a specially crafted Web page that passes an overly long string argument, trick the victim into viewing it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

China-based group KeyBoy

KeyBoy is a threat actor believed to operate from China.

Firstly its malicious activity has been observed in summer 2016 in attacks targeting Tibetan Community. In the hacking campaigns not only against Tibet, but also Hong Kong, Taiwan, and Uyghur the group has been exploiting vulnerabilities CVE-2012-0158╨▒ CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770.

Researchers for Trend Micro linked KeyBoy to Operation Tropic Trooper, campaign targeting Taiwan and the Philippines since 2012.

BlackTech group

BlackTech group is a cyber espionage group mainly targeting companies in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.

The threat group is linked to PLEAD in 2012, Shrouded Crossbow in 2010, and Waterbear cyber operations. To perform attacks BlackTech used a novel right-to-left override (RTLO) technique.

PLEAD campaign

The campaign gained the moniker тАЬPLEADтАЭ in reference to the backdoor commands that the malware issues. Attacks, related to this campaign, have been around since 2012. The PLEAD campaign was the second attack to target governmental entities in Taiwan in the first half of 2014.

Operation "Red October" (Rocra)

The malware attack was first detected in 2007 and was being used to target mainly diplomatic and government agencies in Eastern Europe, former USSR members, countries in Central Asia, Western Europe and North America, some African countries, such as Kenya, Uganda, Ethiopia, Chad, The Sudan and Eritrea.

Kaspersky Lab discovered the operation program in October 2012 and uncovered it in January 2013.

Public Exploits:

- Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) (Metasploit) [Exploit-DB]

External links:

https://technet.microsoft.com/library/security/ms12-027
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/CVE-2012-0158-An-Anatomy-of-a-Prol...
https://securingtomorrow.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild/
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-exploitation-seen-in-variou...
https://sentinelone.com/item-news/cve-2012-0158-allocated-2011-patched-2012-still-actively-exploited...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25656
https://www.virusbulletin.com/blog/2014/10/cve-2012-0158-continues-be-used-targeted-attacks/
https://www.alienvault.com/blogs/security-essentials/cmstar-apt-malware-cve-2012-0158
http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html
http://blog.9bplus.com/same-cve-2012-0158-different-builder/
http://blog.malwaretracker.com/2013/08/cve-2012-0158-exploit-evades-av-in-mime.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-now-being-used-in-more-tibe...
https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
https://blogs.sophos.com/2016/07/01/the-word-bug-that-just-wont-die-cve-2012-0158-the-cybercrime-gif...

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.