The latest in our 12 vulns of Christmas series looks at a slightly older Office and Windows vulnerability that has again achieved a maximum OVS score, in part due to the popularity of the Microsoft products it affects.
CVE-2017-0199 is a critical vulnerability affecting different versions of Microsoft Office and Windows, which enables adversaries to execute arbitrary code via a crafted document, enabling them to take control of the infected host. Phishing is the most likely infection vector for exploiting this technique, as it would involve using social engineering techniques to have victims download and open the malicious file. The vulnerability could be exploited in order to drop further malware onto the victim’s machine upon execution, such as trojans or backdoors, which would provide attackers with persistent access on the victim’s device.
Although the first known sample of an exploit for the vulnerability was detected on 23 November 2016, FireEye first reported on the vulnerability on 8 April 2017. Microsoft then released a patch for the vulnerability on 11 April 2017, and a Metasploit module for the exploit was released on 14 April 2017.
Due to the likely infection vector associated with this vulnerability, Orpheus analysts assessed that CVE-2017-0199 was likely to be exploited by cybercriminal actors, as phishing remains the most popular infection vector for cybercriminals. While exploitation in the wild had been detected since November 2016, the first confirmed reports of exploitation came in August 2017, when the vulnerability was exploited by REMCOS RAT operators, who used spear-phishing emails to deliver their payload. Operators of the FELIXROOT backdoor, likely Russian cybercriminals, were also seen exploiting CVE-2017-0199 in malicious emails targeting Ukrainian users. Silence, another Russian cybercriminal group, also exploited the vulnerability in September 2018 during a campaign targeting ATM networks in various Eastern European countries.
Nation-state actors who use social engineering and spear-phishing for cyberespionage operations have also integrated CVE-2017-0199 exploits into their arsenals, particularly Chinese state groups. In one instance, the Chinese National Vulnerability Database, operated by China’s Ministry of State Security, was accused of deliberately delaying its reporting of the vulnerability in order to prevent organisations from effectively mitigating it while Chinese groups were still exploiting it.
Chinese cyber espionage campaigns exploiting CVE-2017-0199 include RedAlpha, a persistent campaign detected in June 2018, August 2018 and February 2019, which targeted Tibetan organisations using RATs such as njRAT and ExileRAT. The Chinese group APT40 was also observed using the vulnerability in March 2019 to target governments and naval organisations in support of China's Belt and Road Initiative.
Groups attributed to Kazakhstan, Pakistan, Iran and North Korea have leveraged the vulnerability to compromise both domestic and foreign organisations across different cyber espionage campaigns, using RATs such as njRAT, Remcos RAT and Quasar to achieve persistent access. In one instance, the vulnerability was observed being exploited by a Hamas-linked activist group, Gaza CyberGang, to target regional actors.
We have collected data for malware samples submitted to VirusTotal in the last 3 months that were tagged as exploiting CVE-2017-0199. We were able to find 2900 samples over this period, indicating that – despite its age – exploitation of this vulnerability continues in the wild.
By examining the file extensions of the malicious files, we were able to ascertain that the most common phishing attachments exploiting this vulnerability remain .docx, .xml, .rtf, .eml and .doc files. We also found that threat actors are using PowerPoint files (44 samples) and Excel files (41 samples) to exploit the vulnerability.
Because of this long history of exploitation by sophisticated threat actors for cyber espionage, and the evidence of continued exploitation shown by the VirusTotal data, we recommend organisations apply the relevant patches in order to mitigate the risk associated with phishing attachments exploiting CVE-2017-0199. We recommend the following mitigation tactics:
- Configure endpoint protection to scan the most common file types exploiting this vulnerability when they are received in corporate mailboxes
- Apply the official Microsoft patch as soon as possible
- Train employees to recognise and report phishing and social engineering attempts in order to limit exposure
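As an added illustration of the first mitigation, here is a small attachment-triage heuristic in Python; it is not code from the original post or from Orpheus. It assumes two detection signals that the post does not discuss: an OOXML relationship of type oleObject marked `TargetMode="External"`, and an RTF embedded object carrying the `\objupdate` control word; the sample documents are constructed inline.

```python
import io
import re
import zipfile
from pathlib import PurePath

# File types the post observed carrying CVE-2017-0199 lures (PowerPoint and Excel included).
WATCHED_EXTENSIONS = {".docx", ".doc", ".xml", ".rtf", ".eml", ".pptx", ".ppsx", ".xlsx"}
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_RE = re.compile(r"<Relationship\b[^>]*>")  # one Relationship element per match


def _external_ole_targets(package: bytes) -> list:
    """URLs of OLE objects that an OOXML package links to externally (assumed heuristic)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part in (n for n in zf.namelist() if n.endswith(".rels")):
            for rel in REL_RE.findall(zf.read(part).decode("utf-8", "replace")):
                if OLE_REL_TYPE in rel and 'TargetMode="External"' in rel:
                    target = re.search(r'Target="([^"]*)"', rel)
                    found.append(target.group(1) if target else "<no target>")
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one mail attachment: watched type or not, and any linked-object indicators."""
    verdict = {"file": filename, "watched": False, "indicators": [], "suspicious": False}
    if PurePath(filename).suffix.lower() not in WATCHED_EXTENSIONS:
        return verdict
    verdict["watched"] = True
    if data.startswith(b"PK\x03\x04"):  # OOXML documents are zip containers
        verdict["indicators"] += [f"external OLE link: {u}" for u in _external_ole_targets(data)]
    elif data.lstrip().startswith(b"{\\rtf"):
        body = data.lower()  # RTF control words are lowercase by spec; normalise anyway
        if b"\\objupdate" in body and b"\\objdata" in body:  # embedded object set to auto-update
            verdict["indicators"].append("RTF embedded object set to auto-update (\\objupdate)")
    verdict["suspicious"] = bool(verdict["indicators"])
    return verdict


def _make_docx(rels_xml: str) -> bytes:
    """Build a minimal constructed OOXML package around the given document.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: an externally linked object, an embedded (internal) object, and an RTF stub.
SAMPLE_LINKED = _make_docx(f'<Relationships><Relationship Id="rId9" Type="{OLE_REL_TYPE}" '
                           'Target="http://example.invalid/o" TargetMode="External"/></Relationships>')
SAMPLE_CLEAN = _make_docx(f'<Relationships><Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/></Relationships>')
SAMPLE_RTF = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 00}}}"
```

Legacy .doc, .xml and .eml attachments are reported as watched types but receive no content check here; a real gateway would hand those to a full parser or sandbox.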