Attackers Actively Targeting Microsoft Windows Zero-Day

Attackers are actively targeting a Windows zero-day vulnerability using malicious PowerPoint files, according to Microsoft, which issued an advisory this week warning users to be aware of malicious file attachments and links to attack websites attempting to exploit the flaw.

The issue may stem from a targeted attack campaign conducted by a group called Sandworm, which is targeting a zero-day vulnerability patched by Microsoft last week as part of its regular Patch Tuesday updates. McAfee Labs researchers said the patch was "not robust enough," enabling the Sandworm group to bypass the update.

"Users who have installed the official patch are still at risk," said Haifei Li, a senior vulnerability researcher at McAfee, in an advisory to customers on Wednesday. "This finding has significant impact because attacks leveraging the vulnerability are still very active."

While PowerPoint files are the ones attackers are actively using, any Microsoft Office file can be used to exploit the vulnerability. The issue appears to affect Object Linking and Embedding (OLE) in Windows, the mechanism that lets applications share functionality, including the ability to create and edit data. All currently supported versions of Windows are affected except Windows Server 2003, Microsoft said in its advisory.

Servers or workstations that open documents with embedded OLE objects are primarily at risk, Microsoft said in its advisory. An attacker can send an email attachment and trick users into opening the file, or into clicking a link to a malicious website that targets the zero-day vulnerability.

"If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," Microsoft said in its advisory.
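Because the advisory ties the risk to documents carrying embedded or linked OLE objects, a practical first triage step for a mail gateway or incident responder is to check whether an Office attachment contains any at all. The following is an added example written for this article; it is not code from Microsoft, McAfee, Trend Micro or CRN. It assumes the Office Open XML layout (.docx/.pptx/.xlsx are zip archives in which embedded OLE parts live under an `embeddings/` folder and are referenced from `.rels` files with the `oleObject` relationship type, linked objects carrying `TargetMode="External"`). The sample archives it builds are constructed for the demonstration, not real presentations, and legacy binary formats (.ppt/.doc) are out of scope because they need a compound-file parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Relationship type used by OOXML for OLE objects (embedded or linked).
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def inspect_ooxml(data: bytes) -> Dict[str, List[str]]:
    """Return the embedded OLE parts and external OLE link targets found in
    an OOXML document given as bytes. Presence of OLE content is a triage
    signal only: many benign documents embed spreadsheets or charts."""
    report: Dict[str, List[str]] = {"embedded": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Embedded objects are stored as parts under .../embeddings/
            if "/embeddings/" in name:
                report["embedded"].append(name)
            # Relationship files declare OLE links, possibly to external targets
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter():
                    if rel.tag.rsplit("}", 1)[-1] != "Relationship":
                        continue
                    if rel.get("Type") != OLE_REL_TYPE:
                        continue
                    if rel.get("TargetMode") == "External":
                        report["external_links"].append(rel.get("Target", ""))
    return report


def is_suspicious(report: Dict[str, List[str]]) -> bool:
    """Flag a document for closer inspection if it carries any OLE content."""
    return bool(report["embedded"] or report["external_links"])


def build_sample_pptx(with_ole: bool) -> bytes:
    """Construct a minimal pptx-like archive (constructed sample, not a real
    deck) so the checker can be exercised offline."""
    rels_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        rels = ['<Relationships xmlns="%s">' % rels_ns]
        if with_ole:
            # Fake embedded object: compound-file magic followed by padding.
            zf.writestr("ppt/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
            rels.append('<Relationship Id="rId2" Type="%s" '
                        'Target="../embeddings/oleObject1.bin"/>' % OLE_REL_TYPE)
            rels.append('<Relationship Id="rId3" Type="%s" '
                        'Target="file:///C:/share/sheet.xls" '
                        'TargetMode="External"/>' % OLE_REL_TYPE)
        rels.append("</Relationships>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with OLE", True)):
        rep = inspect_ooxml(build_sample_pptx(flag))
        print(label, "->", "SUSPICIOUS" if is_suspicious(rep) else "ok", rep)
```

Running the script prints one line per constructed sample; in practice you would call `inspect_ooxml` on the raw bytes of each attachment and route flagged files to sandbox detonation or manual review rather than blocking outright, since embedded OLE objects are common in legitimate documents.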

Solution providers tell CRN that workarounds and temporary fixes are available until a permanent fix is created. Microsoft also hasn't ruled out an out-of-band, emergency security update to fix the issue.

Interest is rising in new threat detection capabilities as security firms uncover zero-day attacks tied to targeted attack campaigns. The litany of high-profile data breaches and news about dangerous targeted attack campaigns have made organizations more aware of security, but the problem is not an easy one to fix, said Mark Robinson, president of Findlay, Ohio-based solution provider CentraComm.

"[Organizations] finally think they closed all the front doors to hackers, but now everyone is finding every hidden back door known to man," Robinson said. "There's always a different door for an attacker to walk through."

Trend Micro's analysis of the OLE vulnerability uncovered a new evasion technique that makes exploits difficult to detect. The security vendor said it detected attacks against Taiwanese manufacturers and government agencies.

In addition to email attachments, attackers have had success spreading malware using file-sharing services. A new targeted attack campaign is using Google Drive accounts as part of an apparent reconnaissance operation against government agency officials, according to Trend Micro, which recently uncovered the account abuse.

The attacks are similar to campaigns waged against users of Dropbox, Evernote and Sendspace, services that provide storage and file-sharing capabilities for users. The malware checks the kind of files stored in the service and then uploads similar malicious file types. The attack uses refresh tokens, which are used to provide Google Drive access to third-party services over an extended period of time.

Google has been made aware of the threat, according to Kervin Alintanahin, a Trend Micro threat researcher who provided analysis of the malware, called Drigo. The file names reveal that the targeted entities are government agencies, Trend Micro said, adding that the attack could be part of a reconnaissance operation that supports a targeted attack campaign.

"The more information they can gather, the more vectors of attack they can use on their target," Alintanahin said.

The Drigo malware has been used in attack campaigns that date back as far as 2012.