Millions of email users were affected this week by a hacking campaign exploiting a newly discovered vulnerability in Microsoft’s Office suite of software applications — just days after it was controversially made public Friday by cybersecurity outfit McAfee.
The news comes as FireEye, another security company that independently discovered the vulnerability last month, revealed it has also been used to help install the “lawful intercept” software known as FinFisher or FinSpy on computers used by Russian-speakers and in a campaign using LatentBot, an information-stealing and remote-access malware package associated with financially motivated cybercriminals.
But on Monday evening East Coast time, the vulnerability was exploited in a massive campaign of spam email directed at millions of computer users in Australia. The email was designed to look as if it had come from a printer or scanner on the recipient’s own network. It bore a malicious attachment, known as a lure, designed to infect targeted computers with the Dridex malware, a well-known crimeware package which steals users’ banking logins and passwords so their accounts can be taken over and drained of funds, according to a blog post from cybersecurity company Proofpoint.
Proofpoint vice-president of threat research Bryan Burns told CyberScoop the huge gout of spam Monday, timed for the start of the business day in Australia, was the most recent wave of a massive new Dridex campaign in recent weeks. Last year, Dridex “went under the radar a little bit” when the criminal organizations pushing it were using their spam email infrastructure to distribute Locky ransomware instead, he said. “Since March 30, we have seen a significant new campaign” of Dridex malicious spam.
Burns said he did not know how the cybercriminals behind the campaign got hold of the exploit that used the vulnerability. But he added, “It certainly seems likely” that they had learned of it through McAfee’s public report last week. Other waves of Dridex spam this year have leveraged known vulnerabilities and used email attachments that require the user to unzip them before they attack the targeted computer.
In a brief statement sent to CyberScoop via email, McAfee Labs Vice President Vincent Weafer noted the company had not published any technical details in their blog post Friday. It was “a report of an in-the-wild attack on customers’ systems detected last week, not a vulnerability disclosure,” he said.
“We had a glitch in our communications with our partner Microsoft that impacted a coordinated response to these attacks, which is being corrected,” he added. Microsoft declined several requests for a more detailed account of their work on the new vulnerability, known as a zero-day because it had not been disclosed before.
But the technical details Microsoft made public Tuesday show that the flaw had already been reported from two other sources, in addition to FireEye last month, before McAfee made its existence known. It is rated “critical” — the highest possible severity — because it enables a hacker to completely take over a targeted machine when the user merely opens an attachment.
Until Tuesday, when Microsoft issued a security update to its software, the exploit that hackers built to take advantage of the vulnerability would work even on a computer that was running the latest software and was fully patched. It’s this characteristic that makes zero-days so prized — most exploits rely on vulnerabilities that have already been disclosed and patched, meaning they work only on older software.
The sensitivity of zero-day vulnerabilities was underlined by the controversy surrounding McAfee’s decision to go public on Friday, even while Microsoft was finalizing the patch they distributed Tuesday.
“McAfee has proven FireEye correct to work privately with Microsoft while a patch was being produced,” said Sergio Caltagirone, director of threat intelligence and analysis at Dragos, Inc. “As soon as McAfee went public the exploit was used by Dridex and likely others against unprotected users greatly increasing the threat and damage.”
Some security researchers, like those at Google’s Project Zero, have almost religiously strict disclosure policies. Project Zero releases vulnerabilities 90 days after reporting them to the vendor, come what may. In 2015, they disclosed details of a vulnerability in Windows 8.1 just days before Microsoft was scheduled to release its patch.
Caltagirone, who previously was director of threat intelligence at Microsoft, said there was rarely any good reason for the kind of unilateral disclosure McAfee practiced. “Researchers who threaten Microsoft to release [a vulnerability] prior to patch … act on arrogance,” he told CyberScoop.
“Patches are difficult and some take significant time to engineer and test,” he said. Researchers who try to force early patching with a disclosure threat are “only forcing bad patches which will do more harm than any malware to millions of customers.”
Microsoft learned of the vulnerability as long ago as last October, according to another of the researchers who independently discovered it, Ryan Hanson, a security consultant at Optiv.
“When I disclosed it” to Microsoft, Hanson tweeted, “it was not being used in the wild, so I’m sure they chose to do a deeper fix.”
“Having been a software engineer for over eight years, I’m familiar with the downsides of quick spot fixes,” Hanson continued.
Caltagirone also hit out at those who criticized Microsoft for not patching the vulnerability sooner.
“No other software company in the world faces the number of environments and configurations like Microsoft on which their patch must deploy and work perfectly. … A single patch failure across millions of customers is costly to Microsoft and customers. No patch is the same and it’s difficult to assess from the outside what it took to complete the patch,” he said.