While ways to defend against malware and cyberattacks have gotten better, malware creators have kept pace, becoming equally crafty and using varied means to distribute their malicious code to victims. One of the easiest ways they can do that is by taking advantage of a software vulnerability, as is the case in a newly unveiled report.
According to Reuters, at the root of CVE-2017-0199, which Microsoft patched on April 11, sits a flaw in its Word application that was first reported to the firm back in October of last year. So why the delay?
It all started in July of 2016, when Ryan Hanson, a 2010 Idaho State University graduate and consultant at security firm Optiv, discovered a flaw in the way Word processes documents which are in a different format than its native one. By exploiting this bug, he was able to insert a link to a malicious program, which then gave him access to a victim's computer. After spending a couple of months attempting to see if the flaw could be combined with others to increase the danger level of the initial bug, Hanson contacted Microsoft.
At this point, Microsoft could have notified customers to change settings in their Word application, but in doing so, it would've also told hackers how to exploit the flaw. A patch could've also been made available, but since the Redmond giant wasn't aware of anyone making use of this flaw, it decided to dig a little deeper, ensuring it could provide a complete solution. Speaking on behalf of the company, a spokesperson who asked to remain anonymous, stated: "We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported".
Unbeknownst to Microsoft, in January of 2017, cyber crimes making use of this attack vector began, with the first victims being sent emails which urged them to click on links to Russian-language sites. These were allegedly about the military situation in Russia, as well as Russian rebels in Ukraine. Once the links were clicked, the victims' computers were infected with eavesdropping software created by Gamma Group, a private company which "sells to agencies of many governments".
Fast-forward two months, and security researchers at FireEye discovered that Latenbot, a notorious piece of financial hacking software, was being distributed by exploiting this very same flaw in Word. As such, they warned Microsoft, which stated it would have a patch ready by next Patch Tuesday, April 11. This would've been the end of the saga, if only word hadn't gotten out to researchers at McAfee.
On April 6, the security firm discovered some more attacks making use of this Word flaw, and after some "quick but in-depth research" contacted Microsoft. However, unlike FireEye and Optiv, McAfee decided to not keep quiet about the issue until the patch came out, and instead published an extensive blog post on its finding on April 7. As you might've guessed, the post gave enough detail that anyone who would've wanted to take advantage of the flaw could mimic it quite easily. McAfee's VP, Vincent Weafer, stated that the unfortunate timing of the post was due to "a glitch in our communications with our partner Microsoft".
A mere two days after that McAfee post, a piece of software which exploited the flaw was already on the underground market. The very next day, millions of computers in Australia were infected via documents which contained the Dridex banking-fraud software.
The attacks did not stop there, as even after the patch was issued, Ben-Gurion University employees in Israel were hacked by a group linked to Iran. The attack took over "their email accounts and sent infected documents to their contacts at technology companies and medical professionals", according to Michael Gorelik, VP of cybersecurity firm Morphisec.
Optiv stated it is currently comparing what Hanson told Microsoft with the details used by cybercriminals in the wild, to determine if their researcher could be responsible for the massive hacking spree.
At the time of this writing, it is still unknown exactly how many victims were infected or indeed how much money may have been lost.
One last thing to keep in mind is that the patch for CVE-2017-0199 fixes the vulnerability in all flavours of Office from 2007 to 2016, as well as a Remote Code Execution flaw via the Windows API in Vista SP2, Windows 7 32-bit and 64-bit, and the 32-bit and 64-bit editions of Server 2008 and Server 2008 R2. It goes without saying that if you have not updated your system, it's strongly recommended you do so.