Security firm FireEye found that Word’s recently identified zero-day flaw had been used as early as January 25 on Russian-speaking targets for cyber espionage attempts in the context of the Ukrainian conflict. Microsoft just released a patch.
The Word zero-day flaw (CVE-2017-0199), which Microsoft patched on Tuesday, has actually been exploited far more widely than the security experts at McAfee and FireEye who spotted it last week initially thought. According to research by FireEye, it was used separately as early as January, on the one hand by groups deploying FinSpy spyware against Russian-speaking targets, probably for cyber espionage, and on the other hand by groups deploying Latentbot, a bot targeting the financial services and insurance industry. More recently, it was also exploited to deliver the Dridex banking trojan in a massive spam campaign.
According to FireEye, the attack targeting Russian-speaking users dates back to January 25, 2017, more than two months before the Word flaw was discovered. It is delivered via a Russian military training manual supposedly published by the People’s Republic of Donetsk, a dissident region of Ukraine supported by Russia. Once opened, the document installs the FinSpy spyware used by various states, along with other items including additional malware and a decoy document posing as a Russian decree approving a forest management plan. Also known as FinFisher, FinSpy was developed by a subsidiary of the German company Gamma Group, which specializes in surveillance equipment. Thirty-three governments are suspected of having used it, according to a survey published in 2015 by the Canadian laboratory Citizen Lab. Since Gamma Group likely has a long list of government clients, FireEye believes other victims may have been targeted with FinSpy in the same way.
Different groups drawing from the same source
Knowledge of Word’s zero-day flaw has evidently circulated among other hacker groups with separate objectives, since it is also exploited alongside malware used by cybercriminals targeting the banking sector, Latentbot and Dridex. Presumably, these different groups obtained their information about the flaw from the same source.
Note that Microsoft’s April security update corrects this vulnerability, which affects the OLE (Object Linking and Embedding) function of the Office suite. Windows must also be patched, because malicious RTF documents can also be opened by the WordPad text editor included in the operating system. FireEye states in its post that it worked with Microsoft and published the technical details of the problem only once the patch was delivered.
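As an added defensive example, not taken from the FireEye or Microsoft write-ups, here is a small Python triage script that flags RTF files carrying embedded OLE objects, the document type this article says abuses Office’s OLE function; the sample RTF is constructed and benign (its payload is only the OLE header padded with zeros), and the brace-walking helper assumes the sample is well-formed enough to parse that way.

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature

def is_rtf(data: bytes) -> bool:
    """RTF files start with '{\\rtf'; Word and WordPad are lenient about the rest."""
    return data.lstrip().startswith(b"{\\rtf")

def _hex_group(data: bytes, start: int) -> bytes:
    """Collect hex digits from `start` up to the brace closing the current group,
    skipping nested groups (annotations sometimes sit inside \\objdata)."""
    depth, out, i = 0, bytearray(), start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and c in b"0123456789abcdefABCDEF":
            out += c
        i += 1
    # drop a trailing odd nibble, then decode the hex text to raw bytes
    return bytes.fromhex(out[: len(out) - len(out) % 2].decode())

def triage_rtf(data: bytes) -> dict:
    """Report how many embedded objects an RTF declares and how many of their
    \\objdata payloads look like OLE compound files (worth analyst attention)."""
    report = {"is_rtf": is_rtf(data), "objects": 0, "objclasses": [], "ole_payloads": 0}
    if not report["is_rtf"]:
        return report
    report["objects"] = len(re.findall(rb"\\object\b", data))
    report["objclasses"] = [c.strip().decode(errors="replace")
                            for c in re.findall(rb"\\objclass ([^{}\\]+)", data)]
    for m in re.finditer(rb"\\objdata\b", data):
        if _hex_group(data, m.end()).startswith(OLE_MAGIC):
            report["ole_payloads"] += 1
    return report

# Constructed, benign sample: one embedded object whose payload is just the
# 8-byte OLE header followed by zeros (not a real or malicious object).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata d0cf11e0a1b11ae1" + b"00" * 8 + b"}}\\par Hello}"
)

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

A file that is RTF and reports one or more OLE payloads is a candidate for sandboxing or for checking that the April update is installed on the hosts that received it.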