Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Office Zero-Day Bug Used by APT Group

Microsoft on Tuesday patched several memory corruption vulnerabilities in Office, including one that had been exploited in the wild by a well known advanced persistent threat (APT) actor.

Microsoft on Tuesday patched several memory corruption vulnerabilities in Office, including one that had been exploited in the wild by a well known advanced persistent threat (APT) actor.

Trend Micro reported earlier this week that the Russian threat group Pawn Storm (also known as APT28, Sednit, Fancy Bear, Sofacy and Tsar Team) had been leveraging an Oracle Java zero-day vulnerability in attacks against the armed forces of a NATO member country, and defense organizations in the United States and Canada.

According to iSIGHT Partners, this isn’t the only zero-day bug used recently by the group. On June 30, the threat intelligence company discovered that Pawn Storm had been exploiting an unpatched vulnerability in Microsoft Office (CVE-2015-2424). iSIGHT Partners immediately notified Microsoft and the flaw was patched when the company released its July 2015 security updates.

“When we found the exploit it appeared to be under development and evidence suggests it was deployed in Georgia,” iSIGHT Partners noted in a blog post.

The Microsoft Office zero-day exploited by the threat actor is a heap corruption vulnerability triggered during processing of a malformed Microsoft Forms Image. The flaw affects Office 2013 SP1 and prior, and it can be exploited to execute arbitrary code via a specially crafted Office document.

In the Pawn Storm attack spotted by iSIGHT, the attackers used a document named “Iran_nuclear_talks.rtf” to hide the exploit. Brian Bartholomew, senior researcher in the Cyber Espionage Threat Intelligence team at iSIGHT Partners, told SecurityWeek that the content of the lure document was ripped from a June 28 CNN article on nuclear talks with Iran.

When the document was opened, an embedded OLE object triggered the vulnerability and a dropper payload was written and executed on the targeted system. The dropper then dropped a Sofacy malware payload.

“Based on several artifacts in the exploit document and the unreliability of successful exploitation when running the exploit document, iSIGHT Partners believes the exploit document was potentially hastily thrown together, or the exploit is still being developed to be more reliable,” iSIGHT explained.

The threat group, which the security firm calls Tsar Team, has also leveraged at least one of the zero-day exploits leaked after the Hacking Team breach.

Bartholomew told SecurityWeek that iSIGHT has observed Tsar Team using one of the three Adobe Flash Player exploits (CVE-2015-5119) from the Hacking Team leak.

“While this is the only one we have observed in use by this team, it is not out of the realm of possibility that they may have repurposed any of the other five released zero-days from Hacking Team,” said Bartholomew. “5119 was re-written and in use by Tsar Team within 24 hours of the exploit being released on the Internet.

In April, FireEye reported that the threat group had used Flash Player and Windows zero-days in a highly targeted attack aimed at an international government entity.

iSIGHT Partners has been monitoring the APT actor’s activities and the company believes that the group is actually behind the hacktivist group known as Cyber Caliphate, which attacked several companies apparently in support of ISIS.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet