Microsoft Patches Office Zero-Day Bug Used by APT Group

Microsoft on Tuesday patched several memory corruption vulnerabilities in Office, including one that had been exploited in the wild by a well known advanced persistent threat (APT) actor.

Trend Micro reported earlier this week that the Russian threat group Pawn Storm (also known as APT28, Sednit, Fancy Bear, Sofacy and Tsar Team) had been leveraging an Oracle Java zero-day vulnerability in attacks against the armed forces of a NATO member country, and defense organizations in the United States and Canada.

According to iSIGHT Partners, this isn’t the only zero-day bug used recently by the group. On June 30, the threat intelligence company discovered that Pawn Storm had been exploiting an unpatched vulnerability in Microsoft Office (CVE-2015-2424). iSIGHT Partners immediately notified Microsoft and the flaw was patched when the company released its July 2015 security updates.

“When we found the exploit it appeared to be under development and evidence suggests it was deployed in Georgia,” iSIGHT Partners noted in a blog post.

The Microsoft Office zero-day exploited by the threat actor is a heap corruption vulnerability triggered during processing of a malformed Microsoft Forms Image. The flaw affects Office 2013 SP1 and prior, and it can be exploited to execute arbitrary code via a specially crafted Office document.

In the Pawn Storm attack spotted by iSIGHT, the attackers used a document named “Iran_nuclear_talks.rtf” to hide the exploit. Brian Bartholomew, senior researcher in the Cyber Espionage Threat Intelligence team at iSIGHT Partners, told SecurityWeek that the content of the lure document was ripped from a June 28 CNN article on nuclear talks with Iran.

When the document was opened, an embedded OLE object triggered the vulnerability and a dropper payload was written and executed on the targeted system. The dropper then dropped a Sofacy malware payload.

“Based on several artifacts in the exploit document and the unreliability of successful exploitation when running the exploit document, iSIGHT Partners believes the exploit document was potentially hastily thrown together, or the exploit is still being developed to be more reliable,” iSIGHT explained.

The threat group, which the security firm calls Tsar Team, has also leveraged at least one of the zero-day exploits leaked after the Hacking Team breach.

Bartholomew told SecurityWeek that iSIGHT has observed Tsar Team using one of the three Adobe Flash Player exploits (CVE-2015-5119) from the Hacking Team leak.

“While this is the only one we have observed in use by this team, it is not out of the realm of possibility that they may have repurposed any of the other five released zero-days from Hacking Team,” said Bartholomew. “5119 was re-written and in use by Tsar Team within 24 hours of the exploit being released on the Internet.

In April, FireEye reported that the threat group had used Flash Player and Windows zero-days in a highly targeted attack aimed at an international government entity.

iSIGHT Partners has been monitoring the APT actor’s activities and the company believes that the group is actually behind the hacktivist group known as Cyber Caliphate, which attacked several companies apparently in support of ISIS.