Most attacks that are targeting vulnerabilities in Microsoft Office to compromise victims’ systems are currently leveraging two security issues that were discovered last year, SophosLabs researchers warn.
Over the past several weeks, CVE-2015-1641 and CVE-2015-2545 have emerged as the most popular Office exploits out there, dethroning CVE-2012-0158, a four-year old vulnerability that experts suggested might be called “the bug that just won’t die.” Still leveraged in many attacks, the bug fuels only a small percentage of them now, although it was abused in approxiately half of incidents in Q4 2015.
According to a new report from SophosLabs, CVE-2015-1641 now accounts for nearly 66% of attacks, although it has been on the charts for only several months, while CVE-2015-2545 fuels around 17% of attacks after recently entering the cybercrime stage and making a sudden impact. CVE-2012-0158 is now the third most popular Office exploit, leveraged in less than 12% of attacks.
The switch to newer exploits isn’t surprising, because users gradually patch older security flaws and attacks are no longer as successful. What might be surprising is that cybercriminals stayed with CVE-2012-0158 for so long and that they suddenly moved to a new vulnerability.
SophosLabs researchers, however, say that this makes perfect sense. Cybercriminals “rely on the availability of published exploit kits. As such, until these kits utilize the newer exploit code, the criminals typically do not incorporate them downstream.”
Thus, the sudden shift in exploit usage is attributed to the most widely used AK-1 kit being upgraded to AK-2, which dropped the older flaw to the newer, more impactful CVE-2015-1641, and to Microsoft Word Intruder (MWI), another popular crimeware kit, also adding support for the newer vulnerability. Additionally, the cybercriminal groups that actively distributed FareIt and Zbot are believed to have switched from the DL-2 exploit kit to a solution using the CVE-2015-2545 exploit.
The inclusion of CVE-2015-1641 in AK-2 happened a while ago, but its availability in MWI is something new, SophosLabs’ report suggests. The kit was recently updated with some other functionality as well, including decoy documents, which are displayed before triggering the exploit. The typical payloads in the malicious documents created with it include the Zeus and Fareit Trojans, NetWiredRC and Nanocore backdoors, PredatorPain keylogger and the LuminosityLink RAT, researchers say.
The CVE-2015-2545 vulnerability started its lifecycle as many other Office exploits do: high-end APT groups were using it at the 0-day stage, before an official patch was released for it. This remote code execution flaw was abused by an APT group dubbed Platinum and TwoForOne before Microsoft released a patch in September 2015. However, other groups started using it after the patch, including EvilPost and APT16, as well as NetTraveler.
According to Sophos, from a criminal’s point of view, CVE-2015-2545 and CVE-2015-1641 appear as good replacements for the CVE-2012-0158 exploit, especially since the latter is already included in MWI and AK-2 exploit kits.
“We can expect that more cybercrime groups will discover this possibility, and we will see an increase in the use of the new Office exploits in the general user base,” SophosLabs’ Gabor Szappanos says. “The good news is that both vulnerabilities have long been fixed and patches are available. Time to install those Office security updates!”
