How malware from 2007 is affecting email security in 2019
Recent Mimecast threat intelligence research highlights the increased use of the CVE-2017-11882 vulnerability in MS Office 2007
Every week, cybersecurity threat intelligence efforts uncover complex, dynamic cyber threats and malware that can be difficult for network defences to keep up with. The increase in the variety and volume of attacks through malware is inevitable given the desire of financially – and criminally – motivated actors to obtain personal and confidential information. These threats will be covered in the Mimecast Threat Intelligence report to be released in November 2019.
While many cyber threats are advanced and multifaceted, others take advantage of dated vulnerabilities. Microsoft Office in particular makes a tempting target because of its ubiquity and the widespread use of outdated versions, as recent attacks exploiting its vulnerabilities show.
The NIST description of the vulnerability, first published in 2017, states: “Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka ‘Microsoft Office Memory Corruption Vulnerability’. This CVE ID is unique from CVE-2017-11884.”
Threat intelligence data shows this same vulnerability is being exploited relentlessly in every region, including Europe, Australia and New Zealand. Researchers found a wide-ranging malware attack against the chemical, pharmaceutical and government sectors in Germany in July. Of the 4,574 detections in July, 73% were Trojans of varying complexity, and many attempted to take advantage of this particular MS Office vulnerability.
Cyber attacks are on the rise globally. Last year, a major attack on Singapore’s government health database stole the personal information of about 1.5 million people, including that of Prime Minister Lee Hsien Loong.
The education sector in Australia was also a target of cyberattacks in June and July 2019, in which substantial data relating to staff, students and visitors was compromised. The attacks included a breach at the Australian National University that affected almost 200,000 people. The data stolen included names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, student academic records, tax file numbers, payroll information, and bank account and passport details. In some cases, the records went back almost 20 years. The Australian Catholic University and Nagle Catholic College also experienced cyberattacks of their own.
Carl Wearn, head of E-Crime and Cyber Investigation at Mimecast, pointed out that this MS Office 2007 vulnerability was commonly exploited in the attacks in Australia and Germany, indicating a renewed focus on attacking Windows machines using malicious invoicing and delivery notes.
Wearn observed that the Australian education sector was a key target and particularly vulnerable. Given the widespread use of individually owned devices on collaborative networks, the education sector faced an increased risk of attacks targeting research data or intellectual property, which could even affect national security if attackers gained access to highly sensitive research.
This vulnerability illustrates the significant dangers of running older, unpatched software within an organisation. In this case, ZDNet reported that patches have been available since 2017. However, given the extent to which this vulnerability is still being exploited, researchers believe a significant number of machines remain unpatched and vulnerable.
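A defender's first step towards the unpatched-machine problem raised above is knowing which Office generations are actually installed. The PowerShell below is an added example, not code from the article or from Mimecast: it reads the Office install-root registry keys, maps the major version numbers Office uses in those keys (12.0, 14.0, 15.0, 16.0) to product names, and flags the versions named in the NIST text quoted above, with Office 2007 additionally marked as out of vendor support. It assumes the `Common\InstallRoot` `Path` value (MSI-based installs) and the `ClickToRun\Configuration` `VersionToReport` value (Click-to-Run installs) are present; it deliberately does not check patch level, since that requires the specific update identifiers the article does not give.

```powershell
# Added example: inventory installed Office generations from the registry and flag
# those named in the CVE-2017-11882 advisory and those no longer vendor-supported.
# Assumption: MSI-based installs expose <ver>\Common\InstallRoot\Path; Click-to-Run
# installs expose ClickToRun\Configuration\VersionToReport. Patch level is NOT checked.

# Major version number used in Office registry paths -> product name.
$products = @{
    '12.0' = 'Office 2007'
    '14.0' = 'Office 2010'
    '15.0' = 'Office 2013'
    '16.0' = 'Office 2016 / 2019 / 365'
}

# Generations named in the NIST description of CVE-2017-11882 (2007 SP3, 2010 SP2, 2013 SP1, 2016).
$namedInAdvisory = @('12.0', '14.0', '15.0', '16.0')

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Office',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office'   # 32-bit Office on 64-bit Windows
)

function New-OfficeFinding([string]$Version, [string]$Source, [string]$Detail) {
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Version          = $Version
        Product          = $products[$Version]
        Source           = $Source
        Detail           = $Detail
        NamedInAdvisory  = $namedInAdvisory -contains $Version
        # Office 2007 extended support ended in October 2017; no further security fixes.
        VendorSupported  = ($Version -ne '12.0')
    }
}

# MSI-based installs: one InstallRoot key per installed generation.
$findings = @(
    foreach ($root in $roots) {
        foreach ($ver in $products.Keys) {
            $key  = Join-Path $root "$ver\Common\InstallRoot"
            $path = (Get-ItemProperty -Path $key -Name Path -ErrorAction SilentlyContinue).Path
            if ($path) { New-OfficeFinding -Version $ver -Source 'MSI' -Detail $path }
        }
    }
)

# Click-to-Run installs record a full build string, e.g. 16.0.xxxxx.xxxxx.
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                        -Name VersionToReport -ErrorAction SilentlyContinue
if ($c2r.VersionToReport) {
    $major = ($c2r.VersionToReport -split '\.')[0..1] -join '.'   # "16.0" from "16.0.12345.67890"
    $findings += New-OfficeFinding -Version $major -Source 'ClickToRun' -Detail $c2r.VersionToReport
}

if (-not $findings) {
    Write-Output "No Microsoft Office installation found in the registry on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Version | Format-Table -AutoSize
    $unsupported = $findings | Where-Object { -not $_.VendorSupported }
    if ($unsupported) {
        Write-Warning ("Out-of-support Office present: " + (($unsupported.Product | Sort-Object -Unique) -join ', ') +
                       ". Every generation listed above is named in the CVE-2017-11882 advisory; confirm patch status separately.")
    }
}
```

Run it under an account that can read HKLM, or push it through your endpoint management tooling and collect the objects centrally; a single `NamedInAdvisory = True` row is a prompt to verify patch status, while `VendorSupported = False` is a machine that can no longer be patched at all.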
Wearn states that malicious activity can occur during rapidly escalating campaigns over a single day, but can also be carried out through far more determined and persistent attacks taking place over several days or even a week.
Even among developed countries, Australia faces a greater risk of cyberattacks than most. The Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, which compared the cybersecurity standing of 11 countries, found Australia to be the nation most under attack, with 90% of Australian companies reporting up to 5,000 threats a day.
In the long term, vulnerabilities in software that is no longer vendor-supported are likely to present an additional, enduring problem because of the expense of upgrading infrastructure, software and licensing. Attackers do not care which weakness they have to exploit to gain access to or compromise secured systems, and are known to use any available means, whether malware or an exploit, to do so.
As always, awareness, practising safe online behaviours and using updated software are the best ways to minimise the chances of becoming a target.