Attacks Detected with New Microsoft Office Zero-Day

Discussion in 'malware problems & news' started by itman, Apr 8, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I was down all afternoon because I just had DSL 1000 mbps fiber installed. Now I am blazing fast.

Only 22 of VT vendors detecting RTF hashes posted on the Proofpoint web site. Eset detects one but not the other of the hashes so far. I couldn't find any hashes for any .hta download so far.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
-Correction- According to bleepingcomputer.com here: https://www.bleepingcomputer.com/ne...oft-patched-3-bugs-exploited-in-live-attacks/, this vulnerability was patched in April, 2017 Win Update.

    As far as CVE-2017-0210 goes, the CVE is "reserved," so no info on it currently available from "official" sources. This is the unpatched vulnerability in IE10 and 11.

Symantec has a write-up on it I am posting below. Appears to me as long as you're using advanced EPM, you're OK since you're running with low token privileges. If you're using an e-mail client and IE10 or 11 is your default browser, I would disable all active content rendering in the e-mail client if not already done so. Also if your security solution network protection includes IDS protection, you should be OK.
    https://www.symantec.com/security_response/vulnerability.jsp?bid=97512&om_rssid=sr-advisories
     
    Last edited: Apr 12, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
-Correction- According to bleepingcomputer.com here: https://www.bleepingcomputer.com/ne...oft-patched-3-bugs-exploited-in-live-attacks/, this vulnerability was patched in April, 2017 Win Update.

    As far as the still unpatched Word EPS vulnerability, instructions here on how to disable that filter: https://support.microsoft.com/en-us...-for-graphic-filters-for-microsoft-office-365
To remove all graphics filters or, alternatively, remove the EPS filter from the allow list.
     
    Last edited: Apr 12, 2017
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as the current state of Windows security goes, bleepingcomputer.com "says it all."
    https://www.bleepingcomputer.com/ne...oft-patched-3-bugs-exploited-in-live-attacks/
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Recently patched Microsoft Word exploit was used by both governments and criminal hackers

    There's a new twist in the recently patched Microsoft Office zero-day that suggests the bug was being used on a larger scale than first thought..."

    http://www.zdnet.com/article/recent...was-exploited-for-surveillance-and-espionage/

    "Microsoft Word exploit linked to cyberspying in Ukraine conflict

    The attack appears to have occurred in January, before Microsoft became aware of the flaw..."

    http://www.networkworld.com/article...ying-in-ukraine-conflict.html#tk.rss_security
     
    Last edited: Apr 12, 2017
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No great surprise.

As I posted in reply #3 link, .hta files have been used in the past to bypass Applocker. They have also been employed in ransomware attacks. Malware like Kovter has used it. Another great malware example is a malicious .hta embedded in a Windows help file:
    https://www.secureworks.com/blog/tales-from-the-trenches-remote-access-tools

Simply put, mshta.exe can run the same .html code that browsers use. The problem is that the restrictions that browsers employ to restrict .html code don't apply to mshta.exe.
Mshta.exe, using a script, can for example run previously downloaded or any existing program using a shell as shown in the other link posted in reply #3 and above.

So how do you stop .hta based malware? Block any script execution from it using a HIPS or anti-exec. -EDIT- If you don't use a HIPS or anti-exec, do what Sophos recommends in this article: https://nakedsecurity.sophos.com/20...the-rise-of-malicious-javascript-attachments/ for JavaScript attachments. Change the .hta file association to open with notepad.exe instead of mshta.exe.
     
    Last edited: Apr 12, 2017
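The file-association change recommended in the post above, written out as an added PowerShell example (this is not code from the thread or from Sophos). It reads the handler that Windows runs for .hta files from the htafile class registration, reports whether it still points at mshta.exe, and offers a function that repoints it at notepad.exe after saving a copy of the original command. It assumes a Windows host and an elevated session for the write; the backup file name and the function names are my own.

```powershell
# Added example: audit and (optionally) change the .hta file association.
# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes;
# writing through it with an elevated session updates the machine-wide entry.
$HtaCommandKey = 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command'

function Get-HtaHandler {
    # Command line Windows runs when a user double-clicks a .hta file.
    (Get-ItemProperty -Path $HtaCommandKey).'(default)'
}

function Test-HtaHandlerIsMshta {
    param([string]$Command = (Get-HtaHandler))
    # True while the handler still launches mshta.exe (the Windows default).
    return [bool]($Command -match '(?i)mshta\.exe')
}

function Set-HtaHandlerToNotepad {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $notepad    = Join-Path $env:SystemRoot 'System32\notepad.exe'
    $newCommand = "`"$notepad`" `"%1`""
    if ($PSCmdlet.ShouldProcess($HtaCommandKey, "set default value to $newCommand")) {
        # Keep the original command so the change can be reverted (path is an assumption).
        $backup = Join-Path $env:TEMP 'htafile-open-command.bak'
        Get-HtaHandler | Set-Content -Path $backup
        Set-ItemProperty -Path $HtaCommandKey -Name '(default)' -Value $newCommand
        Write-Host "Original handler saved to $backup"
    }
}

$current = Get-HtaHandler
if (Test-HtaHandlerIsMshta -Command $current) {
    Write-Warning ".hta files currently open with: $current"
    Set-HtaHandlerToNotepad -WhatIf   # drop -WhatIf to apply the change
} else {
    Write-Host ".hta handler is no longer mshta.exe: $current"
}
```

Run it once with -WhatIf to see what would change, then without it from an elevated prompt. This only affects double-click and ShellExecute launches of .hta files; a process that calls mshta.exe directly by path is unaffected, which is why the post pairs it with HIPS or anti-exec monitoring of mshta.exe itself.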
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
A few good examples of .hta and Word OLE malware creation using the Empire hack tool here: https://enigma0x3.net/2016/03/15/phishing-with-empire/.

    In this instance the malicious .hta file is not used in a Word doc but is loaded on a hosting web site. If you weren't tech smart enough to notice the .hta extension on the download, you would be nailed.

    The Word OLE example uses a .bat script malware disguised as a .xls icon.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This is a Microsoft screw-up that "keeps on giving."

    As noted below, not only were Office products affected but also Wordpad and God knows what else. Additionally by combining the existing exploits, it was possible to bypass Protected View mode.

    Now for the "grand finale." There is an issue with the April cumulative Win Update: https://www.askwoody.com/2017/born-...moval-tool-update-kb-890830-causing-problems/ where the MSRT update is aborting causing all other updates not to install. So best you check that all Win Updates were successfully installed. I know I have a corrupted Win app that's aborting causing boot slow downs that I will have to repair.

    I propose that we no longer use the acronym MS to refer to Microsoft, but instead use ***.:mad:
    https://www.bleepingcomputer.com/ne...r-espionage-and-mundane-malware-distribution/

-EDIT- I just noticed something in the bleepingcomputer.com article posted above that I underlined.

    If indeed the wording "powershell commands" is correct, then blocking related script execution from mshta.exe would not stop this malware. Hopefully, running Powershell in "Constrained Mode" would but that remains to be validated.

    -EDIT2- Whew. All you can do from a .hta file is invoke powershell.exe. Example here:
    https://www.pentestgeek.com/phishing/phishing-frenzy-hta-powershell-attacks-with-beef

    On the other hand, the .hta could use a js/ws script to start a downloaded .Net program which in turn could call Powershell assemblies directly. This is where "Constrained Language" mode would save your butt.
     
    Last edited by a moderator: Apr 13, 2017
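The process chain described in the post above (Word loads an .hta, mshta.exe then starts powershell.exe or a script host) is something a defender can look for in process-creation telemetry. Below is an added PowerShell example, not code from the thread, that applies two detection rules to a set of constructed sample records: mshta.exe spawning a script interpreter, and an Office application spawning mshta.exe. The record layout (Time, Parent, Image, CommandLine) and the sample paths are my own assumptions; on a real host the same fields come from Security event 4688 or Sysmon event 1.

```powershell
# Added example: flag mshta.exe lineage in process-creation records.
# $SampleEvents is constructed for the example and does not come from a real host.
$SampleEvents = @(
    [pscustomobject]@{ Time='2017-04-12T10:01:05'; Parent='C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
                       Image='C:\Windows\System32\mshta.exe'
                       CommandLine='mshta.exe C:\Users\alice\AppData\Local\Temp\template.hta' }
    [pscustomobject]@{ Time='2017-04-12T10:01:06'; Parent='C:\Windows\System32\mshta.exe'
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine='powershell.exe -NoProfile -WindowStyle Hidden -Command "<payload omitted>"' }
    [pscustomobject]@{ Time='2017-04-12T10:01:06'; Parent='C:\Windows\System32\mshta.exe'
                       Image='C:\Windows\System32\wscript.exe'
                       CommandLine='wscript.exe //B C:\Users\alice\AppData\Local\Temp\x.js' }
    [pscustomobject]@{ Time='2017-04-12T10:02:00'; Parent='C:\Windows\explorer.exe'
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine='powershell.exe Get-HotFix' }   # benign: user-launched console
)

# Children of mshta.exe that indicate a second-stage script or loader.
$ScriptHosts = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','rundll32.exe','regsvr32.exe'
# Parents that should never need an HTML Application.
$OfficeApps  = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe','wordpad.exe'

function Find-MshtaAbuse {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.Parent).ToLower()
        $image  = [IO.Path]::GetFileName($e.Image).ToLower()
        if ($parent -eq 'mshta.exe' -and $ScriptHosts -contains $image) {
            [pscustomobject]@{ Severity='high';   Rule='mshta.exe spawned script host'
                               Time=$e.Time; Parent=$parent; Child=$image; CommandLine=$e.CommandLine }
        }
        elseif ($OfficeApps -contains $parent -and $image -eq 'mshta.exe') {
            [pscustomobject]@{ Severity='medium'; Rule='Office application spawned mshta.exe'
                               Time=$e.Time; Parent=$parent; Child=$image; CommandLine=$e.CommandLine }
        }
    }
}

# Three of the four sample records match; the explorer.exe -> powershell.exe one does not.
Find-MshtaAbuse -Events $SampleEvents | Format-Table -AutoSize
```

The second rule is the earlier signal: it fires on the Word-to-mshta hop before any script host starts, so it also catches the case the post worries about where the .hta goes straight to a .NET loader instead of powershell.exe. Expect some noise from legitimate installers that use mshta.exe, which is why the Office-parent condition is kept separate from the generic script-host rule.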
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    *** in action:
    https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/
     
    Last edited by a moderator: Apr 13, 2017
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Trying to keep up with all these updates wow. So bottom line, the MS patches that were rolled out this week do NOT contain a fix for the zero day exploits?
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No. The patches were in the April Win cumulative update. So apply those if not already done so.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Ok so if I am fully patched, we are good to go or not?
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As long as you have verified all Win updates for April were installed. I posted above, the MSRT update is abending and on some installations blocked the other updates from installing. It abended on my PC but it appears all other updates installed OK on my PC.

    A ******* MS mess as usual.
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Gotcha. Will have to verify for both home and my end users at work. Thank you.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://arstechnica.com/security/20...-blocking-in-the-wild-attacks-is-eerily-good/
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    http://thehackernews.com/2017/04/microsoft-word-zero-day.html
    Has anyone seen a sample of the email?

    What happens if I don't open the malicious Word file attachment?

    https://www.bleepingcomputer.com/news/security/attacks-detected-with-new-microsoft-office-zero-day/
    http://www.zdnet.com/article/hacker...-new-microsoft-office-zero-day-vulnerability/
    A bit of contradiction here...

    ----
    rich
     
    Last edited: May 10, 2017
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Good luck on this. Publicly available malware samples don't include .doc files. Originator sources never release them due to privacy issues.
The .doc file had an embedded OLE link within the doc itself. What I never fully understood about this particular attack instance was Word Trust Center settings for ActiveX by default will alert about an active content execution as noted here: https://support.office.com/en-us/ar...ur-files-b7ff2e8a-4055-47d4-8c7d-541e19f62bea. Of course, the alert could be overridden by the user or the ActiveX default setting overridden if not specifically prohibited via GP/SRP.

    This article goes into ActiveX/active content security settings in detail: https://technet.microsoft.com/en-us/library/cc179076.aspx with doc. Trust status being the primary security conditioning factor.
     
    Last edited: May 10, 2017
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is why I pointed out the contradiction in the writeups, whether all versions or just current versions are affected.

I use Word 95 (aka Word 7) which uses the Word Basic programming language, not Visual Basic. Whether or not the OLE links in this attack would work -- probably so, but would await testing to be sure.

    Also, I ask about the email, since sometimes an embedded object in the email itself can be triggered by a HTML email program. Nothing is said about this, nonetheless, it is always informative to view these emails. That would have no effect here, since I use a text based email program.

    I was just curious as to how the rest of this attack would work here. The Word document acts as a downloader to bring in an HTA file (disguised as RTF) to do the dirty work. The code in that file has three components that would fail here.

    One, it calls wscript.exe, which I do not use, so is disabled.

    wscript.jpg

Two, the code closes the running process of Winword and calls up another instance of Winword to trick the user. The hard coded path is the default path to the shortcut to Winword.exe. That would fail here, since my copy of Winword is not installed in the default location, and there is no shortcut on the Start Menu:

    winword.jpg

    (It's always been common practice in my circle of security-minded friends to not install MSOffice in the default location - on another partition, ideally.)

    Third, the HTA code calls powershell, which is not installed on my computer.

    Let me know if you come across a copy of one of the emails.

    ----
    rich
     
    Last edited: May 10, 2017
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I uninstalled PowerShell 2.0 on my Win 10 1607 build via Control Panel -> Windows Features uninstall. Noticed afterwards that like an IE11 uninstall, PowerShell 2.0 directories were still in place.

    Recently I updated my NVidia graphics card drivers. They also use the Vulcan software. Got an alert from my Eset HIPS rule monitoring Powershell 2.0 execution that the Vulcan uninstaller wanted to run Powershell 2.0.o_O

Bottom line - nothing in Win 10 that is Microsoft related is actually uninstalled. Rather it appears to be in some disabled state but can be directly executed as shown. I haven't tried to physically remove the PowerShell 2.0 directories but that would leave related registry entries in place. Guess I could use Revo Uninstaller Pro but not worth the effort since I directly monitor PowerShell 2.0 use. Also as noted, some legit software does use Powershell 2.0.
     
    Last edited: May 10, 2017
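The post above monitors PowerShell 2.0 use with a HIPS rule; the same thing can be checked from PowerShell itself. This is an added example, not code from the thread: it reports the state of the two Windows optional features that make up the 2.0 engine, shows the language mode of the current session (the "Constrained Language" mode mentioned earlier in the thread, which a 2.0 engine does not enforce), and scans "Windows PowerShell" log event 400 messages for EngineVersion=2.0, the line a 2.0 engine writes when it starts. The two sample messages are constructed; the live Get-WinEvent call at the end needs a Windows host. Function names are my own.

```powershell
# Added example: find whether the PowerShell 2.0 engine is enabled and whether it has been used.

function Get-PowerShellV2State {
    # Optional-feature names for the v2 engine on Windows 10 / Server 2016.
    foreach ($n in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        [pscustomobject]@{ Feature = $n; State = if ($f) { $f.State } else { 'NotPresent' } }
    }
}

function Get-SessionLanguageMode {
    # FullLanguage or ConstrainedLanguage for this session; a v2 engine started with
    # "-Version 2" ignores the lockdown policy, which is why v2 presence matters.
    $ExecutionContext.SessionState.LanguageMode.ToString()
}

function Find-V2EngineStarts {
    # Takes the Message text of event 400 records and returns those written by a 2.0 engine.
    param([Parameter(Mandatory)][string[]]$Messages)
    foreach ($m in $Messages) {
        if ($m -match '(?m)^\s*EngineVersion=2\.0\s*$') {
            $hostName = if ($m -match '(?m)^\s*HostName=(.+)$') { $Matches[1].Trim() } else { 'unknown' }
            [pscustomobject]@{ EngineVersion = '2.0'; HostName = $hostName }
        }
    }
}

# Constructed sample messages in the layout event 400 uses (Details block with key=value lines).
$SampleMessages = @(
@"
Engine state is changed from None to Available.

Details:
	NewEngineState=Available
	PreviousEngineState=None
	HostName=ConsoleHost
	HostVersion=2.0
	EngineVersion=2.0
"@,
@"
Engine state is changed from None to Available.

Details:
	NewEngineState=Available
	PreviousEngineState=None
	HostName=ConsoleHost
	HostVersion=5.1.14393.0
	EngineVersion=5.1.14393.0
"@
)

Get-PowerShellV2State | Format-Table -AutoSize
"Current session language mode: $(Get-SessionLanguageMode)"
# Only the first sample message matches.
Find-V2EngineStarts -Messages $SampleMessages | Format-Table -AutoSize

# Same scan against the live log (last 500 engine-start events, if the log is readable).
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 500 -ErrorAction SilentlyContinue
if ($live) { Find-V2EngineStarts -Messages ($live | Select-Object -ExpandProperty Message) }
```

A feature state of Disabled with event 400 records still showing EngineVersion=2.0 is the situation the post describes: the engine files remain on disk and something launched them anyway. Disabling the feature is still worthwhile because it removes the normal "-Version 2" path, but the event-log check is what tells you whether the downgrade is actually happening on a given machine.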