Office bugs on the rise

Presented at VB2018, Oct. 5, 2018, 11:30 a.m. (30 minutes).

It has never been easier to attack *Office* vulnerabilities than nowadays. *Office* exploits have always been high-value assets for criminal groups because *Microsoft Office* documents are very efficient in delivering their malicious content - users tend to open them without a second thought. The presentation will look deeper into the dramatic changes that have happened in the past 12 months in the *Office* exploit scene - a scene that looked stale in the past couple of years, with about one or two new vulnerabilities appearing every year that made their way to the commercial exploit builders. There has always been a hunger for new exploitable *Office* vulnerabilities in cybercrime, but the most important builders supported exploits that had been fixed for a couple of years already. That hurt the efficiency of the malware delivery process. 2017 brought a drastic change in many respects. The number of widely used exploits multiplied compared to the previous five years. More importantly, these exploits turned out to be much simpler. The previous major vulnerabilities were complex memory corruption vulnerabilities, and working with them required deep knowledge of document file formats and an advanced understanding of the concepts of exploitation. The new vulnerabilities of last year are much simpler logic bugs (CVE-2017-0199, CVE-2017-8759) or very simple classic stack overflows (CVE-2017-11882, CVE-2018-0802) - easier to understand and more robust to detection evasion tweaking. It is no longer the privilege of skilled hackers to create builders for these exploits - average programming skills are now sufficient. As a result, we have seen a lot of these builders showing up on *GitHub*, free for the taking. This fact triggered a decline in the usage of the commercial exploit builders: their usual customers switched to the free offerings.
The presentation will look at this transition, and at the efforts of the commercial exploit builder developers to keep up with the changing trends. The easy availability of these builders enabled many cybercrime actors to use the exploits with little-to-no investment, resulting in the multiplied number of *Office* exploit-related attacks in the past 12 months. The life cycle of an *Office* exploit starts with initial zero-day targeted attacks, then at some point a few well-resourced cybercrime groups start using it. Later, the exploit ends up in builders, which leads to an explosion of use by many groups hitting the general user population. This cycle can usually take a few months, as we have seen this process happening with many exploits in the past few years. However, last year, driven by the great demand for fresh *Office* exploits, this cycle was pushed down to weeks. The presentation will reconstruct the timeline of one of the hottest *Office* exploits (CVE-2017-0199), which featured the following typical scenarios in its life cycle:

  • Zero-day APT activities
  • Enthusiastic security researchers playing with the exploit
  • APT groups experimenting with bypassing virus scanners
  • The appearance of exploit builders (both commercial and free)
  • The explosion of the usage in cybercrime

Presenters:

  • Gabor Szappanos - Sophos
    Gabor Szappanos graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was in the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants. He started anti-virus work in 1995, and has been developing freeware anti-virus solutions in his spare time. In 2001, he joined VirusBuster, where he was responsible for taking care of macro viruses and script malware. In 2002, he became the head of the VirusBuster virus lab. In 2012, he joined Sophos as a principal malware researcher. Between 2008 and 2016, Gabor was a member of the board of directors of AMTSO (the Anti-Malware Testing Standards Organization). @GaborSzappanos