FireEye, Inc. (NASDAQ: FEYE) announced that its analysts have identified three new "zero-day" vulnerabilities in Microsoft Office products. These three vulnerabilities, exploited in the wild at the end of March 2017, were patched by Microsoft on May 9.
FireEye has detected several examples of malicious documents exploiting CVE-2017-0261 and CVE-2017-0262, both present in the handling of EPS (Encapsulated PostScript). FireEye has also discovered malicious documents using a combination of vulnerabilities, including CVE-2017-0262 together with an escalation of privilege (EoP) exploiting CVE-2017-0263.
These three vulnerabilities have been used by the Russian threat actors Turla Group and APT28.
FireEye has coordinated with the Microsoft Security Response Center (MSRC) for responsible disclosure of this information.
The CVE-2017-0261 flaw allows an attacker to run a malicious program on a victim's computer when a Microsoft Office file is opened. This vulnerability has been used by the Turla group, a Russian cyber-espionage specialist, but also by a financially motivated actor.
The other two vulnerabilities (CVE-2017-0262 and CVE-2017-0263) have been used by the APT28 group to target diplomatic and defence entities in Europe.
These events lead FireEye analysts to put forward two important conclusions:
Cyber espionage is a dynamic and well-resourced threat
The use of zero-day exploits by Turla Group and APT28 highlights their ability to use costly and technically sophisticated methods when necessary. Russian cyber-espionage actors use zero-day exploits in addition to less complex techniques. Although these actors have relied on credential phishing and macros to carry out operations in the past, the use of these more sophisticated methods demonstrates significant capabilities. In fact, using less technically sophisticated methods when they are sufficient reflects operational maturity and planning, reserving costly exploits for when they are required.
A dynamic threat ecosystem
The use of CVE-2017-0261 by multiple actors is further proof that cyber espionage and criminal activities are evolving in a shared ecosystem. Nation-state-sponsored actors, such as those that exploited CVE-2017-0199 to distribute FINSPY, often rely on the same sources for their exploits as criminally motivated actors. This shared ecosystem creates a proliferation problem for targets affected by either of these threats.
CVE-2017-0261 has been used as a zero day by both nation-state-sponsored actors and cyber criminals, and FireEye believes that both actors obtained the vulnerability from the same source. Following CVE-2017-0199, this is the second major vulnerability in two months to have been used for both cyber espionage and criminal activities.
About FireEye:
FireEye is the intelligence-led network security specialist. Operating as a seamless, scalable extension of customer security operations, FireEye offers a single platform that combines innovative security technologies, government-grade threat intelligence, and the world-renowned Mandiant consulting services. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to anticipate, prevent and respond to cyber attacks. FireEye has over 5,600 customers in 67 countries, including over 40% of the companies listed in the Forbes Global 2000.