MS Office exploits grow fourfold

Read time 3min 10sec
Exploits remain popular with cyber criminals.
Exploits remain popular with cyber criminals.

Exploits for Microsoft Office in-the-wild in Q1 2018 rose more than four times compared with the same period in 2017. In three months, MS Office's share of exploits used in attacks grew to almost 50%.

This was one of the findings from Kaspersky Lab's Q1 IT threat evolution report.

According to the company, attacks based on exploits are very powerful, as they do not require any additional interactions with the user and can deliver their dangerous code discreetly. They are widely used by cyber criminals looking for profit, as well as by sophisticated nation-backed state actors.

The surge in these exploits is likely to be the peak of a longer trend, as at least ten in-the-wild exploits for Microsoft Office software were identified in 2017-2018, compared to two zero-day exploits for Adobe Flash player used in-the-wild during the same time period.

Kaspersky Lab says once hackers discover a vulnerability, they prepare a ready-to-go exploit. "They then frequently use spear phishing as the infection vector, compromising users and companies through e-mails with malicious attachments. Moreover, such spear-phishing attack vectors are usually discreet and are actively used in sophisticated targeted attacks."

Adobe Flash

Late last year, Kaspersky Lab's advanced exploit prevention systems discovered a new Adobe Flash zero-day exploit used in-the-wild against its customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. Analysis of the payload enabled researchers to link this attack to a sophisticated actor known as BlackOasis.

At the same time, the company's researchers published a detailed analysis of ?VE-2017-11826, a critical zero-day vulnerability used to launch targeted attacks in all versions of Microsoft Office. The exploit for this vulnerability is an RTF document containing a DOCX document that exploits ?VE-2017-11826 in the Office Open XML parser.

Patch management

Alexander Liskin, security expert at Kaspersky Lab, says the threat landscape in the first quarter again highlighted the fact that a lack of attention to patch management is one of the most significant cyber-threats.

"While vendors usually issue patches for the vulnerabilities, users often can't update their products in time, which results in waves of discreet and highly effective attacks once the vulnerabilities have been exposed to the broad cyber-criminal community," he adds.

The figures

Some other interesting statistics from the Q1, 2018 report include that Kaspersky solutions detected and repelled 796 806 112 malicious attacks from online resources located in 194 countries around the world.

In addition, 282 807 433 unique URLs were recognised as malicious by Web antivirus components, and attempted infections by malware aimed at stealing money via online access to bank accounts were registered on 204 448 user computers.

The company's antivirus detected a total of 187 597 494 unique malicious and potentially unwanted objects, and its mobile security solutions detected 1 322 578 malicious installation packages, and 18 912 mobile banking Trojans.

To reduce the risk of infection, Kaspersky Lab advises to keep the software installed on all machines up to date, and enable the auto-update feature if it is available. In addition, the company says to regularly run a system scan to check for possible infections and ensure that all software is kept up to date.

See also