Threat Intelligence

    How Malware From 2007 is Affecting Email Security in 2019

    Recent Mimecast threat intelligence research has highlighted the increased use of the CVE-2017-11882 vulnerability in MS Office 2007.

    by Renatta Siewert

    NIST's entry for the vulnerability, first published in 2017, states, “Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka ‘Microsoft Office Memory Corruption Vulnerability’. This CVE ID is unique from CVE-2017-11884.”

    Threat intelligence data shows this same vulnerability is being exploited relentlessly in every region, a significant uptick compared with normal behavior.

    Every week, cybersecurity threat intelligence efforts uncover complex, dynamic cyber threats and malware that can be difficult for network defenses to keep up with. An increasing variety and volume of attacks via malware is inevitable given the desire of financially – and criminally – motivated actors to obtain personal and confidential information. These threats will be covered in the Mimecast Threat Intelligence report to be released in November.

    While many cyber threats are advanced and multifaceted, others take advantage of dated vulnerabilities.

    Researchers found a wide-ranging malware attack against the chemical and pharmaceutical sector and the government sector in Germany in July; of the 4,574 detections on July 18, 73 percent were Trojans with varying degrees of significant obfuscation, and many attempted to take advantage of this particular vulnerability. In Jersey on July 10, the banking sector was attacked on a larger scale than on any other day, and again the attackers sought to exploit this same vulnerability. The education sector in Australia was also targeted with this exploit from July 18-19.

    “This MS Office 2007 vulnerability was exploited in each of these attacks in Australia, Germany, and Jersey, indicating a renewed focus on attacking Windows machines using malicious invoicing and delivery notes,” said Carl Wearn, head of E-Crime and Cyber Investigation at Mimecast.

    At the same time, researchers believe it’s important to take a step back to understand the business implications behind these malware exploits: Germany is Europe’s largest pharmaceutical market, and the fourth-largest in the world according to Germany Trade and Invest. Banking is key to Jersey’s economy, far outstripping business in any other industry.

    Wearn also noted the Australian education sector was a key target; he believes the data suggests education may be particularly vulnerable given the use of individually owned devices that leverage collaborative networks, creating the potential for the exfiltration of research data or intellectual property, or even an impact on national security if attackers gain access to highly sensitive research.

    These sectors will almost certainly remain an attractive target to criminals who are leveraging malware to attack for monetary gain or for strategic or competitive advantage.

    This vulnerability illustrates the significant dangers of using older, unpatched software within an organization. In this case, ZDNet reported that patches have been available since 2017. However, researchers believe it is likely that a significant number of machines remain unpatched and vulnerable given the extent to which this vulnerability is still being exploited.

    Wearn states this malicious activity can occur during rapidly escalating campaigns over a single day, but can also take the form of far more determined and persistent attacks taking place over several days or even a week.

    Long-term, vulnerabilities in software that is no longer vendor-supported are likely to present an additional, enduring problem due to the expense of upgrading infrastructure, software and licensing. Threat actors do not care what they have to use or exploit to gain access to secured systems or compromise them, and are known to utilize any and all available means via malware or an exploit to do so.
