CVE-2017-8759: A new Zero-Day Used to Distribute FINSPY

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.
The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

One of the flaw have been already been used in wild

Windows .NET Framework RCE (CVE-2017-8759)

Researchers at FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Researchers analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.

This vulnerability resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

This vulnerability can be exploited as:

This zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once infected, FinSpy can perform a large number of secret tasks on victims computer, including secretly monitoring computers by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

There are 3 more publicly disclosed vulnerabilities affecting Windows 10:
  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

There are more vulnerabilities that are patched like BlueBorne. So the best thing to protect is to update as soon as possible.

 

Advertisements

Author: Cognore

Cyber Security Solution

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s