Cybercriminals exploited a well-known Microsoft Office vulnerability (CVE-2017-0199) the most in 2017, according to new research.
The hackers usually used this flaw to spread banking trojans and ransomware, experts say.
Recorded Future released a report Tuesday detailing the top 10 vulnerabilities used by cybercriminals in 2017. Microsoft products made up seven of the 10 vulnerabilities that were exploited the most. In previous years, Adobe Flash exploits instead topped the list.
Private sector cybersecurity researchers originally became aware of the Microsoft Office-related vulnerability around April 2017. The damage was often caused by hackers sending out infected PowerPoint shows through spearphishing emails. PowerPoint is a software program within Microsoft Office.
“Attackers are using the PowerPoint Show (PPSX) format — a slide presentation that starts showing automatically — in order to reduce the chances that the victim sees anything amiss with the slides,” Mark Nunnikhoven, vice president of cloud security at Trend Micro, told DarkReading last year.
In many cases where CVE-2017-0199 was abused, a booby-trapped PowerPoint file triggered a script moniker, which allowed for remote code execution (RCE). The RCE happened through a VPN hosting service, obfuscating the attacker’s true location. The malicious component of the file is downloaded while the slideshow blankets the computer screen, making it difficult to spot. (Trend Micro published a step-by-step technical explanation of how this attack method could be carried out.)
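A defender-side check for the pattern described above, as an added example that is not from the article, Recorded Future or Trend Micro: it scans the relationship parts of an Office Open XML file (PPSX, PPTX, DOCX) for external targets that use the `script:` moniker. The function names, the sample package and the `example.invalid` URL are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # stdlib; prefer defusedxml for untrusted files

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumption: flag only the "script:" moniker the article describes.
SUSPICIOUS_SCHEMES = ("script:",)


def find_external_script_rels(data: bytes):
    """Return (part, rel_id, target) for each external relationship whose
    target starts with a suspicious scheme. Unparseable .rels parts are
    reported too, since a malformed part is itself worth a look."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                hits.append((name, None, "unparseable relationships part"))
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "").strip()
                external = rel.get("TargetMode", "").lower() == "external"
                if external and target.lower().startswith(SUSPICIOUS_SCHEMES):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_sample(target: str, mode: str) -> bytes:
    """Constructed input: a zip holding one slide .rels part, not a real deck."""
    rels = (
        '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="urn:constructed:sample" Target="%s" TargetMode="%s"/>'
        "</Relationships>" % (REL_NS, target, mode)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("script:http://example.invalid/placeholder", "External")
    for part, rel_id, target in find_external_script_rels(sample):
        print(f"{part}: {rel_id} -> {target}")
```

A hit is a triage signal for mail-gateway or endpoint review, not proof of exploitation; patched Office installations are not affected by the flaw itself.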
“This weakness affects a slew of Microsoft Office products and allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document,” the Recorded Future report reads. “It saw heavy adoption for phishing attacks and we noted a link to 11 distinct pieces of malware during 2017.”
In the past, the vulnerability was also exploited using malicious RTF documents — as seen in the DRIDEX banking Trojan, which targeted online banking users. The malware can steal information by giving the attacker control over the targeted systems, including the ability to install programs or even modify existing data.
The PowerPoint vulnerability specifically affects Microsoft Office 2007, 2010, 2013, 2016 and a few versions of Windows Vista, according to prior research by cybersecurity companies like Trend Micro, FireEye and McAfee. Microsoft has already issued a patch for the flaw, but many systems remain vulnerable.
“Some of these systems are end of life supporting, which means without an explicit support agreement with Microsoft a patch is unavailable,” Nunnikhoven told DarkReading. “For other systems, the challenges in patching all systems in a timely manner leave organizations at risk.”