Word vulnerability used for targeted attacks in Taiwan

A recently patched Word vulnerability is being used in at least three targeted attacks in Taiwan


On Monday, researchers at Trend Micro said a vulnerability in Microsoft Word (CVE-2014-1761), disclosed in March and patched during April's monthly update, is being used as part of a series of targeted attacks in Taiwan.

In one attack, an email (allegedly from a government employee) is sent to a victim with a malicious attachment.

The attachment uses a document name pertaining to a national poll in order to look legitimate, and once accessed, attempts to infect the system with malware by leveraging a number of vulnerabilities – including the recently patched Word flaw. The same attack vector has also been used at an educational institute.

"We have determined that these two attacks have ties to the Taidoor – a campaign that has been active since 2009 – through the similar network traffic structure. The attacks described above have the same characteristics as previous runs in terms of target, social engineering lure, as well as techniques used," Trend Micro explained in a blog post.

Another attack leveraging the Word flaw targeted a mailing service in Taiwan, only this time the attachment is masked as a list of new books from a publishing house.

If the attack succeeds, the malware delivered in these attacks, the PlugX remote access tool (RAT), gives the attacker total control over the infected system.

"PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system," the post added.

Additional details about the Taidoor campaign can be viewed here.

The takeaway lesson in this case centers on patch management and awareness training. Keeping systems updated will help stop targeted attacks that rely on fixed vulnerabilities. Likewise, training users to spot suspicious emails – while easier said than done – will also help keep the success rate for attacks like this to a minimum.
