Emails delivering RTF files equipped with an exploit that requires no user interaction (except for opening the booby-trapped file) are hitting European users’ inboxes, Microsoft researchers have warned. The exploit takes advantage of a vulnerability in an older version of the Office Equation Editor, which was manually patched by Microsoft in November 2017.
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Threat Intelligence (@MsftSecIntel) June 7, 2019
Install updates + don't click on unknown email links: an active #malware email campaign distributes RTF files with CVE-2017-11882 exploit, allowing hackers to automatically run code. https://t.co/YBKHVzEsV8 #cybersecurity #microsoft #malware #databreach #hack #ITnews #ITsec
— SecurityMetrics (@SecurityMetrics) June 10, 2019
Expert Comments:
Roy Rashti, Cybersecurity Expert at Bitdam:
“This exploit is still being observed in attacks because, ultimately, it still works. The reason it still works is that people tend to ignore updates and patches, which makes them vulnerable to N-day exploits.
This is the same reason that WannaCry proliferated so widely (EternalBlue, a patched exploit that worked perfectly on unpatched computers, allowed attackers to spread easily across different networks) and the very same reason that many N-day attacks are still incredibly effective. Furthermore, as this article demonstrates, one of the most exploited vulnerabilities in the wild is one dating back to 2012!
Although this particular attack targets Microsoft Office users, anyone using a Microsoft product should ensure that their security patches are up to date, be very cautious of the source and reliability of the content they consume and implement the best solutions to prevent exposure to this kind of threat.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.