Microsoft Office flaw CVE-2015-2545 continues to be exploited by APT groups, despite having been patched recently.
Kaspersky Lab researchers reported that targets are mainly government and diplomatic organizations in Asia and recent attacks began with spear-phishing emails. How are these APT groups exploiting this flaw after it's been patched? What actions can enterprises take to prevent these attacks on the Microsoft Office flaw?
APT groups are known to use zero-day vulnerabilities only when necessary and to use whatever exploit is needed to achieve their mission. They usually start with social engineering, such as a phishing attack that gets a victim to open a malicious email attachment. Enterprises and smaller organizations have the responsibility of keeping their systems secure, which requires constant patching of all of the software on their computers. Companies that have difficulty keeping up to date with patching become easier targets for APT attacks.
The APT groups reported by Kaspersky Lab's Global Research & Analysis Team have been conducting targeted phishing attacks against organizations in several regions around Asia with malicious Word documents, exploiting a vulnerability addressed by security bulletin MS15-099, for which a patch is available. These APT groups are not bypassing the patch or exploiting an unpatched aspect of the vulnerability; the patch has simply not been installed. Until it is installed, attackers will keep using this proven attack method, moving to a new vulnerability or zero-day only when they have to.
An enterprise can prevent attackers from using the Microsoft Office flaw by ensuring it has comprehensive patching and vulnerability management practices in place. Small organizations lacking the resources to patch regularly, or looking to add a defense-in-depth step, could use a host-based intrusion prevention system or firewall. Such a tool can control outgoing connections from an endpoint so that when an exploit runs or a malicious file is opened, it cannot be used to steal data or connect to a command-and-control system.
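The two controls described above (verifying the MS15-099 update is installed, and restricting Word's outbound connections with the host firewall) as an added PowerShell example; this is not code from the original article or from Kaspersky Lab. It assumes a default Office install path and uses a placeholder for the KB number, since MS15-099 maps to a different KB for each Office version.

```powershell
# Added example, not part of the original Q&A. Assumptions: $RequiredKb is a
# placeholder for the MS15-099 KB number that applies to your Office version
# (look it up in the bulletin); $WordPath is the default install location.
$RequiredKb = 'KBnnnnnnn'                                   # placeholder, not a real KB
$WordPath   = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'   # assumed

# 1. Check Windows Update history for a successful install of the update.
#    Office updates do not appear in Get-HotFix, so query the update agent instead.
#    ResultCode 2 means "Succeeded".
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$hit = $searcher.QueryHistory(0, $total) |
       Where-Object { $_.Title -match $RequiredKb -and $_.ResultCode -eq 2 } |
       Select-Object -First 1
if ($hit) {
    Write-Output "$RequiredKb installed on $($hit.Date); host is patched for CVE-2015-2545."
} else {
    Write-Warning "$RequiredKb not found in update history; host remains exposed to CVE-2015-2545."
}

# 2. Defense in depth: block outbound connections from WINWORD.EXE so a payload
#    running inside Word after a malicious document is opened cannot reach a
#    command-and-control server. This also blocks legitimate Word network use
#    (online templates, cloud saves), so pilot it before broad rollout, and note
#    it does not cover a payload that spawns a separate process.
$RuleName = 'Block outbound from Word (CVE-2015-2545 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound `
        -Program $WordPath `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
    Write-Output "Created firewall rule '$RuleName'."
} else {
    Write-Output "Firewall rule '$RuleName' already exists."
}
```

Run from an elevated PowerShell session; the firewall rule creation requires administrator rights.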