Microsoft Office flaw CVE-2015-2545 continues to be exploited by APT groups, despite having been patched recently....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Kaspersky Lab researchers reported that targets are mainly government and diplomatic organizations in Asia and recent attacks began with spear-phishing emails. How are these APT groups exploiting this flaw after it's been patched? What actions can enterprises take to prevent these attacks on the Microsoft Office flaw?
APT groups are known to only use zero-day vulnerabilities as necessary and to use whatever exploit necessary to achieve their mission. They usually start with social engineering, such as using a phishing attack to get a victim to open a malicious email attachment. Enterprises and smaller organizations have the responsibility of keeping their systems secure, which requires constant patching of all of the software on their computers. Companies that have difficulties keeping up to date with patching become easier targets for APT attacks.
The APT groups reported by Kaspersky Lab's Global Research & Analysis Team have been conducting targeted phishing attacks against organizations in several regions around Asia with malicious Word docs, exploiting a vulnerability in MS15-099, which has a patch. These APT groups are not bypassing the patch or exploiting an unpatched aspect from the vulnerability -- the patch has just not been installed. Until the patch is installed, attackers will continue to use their successful attack methods until a new vulnerability or zero-day is necessary for an attack.
An enterprise can prevent attackers from using the Microsoft Office flaw by ensuring it has comprehensive patching and vulnerability management practices in place. Small organizations lacking resources to patch regularly or looking to add an additional defense-in-depth step could use a host-based intrusion prevention system or firewall. The tool could manage outgoing connections from an endpoint so that when an exploit is run or malicious file opened, it can't be used to steal data or connect to a command-and-control system.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how to protect your enterprise against APT attack methods
Learn how APT groups exploited the Windows hot patching feature
Read about how the public cloud is being abused by APT groups
Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.