
How can APT groups be stopped from exploiting a Microsoft Office flaw?

APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks work and how to prevent them.

Microsoft Office flaw CVE-2015-2545 continues to be exploited by APT groups, despite having been patched recently. Kaspersky Lab researchers reported that targets are mainly government and diplomatic organizations in Asia and recent attacks began with spear-phishing emails. How are these APT groups exploiting this flaw after it's been patched? What actions can enterprises take to prevent these attacks on the Microsoft Office flaw?

APT groups spend zero-day vulnerabilities only when they have to and otherwise use whatever exploit gets the job done. They usually start with social engineering, most often a spear-phishing email that persuades a victim to open a malicious attachment. Enterprises and smaller organizations alike are responsible for keeping their systems secure, which means constantly patching all of the software on their computers; companies that fall behind on patching become easier targets for APT attacks.

The campaigns reported by Kaspersky Lab's Global Research & Analysis Team are spear-phishing attacks against organizations in several parts of Asia, carrying Word documents that exploit CVE-2015-2545, a flaw in how Office parses embedded Encapsulated PostScript (EPS) images, which Microsoft fixed in security bulletin MS15-099 in September 2015. These groups are not bypassing the patch or exploiting a variant the fix missed; the patch simply has not been installed on the targeted machines. As long as unpatched hosts remain, attackers will keep using an exploit that works and will only spend a new vulnerability or zero-day when they have to.
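Because CVE-2015-2545 is triggered by a malformed EPS image embedded in an Office document, a cheap triage step at the mail gateway or on an endpoint is to flag Office Open XML files that carry an EPS part at all. The script below is an added example, not code from the article or from Kaspersky Lab; it constructs a minimal .docx container in memory (the sample document, the part names and the content-type string "image/x-eps" are assumptions for the demonstration) and checks three independent signals for each part: the file extension, the content type declared in [Content_Types].xml, and the first bytes of the part, so a renamed, undeclared EPS is still caught. It covers only the zip-based OOXML formats, not legacy binary .doc files, and an EPS hit means "sandbox or quarantine this", not "this is an exploit".

```python
"""Flag Office Open XML documents that embed EPS parts (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content types Office may declare for an embedded EPS image (assumed set).
EPS_CONTENT_TYPES = {"application/postscript", "image/x-eps"}
EPS_EXTENSIONS = ("eps", "epsf", "ps")
# An EPS part starts with an ASCII "%!PS-Adobe" header or, for the DOS
# binary EPS wrapper, with the magic bytes C5 D0 D3 C6.
EPS_MAGIC = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")


def _declared_eps(zf: zipfile.ZipFile) -> tuple:
    """Extensions and part names that [Content_Types].xml maps to an EPS type."""
    exts, parts = set(), set()
    if "[Content_Types].xml" not in zf.namelist():
        return exts, parts
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except ET.ParseError:
        return exts, parts
    for el in root.iter(CT_NS + "Default"):
        if el.get("ContentType", "").lower() in EPS_CONTENT_TYPES:
            exts.add(el.get("Extension", "").lower())
    for el in root.iter(CT_NS + "Override"):
        if el.get("ContentType", "").lower() in EPS_CONTENT_TYPES:
            parts.add(el.get("PartName", "").lstrip("/").lower())
    return exts, parts


def find_eps_parts(data: bytes) -> list:
    """Return the names of parts in an OOXML container that look like EPS."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip-based Office file (legacy .doc is OLE, not handled here)
    hits = []
    with zf:
        decl_exts, decl_parts = _declared_eps(zf)
        for name in zf.namelist():
            if name.endswith("/") or name == "[Content_Types].xml":
                continue
            lower = name.lower()
            ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
            by_ext = ext in EPS_EXTENSIONS or ext in decl_exts
            by_ct = lower in decl_parts
            head = zf.read(name)[:16]
            by_magic = any(head.startswith(m) for m in EPS_MAGIC)
            if by_ext or by_ct or by_magic:
                hits.append(name)
    return hits


def build_sample_docx(eps_part: Optional[str], declare: bool = True) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word export).

    eps_part: path of an EPS part to embed, or None for a clean document.
    declare:  whether [Content_Types].xml admits the part as an EPS type.
    """
    ct = ['<?xml version="1.0" encoding="UTF-8"?>',
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
          '<Default Extension="xml" ContentType="application/xml"/>']
    if eps_part and declare:
        ct.append('<Override PartName="/%s" ContentType="image/x-eps"/>' % eps_part)
    ct.append('<Override PartName="/word/document.xml" '
              'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if eps_part:
            # Harmless placeholder EPS body; only the header matters for triage.
            zf.writestr(eps_part, "%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean.docx": build_sample_docx(None),
        "embedded_eps.docx": build_sample_docx("word/media/image1.eps"),
        "renamed_eps.docx": build_sample_docx("word/media/image1.bin", declare=False),
    }
    for fname, blob in samples.items():
        print(fname, "->", find_eps_parts(blob) or "no EPS parts")
```

Run against a real mailbox export or a quarantine directory by reading each file's bytes into find_eps_parts; anything it returns should be detonated in a sandbox or held until the host is confirmed patched.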

An enterprise can prevent exploitation of this Office flaw by making sure comprehensive patching and vulnerability management practices are in place, and by verifying rather than assuming that the MS15-099 update is actually installed on every host running Office. Smaller organizations that lack the resources to patch promptly, or that want an additional defense-in-depth layer, can use a host-based intrusion prevention system or host firewall to control outbound connections from endpoints: with outbound traffic denied by default and only approved programs allowed out, a payload dropped by a malicious document cannot reach its command-and-control server or exfiltrate data even if the exploit itself succeeds.


This was last published in October 2016
