Andrea Danti - Fotolia
Microsoft Office flaw CVE-2015-2545 continues to be exploited by APT groups, despite having been patched recently. Kaspersky Lab researchers reported that targets are mainly government and diplomatic organizations in Asia and recent attacks began with spear-phishing emails. How are these APT groups exploiting this flaw after it's been patched? What actions can enterprises take to prevent these attacks on the Microsoft Office flaw?
APT groups are known to only use zero-day vulnerabilities as necessary and to use whatever exploit necessary to achieve their mission. They usually start with social engineering, such as using a phishing attack to get a victim to open a malicious email attachment. Enterprises and smaller organizations have the responsibility of keeping their systems secure, which requires constant patching of all of the software on their computers. Companies that have difficulties keeping up to date with patching become easier targets for APT attacks.
The APT groups reported by Kaspersky Lab's Global Research & Analysis Team have been conducting targeted phishing attacks against organizations in several regions around Asia with malicious Word docs, exploiting a vulnerability in MS15-099, which has a patch. These APT groups are not bypassing the patch or exploiting an unpatched aspect from the vulnerability -- the patch has just not been installed. Until the patch is installed, attackers will continue to use their successful attack methods until a new vulnerability or zero-day is necessary for an attack.
An enterprise can prevent attackers from using the Microsoft Office flaw by ensuring it has comprehensive patching and vulnerability management practices in place. Small organizations lacking resources to patch regularly or looking to add an additional defense-in-depth step could use a host-based intrusion prevention system or firewall. The tool could manage outgoing connections from an endpoint so that when an exploit is run or malicious file opened, it can't be used to steal data or connect to a command-and-control system.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how to protect your enterprise against APT attack methods
Learn how APT groups exploited the Windows hot patching feature
Read about how the public cloud is being abused by APT groups
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Nick Lewis
Sophos researchers believe the SamSam ransomware campaign could be the work of one or a few threat actors using manual techniques. Learn how it works... Continue Reading
The hacking group Magecart was recently found to have run a card skimming campaign that put customer information at risk. Learn how this attack ... Continue Reading
A new version of GandCrab was discovered by researchers in July 2018 and involves the use of legacy systems. Learn how this version differs and who ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.