Andrea Danti - Fotolia
Microsoft Office flaw CVE-2015-2545 continues to be exploited by APT groups, despite having been patched recently. Kaspersky Lab researchers reported that targets are mainly government and diplomatic organizations in Asia and recent attacks began with spear-phishing emails. How are these APT groups exploiting this flaw after it's been patched? What actions can enterprises take to prevent these attacks on the Microsoft Office flaw?
APT groups are known to only use zero-day vulnerabilities as necessary and to use whatever exploit necessary to achieve their mission. They usually start with social engineering, such as using a phishing attack to get a victim to open a malicious email attachment. Enterprises and smaller organizations have the responsibility of keeping their systems secure, which requires constant patching of all of the software on their computers. Companies that have difficulties keeping up to date with patching become easier targets for APT attacks.
The APT groups reported by Kaspersky Lab's Global Research & Analysis Team have been conducting targeted phishing attacks against organizations in several regions around Asia with malicious Word docs, exploiting a vulnerability in MS15-099, which has a patch. These APT groups are not bypassing the patch or exploiting an unpatched aspect from the vulnerability -- the patch has just not been installed. Until the patch is installed, attackers will continue to use their successful attack methods until a new vulnerability or zero-day is necessary for an attack.
An enterprise can prevent attackers from using the Microsoft Office flaw by ensuring it has comprehensive patching and vulnerability management practices in place. Small organizations lacking resources to patch regularly or looking to add an additional defense-in-depth step could use a host-based intrusion prevention system or firewall. The tool could manage outgoing connections from an endpoint so that when an exploit is run or malicious file opened, it can't be used to steal data or connect to a command-and-control system.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how to protect your enterprise against APT attack methods
Learn how APT groups exploited the Windows hot patching feature
Read about how the public cloud is being abused by APT groups
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Nick Lewis
IBM banned removable storage devices to encourage employees to use the company's internal file-sharing system. Learn how a ban like this can improve ... Continue Reading
After a comeback of the Russian-built VPNFilter botnet, home network devices are at risk. Learn how this malware targets victims with expert Nick ... Continue Reading
The TrickBot banking Trojan joined forces with IcedID to form a dual threat that targets victims for money. Discover how this union occurred and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.