Wave of Exploits Against CVE-2015-2545
Jun 15, 2016
Cyber Actors have historically taken old, unpatched vulnerabilities and used them to drive attack campaigns against entities of interest. The latest wave of attacks against CVE-2015-2545 (Common Vulnerabilities and Exposures) conforms to those same TTPs (Tactics, Techniques, and Procedures). CVE-2015-2545 was released on 09/08/2015 and corrected with Microsoft's update MS15-099. The CVE is a vulnerability in Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 that allows remote attackers to execute arbitrary code via a crafted EPS image, aka the "Microsoft Office Malformed EPS File Vulnerability".
The commonality found in the delivery phase of the attack across each of the Actor sets (APT 16, Platinum, TwoForOne, SPIVY, etc.) was a weaponized document attached to an email. The malicious attachment was a DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated PostScript) object. The targets of these attacks were common as well, all of them being organizations in the high-tech, government services, media, and financial services industries.
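As an added defender-side example (not code from the original post), the following Python script triages a DOCX container for embedded EPS parts by inspecting magic bytes rather than trusting the file extension, since a DOCX is a zip archive and an EPS part can be renamed. The sample documents it scans are constructed inline for offline use.

```python
import io
import zipfile

# EPS magic values: the ASCII DSC header ("%!PS-Adobe-... EPSF-...")
# and the 4-byte header of a DOS/binary EPS file carrying a preview.
EPS_ASCII_MAGIC = b"%!PS-Adobe-"
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"


def find_embedded_eps(docx_bytes: bytes) -> list:
    """Return the names of parts inside a DOCX (a zip container) whose
    content looks like EPS, regardless of the extension they were given."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(32)  # enough for both headers
            is_ascii_eps = head.startswith(EPS_ASCII_MAGIC) and b"EPSF" in head
            if is_ascii_eps or head.startswith(EPS_DOS_MAGIC):
                hits.append(info.filename)
    return hits


def build_sample_docx(parts: dict) -> bytes:
    """Constructed, minimal DOCX-like zip for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign PNG image, an EPS with its usual extension,
# and a binary EPS renamed to .jpg to slip past extension-based filters.
SAMPLE_BENIGN = build_sample_docx(
    {"word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16})
SAMPLE_EPS = build_sample_docx({
    "word/media/image1.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "word/media/image2.jpg": EPS_DOS_MAGIC + b"\0" * 28,
})

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("eps", SAMPLE_EPS)):
        print(label, find_embedded_eps(sample))
```

The presence of an EPS part is a triage signal, not proof of exploitation; pair it with the MS15-099 patch state of the receiving hosts when deciding how to handle the attachment.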
Below is a timeline of attacks using exploits to CVE-2015-2545 courtesy of Kaspersky Labs:
Once the malware establishes persistence on a target system, its remote operator can execute many different commands to perform actions on objectives. Examples of these commands include drive enumeration, process enumeration, deleting files, creating processes, moving files, uploading files, and providing a remote shell via cmd.exe.
Another noteworthy TTP of all these attacks is the Command and Control infrastructure used by the malicious Actors. Domains such as serveftp[.]com, strangled[.]net, no-ip[.]org, and mooo[.]com have all been used previously in many other malicious Cyber campaigns.
Network administrators should always stay abreast of the latest security vulnerabilities and refer to https://web.nvd.nist.gov/view/vuln/search for a database of CVE and CCE vulnerabilities. The list of Indicators of Compromise associated with this campaign is much too large to include in this blog post, but readers and security administrators can refer to the following web articles for malicious domains, IP addresses, hashes, and network behavior characteristics:
– Steven R.
Advanced Threat Cyber Security Analyst