Cisco recently reported information-stealing malware, designed to evade most anti-virus solutions, that leverages the Microsoft Office vulnerability CVE-2017-11882.
Does this vulnerability sound familiar? It should.
- Sonicwall listed it as the most exploited vulnerability in Sep. 2018
- Cofense found it was the top vulnerability for delivering malware in Aug. 2018 (accounting for 37% of malware deliveries)
- FireEye reported in July that it was used in a recent campaign to distribute the FLEXIROOT backdoor
- In June, the same vulnerability was reported in the Betabot and Trickbot malware
Cyber criminals are getting a lot of mileage out of this vulnerability, yet it came out in mid-2017, so why hasn't it been patched? Let's see what type of advisories were put out:
- On Nov. 13, 2017, Symantec reported “very low risk”; the same day Rapid7 reported a severity of 4 (out of 10).
- The next day (Nov. 14th, 2017), NIST reported a CVSS severity of "High" (unchanged as of late October), which is below the "Critical" level that most firms use when determining the need for rapid patching. NIST also gave an "exploitability" score of 1.8, near the low end of the spectrum.
- On Nov. 21st, Microsoft labeled the vulnerability as "Exploitation Less Likely".
- On Nov. 27th, FORTINET reported an exploit for the vulnerability in the wild, used by the Cobalt hacking group.
Could the use of this exploit have been known? On November 20, 2017, CYR3CON Priority automatically identified hacker conversation that led it to apply a machine-learning driven CyRating of "Likely" (10 times more likely to be exploited than normal) to the vulnerability. By Nov. 23rd, after observing hacker conversations that discussed multiple exploits and spanned multiple cultural-linguistic groups, Priority revised its assessment to "very likely", or 15–20 times more likely to be exploited.
This assessment was not only ahead of the Cobalt attack in 2017; it also warned users about what would become one of the most exploited vulnerabilities of 2018.
If your enterprise focuses only on "Critical" vulnerabilities, you may still be vulnerable to this attack.
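The gap the post describes, as an added example that is not CYR3CON's code or part of the original post: a "Critical-only" rapid-patch gate is compared with one that lets an exploit-likelihood rating lower the severity bar. The CVSS v3 base score of 7.8 for CVE-2017-11882 is taken from NVD (the post only says "High"), the likelihood label set and the Nov. 14 "Possible" baseline are assumed, and the other two CVE ids are placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

def cvss_severity(score: float) -> str:
    """Qualitative band per the CVSS v3 rating scale (0 None ... 9.0-10.0 Critical)."""
    for upper, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return band
    return "Critical"

# Ordered exploit-likelihood labels as a threat-intel feed might emit them;
# the post quotes "Likely" and "very likely", the other two labels are assumed.
LIKELIHOOD_RANK = {"Unlikely": 0, "Possible": 1, "Likely": 2, "Very Likely": 3}

@dataclass
class Vuln:
    cve: str
    cvss_base: float
    exploit_likelihood: str  # latest label from the intel feed

def critical_only_policy(v: Vuln) -> bool:
    """Rapid-patch gate keyed on severity alone: only Critical qualifies."""
    return cvss_severity(v.cvss_base) == "Critical"

def risk_based_policy(v: Vuln) -> bool:
    """Rapid-patch gate where observed exploit likelihood lowers the severity bar."""
    sev, rank = cvss_severity(v.cvss_base), LIKELIHOOD_RANK[v.exploit_likelihood]
    if sev == "Critical":
        return True
    if sev == "High" and rank >= LIKELIHOOD_RANK["Likely"]:
        return True
    return sev == "Medium" and rank >= LIKELIHOOD_RANK["Very Likely"]

def first_flag_date(cve: str, cvss_base: float,
                    observations: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Earliest (ISO date, likelihood) observation at which the risk-based gate trips."""
    for date, likelihood in sorted(observations):
        if risk_based_policy(Vuln(cve, cvss_base, likelihood)):
            return date
    return None

# Constructed sample. CVE-2017-11882 carries the NVD CVSS v3 base score of 7.8,
# i.e. "High" as the post says; the other two CVE ids and scores are placeholders.
SAMPLE = [Vuln("CVE-2017-11882", 7.8, "Very Likely"),
          Vuln("CVE-0000-00001", 9.1, "Unlikely"),
          Vuln("CVE-0000-00002", 7.5, "Unlikely")]
# Rating timeline for CVE-2017-11882: the Nov. 20 and Nov. 23 labels are from the
# post; the earlier "Possible" entry is an assumed pre-rating baseline.
RATING_TIMELINE = [("2017-11-23", "Very Likely"), ("2017-11-20", "Likely"),
                   ("2017-11-14", "Possible")]
```

With these rules the Critical-only gate never flags CVE-2017-11882, while the risk-based gate flags it on Nov. 20, a week before the in-the-wild exploit report.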