Major vendors dismissed top vulnerability for malware delivery

Paulo Shakarian
Jan 10

Recent reporting by Cisco describes information-stealing malware, designed to hide from most anti-virus solutions, that leverages the Microsoft Office vulnerability CVE-2017-11882.

Does this vulnerability sound familiar? It should.

  • SonicWall listed it as the most exploited vulnerability in Sep. 2018
  • Cofense found it was the top vulnerability for delivering malware in Aug. 2018 (accounting for 37% of malware deliveries)
  • FireEye reported in July that it was used in a recent campaign to distribute the FLEXIROOT backdoor
  • In June, the same vulnerability was reported in the Betabot and Trickbot malware

Cyber criminals are getting a lot of mileage out of this vulnerability, yet it was disclosed in mid-2017. So why hasn’t it been patched? Let’s look at the advisories that were put out:

  • On Nov. 13, 2017, Symantec reported “very low risk”; the same day, Rapid7 reported a severity of 4 (out of 10).
  • The next day (Nov. 14, 2017), NIST rated the CVSS severity as “High” (unchanged as of late October), which is below the “Critical” level that most firms use when deciding whether rapid patching is needed. NIST also gave an “exploitability” score of 1.8, near the low end of the spectrum.
  • On Nov. 21, Microsoft labeled the vulnerability as “Exploitation Less Likely”.
  • On Nov. 27, Fortinet reported an exploit for the vulnerability in the wild, used by the Cobalt hacking group.

Could the use of this exploit have been known? CYR3CON Priority automatically identified hacker conversation on November 20, 2017 that led it to apply a machine-learning driven CyRating of “Likely” to the vulnerability (10 times more likely to be exploited than normal). By Nov. 23, after observing hacker conversations that discussed multiple exploits and spanned multiple cultural-linguistic groups, Priority revised its assessment to “very likely”, or 15–20 times more likely to be exploited.

This assessment was not only ahead of the Cobalt attack in 2017; it also told users about what would become one of the most exploited vulnerabilities of 2018.

If your enterprise is focused on “Critical” vulnerabilities, you may still be vulnerable to this attack.
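As an added illustration of that last point (not code from the original post or from CYR3CON), the script below contrasts a “Critical only” patch queue with one that also weighs exploitation evidence. The inventory, the placeholder CVE ids and the numeric signal values are constructed; only CVE-2017-11882’s “High” NVD band and its in-the-wild reports come from the post.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    severity: str              # NVD qualitative CVSS band: Low / Medium / High / Critical
    exploited_in_wild: bool    # any vendor report of in-the-wild exploitation
    chatter_multiplier: float  # hypothetical "times more likely than normal" signal; 1.0 = baseline


# Constructed sample inventory. Only CVE-2017-11882's "High" band and its
# exploitation reports come from the post; the CVE-0000-* ids are placeholders.
SAMPLE_INVENTORY = [
    Vuln("CVE-2017-11882", "High", True, 15.0),
    Vuln("CVE-0000-00001", "Critical", False, 1.0),   # placeholder id
    Vuln("CVE-0000-00002", "High", False, 1.0),       # placeholder id
    Vuln("CVE-0000-00003", "Medium", True, 1.0),      # placeholder id
]


def severity_only_queue(vulns, bands=("Critical",)):
    """The 'patch Critical first' policy the post warns about: band is the only input."""
    return [v.cve for v in vulns if v.severity in bands]


def evidence_aware_queue(vulns, chatter_cutoff=10.0):
    """Escalate on Critical severity, reported exploitation, or an elevated chatter signal,
    and order the queue so exploitation evidence outranks the CVSS band."""
    def rank(v):
        score = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}[v.severity]
        if v.exploited_in_wild:
            score += 10          # observed exploitation dominates any band
        if v.chatter_multiplier >= chatter_cutoff:
            score += 5           # early-warning signal, weaker than a confirmed report
        return score

    escalated = [v for v in vulns
                 if v.severity == "Critical" or v.exploited_in_wild
                 or v.chatter_multiplier >= chatter_cutoff]
    return [v.cve for v in sorted(escalated, key=rank, reverse=True)]


def missed_by_severity_policy(vulns):
    """CVEs the evidence-aware queue escalates that a severity-only policy never reaches."""
    queued = set(severity_only_queue(vulns))
    return [cve for cve in evidence_aware_queue(vulns) if cve not in queued]


if __name__ == "__main__":
    print("Critical-only queue:  ", severity_only_queue(SAMPLE_INVENTORY))
    print("Evidence-aware queue: ", evidence_aware_queue(SAMPLE_INVENTORY))
    print("Missed by Critical-only:", missed_by_severity_policy(SAMPLE_INVENTORY))
```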

CYR3CON

Predicting and preventing third-party cyber threat using Artificial Intelligence

Written by Paulo Shakarian, CEO and Co-Founder of CYR3CON
