All Minerva customers are fully protected from this campaign, as well as from many other Office vulnerabilities, even if their systems have not been patched yet – regardless of their Office Suite version and without the need to update Minerva software.
Microsoft Security Intelligence issued a warning on Friday, June 8th, that it had detected an active campaign delivering RTF attachments that exploit a well-known vulnerability in Microsoft Office and WordPad, identified as CVE-2017-11882. The vulnerability affects EQNEDT32.EXE, the Equation Editor component responsible for inserting and editing equations as OLE objects embedded in documents. The component fails to properly handle objects in memory, which an attacker exploits to execute malicious code in the context of the logged-in user. Because the flaw is triggered during document parsing, the attacker can infect the endpoint simply by having the user open the attached file. The attacker can then gain full control over the target system by chaining the vulnerability with Windows kernel privilege escalation exploits such as CVE-2017-11847 or CVE-2018-0802.
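Because the malicious documents in this campaign carry the Equation Editor component as an embedded OLE object, a defender triaging RTF attachments can flag the structural markers of such an object before any hash is known. The following is an added triage heuristic written for this post, not Minerva's product code or Microsoft's detection logic. It assumes two real identifiers: the component's ProgID "Equation.3" and the "Equation Native" stream name it stores inside its OLE compound document; the RTF samples and the simplified OLE 1.0-style header are constructed here for illustration and contain no exploit payload.

```python
import re

# Real identifiers of the Equation Editor 3.0 component: its ProgID, and the
# name of the stream it keeps inside the OLE compound document (UTF-16LE on disk).
EQ_PROGID = b"Equation.3"
EQ_STREAM_UTF16 = "Equation Native".encode("utf-16-le")

# RTF control words that carry an embedded object's class name and its hex payload.
_OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}\s]+)")
_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def _hex_to_bytes(hexdata: str) -> bytes:
    """Decode RTF hex data, ignoring the whitespace and line breaks RTF permits."""
    cleaned = re.sub(r"\s+", "", hexdata)
    if len(cleaned) % 2:          # tolerate a dangling nibble instead of crashing
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned)


def find_equation_objects(rtf: str) -> list:
    """Return one finding per indicator of an embedded Equation Editor object.

    Three independent indicators are checked so that dropping \\objclass, or
    changing the case of the ProgID, does not hide the object from triage.
    """
    findings = []
    for m in _OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith("equation"):
            findings.append({"indicator": "objclass", "value": m.group(1)})
    for m in _OBJDATA_RE.finditer(rtf):
        blob = _hex_to_bytes(m.group(1))
        if EQ_PROGID.lower() in blob.lower():
            findings.append({"indicator": "objdata-progid", "value": "Equation.3"})
        if EQ_STREAM_UTF16 in blob:
            findings.append({"indicator": "objdata-stream", "value": "Equation Native"})
    return findings


def is_suspicious(rtf: str) -> bool:
    """True when the RTF text shows any indicator of an embedded Equation Editor object."""
    return bool(find_equation_objects(rtf))


# --- Constructed samples (illustrative structure only, no exploit content) ---

def ole1_header(progid: str) -> bytes:
    """Simplified OLE 1.0-style object header as it appears in \\objdata:
    version, format id (2 = embedded), class-name length, NUL-terminated name."""
    name = progid.encode("ascii") + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name)


def build_sample_rtf(progid, objdata: bytes, wrap: int = 0) -> str:
    """Wrap an object payload in a minimal RTF skeleton; wrap>0 splits the hex
    across lines the way real documents (and obfuscated ones) often do."""
    hexdata = objdata.hex()
    if wrap:
        hexdata = "\r\n".join(hexdata[i:i + wrap] for i in range(0, len(hexdata), wrap))
    objclass = "{\\*\\objclass " + progid + "}" if progid else ""
    return ("{\\rtf1\\ansi{\\object\\objemb" + objclass
            + "{\\*\\objdata " + hexdata + "}}}")


EQUATION_SAMPLE = build_sample_rtf(
    "Equation.3", ole1_header("Equation.3") + b"\x00" * 16 + EQ_STREAM_UTF16, wrap=32)
# No \objclass and a mixed-case ProgID: only the payload scan catches this one.
OBFUSCATED_SAMPLE = build_sample_rtf(
    None, ole1_header("eQuAtIoN.3") + b"\x00" * 8, wrap=7)
# A plain embedded file ("Package") is a different class and must not alert.
BENIGN_SAMPLE = build_sample_rtf("Package", ole1_header("Package") + b"\x00" * 16)

if __name__ == "__main__":
    for label, sample in [("equation", EQUATION_SAMPLE),
                          ("obfuscated", OBFUSCATED_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, is_suspicious(sample), find_equation_objects(sample))
```

The heuristic is content-based rather than hash-based, so it survives trivial re-packing of the attachment; it is a triage signal for mail gateways or sandbox pre-filters, not proof of exploitation, since a legitimate document can embed a real equation. Pair it with patch status of EQNEDT32.EXE on the receiving endpoints when deciding how to route a hit.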
According to the report published by Kaspersky:
"The changes to the threat landscape in just two years are attention-grabbing. Our experts compared a distribution of attacked users by targeted platforms from the end of last year with one from just two years ago. They found that cybercriminals moved away from using Web-based vulnerabilities in favor of MS Office ones — but the extent of the change surprised even them: In the past few months, MS Office, with a more than 70% share of attacks, became the most targeted platform"
Although Microsoft patched this vulnerability back in 2017, this warning shows the continuous effort to exploit unpatched endpoints, taking advantage of the IT industry's failure to apply software updates and upgrade its software.
A few of our customers have already reported multiple prevented attempts to exploit this vulnerability.
Minerva's Malicious Document Prevention module prevents such attacks. All Minerva customers are fully protected from this attack, as well as from many other Office vulnerabilities – regardless of their Office Suite version and without the need to update Minerva software. The module does not depend on specific document hashes, unlike the detection Office 365 ATP reported in this case, and it stops the attack at the earliest possible stage, before exploitation takes place, so the payload is never even downloaded to the endpoint and no damage is done. Minerva empowers enterprises to take full advantage of productivity suites such as Microsoft Office without worrying about disruption to operations or to employees' ability to carry out their daily business activity. With Minerva protecting them from such threats, IT and Security teams can patch their systems at their own pace without interfering with business activities.
Want to see it in action? Schedule a demo!