With software growing in size every year, it's entirely possible for an unattended vulnerability to let hackers take advantage of the software and compromise computers.
The case of MS Office is no different. A recently patched 17-year-old remote code execution bug (CVE-2017-11882) is known to have acted as a nitrous boost for the Cobalt malware, which uses Cobalt Strike, a well-known penetration testing tool.
The bug exists in MS Office when the software fails to properly handle objects in memory. If the user has admin rights, the scope of the attack worsens, as an attacker can issue commands and take control of the machine.
The security patch was made available to users earlier this month. According to Fortinet, the actors were quick to try to take advantage of the vulnerability.
The security firm notes that the attackers used “trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.” They were able to load the Cobalt module without writing it as a physical file.
Submitted by: Arnfried Walbrecht