How hackers are exploiting Microsoft Office's Equation Editor to spread ransomware

A group of cybersecurity specialists has reported detecting multiple attacks that exploit an old Microsoft Office flaw, tracked as CVE-2017-11882. The flaw, patched in 2017, lies in the feature that lets equations and mathematical formulas be embedded in some Office documents.

The researchers detected three attacks targeting five different companies, all of them exploiting the flaw in Office's Equation Editor feature. The attackers' primary goal was to deliver a remote access Trojan to at least two computers at each affected company.
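A defender-side check for the document feature these attacks abuse, added here as an example and not part of the original article or Menlo's research: it scans a .docx or .rtf held in memory for embedded Equation Editor objects. The ProgID Equation.3 and the CLSID 0002CE02-0000-0000-C000-000000000046 are the known identifiers of the legacy Equation Editor component (they do not appear in the article), and the sample files are constructed stubs rather than real documents.

```python
import re, uuid, zipfile
from io import BytesIO

# Equation Editor 3.0 identifiers (known values, not taken from the article): the ProgID used in
# OOXML/RTF object markup and the COM class id of the legacy EQNEDT32.EXE component.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file signature

def _scan_docx(data: bytes) -> list:
    findings = []
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".xml") and EQUATION_PROGID in blob:
                findings.append(f"{name}: OLEObject with ProgID Equation.3")
            if name.startswith("word/embeddings/") and blob.startswith(OLE_MAGIC) \
                    and EQUATION_CLSID_LE in blob:
                findings.append(f"{name}: OLE object with Equation Editor CLSID")
    return findings

def _scan_rtf(data: bytes) -> list:
    findings, text = [], data.decode("latin-1")
    if re.search(r"\\objclass\s*Equation\.3\b", text):
        findings.append("RTF: \\objclass Equation.3")
    # \objdata carries the OLE1 object as hex; decode it and look for the same identifiers.
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]{16,})", text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        raw = bytes.fromhex(hexstr[: len(hexstr) & ~1])  # drop a dangling nibble
        if EQUATION_PROGID in raw or EQUATION_CLSID_LE in raw:
            findings.append("RTF: \\objdata payload names Equation.3")
    return findings

def scan_document(data: bytes) -> list:
    """Return Equation Editor indicators found in a .docx or .rtf file image (empty list if none)."""
    if data.startswith(b"PK"):
        return _scan_docx(data)
    if data.startswith(b"{\\rtf"):
        return _scan_rtf(data)
    return []

# Constructed samples (not real malware; the .bin is only a stub carrying the OLE magic and CLSID).
def sample_docx() -> bytes:
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", '<w:document><o:OLEObject Type="Embed" '
                    'ProgID="Equation.3" r:id="rId4"/></w:document>')
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 72 + EQUATION_CLSID_LE)
    return buf.getvalue()

SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb\\objclass Equation.3{\\*\\objdata 01050000020000000b000000"
              + b"Equation.3".hex().encode() + b"00}}}")
```

A hit only means the document invokes the Equation Editor component, which a legitimate file may also do; it is a triage signal for mail or file-share scanning, not proof of exploitation.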

The attacks were detected in Hong Kong and North America, compromising real estate companies, banking institutions and entertainment agencies.

Vinay Pidathala, director of research at security firm Menlo, said: “We believe that these attacks were targeting specific users as a way to try to engage relevant actors within the attacked companies.”

The finding reinforces and amplifies last month's advice from CISA and the FBI, which lists the 10 vulnerabilities most routinely exploited by "threat actors abroad." The intelligence agencies say CVE-2017-11882 was high on that list; in fact, the FBI points out that the Equation Editor flaw is one of those most exploited by hacking groups sponsored by foreign governments.

“Of the top 10, the three most frequently used vulnerabilities in attacks by state-sponsored actors such as China, Iran, North Korea and Russia are CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158. Three of these vulnerabilities are related to Microsoft technology,” mentions the alert jointly released by CISA and the FBI.

Both agencies called on the private sector to patch these vulnerabilities to help secure U.S. networks, since “a concerted campaign to fix these vulnerabilities would introduce frictions in the operational trade of foreign adversaries and force them to develop or acquire exploits that are more expensive and less effective.”

Separately, Pidathala noted that all three attacks hosted their payloads on SaaS platforms, including Microsoft OneDrive.

“As businesses are moving to the cloud, they are adopting cloud storage solutions like Box, Dropbox, and OneDrive. By posting your malware on these websites, attackers can make it more credible. In addition, many security devices may or may not inspect traffic coming from OneDrive, because it’s a reliable source. So, by hosting your armed payloads on these popular platforms, it’s easier for them to pass,” Pidathala said.