Kaspersky Lab Reveals Danti Cyber espionage group may have full access to Indian govt. organizations

For the past few months, the Global Research and Analysis Team of the cyber-security company Kaspersky Lab has been observing a wave of cyber-espionage attacks conducted by different groups across the Asia-Pacific and Far East regions. The researchers found that the attacks share one common feature: the way they infect their victims with malware. The attackers use an exploit for the CVE-2015-2545 vulnerability. Microsoft patched this weakness in Microsoft Office in 2015, but it is evidently still useful to these threat actors. The Platinum, APT16, EvilPost, and SPIVY groups were already known to use the exploit, and they are now joined by a new and previously unknown group called Danti.


Exploits, the malicious tools that silently infect targeted machines with malware, are widely used by cyber-espionage groups and cybercriminals. Years ago, the defining characteristic of a sophisticated threat actor was the use of so-called zero-day vulnerabilities, i.e. vulnerabilities exploited in the wild before the vendor of the affected software releases a patch. Things have changed: today's cyber-espionage groups are more likely to use exploits for known vulnerabilities, simply because it is cheaper and still delivers an acceptable rate of infection.


Alex Gostev, Chief Security Expert at Kaspersky Lab's Research Center in APAC, said: "We expect to see more incidents with this exploit, and we continue to monitor new waves of attacks and the potential relationship with other attacks in the region. Waves of attacks conducted with the help of just one vulnerability suggest two things: firstly, that threat actors tend not to invest many resources into the development of sophisticated tools, like zero-day exploits, when one-day exploits will work almost as well. Secondly, that the patch-adoption rate in the target companies and government organisations is low. We urge companies to pay closer attention to patch management in their IT infrastructure in order to protect themselves from known vulnerabilities at the very least."
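The low patch-adoption rate that Gostev points to is something a defender can measure directly. The script below is an added example, not code from the article or from Kaspersky Lab: it takes a constructed host inventory (each host with the security updates it reports as installed) and a mapping from a CVE to the update IDs that remediate it, then reports the adoption rate and the hosts still exposed, broken down by organisation. The update IDs are labelled placeholders; the real IDs for CVE-2015-2545 are not given on the page and should be taken from the vendor advisory.

```python
"""Patch-adoption check for one CVE across a host inventory.

Added example (not from the article). Assumes an inventory exported from
whatever endpoint-management tool is in use, reduced to host, organisation and
the set of installed update IDs. Update IDs below are PLACEHOLDERS, not real
KB numbers: replace them with the IDs from the vendor advisory for the CVE.
"""
from collections import defaultdict

# Constructed mapping: installing ANY ONE of these updates closes the CVE
# (a later roll-up typically supersedes the original fix).
FIXES = {
    "CVE-2015-2545": {"KB-PLACEHOLDER-OFFICE-FIX", "KB-PLACEHOLDER-OFFICE-ROLLUP"},
}

# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"host": "fin-ws-01", "org": "finance", "updates": {"KB-PLACEHOLDER-OFFICE-FIX", "KB-OTHER"}},
    {"host": "fin-ws-02", "org": "finance", "updates": {"KB-OTHER"}},
    {"host": "gov-ws-01", "org": "govt", "updates": {"KB-PLACEHOLDER-OFFICE-ROLLUP"}},
    {"host": "gov-ws-02", "org": "govt", "updates": set()},
    {"host": "gov-ws-03", "org": "govt", "updates": {"KB-OTHER"}},
]


def unpatched_hosts(inventory, cve, fixes=FIXES):
    """Return the hostnames whose installed updates include none of the fixes for cve."""
    required = fixes[cve]
    return [h["host"] for h in inventory if not (h["updates"] & required)]


def adoption_rate(inventory, cve, fixes=FIXES):
    """Fraction of hosts that carry at least one remediating update (0.0 for an empty inventory)."""
    if not inventory:
        return 0.0
    missing = len(unpatched_hosts(inventory, cve, fixes))
    return (len(inventory) - missing) / len(inventory)


def adoption_by_org(inventory, cve, fixes=FIXES):
    """Per-organisation (patched, total) counts, to see where adoption lags."""
    required = fixes[cve]
    counts = defaultdict(lambda: [0, 0])
    for h in inventory:
        counts[h["org"]][1] += 1
        if h["updates"] & required:
            counts[h["org"]][0] += 1
    return {org: (patched, total) for org, (patched, total) in counts.items()}


if __name__ == "__main__":
    cve = "CVE-2015-2545"
    print(f"{cve}: adoption rate {adoption_rate(INVENTORY, cve):.0%}")
    for org, (patched, total) in sorted(adoption_by_org(INVENTORY, cve).items()):
        print(f"  {org}: {patched}/{total} hosts patched")
    for host in unpatched_hosts(INVENTORY, cve):
        print(f"  exposed: {host}")
```

On the constructed inventory the adoption rate is 40%, with three of five hosts still exposed; the per-organisation breakdown is what turns that number into a remediation list.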
