Thursday, October 16, 2014

Weaponized Powerpoint in the Wild

This post was written by Jaeson Schultz.
 
On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.

In this case, attackers crafted a malicious Powerpoint document. Upon execution the Powerpoint document would extract two embedded OLE objects: a .inf file, and another executable. The .inf file is used to make changes to the host system, and launch the malicious executable. A key is added to the registry to keep the malware running after a system restart. While it has been alleged that this specific attack was initially used by threat actors in a specific region, Cisco Talos expects other attackers to begin using this technique as well because of the simplicity of the attack vector.

Here is a list of the IP address Indicators of Compromise:
95.143.193.131
46.165.222.6
78.46.40.239
144.76.119.48
37.220.34.56
46.4.28.218
95.143.193.182
5.61.38.31
94.185.80.66
95.211.122.36

The malicious Powerpoint document has a SHA256 hash value of:
70B8D220469C8071029795D32EA91829F683E3FBBAA8B978A31A0974DAEE8AAF

coveragetable
Advanced Malware Protection (AMP) customers are protected from this threat. Similarly, customers deploying Cisco IronPort Web Security Appliances (WSA) and users of Cisco Cloud Web Security (CWS) are also protected. Customers using Cisco IronPort Email Security Appliance (ESA) are protected from malicious attachments exploiting this vulnerability. Snort signatures 32186 and 32187 provide coverage for this vulnerability.

2 comments:

  1. Does it affect Windows XP Professional x64? I'm asking because you stated that it affects "all supported versions of Microsoft Windows" and XP Pro x64 is in a kind of grey area. Officially Microsoft no longer supports it, but technically they still do till July 2015.

    ReplyDelete
  2. Hi Andy,

    Thanks for reading our blog. I think you can rest easy. Windows XP is not affected by CVE-2014-4114. I believe the earliest version of Windows to contain this OLE packager vulnerability is Vista SP2.

    Sincerely,
    Jaeson Schultz

    ReplyDelete

Post a Comment