
Exploit symantec endpoint manager rce

The Patchwork attack group has been targeting more than just government-associated organizations. Symantec Security Response has been actively monitoring Patchwork, also known as Dropping Elephant, which uses Chinese-themed content as bait to compromise its targets' networks. Our research into the group found that it's been attacking a broad range of industries, including aviation, broadcasting, and finance, to drop back door Trojans. Two security companies, Cymmetria and Kaspersky, each recently released reports on the campaign, most of which are in line with our observations.

As other researchers observed, Patchwork originally targeted governments and government-related organizations. However, the group has since expanded its focus to include a broader range of industries. While most of the interest still lies in the public sector, more recent attacks were found targeting the following industries:

According to Symantec telemetry, targeted organizations are located in dispersed regions. Although approximately half of the attacks focus on the US, other targeted regions include China, Japan, Southeast Asia, and the United Kingdom. Our first observation of an attempted attack related to this campaign dates back to November 2015, although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier.

The threat actor mainly relies on a legitimate mailing list provider to send newsletters to a select number of targets. The newsletter includes a link to the attacker's website, which has content focusing on topics related to China to draw the target's interest. These websites are hosted on the same domains as the mailing list provider. Each website is customized for the intended target, and contains specialized topics related to the targeted industries.

Figure 1. A customized website with content related to the Chinese military

Figure 2. A customized website with content related to a Chinese public hospital

The malicious sites link to files hosted on different domains, which appear to be solely used for malicious purposes. The domains are registered under names that pose as legitimate sources for Chinese intelligence. Several domains predominantly used in the attacks are hosted on two servers with the IP addresses 212.83.146.3 and 37.58.60.195. These websites host two different types of malicious files: a PowerPoint file (.pps) and a rich text file with a Word. The PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in April 2015. We have also confirmed an older flaw being exploited, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

From what we can confirm, the documents contain copies of publicly available content taken from legitimate websites. Topics range from military/defense, hospital, naval disputes, and even malware removal.

The .pps files likely exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114). However, the exploit for this particular campaign is a slight variation of similar exploits observed in the past. The exploit takes advantage of how the patch is designed to only warn users, rather than completely prevent malware infections without user interaction. Nothing happens when the file is opened on PowerPoint 2016. However, when the file is opened on older versions of PowerPoint, it displays a security warning asking whether the user wants to open driver.inf depending on the environment, such as the version of the operating system and the patch applied.

Figure 3. Nothing happens when the file is opened on PowerPoint 2016

The .pps file on PowerPoint versions earlier than 2016 displays this prompt