Our last attack trend blog focused on n-days and zero-days. This time I will discuss an evolved “everyday” attack we’ve seen recently: phishing links inside files. This type of attack doesn’t require advanced hacking skills. The attacker simply sends an email that tries to trick the employee into willingly submitting their username and password to a look-alike website impersonating a legitimate, well-known service.
Typically those phishing links are sent directly inside the email body, but we’re starting to observe a trend among our customers: attackers embed the phishing link inside an email attachment instead of the email body. This way they avoid traditional email security solutions that only scan the links found in the email body, and the trick also bypasses organizations that rely on URL-rewriting solutions, since the URL in the attachment is never rewritten.
Here’s an example of an Excel document our engine caught. It looks like a “locked” file with a big link in the center:
When the user clicks the link, a web page pretending to be “Excel Online” asks for credentials in order to view the file:
This file is still reported clean on VirusTotal:
Clearly there is a gap between what major solutions see and this everyday approach used by attackers.
First, confirm that your email protection technology is able to detect such files before they reach the user. Second, ensure your users are warned about this technique in case a file does get through.
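As an added example (not code from the original post or its authors), the check below shows the kind of attachment inspection the first recommendation calls for: an .xlsx file is an OOXML zip, and a cell hyperlink is stored either as an `External` relationship in a `.rels` part or as a `HYPERLINK()` formula in the sheet XML, so both places are scanned and any link whose host is not on a trusted list is flagged. The sample workbook is constructed in memory and deliberately minimal (only the two parts the scanner reads, not a full workbook Excel would open); the `example.com` / `example.net` URLs and the trusted-host set are placeholders, not indicators from the post.

```python
"""Extract and triage external hyperlinks hidden in an .xlsx attachment."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Official OOXML namespaces (these are real identifiers, not placeholders).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_TYPE_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Matches the first string argument of a HYPERLINK("url", "label") formula.
HYPERLINK_FORMULA = re.compile(r'HYPERLINK\(\s*"([^"]+)"', re.IGNORECASE)


def extract_external_links(xlsx_bytes: bytes) -> list[str]:
    """Return every external link target found in the workbook, sorted and de-duplicated.

    Two storage forms are covered, because either one alone would miss links:
      1. *.rels parts with TargetMode="External" (Insert > Link in Excel);
      2. HYPERLINK() formulas inside the worksheet XML (<f> elements).
    Non-zip input yields an empty list rather than an exception.
    """
    if not zipfile.is_zipfile(io.BytesIO(xlsx_bytes)):
        return []
    links: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(data)
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Target"):
                        links.add(rel.get("Target"))
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(data)
                for formula in root.iter(f"{{{MAIN_NS}}}f"):
                    for m in HYPERLINK_FORMULA.finditer(formula.text or ""):
                        links.add(m.group(1))
    return sorted(links)


def suspicious_links(xlsx_bytes: bytes, trusted_hosts: set[str]) -> list[str]:
    """Links whose host is not on the trusted list: the ones worth blocking or reviewing."""
    return [
        url for url in extract_external_links(xlsx_bytes)
        if urlparse(url).hostname not in trusted_hosts
    ]


def build_sample_xlsx() -> bytes:
    """Constructed test input: one relationship-based link and one HYPERLINK() formula."""
    sheet = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{MAIN_NS}" xmlns:r="{REL_TYPE_NS}">
 <sheetData>
  <row r="1"><c r="A1" t="str"><v>Open document</v></c></row>
  <row r="2"><c r="A2" t="str"><f>HYPERLINK("https://login.example.net/view","View file")</f><v>View file</v></c></row>
 </sheetData>
 <hyperlinks><hyperlink ref="A1" r:id="rId1"/></hyperlinks>
</worksheet>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
 <Relationship Id="rId1" Type="{REL_TYPE_NS}/hyperlink"
  Target="https://docs.example.com/excel-online/open" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


SAMPLE_XLSX = build_sample_xlsx()

if __name__ == "__main__":
    print("all links:", extract_external_links(SAMPLE_XLSX))
    # Placeholder trusted host; in practice this is the organization's own document hosts.
    print("flagged:", suspicious_links(SAMPLE_XLSX, {"docs.example.com"}))
```

The same two-pronged scan applies to .docx and .pptx attachments, which use the same relationship mechanism for hyperlinks; only the worksheet-specific `HYPERLINK()` formula check is Excel-only.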