CVE-2017-11882: Two-Decades-Old Vulnerability in Microsoft Office Still Actively Leveraged For Malware Delivery

Despite being patched for three years already, hackers reportedly rely on an old remote code execution vulnerability in Microsoft Office (CVE-2017-11882) to infect victims with malware. According to the threat analysis report from HP Bromium, the flaw accounts for nearly three-quarters of all exploits leveraged in Q4 2020.

CVE-2017-11882 Description

CVE-2017-11882 is a memory corruption glitch in Microsoft Office’s Equation Editor that enables remote code execution on vulnerable devices. Hackers might exploit the flaw by tricking users into opening a specially crafted file. Upon successful exploitation, adversaries obtain the ability to run arbitrary code in the context of a current user. If the user is logged in with administrative privileges, attackers would be able to take full control over the targeted instance.

The vulnerability was introduced to Microsoft Office almost 20 years ago and patched by the vendor in 2017 with its November Patch Tuesday release. However, the official remediation never stopped adversaries from active exploitation in the wild. Since 2017 the vulnerability has been continuously used to deliver various malware samples, including Loki, FormBook, Pony, ZBOT, Ursnif, Agent Tesla, and more. The extreme popularity of the Equation Editor exploits, including CVE-2017-11882, stems from the fact that Microsoft Office users often fail to update their systems timely, leaving a door open for hackers.

CVE-2017-11882 Exploit In The Wild

The joint inquiry from the Department of Homeland Security, the FBI, and the US government puts CVE-2017-11882 on the list of flaws most frequently used by advanced threat actors in their malicious operations. As per the report, Chinese, North Korean, and Russian hackers are continuously leveraging the Microsoft Office bug since at least 2016. 

According to HP Bromium analysis, this trend only intensified in 2020, making CVE-2017-11882 the top exploit for Q3-Q4 2020. Particularly, in the third quarter of 2020, the Microsoft Office vulnerability accounted for almost 90% of exploits in use. And during Q4 2020, 74% of all cyber-attacks leveraging unpatched exploits relied on CVE-2017-11882.

Detection and Mitigation

In a view of extreme CVE-2017-11882 popularity, users are urged to update their services as soon as possible to stay secure. To detect possible cyber-attacks leveraging the vulnerability against your systems, you can download a fresh community Sigma rule from our keen Threat Bounty developer Aytek Aytemur

https://tdm.socprime.com/tdm/info/vXBEcFu7I9p6/Zbvhg3gBcFeKcPZnWpvo

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black, Sentinel One, Microsoft Defender ATP

MITRE ATT&CK: 

Tactics: Execution, Discovery

Techniques: Exploitation for Client Execution (T1203), Query Registry (T1012), System Information Discovery (T1082)

Also, you can explore the full list of CVE-2017-1182 detections available in Threat Detection Marketplace. Stay tuned to our blog for further updates.

Subscribe to Threat Detection Marketplace for free and reach the industry-first SOC content library aggregating 100K+ detection and response rules easily convertible to various formats and applicable to your security solution in use. Inspired to develop your own Sigma rules? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty