The story of one geographically and industrially targeted zero-day

Friday 6 October 09:30 - 10:00, Green room

Denis Legezo (Kaspersky Lab)

Lately, we have observed a zero-day vulnerability in the InPage text processing and publishing software being used in attacks in Middle Asia, the Arabian Peninsula and North Africa. The discovery of these attacks was interesting because the actor we have identified as being behind some of them had previously relied on old and previously known exploits, such as an MS Office TIFF exploit, but in recent times has shown technical progress and in some cases has changed tactics.

The software exploited in this case, InPage, supports Urdu, Arabic, Pushtu and other regional languages. In choosing vulnerable software, threat actors can target precise regions, social groups, and even industries of specific interest. In this presentation we’ll look in detail at the latest developments in the attack campaign, and will disclose technical details about the InPage exploit and how it works. Note that this exploit has also been used in attacks against Asian and African banks.



Denis Legezo

Denis Legezo works at Kaspersky Lab as a security researcher within the Global Research and Analysis Team, focusing on targeted attack research. He received his degree from the Cybernetics and Applied Mathematics facility of Moscow State University in 2002. His diploma topic was directly related to information security. He started his career as a programmer in various public and commercial companies. Before joining Kaspersky Lab in the beginning of 2014, he worked as a technical expert for one of the Russian system integrators. He has presented his research at RSA Conference, ATEA and MBLT Dev.







Other VB2017 papers

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.