Friday 5 October 11:30 - 12:00, Green room
Gabor Szappanos (Sophos)
It has never been easier to attack Office vulnerabilities than nowadays. Office exploits have always been high-value assets for criminal groups because Microsoft Office documents are very efficient in delivering their malicious content - users tend to open them without a second thought. The presentation will look deeper into the dramatic changes that have happened in the past 12 months in the Office exploit scene – a scene that looked stale in the past couple of years, with about one or two new vulnerabilities appearing every year that made their way to the commercial exploit builders. There has always been a hunger for new exploitable Office vulnerabilities in cybercrime, but the most important builders supported exploits that had been fixed for a couple of years already. That hurt the efficiency of the malware delivery process. 2017 brought a drastic change in many respects. The number of widely used exploits multiplied compared to the previous five years. More importantly, these exploits turned out to be much simpler. The previous major vulnerabilities were complex memory corruption vulnerabilities, and working with them required deep knowledge of document file formats and advanced understanding of the concepts of exploitation. The new vulnerabilities of last year are much simpler logic bugs (CVE-2017-0199, CVE-2017-8759) or very simple classic stack overflows (CVE-2017-11882, CVE-2018-0802) – easier to understand and more robust to detection evasion tweaking.
It is no longer the privilege of skilled hackers to create builders for these exploits – average programming skills are now sufficient. As a result, we have seen a lot of these builders showing up on Github, free for the taking. This fact triggered a decline in the usage of the commercial exploit builders: their usual customers switched to the free offerings. The presentation will look at this transition, and at the efforts of the commercial exploit builder developers to keep up with the changing trends. The easy availability of these builders enabled many cybercrime actors to use the exploits with little-to-no investment, resulting in the multiplied number of Office exploit-related attacks in the past 12 months.
The life cycle of an Office exploit starts with initial zero-day targeted attacks, then at some point a few well-resourced cybercrime groups start using it. Later, the exploit ends up in builders which leads to an explosion of use by many groups hitting the general user population.
This cycle can usually take a few months, as we have seen this process happening with many exploits in the past few years. However, last year, driven by the great demand for fresh Office exploits, this cycle was pushed down to weeks.
The presentation will reconstruct timeline one of the hottest Office exploits (CVE-2017-0199) that featured the following typical scenarios in its life cycle:
Gabor Szappanos graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was in the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants.
He started anti-virus work in 1995, and has been developing freeware anti-virus solutions in his spare time. In 2001, he joined VirusBuster, where he was responsible for taking care of macro viruses and script malware. In 2002, he became the head of the VirusBuster virus lab. In 2012, he joined Sophos as a principal malware researcher.
Between 2008 and 2016, Gabor was a member of the board of directors of AMTSO (the Anti-Malware Testing Standards Organization).
Jérôme Segura (Malwarebytes)
John Lambert (Microsoft)
Spencer Hsieh (Trend Micro)