3. InPage software 0-day vulnerability used to attack financial institutions in Asia
Title: InPage zero-day exploit used to attack financial institutions in Asia
Author information: November 23, 2016. 8:59 am By Denis Legezo
//BEGIN
In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “.inp”. Further investigation revealed this was an InPage document. InPage, in case you are wondering, is publishing and text processing software, mostly popular with Urdu and Arabic speaking users.
Since no exploits for InPage have previously been mentioned in public, we took a closer look to see if the document was malicious or not. Further analysis indicated the file contained shellcode, which appeared to decrypt itself and further decrypt an EXE file embedded in the document. The shellcode appeared to trigger on several versions of InPage. We don’t observe any public mentions of such an exploit, so we consider it a zero-day. All our attempts to contact InPage so far have failed.
Urdu- and Arabic-speaking users generally use InPage to work with documents; the files it produces carry the extension .inp (comparable to the DOC documents produced by Word in Office).
According to its official website, its user base is roughly distributed as follows: Canada 50,000; United States 100,000; United Kingdom 200,000; Middle East 10,000; South Africa 5,000; Europe 10,000; Pakistan 1,000,000; India 600,000; Japan 2,000; Bangladesh 5,000; and other users 5,000. InPage's largest user population is therefore in the India-Pakistan region.
The security company's research found that certain targets are especially favored by attackers: they continuously receive all kinds of phishing emails, the older ones exploiting the 2012 vulnerability and a newer one using a previously unseen .inp file format (the one mentioned above). This file extension caught the researchers' attention. Intuitively, it was likely an entirely new attack method, possibly even a 0-day.
Sure enough, careful analysis showed that these seemingly ordinary documents actually contain shellcode, which decrypts itself and then decrypts an embedded malicious EXE file.
//END
By all appearances, this newly discovered exploit has been in the wild for several years. In some way, it reminds us of other similar exploits for Hangul Word Processor, another language/region-specific text processing suite used almost exclusively in South Korea. HWP has been plagued by several exploits in the past, which have been used by various threat groups to attack Korean interests.
Despite our attempts, we haven’t been able to get in touch with the InPage developers. By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems. The best defense against exploits is always a multi-layered approach to security. Make sure you have an internet security suite capable of catching exploits generically, such as Kaspersky Internet Security. Installing the Microsoft EMET tool can also help, as well as running the most recent version of Windows (10). Finally, default deny policies, also known as whitelisting can mitigate many such attacks.
The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.
Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as most of the others from Top35 ASD’s list.
Judging from the analysis so far, this so-called 0-day vulnerability has existed for several years. Looking into why, regional text processing software tends to suffer from similar problems. South Korea's HWP (Hangul Word Processor) is a case in point: the word processor is used almost exclusively in Korea, and people elsewhere in the world rarely use it (is this perhaps similar to China's WPS?). This geographically limits the spread of such attacks, but it also makes them harder to discover. Unlike with Korea's HWP, the developers of InPage do not appear to be easy to contact, which is certainly not conducive to fixing this critical vulnerability. There are said to be four ways to prevent such attacks: first, application whitelisting; second, updating applications to the latest version to patch newly discovered vulnerabilities; third, updating the operating system; fourth, restricting administrative privileges. Except for the last, the first three can be achieved with security software or good configuration habits.
Related link: http://www.inpage.com/
Comment: APT attackers will certainly favor this approach.