Friday, December 22, 2023

Reviewing 2023’s High Impact Zero-days against Office and Chrome

Used by millions of people each day, productivity applications like Microsoft Office and Google Chrome are popular targets for software exploitation by threat actors. This attack trend is ongoing and 2023 was no exception. As the year draws to an end, we look back and review examples of how attackers are exploiting high impact zero-day vulnerabilities in these popular productivity applications, the drivers behind this trend, and how to reduce this attack surface using hardware-based process isolation.

Office is a popular target for attackers

Ever since the earliest Office macro malware emerged in 1995 (WM/Concept.A), Office file formats have remained a top way for threat actors to compromise endpoints and establish footholds within networks. In Q3 this year, Office threats totaled 34% of malware caught by our HP Sure Click solution. Over the last two years, Microsoft has hardened Office’s security policy, for example by blocking macros originating from the web, making it tougher for attackers to execute code using macros. As a result, we have seen the distribution of Office malware shift significantly in favor of exploits. Today, fewer threats rely on VBA macros to install malware, while more rely on exploiting software vulnerabilities in Office. We found that 91% of Excel threats in Q3 relied on exploits to achieve code execution, rather than macros. This attack trend highlights the need to protect Office applications against software exploitation leading to endpoint compromise.

Over the course of 2023, Microsoft disclosed and patched 29 vulnerabilities in Office. Many of these were found by Microsoft or other security researchers and patched before they were publicly disclosed. But two vulnerabilities, CVE-2023-36884 and CVE-2023-36761, were zero-days that were actively exploited by threat actors in the wild before patches were available. In these cases, the exploits were used for installing backdoors on endpoints, or accessing sensitive authentication information to enable lateral movement within a target network.

These zero-days illustrate attackers’ capability to discover and operationalize vulnerabilities against Office, as well as their preference for delivering attacks through this vector, because such attacks tend to be poorly detected and require minimal user interaction to trigger. While not every threat actor has the skills and resources to invest in zero-day exploitation, we often see copycat behavior: once proof-of-concept code that is easy to operationalize becomes available, lower capability attackers begin using the exploit in their own campaigns.

CVE-2023-36884 is a high severity remote code execution vulnerability patched by Microsoft on 11 July. According to public reporting, a threat actor exploited this vulnerability in June to infect PCs. This resulted in a minimum window of vulnerability of 11 days, measured from the earliest known exploitation date in the wild to when a patch became available. This exposure window represents a best-case time interval, since it excludes the time needed to test and deploy the patch, which are normal parts of an enterprise vulnerability management process. The mechanism of the vulnerability was similar to CVE-2022-30190, also known as “Follina”, meaning it was detected by some signatures before disclosure (41% of anti-virus scanners on VirusTotal). However, the fact that CVE-2023-36884 was detected less than half the time despite its similarity to Follina highlights the difficulty of completely mitigating classes of software vulnerability through patching alone.

The second known Office zero-day of the year, CVE-2023-36761, was an information disclosure vulnerability. Successful exploitation enabled attackers to exfiltrate sensitive information from the compromised PC, namely NTLM hashes that are used for authenticating clients in Windows networks. Attackers can use NTLM hashes to move laterally within a network and gain access to high privilege systems. It is not known how long the vulnerability had been exploited by attackers before it was patched on 12 September. It is therefore unclear how effective signature-based security controls would have been at blocking this exploit, but historically detection has been poor where the exploit is not similar to previously known vulnerability patterns.

Web browsers are not spared from vulnerabilities either

In addition to malicious Office files, which are usually sent to targets by email, web browser downloads are a frequent infection vector. In our HP Wolf Security Threat Insights Report for Q3, we noted that malicious browser downloads were the second most popular endpoint infection vector, at 11% of threats. Browser downloads typically require the user to open a file downloaded from the Internet. More concerning are infections that require no user interaction at all, such as those that exploit vulnerabilities in the web browser itself.

In 2023, 179 high or critical severity vulnerabilities were patched in Google Chrome. Eight of these vulnerabilities were zero-days that were already being exploited by attackers in the wild before a patch existed. Note that those vulnerabilities also apply to Microsoft Edge, which is based on the Chromium browser project.

Date         Zero-day vulnerability description                                  CVE
20/12/2023   Heap buffer overflow in WebRTC                                      CVE-2023-7024
29/11/2023   Integer overflow in Skia in Google Chrome                           CVE-2023-6345
28/09/2023   Heap buffer overflow in vp8 encoding in libvpx in Google Chrome     CVE-2023-5217
12/09/2023   Heap buffer overflow in libwebp in Google Chrome                    CVE-2023-4863
05/09/2023   Type confusion in V8 in Google Chrome                               CVE-2023-4762
05/06/2023   Type confusion in V8 in Google Chrome                               CVE-2023-3079
19/04/2023   Integer overflow in Skia in Google Chrome                           CVE-2023-2136
14/04/2023   Type confusion in V8 in Google Chrome                               CVE-2023-2033

Is your vulnerability window larger than your risk appetite?

When it comes to addressing software exploitation against productivity applications like Office and Chrome, the vulnerability window is usually larger than an organization’s risk appetite. Since even good detection cannot completely close this window, only preventive defense measures can help. One such preventive measure is to isolate risky activities in a micro virtual machine, as HP Sure Click does. Beyond containing the attack, the organization’s security team also receives actionable threat intelligence from the isolated environment, which speeds up investigations and security decision making.

Zero-day protection solutions exist on the market today, but they are few and far between. In fact, Microsoft announced in November the deprecation of its threat containment feature, Windows Defender Application Guard (WDAG) for Office. Instead, Microsoft is focusing on Defender for Endpoint attack surface reduction rules, together with Protected View and Windows Defender Application Control, which improve security but at the risk of adding configuration complexity and user friction. Still, at HP, we believe that defending endpoints against zero-day exploitation requires comprehensive, hardware-enforced isolation. HP Sure Click is our solution for this, which applies the principle of least privilege to applications like Office and Chrome that interact with untrustworthy inputs, such as documents that originate outside your environment or browsing the web, while remaining transparent to users by not getting in the way of their workflows.

HP Threat Containment

HP threat containment solutions use hardware-based process isolation to help organizations protect data on their endpoints from zero-days, phishing, and ransomware attacks. Both Sure Click Enterprise and Wolf Pro Security provide threat containment and secure browser isolation, protecting users from browser exploits and from malware downloaded from malicious websites. HP threat containment protects the endpoint, regardless of network connectivity, when the user opens risky files such as Office documents and PDFs. Sure Click Enterprise and Wolf Pro Security also protect the PC from malicious executables and scripts. Combined with other security tools, endpoint isolation significantly reduces threats to the endpoint, which in turn protects an organization’s network. HP is committed to continuing to develop state of the art endpoint security technology like threat containment.

The post Reviewing 2023’s High Impact Zero-days against Office and Chrome appeared first on HP Wolf Security.
