Elite Creepy Hackers Keep Exploiting Zero-Days to Distribute FinSpy Surveillance Software
In today's Patch Tuesday release, Microsoft has fixed a zero-day vulnerability in the company's .Net framework. Security firm FireEye published a blog post following this release revealing that the exploit was embedded in a Word document, which when opened, exploited a zero-day vulnerability in Microsoft's .Net framework to distribute spyware.
The vulnerability triggered the target computer to install the notorious FinSpy surveillance software. FinSpy is a spyware developed by the Gamma Group that has remained in all kinds of bad news thanks to its support of authoritarian regimes' surveillance tactics. The company buys/discovers/uses expensive vulnerabilities to enable its clients to spy on their targets. The document in question apparently was intended to infect an unnamed "Russian speaker."
"These exposures demonstrate the significant resources available to 'lawful intercept' companies and their customers," security researchers wrote. "Furthermore, Finspy has been sold to multiple clients, suggesting the vulnerability was being used against other targets."
The security company informed Microsoft of the vulnerability, which also works against the company's favorite Windows 10. Tracked as CVE-2017-8759, the exploit has been fixed today.
Not the first flaw exploited by FinSpy (FinFisher) this year
FireEye noted that this is the second known zero day security vulnerability that has been used to distribute FinSpy. The attackers' capability to work even against the Windows 10 - Microsoft's most secure operating system version - shows significant resources available to these companies that offer interception technologies to governments.
"The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode," Microsoft wrote in its own blog post. "The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes."
In total, Microsoft released fixes to over 80 security vulnerabilities today. The company added that the criminal hackers who distributed the FinSpy using this latest vulnerability are members of the NEODYMIUM group that has previously used similar zero day exploits with spear-phishing attachments that install FinFisher spyware.
More details on the group are available over at Microsoft.