Malicious actors are exploiting a 17-year-old vulnerability to infect machines with malware using a component of the Cobalt Strike penetration tool.
An attack under this campaign begins when a user receives a spam email purporting to come from Visa and announcing a change to its payWave service in Russia. The email comes with a password-protected archive named “Изменения в системе безопасности.doc Visa payWave.doc.” Those behind this operation likely protected the archive with a password to lull the user into a false sense of security, tricking them into believing that Visa took precautions to protect the contents of the document.
From there, the attacker can seize control of the infected system and potentially move laterally in the network.
Fortinet security researchers Jasper Manual and Joie Salvio explain that this campaign reveals the danger of users not patching known vulnerabilities in their systems on a timely basis:
Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which, sadly, is far too often the case.
To protect against attacks such as these, users should update their systems regularly, and organizations should invest in a vulnerability management solution that can help them detect and prioritize all known bugs.