Hackers Exploited Microsoft Word Security Flaw for Months as Microsoft Investigated
Hackers used the software to spy on Russian speakers and steal from millions of online bank accounts
The security bug officially known as CVE-2017-0199 was unusually dangerous, and it took an unusually long time for experts to fix it.
Located in Microsoft Word, it allowed hackers to take control of personal computers, leaving little sign of their presence. Unlike other cases in which companies find and fix such vulnerabilities before they can be exploited, Reuters reports, hackers used this one to spy on unknown Russian speakers and steal from millions of online bank accounts located in Australia and other countries.
The flaw was first discovered in July 2016 by Ryan Hanson, consultant at security company Optiv Inc. It was a weakness in how Word processed documents from other file formats, and it let Hanson put in a link to a malicious program that could seize control of a computer.
In October, he notified Microsoft about this and other flaws he had found. But Microsoft did not immediately fix the problem. Customers could fix the issue by changing the settings, but the company worried that by telling them how to do it, it would also be telling cyber criminals how to break in.
Nor did Microsoft create a patch to be issued in its monthly software updates. It did not believe anyone was using Hanson's method to take control of computers, and it wanted to research the problem thoroughly and figure out a comprehensive solution.
As the tech giant investigated, hackers struck.
It is not known how they first found the flaw, but they began to exploit it in January 2017. Researchers said that they first sent emails to victims trying to get them to click on a link to Russian-language documents about that country's military issues and locations held by Russian-supported rebels in the eastern part of Ukraine. When users click the link, their computers became infected with eavesdropping software.
Security experts believe this may have been part of routine government espionage on the part of Ukraine, Russia, or one of their neighbors or allies.
Security researchers at FireEye found these attacks in March and warned Microsoft, which prepared a patch to be issued on April 11. Then cyber-disaster struck.
A Big Mistake
McAfee, another cyber-security company, detected some attacks using the bug on April 6. It figured out that the flaw had not yet been patched and contacted Microsoft—then blogged about the discovery on April 7.
There was enough detail in this blog post to enable other hackers to mimic the attacks. FireEye researcher John Hultquist said that a program for exploiting the flaw went up for sale on underground markets for criminal hackers by April 9. Attacks were mainstream by the next day: one hacker used the bug to send documents that had been booby-trapped with banking-fraud software to millions of computers located in Australia.
Microsoft issued the patch on April 11, as scheduled. But attacks continued even then as computer owners lagged behind in installing it.
According to Michael Gorelik, vice president at the cybersecurity company Morphisec, employees at Israel's Ben-Gurion University were hacked after the patch was issued. The attackers, who were connected to Iran, seized control of their email accounts and sent infected documents to the employees' contacts at tech companies as well as to medical professionals.
It is not known how many computers were infected or how much money was stolen in the end.