What is old is new again.
That could be the mantra for cybersecurity vulnerabilities. The focus is on discovering new vulnerabilities before attackers can use them, but according to an August 2023 cybersecurity advisory published by CISA, “In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.”
The most recent example of this phenomenon is the announcement by Fortinet that a decade-old piece of malware, which exploits vulnerabilities first discovered in 2017, has been used to attack Taiwanese organizations.
Anatomy of the SmokeLoader Malware
According to the Fortinet report, cybercriminals are using malware called SmokeLoader. The malware is deployed by exploiting two Microsoft Office vulnerabilities following a successful phishing attack that asks users to open an attachment. The vulnerabilities utilized in this attack are CVE-2017-0199 and CVE-2017-11882.
SmokeLoader is modular and adaptable. Normally it is used to install other malicious code, but in this specific attack it is the payload. It can deploy nine plugins, retrieved from a command and control (C2) server, that perform specific tasks such as extracting login credentials and collecting email addresses and cookies from browsers. The trojan also employs evasion techniques and establishes persistence by altering registry keys, ensuring it remains active after system reboots.
Malware code, like any other software application, is constantly being modified and updated. Although first deployed in 2011, SmokeLoader has been revised a number of times to extend its functionality, refine its evasion techniques, and strengthen its obfuscation against analysis. One key capability added in the past few years is the ability to detect security products; when one is found, the malware will not install.
Old Vulnerabilities Remain Active
There are a number of reasons older vulnerabilities are exploited by attackers. The first is that they work. Attackers will run a test attack to see if a vulnerability is still active; if it is, they are set to exploit it. Known vulnerabilities have exploit kits available on the internet that allow low-skilled hackers to launch attacks. The longer a vulnerability has been around, the more time is available for offensive research to perfect exploitation techniques.
Not all vulnerabilities are exploited when they are discovered. Some exploitation comes much later. Saeed Abbasi, Product Manager - Threat Research Unit at Qualys, wrote in a blog post that recent analysis indicates that exploits for older vulnerabilities have been growing. "It is a stark reminder that cybersecurity is not just about staying ahead but also about not falling behind."
It is easier to exploit known vulnerabilities when organizations use older software. John Bambenek, President of Bambenek Consulting related that “this particular campaign uses exploits in native Office from 2017 (as opposed to Office 365) and is a reminder that even though tools may be end-of-life’d by the software manufacturer, they may still remain in use and be exploited by attackers. Not everywhere in the world is it possible to have a three year technology refresh cycle.”
Look Both Ways
Most organizations focus on closing the most recently discovered vulnerabilities. These vulnerabilities are important and need to be taken seriously, but as it turns out, organizations must monitor all potential avenues of attack. Sometimes, software flaws are overlooked or forgotten. An organization might not realize that it still has software that can be exploited. All vulnerabilities, both old and new, must be afforded the appropriate priority based on criticality. Keeping one eye on the past and one on the future is not easy, but it can be accomplished.
Proactive Mitigation Steps
There are a number of actions, both technical and structural, organizations can take to mitigate the risks exposed by this SmokeLoader incident. The first line of defense is to patch software, with an emphasis on those vulnerabilities that are most critical. There are many other actions organizations can take.
Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, a Plano, Texas-based provider of Managed Detection and Response (MDR) cybersecurity solutions recommends security teams conduct threat hunts to “actively search for IoCs [indicators of compromise] related to SmokeLoader in network logs and endpoints, focusing on unusual C2 communications and known hash values.” She also encourages organizations to have an Incident Response program that has playbooks that provide containment, forensic analysis, and communication protocols.
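The threat hunt recommended above, searching endpoint file hashes against known-bad indicators and picking out unusual C2 communications in network logs, is illustrated by the following example. It is added here by the editor and is not code from Fortinet, Critical Start, or the original article. Every hash, hostname, and log line is a constructed placeholder, not a real SmokeLoader indicator; in a real hunt the indicator sets would be loaded from the vendor report or a threat-intelligence feed. Beyond exact-match IoC lookups, it also flags connections whose request timing is regular enough to resemble beaconing, since a C2 domain may not yet be on any list.

```python
"""Hunt for IoCs in an endpoint file inventory and a proxy log.

Editor-added example; all indicators and log data below are CONSTRUCTED
placeholders and not real SmokeLoader IoCs.
"""
import hashlib
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder indicators (assumed, not from the report).
IOC_HASHES = {hashlib.sha256(b"constructed-sample-1").hexdigest()}
IOC_DOMAINS = {"c2.example.invalid"}

# Constructed endpoint inventory: (hostname, file path, sha256 of the file).
ENDPOINT_FILES = [
    ("ws-01", r"C:\Users\alice\AppData\Roaming\svchost.exe",
     hashlib.sha256(b"constructed-sample-1").hexdigest()),
    ("ws-02", r"C:\Program Files\App\app.exe",
     hashlib.sha256(b"benign-binary").hexdigest()),
]

# Constructed proxy log: "<ISO timestamp> <src host> <dst host> <bytes>".
PROXY_LOG = """\
2023-09-01T10:00:00 ws-01 c2.example.invalid 512
2023-09-01T10:00:00 ws-02 cdn.example.invalid 20480
2023-09-01T10:00:00 ws-03 beacon.example.invalid 300
2023-09-01T10:00:07 ws-02 cdn.example.invalid 1024
2023-09-01T10:01:00 ws-03 beacon.example.invalid 300
2023-09-01T10:02:01 ws-03 beacon.example.invalid 300
2023-09-01T10:02:59 ws-03 beacon.example.invalid 300
2023-09-01T10:03:40 ws-02 cdn.example.invalid 4096
2023-09-01T10:04:00 ws-03 beacon.example.invalid 300
2023-09-01T10:05:02 ws-01 c2.example.invalid 512
2023-09-01T10:10:01 ws-01 c2.example.invalid 512
2023-09-01T10:14:59 ws-01 c2.example.invalid 512
2023-09-01T10:20:00 ws-01 c2.example.invalid 512
2023-09-01T10:21:12 ws-02 cdn.example.invalid 8192
"""


def match_hashes(inventory, ioc_hashes):
    """Return inventory rows whose file hash is a known-bad indicator."""
    return [row for row in inventory if row[2] in ioc_hashes]


def parse_proxy(text):
    """Parse the space-separated proxy log into dicts with datetime stamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def find_beacons(records, ioc_domains, min_events=4, max_jitter=0.2):
    """Flag (src, dst) pairs that contact a known C2 domain, or whose
    request intervals are regular enough to look like beaconing.

    Regularity is measured as the coefficient of variation of the gaps
    between consecutive requests; below max_jitter counts as periodic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        reasons = []
        if dst in ioc_domains:
            reasons.append("known_c2_domain")
        stamps.sort()
        if len(stamps) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"periodic~{round(avg)}s")
        if reasons:
            findings.append({"src": src, "dst": dst,
                             "events": len(stamps), "reasons": reasons})
    return findings


def hunt():
    """Run both checks over the constructed data and return the findings."""
    return {"hash_hits": match_hashes(ENDPOINT_FILES, IOC_HASHES),
            "beacons": find_beacons(parse_proxy(PROXY_LOG), IOC_DOMAINS)}


if __name__ == "__main__":
    for kind, items in hunt().items():
        for item in items:
            print(kind, item)
```

On the constructed data, ws-01 is reported twice: its dropped file matches a known-bad hash, and its proxy traffic both hits a listed C2 domain and repeats every five minutes. ws-03 talks to a domain on no list but at a steady one-minute cadence, which is exactly the kind of "unusual C2 communication" worth a closer look, while ws-02's irregular downloads from a content host are left alone. The jitter threshold and minimum event count are tuning knobs; lower jitter means fewer false positives from scheduled legitimate traffic, at the cost of missing loaders that randomize their sleep interval.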
As mentioned, software hygiene is important, but in practice not all patches can be applied. To decide what to patch, security teams should leverage threat intelligence. By understanding which threats are most active and which vulnerabilities, both new and old, are being exploited, they can prioritize. Knowing that SmokeLoader is being employed again is part of that threat intelligence.
The last line of defense is employees. Many attacks begin with a phishing campaign. Creating a culture of security within the workforce is critical, as is phishing awareness training that focuses on real-world examples, such as this attack.
CISOs Take Note
This SmokeLoader attack highlights that old exploits remain in use. Complacency in cybersecurity is not an option. Security teams need to understand that all vulnerabilities can be exploited; their age is irrelevant. It is crucial to prioritize actively exploited vulnerabilities by leveraging threat intelligence. IT teams also need to be given the resources to conduct thorough assessments, testing, and remediation for the most critical threats.
Security leaders need to assess their current defense, in light of the types of attacks being launched by cybercriminals. Immediate action is required to improve vulnerability management.