Three different hacking groups found exploiting Microsoft Office EPS processing vulnerabilities

Security researchers have discovered three different hacking groups exploiting security flaws in Microsoft Office's Encapsulated PostScript (EPS) to target victims worldwide. In a blog post published on Tuesday (9 May), FireEye detailed three zero-vulnerabilities being exploited by various threat actors including Fancy Bear, Turla and a third group targeting Middle Eastern banks.

Researchers said they detected three new zero-day Microsoft Office vulnerabilities being exploited by hackers in the wild. Towards the end of March, FireEye detected a malicious malware-spreading document that targeted an unknown vulnerability in EPS and flaw in Windows' Graphics Device Interface (GDI). The GDI security flaw was recently patched, they noted.

FireEye discovered a second unknown EPS vulnerability after April's Microsoft Patch Tuesday as well as a new Escalation of Privilege (EOP) zero-day.

Russian cybercrime group Turla and an "unknown financially motivated actor" were found exploiting the first EPS zero-day, researchers said.

Meanwhile, the notorious Russia-linked hacker group Fancy Bear, also known as APT28, was found to be using the second EPS vulnerability as well as the new EOP zero-day. Fancy Bear has been previously tied to the recent DNC hack last year.

"Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities", FireEye said. "The unidentified financial group targeted regional and global banks with offices in the Middle East."

The trio of hackers used malicious documents to deliver three different payloads to their targets. While the unknown financially motivated group used the remote access Trojan Netwire, Turla used "Shirime" and FancyBear used Gamefish.

"The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads," researchers said.

FireEye said it has been working with the Microsoft Security Response Center to responsibly disclose details about these vulnerabilities. The security firm said EPS processing has become a "ripe exploitation space for attackers."

"The use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary," researchers said. "Russian cyber espionage actors use zero-day exploits in addition to less complex measures.

"Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods – when sufficient – reflects operational maturity and the foresight to protect costly exploits until they are necessary."

Researchers added that the exploitation of such vulnerabilities by multiple threat actors is "further evidence that cyber espionage and criminal activity exist in a shared ecosystem." It added that nation state actors often pull from the same sources for exploits as criminal hackers as well.

"This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat," researchers said.