Hackers spied and stole from millions exploiting Word flaw for months while Microsoft investigated vulnerabilities
The first known attacks, which remained under the radar, targeted Russian and Ukrainian military computer systems

Zero-day vulnerabilities are considered one of the most dangerous as cybercriminals can exploit these undisclosed flaws to launch massive attacks. A recently patched zero-day flaw that affected all versions of Microsoft Word saw hackers exploit the bug to launch widespread cyberespionage campaigns and steal millions from bank accounts by infecting systems with banking Trojans, even as Microsoft worked to investigate the bug.

According to reports, it took nine months for the tech giant to patch the vulnerability, after it was first uncovered by Optiv security consultant Ryan Hanson, who alerted Microsoft about it in October 2016.

FireEye researcher John Hultquist told Reuters that the wave of attacks involved one or more people who likely created hacking tools for an unknown government and capitalised by selling the tool to cybercriminals.

Microsoft reportedly acknowledged that it could have fixed the issue in January 2017, but the company said that it was in a tricky situation at the time. If it had notified customers about the flaw, that would also have alerted hackers to a new way to compromise systems. Although the firm could have released a patch to fix the issue, it chose not to and focused on probing the flaw further. Reports suggest that Microsoft was not aware of the attacks and wanted to take more time to come up with a comprehensive solution.

"We performed an investigation to identify other potentially similar methods and ensure that our fix addresses [sic] more than just the issue reported," a Microsoft employee told Reuters on the condition of anonymity. "This was a complex investigation."

Attacks began in January

Although it is unclear how hackers stumbled onto the Word flaw, the zero-day attacks began in January. Reuters reported that the first known attack targeted Russian and Ukrainian military computer systems, which were infected with spyware made by Gamma Group, a private surveillance firm that sells its services to various international governments.

In March, FireEye security researchers found evidence of the attacks and alerted Microsoft, which confirmed the findings. McAfee, which also carried out "quick but in-depth research" on the attacks, had alerted Microsoft as well. However, in an unusual move, McAfee disclosed the details of the vulnerability in a blog post before Microsoft could issue a patch. Reuters reports McAfee vice president Vincent Weafer as blaming "a glitch in our communications with our partner Microsoft" for the timing of the disclosure.


Nonetheless, just days following the disclosure of the vulnerability, a tool to exploit the flaw was put up for sale in underground markets, according to Hultquist. Hackers soon began ramping up attacks on "millions" of Word users – a majority of whom were located in Australia – with the Dridex banking malware.

Hultquist added that in the days leading up to Microsoft issuing the patch, hackers could have sold the exploit to Dridex hackers or the original creators of the exploit could have used it themselves to cash in one last time.

Reuters reported that attacks continued even after Microsoft issued a patch on 11 April. According to Michael Gorelik, VP of security firm Morphisec, staff at Israel's Ben-Gurion University were hacked by Iran-linked hackers after Microsoft released its patch.

Security experts said that the delay in Microsoft fixing the flaw was uncommon, as firms are generally given between 30 and 90 days to release patches. A spokesperson for Optiv told the news agency that the firm was working with Hanson, who first uncovered the Word flaw, to determine whether the researcher's work was in any way responsible for the global hacking spree.

It remains unclear as to how many people were affected by the attacks and how much money the hackers managed to steal.