A security flaw in Microsoft Office has been used in criminal operations as well as espionage operations against Russian-speaking targets since January, according to a report from the security firm FireEye.

Similarities in the code suggest the criminal hackers and espionage groups received the vulnerability from the same source.

The security vulnerability, which uses Microsoft Word's ability to parse HTML content to download malicious code, was first reported last week by McAfee. Microsoft released a patch for the bug on Tuesday.


McAfee reported seeing instances of the bug in the wild, typically in attacks from March and April but occasionally as far back as November. McAfee did not, however, provide much additional information on the attacks it had seen.

According to a report from FireEye, the flaw has been used since January to spread commercially available militarized spyware known as FinFisher or FinSpy to Russian-speaking targets. FinFisher is produced by the contractor Gamma.

To trick victims into opening them, the FinFisher attacks used Word documents containing files purportedly from the Russian Ministry of Defense, including guides and forestry plans.

In March, the same vulnerability was used to install the Latentbot malware on English-speaking targets. Latentbot has typically been used for financial reasons, using remote desktop and other functionalities to steal credentials to use for criminal ends.

Both the FinFisher and Latentbot attacks use the same code to take advantage of the vulnerability, with the same date and time stamp appearing in each.

"That could mean that the person who sold the vulnerability to the espionage group also used it in their own criminal attacks, that someone in espionage had a side-job in crime or that the person selling the vulnerability also sold it to criminals," said John Hultquist, manager of cyber espionage analysis for FireEye's iSIGHT Intelligence division.

The FireEye report is not the first report of specific attack campaigns using the Office vulnerability. In the hours leading up to Microsoft releasing the patch, researchers found attacks using the vulnerability to spread the Dridex banking Trojan.

But FireEye believes those attacks began only after the McAfee blog post, and that the attackers likely reverse engineered the vulnerability from it. The campaigns FireEye discovered appear to be the first known campaigns to take advantage of the vulnerability before it was publicly announced.

Because the espionage attacks were conducted using popular commercial malware purchased by dozens of nations, there is little to go on to determine who the attacker is.

"Internationally, a lot of operations target Russia," said Hultquist.

But purchasing a previously unknown vulnerability to transmit the FinFisher malware says a lot about the high value placed on the Russian-speaking targets, Hultquist said. Undiscovered vulnerabilities, often called zero days, are expensive. Every time an attacker uses one, it loses value, because it has been exposed to the public.

Espionage groups often prefer to use well-worn vulnerabilities — often ones that manufacturers have patched, but that targets may not have gotten around to patching — to protect their more valuable techniques. Once anyone anywhere in the world knows attackers are using a vulnerability, everyone can fight against it.

"We're using information from an attack connected to the Russian military to protect American businesses," said Hultquist. "It stresses the international nature of how defending against these attacks works."

In a statement, Microsoft acknowledged it had seen this type of attack being used prior to McAfee's announcement. But the company emphasized that an update had been released and customers that "applied the update, or have automatic updates enabled, are already protected."

"Prior to public disclosure last Friday, our engineers were aware of a small number of attempts to use this vulnerability through targeted spam designed to convince users to open a malicious attachment," said a Microsoft spokesperson.

This story was updated at 2:44 p.m.