Have you heard of the MWI exploit kit that is on the market for criminals to use in both opportunistic and targeted attacks? Near the turn of the century one-off Trojans were taking off along with Macro viruses within Microsoft office documents. Then came a more mature and fuller suite of tools and attacks options including movement towards automation and scalability. Thing big…really big…think global profits! Soon talks of cyber-war were happening in small groups at conferences and within private locations. Today we have a very mature adversarial marketplace for hacktivism, espionage, eCrime and more. Read my blog, I am calling this maturation nexus Cyber-Gomorrah. MWI is just one more troublesome reality as we look to defend our staff, our people, and our country.
MWI is focused upon both a BUILDER and web based C&C management of hostile DOC and RTF files. What does this mean? It means a script kiddie (SKID) or complete noob could buy this tool and create a hostile file that attempts to exploit lots of vulnerabilities within Microsoft Word. Actors using MWI can simply log into their C&C to see who, where, and when an infection has taken place and then remotely control compromised host(s) as desired. The good news is this kit is still in the early stages of development and can be buggy according to some. Emergence of new kits like this force the good guys to audit against specific CVE’s and vectors to help lower risk to such attacks. 4D5A Security recommends doing the following to help lower risk against MWI:
- user-awareness training: make sure everyone knows about MWI on a high level and the dangers that a DOC or RTF file might carry. This is a best practice anyway as Dridex, a common e-mail threat today, also uses DOC files (but with macros that must be run) to compromise a host. Either way, DOC/RTF can be hostile. If it’s coming from an external address treat it with extra caution or have it checked by IT first. Better yet if it doesn’t make you too many enemies, run it through something like a FireEye appliance BEFORE it even gets to be delivered to the end user.
- Technical controls for the vector: already mentioned is a sandboxing and identification/preventative control. Also mark all external emails as [EXTERNAL] so that employees are trained and know this is from outside the organization and should be treated with greater caution (less trust!). Consider blocking certain attachment types that you don’t need or at least within larger groups of individuals that don’t need to accept such risk for their day to day jobs.
- Audit CVEs (vulnerabilities): Make sure you’re patched and don’t have any non-compliant machines. If you haven’t patched this may now be the ammo you need to prioritize it as a form of risk reduction. honestly you should be auditing and performing assessments regularly to ensure you’re not vulnerable to attack. CVE’s specific to MWI at the time of this writing include the following: CVE-2010-3333, CVE-2012-0158, CVE-2013-3906, and CVE-2014-1761. Naturally the more recent vector, CVE-2014-1761, should be the most likely to be unpatched so start there if you must prioritize.
- Technical controls for the compromise: Consider getting to know MWI better and implementing RegEx and/or signatures to detect potential infection by the kit, such as “&act=1” as a URI parameter associated with a call for “image.php” and “id=#”, etc. Also consider monitoring for known IOCs linked to the kit, as a best practice just in case they show up in your network (unlikely but possible). For example, known historical servers are 220.127.116.11, 18.104.22.168, and 22.214.171.124 (to mention a few). Also recognize that at least one attack in the wild installed Chthonic (Zeus like variant) as the payload; if that shows up you should also be looking for MWI as a possible vector for that incident.
- Have a trained incident response team ready; if you’re not prepared with trained and experienced staff you can’t minimize damage very well when an intrusion takes place!
The above should get you started and may help you craft user-awareness training for Security and IT if not your entire organization. Awareness of emergent TTPs is essential in a proper security stance. For more information on MWI visit sites such as CheckPoint and FireEye.