Microsoft plugs another 0-day spreading FinSpy spyware

Microsoft has patched a flaw that attackers were using to infect Russian-speaking targets with the notorious FinSpy, a spyware program sold to law enforcement agencies around the world. 

The vulnerability used to spread FinSpy exploited a previously unknown bug in Microsoft’s .NET framework. 

Attackers have since as early as July being using a Office Rich Text Format (RTF) document rigged to exploit the flaw on target systems. The name of the document suggests the targets were Russian speaking, according to security firm FireEye, which discovered the document and reported the issue to Microsoft.

It’s the second time this year that Microsoft has patched a zero-day in its products that were being used to infect Russian-speaking targets with FinSpy. 

Following Microsoft’s April Patch Tuesday, FireEye revealed that attackers were using a remote code execution flaw in Office and WordPad to target Russian-speaking victims with a document purported to have been published by the “Donetsk People’s Republic” — the name given to the contested Russian-backed territory in Eastern Ukraine.  

The spyware itself is sold by Gamma Group, a UK-German firm with a dubious human rights record that sells the FinSpy or FinFisher ‘lawful intercept’ toolkit. The company has been widely criticized for selling its surveillance kit to repressive regimes.  

As to who’s using the malicious document to spread FinSpy, FireEye researchers only say they’re sure it’s a nation-state actor that's spying on a Russian-speaking entity.

The good news for most Windows users is that it's likely being used against a narrow set of targets. However, as FireEye points out, the Office flaw was eventually adopted by Dridex, a spamming group responsible for mass-distributing the Locky and Cerber ransomware.   

Microsoft said the vulnerability is caused by .NET Framework processing untrusted input. An attacker can only exploit the vulnerability after convincing a user to open a malicious document, according to Microsoft’s description.       

Microsoft’s Patch Tuesday update also has a fix for BlueBorne, a widespread Bluetooth flaw discovered by security firm Armis that affects Windows, all versions of Android, and possibly several billion Linux-powered IoT devices. Google patched the bug in its September 9 patch level for Android. iPhone and iPads running pre-iOS 10 are also affected. 

The flaw resides in each platform’s implementation of Bluetooth. In Microsoft’s case it affects Windows Vista through to Windows 10 and allows an attacker to conduct a man-in-the-middle attack if they're in Bluetooth range, which is about 10 meters. Notably, the attack doesn’t require victims to click a link or accept a Bluetooth connection for the attacker to steal the target’s communications.

All an attacker needs to do is scan the area for devices with Bluetooth set to on. Once the attacker obtains the target’s MAC address, they can select the exploit for that platform and establish a Bluetooth connection without the target’s knowledge. Microsoft describes it as a Bluetooth driver spoofing vulnerability.      

Microsoft’s September patch has 81 security fixes that affect Windows Edge, Exchange, Office, and Hyper-V. 

As noted by Trend Micro’s ZDI, Microsoft has patched its HoloLens augmented reality headset to fix the widespread BroadPwn vulnerability. This bug in the Broadcom’s wifi chip firmware affected Google’s Pixel phones, Samsung’s Galaxy, and the iPhone.