Earlier this year, a South Korean advanced persistent threat (APT) exploited a critical vulnerability in WPS Office to spy on high-level entities in China. It turned out not to be the only critical issue in the massively popular office software.
WPS Office is a free-to-use competitor to Microsoft Office, with 600 million monthly active users as of this June. It is particularly widely adopted in its home country of China, where it enjoys more than 90% market share in mobile office software, and can be found across government agencies, telecommunications companies, and other major sectors. Just last week, when the service went down for half a day, it caused major disruptions to industry across the country.
Its ubiquity, not to mention its handling of often sensitive documents, makes WPS Office an attractive target for hackers targeting Chinese organizations and individuals. Such was the case for APT-C-60 (aka Pseudo Hunter), a South Korea-aligned cyberespionage group that has previously targeted entities within Korea itself. Earlier this year, it delivered a custom backdoor dubbed "SpyGlace" to WPS users via an arbitrary code execution exploit.
According to China-based DBAPPSecurity, the goal of the campaign was to obtain intelligence on China-South Korea relations.
An RCE Bug in WPS Office
On the last day of February this year, researchers from ESET noticed an odd spreadsheet document uploaded to VirusTotal.
The spreadsheet was actually encased in an MHTML file, short for MIME encapsulation of aggregate HTML documents. MHTML is a Web archive file format used to bundle the entire contents of a webpage into a single file. It can do the same for other kinds of content, as was the case here, where APT-C-60 used an MHTML export of a Microsoft Excel (XLS) file.
If victims opened the file, they were presented with a spreadsheet referencing the Hong Kong-based Coremail email service. Unusually, in place of normal rows and columns was an image overlay of rows and columns. A victim who tried clicking on what appeared to be a cell in fact activated the image file, which hid a malicious hyperlink. That single click would then trigger the download of APT-C-60's malicious backdoor.
What in WPS could have allowed for such a dangerous one-click exploit?
Supply: ESET
The problem lay with promecefpluginhost.exe, a plug-in component in WPS Office for Windows that did not properly validate the file paths used to load plug-ins into the program. Rather than simply load malware directly via the insecure component, APT-C-60 used a custom protocol handler registered by WPS, ksoqing://, which allows for the execution of external applications, to execute wps.exe and launch promecefpluginhost.exe, tricking it into loading its insufficiently vetted malicious code in place of a legitimate plug-in.
Tracked as CVE-2024-7262, the underlying issue was given a critical 9.3 out of 10 score on the CVSS vulnerability-severity scale. It affects WPS Office for Windows from version 12.2.0.13110, released about a year ago, up to the time of its patch back in March, with version 12.1.0.16412. That, however, isn't the end of the saga.
A Second Bug in WPS Office
At some point in March, without any fanfare, WPS' developer, Kingsoft, applied a twofold fix for CVE-2024-7262.
"The first thing that they did is to verify the signature of the library that will be loaded [by promecefpluginhost.exe], that it's their own package which is signed by the company," explains Romain Dumont, malware researcher with ESET, which released a blog post on the double-fix on Aug. 28. "And then they tried to sanitize one of the parameters that was vulnerable, but they missed another parameter that allows the same kind of vulnerability."
By the end of April, not only was CVE-2024-7262 still being actively exploited, but the other improperly sanitized parameter had not been addressed. Now tracked as CVE-2024-7263, the latter issue earned its own critical 9.3 severity rating. Dumont assesses that it was likely patched at some point during the spring.
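To illustrate the failure mode Dumont describes, in which one parameter is sanitized while a second path that reaches the same loader is left alone, here is an added Python model of a plug-in loader. It is not WPS Office or Kingsoft code and makes no claim about how promecefpluginhost.exe actually parses its arguments: the app:// scheme, the plugin and helper parameter names, the in-memory file table, and the HMAC used as a stand-in for vendor code signing are all constructed for this example. It contrasts the unpatched loader, a partial fix that confines and signature-checks only the first parameter, and a hardened loader that applies both checks to every path it is handed.

```python
"""Hypothetical model of a plug-in loader fed by a custom URL scheme.

Added illustration, not WPS Office / Kingsoft code. The scheme 'app://',
the parameter names 'plugin' and 'helper', the file table and the HMAC
"signature" are all constructed stand-ins.
"""
import hashlib
import hmac
import posixpath
from urllib.parse import parse_qs, urlsplit

PLUGIN_DIR = "/app/plugins"              # only libraries below here are trusted
SIGNING_KEY = b"constructed-vendor-key"  # stand-in for a vendor code-signing key

# Constructed in-memory file system: canonical path -> library bytes.
FILES = {
    "/app/plugins/legit.dll": b"vendor plug-in",
    "/tmp/evil.dll": b"attacker-controlled library",
}


def signature(blob: bytes) -> str:
    """Stand-in for Authenticode: a MAC only the vendor key can produce."""
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()


# The vendor ships a signature only for its own library.
SIGNATURES = {"/app/plugins/legit.dll": signature(FILES["/app/plugins/legit.dll"])}


def parse_request(url: str) -> tuple[str, str]:
    """Extract both library paths from app://load?plugin=...&helper=..."""
    query = parse_qs(urlsplit(url).query)
    return query.get("plugin", [""])[0], query.get("helper", [""])[0]


def resolve(raw: str) -> str:
    """What a naive loader does: join with the plug-in dir and normalise.
    '../' segments and absolute paths both escape PLUGIN_DIR here."""
    return posixpath.normpath(posixpath.join(PLUGIN_DIR, raw))


def confine(raw: str) -> str:
    """Canonicalise, then require the result to stay inside PLUGIN_DIR."""
    full = resolve(raw)
    if full != PLUGIN_DIR and not full.startswith(PLUGIN_DIR + "/"):
        raise ValueError(f"path escapes plug-in directory: {raw!r}")
    return full


def is_signed(path: str) -> bool:
    """True only if the file exists and carries a valid vendor signature."""
    blob = FILES.get(path)
    if blob is None:
        return False
    return hmac.compare_digest(SIGNATURES.get(path, ""), signature(blob))


def load_unpatched(url: str) -> list[str]:
    """Original behaviour: both parameters are used as-is."""
    plugin, helper = parse_request(url)
    return [resolve(p) for p in (plugin, helper) if p and resolve(p) in FILES]


def load_first_fix(url: str) -> list[str]:
    """Modelled partial fix: confinement and signature check on 'plugin'
    only, while 'helper' still goes through the old unchecked path."""
    plugin, helper = parse_request(url)
    loaded = []
    if plugin:
        path = confine(plugin)
        if is_signed(path):
            loaded.append(path)
    if helper and resolve(helper) in FILES:   # the missed parameter
        loaded.append(resolve(helper))
    return loaded


def load_hardened(url: str) -> list[str]:
    """Every path that can reach the loader is confined and signature-checked."""
    plugin, helper = parse_request(url)
    loaded = []
    for raw in (plugin, helper):
        if not raw:
            continue
        path = confine(raw)
        if not is_signed(path):
            raise ValueError(f"unsigned library refused: {path}")
        loaded.append(path)
    return loaded


if __name__ == "__main__":
    benign = "app://load?plugin=legit.dll"
    via_helper = "app://load?plugin=legit.dll&helper=../../tmp/evil.dll"
    print("unpatched :", load_unpatched(via_helper))
    print("first fix :", load_first_fix(via_helper))   # still loads /tmp/evil.dll
    print("hardened  :", load_hardened(benign))
```

The point of the model is the review question a patch for this class of bug should answer: not "is this parameter sanitized?" but "does every input that can become a library path pass through the same confinement and signature check?" The partial fix passes the first test and fails the second.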
With both critical bugs now accounted for, Dumont urges all WPS users to patch immediately. "This vulnerability is triggered by a single click in the application on the hidden link," he says. "Try to keep your computer updated, and be careful."