South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Earlier this year, a South Korean advanced persistent threat (APT) exploited a critical vulnerability in WPS Office to spy on high-level entities in China. It turned out not to be the only critical issue in the hugely popular office software.

WPS Office is a free-to-use competitor to Microsoft Office, with 600 million monthly active users as of this June. It is particularly widely adopted in its home country of China, where it enjoys in excess of 90% market share in mobile office software, and can be found across government agencies, telecommunications companies, and other major sectors. Just last week, when the service went down for half a day, it caused major disruptions to business across the country.

Its ubiquity — not to mention its handling of sometimes sensitive documents — makes WPS Office an attractive target for hackers targeting Chinese organizations and individuals. Such was the case for APT-C-60 (aka Pseudo Hunter), a South Korea-aligned cyberespionage group that has previously targeted entities within Korea itself. Earlier this year, it delivered a custom backdoor dubbed "SpyGlace" to WPS users via an arbitrary code execution exploit.

According to China-based DBAPPSecurity, the aim of the campaign was to obtain intelligence on China-South Korea relations.

An RCE Bug in WPS Office

On the last day of February this year, researchers from ESET noticed an odd spreadsheet document uploaded to VirusTotal.

The spreadsheet was actually encased in an MHTML file, short for MIME encapsulation of aggregate HTML documents. MHTML is a Web archive file format used to pack the entire contents of a webpage into a single file. It can do the same for other types of content, as was the case here, where APT-C-60 used an MHTML export of a Microsoft Excel (XLS) file.

If victims opened the file, they were presented with a spreadsheet referencing the Hong Kong-based Coremail email service. Surprisingly, in place of regular rows and columns was an image overlay of rows and columns. A victim who tried clicking on what appeared to be a cell in fact activated the image file, which hid a malicious hyperlink. That single click would then trigger the download of APT-C-60's malicious backdoor.

What in WPS could have allowed for such a dangerous one-click exploit?

The issue lay with promecefpluginhost.exe, a plug-in component in WPS Office for Windows that did not properly validate the file paths used to load plug-ins into the program. Rather than simply load malware directly through the insecure component, APT-C-60 used a custom protocol handler registered by WPS — ksoqing://, which allows for the execution of external applications — to execute wps.exe and launch promecefpluginhost.exe, tricking it into loading its insufficiently vetted malicious code in place of a legitimate plug-in.
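The delivery chain described above (an MHTML archive whose HTML part hides a ksoqing:// hyperlink behind an image that looks like a spreadsheet) is something a defender can look for in a file before it is ever opened. The following Python scanner is an added example written for this article; it is not ESET's, Kingsoft's, or any vendor's code. It parses the MHTML as the MIME multipart it is, walks the HTML parts, and reports every hyperlink whose scheme is the WPS custom protocol, noting whether the link wraps an image (the overlay trick). The embedded MHTML sample is constructed for the demo, and the ksoqing:// target in it is a placeholder, not the URI used in the campaign.

```python
import email
import sys
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Custom protocol handlers whose presence in a document should be flagged.
# ksoqing is the WPS handler named in the article; the set is easy to extend.
SUSPICIOUS_SCHEMES = {"ksoqing"}

# Constructed sample: a minimal MHTML archive with one HTML part and one image.
# The ksoqing:// target is a placeholder; the real argument format is not reproduced.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body>
<table><tr><td>Coremail</td></tr></table>
<a href="ksoqing://PLACEHOLDER_ARGS"><img src="cid:sheet.png"></a>
<a href="https://example.invalid/help">Help</a>
</body></html>
------=_NextPart_000
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <sheet.png>

iVBORw0KGgo=
------=_NextPart_000--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, wraps_image) for every <a> element in an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, bool]] = []
        self._open: list | None = None  # [href, wraps_image] of the open <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = [attrs.get("href") or "", False]
        elif tag == "img" and self._open is not None:
            self._open[1] = True  # the clickable region is an image overlay

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def scan_mhtml(data: bytes) -> list[dict]:
    """Return one finding per hyperlink using a suspicious custom scheme."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # images and other parts carry no hyperlinks
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, wraps_image in collector.links:
            scheme = urlsplit(href).scheme.lower()
            if scheme in SUSPICIOUS_SCHEMES:
                findings.append({"href": href, "scheme": scheme, "image_overlay": wraps_image})
    return findings


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    sources = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_MHTML)]
    for name, blob in sources:
        for f in scan_mhtml(blob):
            print(f"{name}: {f['scheme']}:// link (image overlay: {f['image_overlay']}) -> {f['href']}")
```

Scanning the constructed sample reports one ksoqing link that wraps an image and ignores the ordinary https link. A mail gateway or EDR hook can apply the same logic to any .mht/.mhtml attachment regardless of the extension it was given; the parse is purely static, so the file is never rendered.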

Tracked as CVE-2024-7262, the underlying issue was given a critical 9.3 out of 10 score on the CVSS vulnerability-severity scale. It affects WPS Office for Windows from version 12.2.0.13110 — released about a year ago — to the time of its patch back in March, with version 12.1.0.16412. That, however, is not the end of the saga.

A Second Bug in WPS Office

At some point in March, without any fanfare, WPS' developer, Kingsoft, applied a twofold fix for CVE-2024-7262.

"The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it is their own package which is signed by the company," explains Romain Dumont, malware researcher with ESET, which released a blog post on the double-fix on Aug. 28. "And then they tried to sanitize one of the parameters that was vulnerable, but they missed another parameter that allows the same kind of vulnerability."

By the end of April, not only was CVE-2024-7262 still being actively exploited, but the other improperly sanitized parameter had not been addressed. Now tracked as CVE-2024-7263, the latter issue earned its own critical 9.3 severity rating. Dumont assesses that it was likely patched at some point during the spring.
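The incomplete fix Dumont describes (one path parameter sanitized, a second one left unchecked, with a signature check bolted on) is a pattern worth seeing in code. The Python below is an added example written for this article and is not Kingsoft's loader or ESET's analysis; the loader, its two parameters (`plugin_name` and `helper_path`) and the directory layout are hypothetical, and a SHA-256 allowlist stands in for real code-signing verification. It contrasts an unpatched loader, a partial fix that validates only the first parameter, and a hardened loader that canonicalises every path, enforces containment in the plug-in directory, and requires every loaded file to be trusted.

```python
import hashlib
import tempfile
from pathlib import Path


class PluginLoadError(Exception):
    """Raised when a plug-in path or its contents fail validation."""


def _resolve_inside(candidate: str, root: Path) -> Path:
    """Canonicalise `candidate` and insist it stays under `root`.

    `..` segments, absolute paths and symlinks are resolved before the
    containment check, so a traversal cannot slip past a string-only filter.
    """
    root = root.resolve()
    resolved = (root / candidate).resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise PluginLoadError(f"{candidate!r} resolves outside {root}") from None
    return resolved


def _require_trusted(path: Path, trusted_digests: set) -> None:
    """Stand-in for signature verification: allowlist by SHA-256 of the file."""
    if hashlib.sha256(path.read_bytes()).hexdigest() not in trusted_digests:
        raise PluginLoadError(f"{path} is not a trusted plug-in")


def load_unpatched(plugin_name: str, helper_path: str, root: Path):
    # Hypothetical pre-fix behaviour: neither parameter is validated.
    return Path(root, plugin_name).resolve(), Path(helper_path).resolve()


def load_partial_fix(plugin_name: str, helper_path: str, root: Path):
    # Hypothetical partial fix: the first parameter is contained, the second is not.
    main = _resolve_inside(plugin_name, root)
    helper = Path(helper_path).resolve()  # still reaches the loader unchecked
    return main, helper


def load_hardened(plugin_name: str, helper_path: str, root: Path, trusted_digests: set):
    # Every path that influences what gets loaded is contained and trust-checked.
    main = _resolve_inside(plugin_name, root)
    helper = _resolve_inside(helper_path, root)
    for p in (main, helper):
        _require_trusted(p, trusted_digests)
    return main, helper


def _rejects(fn, *args) -> bool:
    try:
        fn(*args)
    except PluginLoadError:
        return True
    return False


def run_demo() -> dict:
    """Exercise the three loaders against a constructed directory layout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "wps_plugins")
        root.mkdir()
        good = root / "good.dll"
        good.write_bytes(b"constructed legitimate plug-in")
        helper_ok = root / "helper.dll"
        helper_ok.write_bytes(b"constructed legitimate helper")
        dropped = root / "dropped.dll"  # inside the directory but not trusted
        dropped.write_bytes(b"constructed unsigned file inside plug-in dir")
        outside = Path(tmp, "downloads")
        outside.mkdir()
        evil = outside / "evil.dll"
        evil.write_bytes(b"constructed attacker-controlled file")
        trusted = {hashlib.sha256(p.read_bytes()).hexdigest() for p in (good, helper_ok)}
        escape = "../downloads/evil.dll"

        results["unpatched_loads_outside"] = load_unpatched(escape, str(helper_ok), root)[0] == evil.resolve()
        results["partial_rejects_name"] = _rejects(load_partial_fix, escape, str(helper_ok), root)
        results["partial_accepts_helper"] = load_partial_fix("good.dll", str(evil), root)[1] == evil.resolve()
        results["hardened_rejects_helper"] = _rejects(load_hardened, "good.dll", str(evil), root, trusted)
        results["hardened_rejects_untrusted"] = _rejects(load_hardened, "dropped.dll", "helper.dll", root, trusted)
        results["hardened_loads_trusted"] = load_hardened("good.dll", "helper.dll", root, trusted) == (good.resolve(), helper_ok.resolve())
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The partial fix closes the traversal through the first parameter but still lets the second one point anywhere on disk, which is exactly why a second CVE followed the first. The hardened loader treats every path-shaped input the same way and adds the trust check on the file itself, so a file dropped inside the plug-in directory is rejected as well.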

With both critical bugs now accounted for, Dumont urges all WPS users to patch immediately. "This vulnerability is triggered by a single click in the application on the hidden link," he says. "Try to keep your computer updated, and be careful."

