Recently,ESETSecurity researchersexposeSouth Korean cyber espionage organizationAPT-C-60utilizeWPS Office WindowsVulnerabilities in the version, targeting the East Asian regionAmong usersCarry out espionage activities.

ESETSecurity researchersDuring the investigation process, the staffDiscovery,Network hacker organizations related to South KoreaAPT-C-60utilizeWPS Office WindowsZero day code execution vulnerability in version（CVE-2024-7262loopholeandCVE-224-7263 vulnerability），Through malicious intentURL Execute external applications in the document to carry out attack activities.WPS OfficeImproper handling of custom protocol handlers allows attackers to exploit malicious intentURLExecute external applications in the document.CVE-2024-7263It is due to Kingsoft's support forCVE-2024-7262Incomplete patching resulted in some parameters not being fully validated, allowing attackers to exploit the vulnerability again.

The organization has created a system containing malicious hyperlinksWPSDocuments (such asDOCTheDOCXTheXLSTheXLSXThese hyperlinks are hidden under the bait image in the same format，Once the user clicks on these links, specific plugins will be executed（promecefpluginhost.exe）, load maliciousDLLfile（ksojscore.dll）, ultimately download and executeSpyGlaceBackdoor program. Attackers useSpyGlaceBackdoor programs can achieve remote control of the victim's computer, steal sensitive information, monitor network communication, and carry out malicious activities such as data destruction. These activities pose a serious threat to the victims' business operations, data security, and personal privacy.

ESETcompany

WPS OfficeHaving a wide user base in the Asian region, with over 10000 active users worldwidefivea hundred millionThis APT-C-60The attack activities mainly target target systems in East Asia, especially those that useWPS OfficeOrganizations and individuals. These targets may include government agencies, enterprises, research institutions, etc., whose sensitive data becomes the main target of attackers' theft.ESETSecurity researchersDuring the investigation, the staff discovered these two vulnerabilities and contacted Kingsoft. Kingsoft fixed these vulnerabilities in subsequent versions, but did not publicly disclose them initiallyCVE-2024-7262The utilization situation in the wild. Because the wild exploitation of this vulnerability increases its risk of further exploitationTherefore, ESEThe final decision is to publish a blog post to warn users.

ESETIt is a globally renowned computer security software company headquartered in Bratislava, Slovakia, founded inone thousand nine hundred and ninety-twoyear.In English,ESETIt can be understood asEssential Solution Against Evolving Threats(Essential solution for virus evolution).The main business scope is Internet securityThe most well-known product isNOD32Antivirus software. Dedicated to cybersecurity research, with a global presencethirteenA research and development center and hundreds of experts.Not only for individual users, but also to provide comprehensive security solutions for enterprises, including antivirusAnti spyware softwareFirewall and other functions.

 APT-C-60utilizeWPSSecurity vulnerabilities

according toESETSaid,The mastermind behind this attack activityAPT-C-60It is a cyber espionage organization associated with South Korea, with“APT”representative“Advanced Persistent Threat”（Advanced Persistent Threat）This type of threat typically has a high degree of concealment, persistence, and targeting, and can lurk in the target network for a long time, stealing sensitive information or engaging in other malicious activities. These types of organizations often have clear intelligence gathering and target penetration capabilities, and using software vulnerabilities for espionage activities is one of their common methods.

This eventWarningThe situation of network security is becoming increasingly severe,Cyber espionage organizations are constantly searching for new vulnerabilities and more efficient attack methods，Any software may have security vulnerabilities. Enterprises and organizations also need to strengthen their network security construction and management, enhance their network security protection capabilities, and ensure business operations and data security.Software service providerComprehensive security measures should be deployed, including firewalls, intrusion detection systems, endpoint security solutions, etc., to prevent potential security threats.

For ordinary usersUsing the popular appWhen using public software, one still needs to remain vigilant,Regularly update office software and other commonly used software to obtain the latest security patches and protection features. For documents and links from unknown sources, users should remain highly vigilant and avoid opening or clicking on them at will to prevent potential security threats.