Kaspersky Lab Discovers Zero-Day Vulnerability Attacks on Asian and African Banks

Kaspersky Lab discovers zero-day vulnerability in InPage editor

Just after signing a memorandum of understanding (MoU) with the Smart Africa Alliance last month, Kaspersky Lab has discovered attacks which appear to be using a zero-day exploit for the InPage text editor. The exploit was used in attacks against banks in some Asian and African countries.

A zero-day vulnerability is a flaw in software that is unknown to the vendor, so no patch exists for it. An attack that exploits such a flaw before the vendor becomes aware of it and releases a fix is called a zero-day attack. Zero-day attacks can be used to deliver malware or spyware, or to gain unauthorized access to user information. The term "zero-day" refers to the fact that the vendor has had zero days to fix the flaw: outside the attackers, nobody, least of all the developers, knows it exists. Once the vulnerability becomes known, a race begins between the developer, who must patch and protect users, and the attackers, who try to exploit it for as long as unpatched installations remain.

InPage is a software package used by Urdu- and Arabic-speaking people and organizations around the world, with some 19 million users: 10 million in Pakistan, six million in India, two million in the UK, and one million in the US. The text editor is widely used by media and print shops, as well as governmental and financial institutions, such as banks, that work with texts written in Perso-Arabic scripts.

Attacked organizations identified by Kaspersky Lab researchers are located in Myanmar, Sri Lanka and Uganda.

IT News Africa reports that this is not the first time Kaspersky Lab has seen specific "local" software used to infect victims in a cyber attack. In 2013 the company's researchers observed similar tactics in the attacks attributed to the Icefog campaign. In that case the attackers used malicious HWP documents, which are built for Hangul Word Processor, a proprietary word processing application used extensively in South Korea.

Kaspersky Lab analyst Denis Legezo, who found the attacks, said:

"The use of vulnerabilities in specific software with a relatively low global presence and a very narrow target audience is an easy-to-understand tactic. The attackers adjust their tactics to their target's behavior by developing exploits for custom software which doesn't always receive the kind of scrutiny that big software companies apply to their products. Since local software is not a common target of exploit writers, vendors are not very responsive to vulnerability reports and existing exploits remain workable for a long time."

If you are a user of Kaspersky Lab protection packages, then you have already been protected against this attack for quite some time, and the protection has worked well in blocking a number of malicious InPage documents. Kaspersky Lab products detect the InPage exploit under the following detection name: HEUR:Exploit.Win32.Generic.

To avoid loss of valuable information and, in the case of banks, money, security experts advise financial organizations to check their systems for the presence of these threats and to take the following measures:

  • Make sure you have a corporate-grade internet security suite capable of catching exploits generically, such as Kaspersky Endpoint Security for Business.
  • Instruct your staff not to open attachments or URLs in emails sent from unknown sources.
  • Use the most recent versions of software on endpoints in your company. Avoid using software known to be vulnerable. To automate these tasks use Vulnerability Assessment and Patch Management solutions.
  • Subscribe to a professional threat intelligence service like Kaspersky Lab’s APT reporting service to get instant access to actionable information on the most recent cyber-attacks which may target your organization.
  • Educate your staff in cybersecurity. The malware sample that enabled the discovery of the exploit was found with the help of specifically created YARA rules. Invest in the education of your security staff so that they are able to do the same on their own and therefore protect your organization from sophisticated targeted attacks.
Frederick Damasus is a tech enthusiast and blogger who has a passion for creativity and innovation. He is a self-taught graphic designer and currently delving into web design and development. He loves photography and volunteers his spare time to inspire children in orphanages through dance. He is a trained Petroleum Engineer but found himself in the AID/Development sector. He currently serves as the M&E/ICT Manager at the Center for Creative Development Strategies, an NGO based in Port Harcourt, Rivers State, Nigeria.
