Earlier this year, a South Korean advanced persistent threat (APT) exploited a critical vulnerability in WPS Office to spy on high-level entities in China. It turned out not to be the only critical issue in the hugely popular office software.
WPS Office is a free-to-use competitor to Microsoft Office, with 600 million monthly active users as of this June. It is particularly widely adopted in its home country of China, where it holds more than 90% of the mobile office software market and can be found across government agencies, telecommunications companies, and other major sectors. Just last week, when the service went down for half a day, it caused major disruptions to business across the country.
Its ubiquity — not to mention its handling of often sensitive documents — makes WPS Office an attractive target for hackers going after Chinese organizations and individuals. Such was the case for APT-C-60 (aka Pseudo Hunter), a South Korea-aligned cyberespionage group that has previously targeted entities within Korea itself. Earlier this year, it delivered a custom backdoor dubbed "SpyGlace" to WPS users via an arbitrary code execution exploit.
According to China-based DBAPPSecurity, the goal of the campaign was to obtain intelligence on China-South Korea relations.
An RCE Bug in WPS Office
On the last day of February this year, researchers from ESET noticed an odd spreadsheet document uploaded to VirusTotal.
The spreadsheet was actually encased in an MHTML file, short for MIME encapsulation of aggregate HTML documents. MHTML is a Web archive format that bundles all the resources of a webpage into a single file. It can do the same for other kinds of content, as was the case here, where APT-C-60 used an MHTML export of a Microsoft Excel (XLS) file.
If victims opened the file, they were presented with a spreadsheet referencing the Hong Kong-based Coremail email service. Unusually, in place of real rows and columns, the document displayed an image of rows and columns. A victim who tried to click on what appeared to be a cell was in fact clicking the image, which was wrapped in a hidden malicious hyperlink. That single click would then trigger the download of APT-C-60's backdoor.
What in WPS could have allowed such a dangerous one-click exploit?
Source: ESET
The problem lay with promecefpluginhost.exe, a plug-in component of WPS Office for Windows that did not properly validate the file paths used to load plug-ins into the program. Rather than simply load malware directly through the insecure component, APT-C-60 used a custom protocol handler registered by WPS — ksoqing://, which allows external applications to be executed — to run wps.exe and launch promecefpluginhost.exe, tricking it into loading the attackers' unvetted code in place of a legitimate plug-in.
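The lure's structure described above (an MHTML container whose visible "spreadsheet" is one image wrapped in a ksoqing:// hyperlink) can be triaged offline without opening the file in WPS. The following is an added example, not code from ESET or from the page: it parses the MIME container with Python's standard email parser, undoes the quoted-printable transfer encoding, pulls every anchor out of the HTML parts, and flags any link whose scheme is the custom WPS handler. The sample MHTML is constructed for the example; the handler path and the base64-encoded `cmd` parameter are invented for illustration and are not the campaign's real parameters, which this page does not show.

```python
import base64
import email
import re
from email import policy
from urllib.parse import parse_qs, urlsplit

# Constructed sample, not the real lure: a minimal MHTML container with one text/html
# part whose only anchor wraps an image and points at the ksoqing:// handler. The handler
# host, path and "cmd" parameter are invented for illustration.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><table><tr><td>
<a href=3D"ksoqing://hypothetical-handler/open?cmd=3DdGVzdA=3D=3D">
<img src=3D"cid:sheet.png" width=3D"800" height=3D"600"></a>
</td></tr></table></body></html>

------=_NextPart_000
Content-Type: image/png
Content-Location: sheet.png
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==

------=_NextPart_000--
"""

# Custom URL scheme registered by WPS that launches external programs (see text above).
SUSPICIOUS_SCHEMES = {"ksoqing"}

_ANCHOR = re.compile(r'<a\b[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def html_parts(mhtml_bytes):
    """Yield each decoded text/html part; the email parser undoes quoted-printable/base64."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def extract_links(mhtml_bytes):
    """Return (href, wraps_image) for every anchor in the HTML parts of the container."""
    links = []
    for html in html_parts(mhtml_bytes):
        for m in _ANCHOR.finditer(html):
            wraps_image = re.search(r"<img\b", m.group(2), re.I) is not None
            links.append((m.group(1), wraps_image))
    return links


def _maybe_b64(value):
    """Best-effort decode of a base64 query value; None if it is not base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(mhtml_bytes):
    """Report every anchor that hands control to a suspicious protocol handler."""
    hits = []
    for href, wraps_image in extract_links(mhtml_bytes):
        u = urlsplit(href)
        if u.scheme.lower() not in SUSPICIOUS_SCHEMES:
            continue
        params = {k: v[0] for k, v in parse_qs(u.query).items()}
        hits.append({
            "href": href,
            "scheme": u.scheme,
            "host": u.netloc,
            "path": u.path,
            "params": params,
            "decoded": {k: _maybe_b64(v) for k, v in params.items()},
            # The whole visible "spreadsheet" being one clickable image is the lure's tell.
            "image_overlay": wraps_image,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_MHTML):
        print(hit)
```

The parser is deliberately scheme-driven rather than signature-driven: any document that routes a click into a protocol handler that launches executables deserves a look, whatever the surrounding HTML looks like, and the `image_overlay` flag separates the "fake spreadsheet" lure from a legitimate export that merely contains a link.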
Tracked as CVE-2024-7262, the underlying issue was given a critical 9.3 out of 10 score on the CVSS vulnerability-severity scale. It affects WPS Office for Windows from version 12.2.0.13110 — released about a year ago — up to the version that patched it back in March, 12.1.0.16412. That, however, is not the end of the saga.
A Second Bug in WPS Office
At some point in March, without any fanfare, WPS' developer, Kingsoft, applied a twofold fix for CVE-2024-7262.
"The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it is their own package which is signed by the company," explains Romain Dumont, malware researcher with ESET, which released a blog post on the double fix on Aug. 28. "And then they tried to sanitize one of the parameters that was vulnerable, but they missed another parameter that allows the same type of vulnerability."
By the end of April, not only was CVE-2024-7262 still being actively exploited, but the other improperly sanitized parameter had not been addressed. Now tracked as CVE-2024-7263, the latter issue earned its own critical 9.3 severity rating. Dumont assesses that it was likely patched at some point during the spring.
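The pattern behind the second bug, a fix that sanitizes one parameter and leaves a sibling parameter with the same power untouched, is common enough to be worth seeing in code. The following is an added illustration, not Kingsoft's code and not the real plug-in loader: the `plugin` and `helper` parameters, the `demo_plugins` directory and the digest allowlist are all hypothetical, and the SHA-256 allowlist only stands in for the code-signing check Dumont describes. The point it shows is that path containment must be enforced through one choke point applied to every path-carrying input, after canonicalization, not by a substring check on whichever parameter the reporter happened to abuse.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical layout (not WPS's real one): plug-ins live under PLUGIN_DIR and the loader
# takes its parameters from the query string of a URL handed to the program, the way a
# custom protocol handler such as ksoqing:// passes arguments to the application it launches.
PLUGIN_DIR = (Path(tempfile.gettempdir()) / "demo_plugins").resolve()
EVIL_PATH = (PLUGIN_DIR.parent / "demo_evil.dll").resolve()  # attacker-writable, outside PLUGIN_DIR

# Stand-in for the vendor's code-signing check: SHA-256 digests of the vendor's own libraries.
# A real loader would verify the Authenticode signature chain instead of a digest allowlist.
TRUSTED_DIGESTS = set()


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def setup_demo():
    """Create one trusted plug-in inside PLUGIN_DIR and one untrusted file outside it (constructed data)."""
    PLUGIN_DIR.mkdir(parents=True, exist_ok=True)
    good = PLUGIN_DIR / "good.dll"
    good.write_bytes(b"MZ-demo-vendor-plugin")
    EVIL_PATH.write_bytes(b"MZ-demo-attacker-payload")
    TRUSTED_DIGESTS.add(_sha256(good))


def _params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_loader(url):
    """Incomplete fix: rejects traversal in 'plugin' but forgets that 'helper' is also a path."""
    p = _params(url)
    plugin, helper = p.get("plugin", ""), p.get("helper", "")
    if ".." in plugin or os.path.isabs(plugin):
        raise ValueError("rejected plugin path")
    # pathlib drops PLUGIN_DIR when the right-hand operand is absolute, so an absolute
    # 'helper' value is loaded from wherever the attacker placed it.
    return [str(PLUGIN_DIR / plugin), str(PLUGIN_DIR / helper)]


def hardened_loader(url):
    """Every path-carrying parameter goes through the same containment and signature check."""
    p = _params(url)
    resolved = []
    for name in ("plugin", "helper"):
        value = p.get(name, "")
        candidate = (PLUGIN_DIR / value).resolve()  # canonicalize first, then compare
        if PLUGIN_DIR not in candidate.parents:
            raise ValueError(f"{name} escapes the plug-in directory: {value!r}")
        if not candidate.is_file() or _sha256(candidate) not in TRUSTED_DIGESTS:
            raise ValueError(f"{name} is not a trusted vendor library: {value!r}")
        resolved.append(str(candidate))
    return resolved


def attack_url():
    """Constructed ksoqing-style URL: the sanitized parameter is clean, the forgotten one is not."""
    return "ksoqing://demo?plugin=good.dll&helper=" + quote(str(EVIL_PATH), safe="")


if __name__ == "__main__":
    setup_demo()
    print("vulnerable loads:", vulnerable_loader(attack_url()))
    try:
        hardened_loader(attack_url())
    except ValueError as err:
        print("hardened rejects:", err)
```

Two details carry the lesson. First, the containment test compares a resolved path against the plug-in directory, so `..` segments, absolute paths and symlinks are all caught by one rule. Second, the signature (here, digest) check runs on the file that will actually be loaded, which is why the first half of Kingsoft's fix already blunted the exploit even before the missed parameter was sanitized.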
With both critical bugs now accounted for, Dumont urges all WPS users to patch immediately. "This vulnerability is triggered by a single click within the application on the hidden link," he says. "Try to keep your computer updated, and be careful."