CYR3CON™’s early identification of the hacker group Cobalt’s exploit as “very likely” led the industry in providing the most advanced notice prior to the November 22nd breach. CYR3CON, a Next-Gen cyber threat intelligence firm, ranks and prioritizes vulnerabilities through its CyRating platform, combining advanced machine learning with automatically mined deepweb/darkweb information.
When it was first identified by NIST on July 31, there was no public knowledge of an exploit for Microsoft Office vulnerability CVE-2017-11882. It wasn’t until an exploit was discovered in the wild that CYR3CON™ found hackers discussing the vulnerability on forums in multiple languages, beginning November 20th and increasing in activity up through Nov. 23rd.
Last week, while Microsoft, Symantec and Rapid7 had posted assessments that CVE-2017-11882 was “less likely”, “low risk” or “4 of 10 severity,” hackers from the Cobalt group exploited it in an attack that was reported on Nov. 26th. It is noteworthy that these other assessments do not take darkweb/deepweb hacker conversations into account. By contrast, days prior, CYR3CON™’s automated platform, which combines machine learning with artificial intelligence, assessed the vulnerability as “likely”: a 10 times greater probability of being exploited than normal. Days later, after observing hacker conversations which included discussions of multiple exploits within numerous cultural-linguistic groups, the CYR3CON™ platform revised its assessment to “very likely”: now 15-20 times more likely to be exploited. The amount of buzz surrounding this vulnerability resulted in CYR3CON™’s algorithm quickly and automatically upgrading its rating from “likely” to “very likely” within a day to reflect the increasing chance of exploitation.
The hacker group, Cobalt, allegedly with roots in Russia, is well-known for targeting banks and ATMs. According to a report by the information security company Positive Technologies, in the first half of 2017, Cobalt sent out phishing emails containing infected files to more than 3,000 recipients from 250 companies in 12 countries. Just over a year ago, they carried out large attacks against European and Asian financial institutions. Now they are sending organizations malicious emails, this time exploiting CVE-2017-11882 in Microsoft Office.
According to Microsoft, an attacker who successfully exploited the vulnerability could run arbitrary code and possibly take control of the affected system, allowing the attacker to install programs, tamper with data, or create accounts. As hackers are already using this vulnerability, CYR3CON™ recommends that it be patched immediately. Affected products include Microsoft Office 2007 through 2016. Users can find Microsoft’s patch here, and (as a quick fix) instructions on how to disable Microsoft Equation Editor 3.0, a known workaround, can be found here.
CYR3CON™ (Cyber Reconnaissance, Inc.) is a Next-Gen cyber threat intelligence firm which combines advanced machine learning with automatically mined deepweb/darkweb (D2web) information to provide predictive and actionable alerts which reduce cyber breaches. This automated approach largely removes the need for human analysts and allows clients to save time and money with an extremely scalable system. CYR3CON™ specializes in identifying cyber-threats before the breach occurs by collecting sensitive data from forums and websites within the D2web where malicious hackers organize, plan, sell and purchase malware and exploits.
To learn more, please contact your CYR3CON™ partner or visit us at Cyr3con today.