South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Earlier this year, a South Korean advanced persistent threat (APT) exploited a critical vulnerability in WPS Office to spy on high-level entities in China. It turned out not to be the only critical issue in the massively popular office software.

WPS Office is a free-to-use competitor to Microsoft Office, with 600 million monthly active users as of this June. It is particularly widely adopted in its home country of China, where it enjoys more than 90% market share in mobile office software and can be found across government agencies, telecommunications companies, and other major sectors. Just last week, when the service went down for half a day, it caused major disruptions to businesses across the country.

Its ubiquity, not to mention its handling of often sensitive documents, makes WPS Office an attractive target for hackers targeting Chinese organizations and individuals. Such was the case for APT-C-60 (aka Pseudo Hunter), a South Korea-aligned cyberespionage group that has previously targeted entities within Korea itself. Earlier this year, it delivered a custom backdoor dubbed “SpyGlace” to WPS users via an arbitrary code execution exploit.

According to China-based DBAPPSecurity, the goal of the campaign was to obtain intelligence on China-South Korea relations.

An RCE Bug in WPS Office

On the last day of February this year, researchers from ESET noticed an odd spreadsheet document uploaded to VirusTotal.

The spreadsheet was actually encased in an MHTML file, short for MIME encapsulation of aggregate HTML documents. MHTML is a Web archive file format used to bundle all the contents of a webpage into a single file. It can do the same for other types of content, as was the case here, where APT-C-60 used an MHTML export of a Microsoft Excel (XLS) file.

If victims opened the file, they were presented with a spreadsheet referencing the Hong Kong-based Coremail email service. Surprisingly, in place of normal rows and columns was an image overlay of rows and columns. A victim who tried clicking on what appeared to be a cell in fact activated the image file, which hid a malicious hyperlink. That single click would then trigger the download of APT-C-60’s malicious backdoor.
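As an added illustration of the lure format described above (example code written for this page, not ESET’s analysis tooling or anything from the real sample), the following Python script parses a constructed MHTML archive with the standard library’s email parser and reports every hyperlink whose only visible content is an image, flagging targets that use a scheme other than http, https or mailto. The sample archive, the ksoqing://open?plugin=... target and its parameter are assumptions made for the example; the real document’s link is not reproduced here.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the real APT-C-60 document: a minimal MHTML archive
# whose HTML part shows an image of a sheet wrapped in a hyperlink. The
# ksoqing:// target and its "plugin" parameter are hypothetical.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body>
<table><tr><td>Coremail</td></tr></table>
<a href="ksoqing://open?plugin=../../evil.dll"><img src="cid:sheet.png" width="100%"></a>
</body></html>

------=_NextPart_000
Content-Type: image/png
Content-ID: <sheet.png>
Content-Transfer-Encoding: base64

iVBORw0KGgo=

------=_NextPart_000--
"""

# Schemes a spreadsheet hyperlink is normally expected to use (plus relative
# links); anything else, such as a custom handler like ksoqing://, is worth a
# closer look.
ORDINARY_SCHEMES = {"http", "https", "mailto", ""}


class ImageLinkFinder(HTMLParser):
    """Collect href targets of anchors whose only visible content is an <img>."""

    def __init__(self):
        super().__init__()
        self.href = None          # href of the anchor currently open, if any
        self.saw_img = False
        self.saw_text = False
        self.image_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href") is not None:
            self.href, self.saw_img, self.saw_text = attrs["href"], False, False
        elif tag == "img" and self.href is not None:
            self.saw_img = True

    def handle_data(self, data):
        if self.href is not None and data.strip():
            self.saw_text = True

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            if self.saw_img and not self.saw_text:
                self.image_links.append(self.href)
            self.href = None


def triage_mhtml(blob: bytes) -> dict:
    """Parse an MHTML blob and report image-only hyperlinks and their schemes."""
    msg = email.message_from_bytes(blob, policy=policy.default)
    part_types, image_links = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        part_types.append(ctype)
        if ctype == "text/html":
            finder = ImageLinkFinder()
            finder.feed(part.get_content())
            image_links.extend(finder.image_links)
    custom = [u for u in image_links
              if urlsplit(u).scheme.lower() not in ORDINARY_SCHEMES]
    return {
        "parts": part_types,
        "image_links": image_links,
        "custom_scheme_links": custom,
        "suspicious": bool(custom),
    }


if __name__ == "__main__":
    for key, value in triage_mhtml(SAMPLE_MHTML).items():
        print(f"{key}: {value}")
```

The check deliberately keys on structure rather than on a blocklist of URLs: an anchor that wraps nothing but an image is exactly what a fake sheet needs in order to make any click land on the link, and a non-web scheme on that anchor means the click is handed to a locally registered handler rather than a browser.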

What in WPS could have allowed for such a dangerous one-click exploit?

The issue lay with promecefpluginhost.exe, a plug-in component in WPS Office for Windows that did not properly validate the file paths used to load plug-ins into the program. Rather than simply load malware directly via the insecure component, APT-C-60 used a custom protocol handler registered by WPS, ksoqing://, which allows for the execution of external applications, to execute wps.exe and launch promecefpluginhost.exe, tricking it into loading the group’s insufficiently vetted malicious code in place of a legitimate plug-in.

Tracked as CVE-2024-7262, the underlying issue was given a critical 9.3 out of 10 score on the CVSS vulnerability-severity scale. It affects WPS Office for Windows from version 12.2.0.13110, released about a year ago, up to the time of its patch back in March, with version 12.1.0.16412. That, however, isn’t the end of the saga.

A Second Bug in WPS Office

At some point in March, without any fanfare, Kingsoft, the developer of WPS, applied a twofold fix for CVE-2024-7262.

“The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it’s their own package which is signed by the company,” explains Romain Dumont, malware researcher with ESET, which published a blog post on the double fix on Aug. 28. “And then they tried to sanitize one of the parameters that was vulnerable, but they missed another parameter that allows the same type of vulnerability.”

By the end of April, not only was CVE-2024-7262 still being actively exploited, but the other improperly sanitized parameter had not been addressed either. Now tracked as CVE-2024-7263, the latter issue earned its own critical 9.3 severity rating. Dumont assesses that it was likely patched at some point during the spring.
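To make the path-validation flaw and the two-stage fix concrete, here is an added Python model of the plug-in host’s loading decision (example code written for this page, not Kingsoft’s code and not a description of the real parameters): a ksoqing:// URL carries two parameters that each name a library, a path check is applied to none, one, or both of them, and a vendor-signature check gates what finally loads. The installation path, the parameter names plugin and hook, and the HMAC standing in for an Authenticode signature are all assumptions made for the example.

```python
import hashlib
import hmac
import ntpath
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-ins: the real WPS installation path, parameter names and
# signing scheme are not taken from the article.
PLUGIN_DIR = r"C:\Program Files\WPS\plugins"
LOAD_PARAMS = ("plugin", "hook")            # two parameters that both name a library
VENDOR_KEY = b"vendor-signing-key-stand-in"  # HMAC stands in for Authenticode here


def vendor_sign(blob: bytes) -> str:
    """Stand-in for a vendor code signature over a library's bytes."""
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).hexdigest()


def parse_ksoqing(url: str) -> dict:
    """Split a ksoqing:// URL into single-valued query parameters."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ksoqing":
        raise ValueError("not a ksoqing:// URL")
    return {k: v[0] for k, v in parse_qs(parts.query).items()}


def is_inside_plugin_dir(candidate: str) -> bool:
    """True only if `candidate` resolves to a file below PLUGIN_DIR.

    Rejects drive-letter and UNC paths outright, then normalises the joined
    path (collapsing '..' and '/') and compares the prefix case-insensitively,
    the way Windows paths compare.
    """
    drive, _ = ntpath.splitdrive(candidate)
    if drive or ntpath.isabs(candidate):
        return False
    resolved = ntpath.normpath(ntpath.join(PLUGIN_DIR, candidate))
    base = ntpath.normpath(PLUGIN_DIR).lower() + ntpath.sep
    return resolved.lower().startswith(base)


def plan_loads(url: str, checked: tuple = LOAD_PARAMS, files=None) -> list:
    """Return the library paths the host would load for `url`.

    `checked` lists the parameters that receive path validation: () models the
    unpatched host, ("plugin",) the incomplete first fix, and LOAD_PARAMS the
    complete one. When `files` (path -> (bytes, signature)) is given, every
    library must also carry a valid vendor signature before it is loaded.
    """
    params = parse_ksoqing(url)
    plan = []
    for key in LOAD_PARAMS:
        if key not in params:
            continue
        candidate = params[key]
        if key in checked and not is_inside_plugin_dir(candidate):
            raise PermissionError(f"{key}={candidate!r} escapes the plug-in directory")
        path = ntpath.normpath(ntpath.join(PLUGIN_DIR, candidate))
        if files is not None:
            blob, signature = files.get(path, (b"", ""))
            if not hmac.compare_digest(vendor_sign(blob), signature):
                raise PermissionError(f"{path} is not vendor-signed")
        plan.append(path)
    return plan


def rejected(url: str, checked: tuple = LOAD_PARAMS, files=None) -> bool:
    """True if the host refuses the URL under the given policy."""
    try:
        plan_loads(url, checked, files)
    except PermissionError:
        return True
    return False


# Constructed inputs: a benign launch and a traversal attempt on each parameter.
BENIGN = "ksoqing://open?plugin=sheet.dll"
EVIL_PLUGIN = "ksoqing://open?plugin=../../evil.dll"
EVIL_HOOK = "ksoqing://open?plugin=sheet.dll&hook=../../evil.dll"

if __name__ == "__main__":
    print("unpatched loads:", plan_loads(EVIL_PLUGIN, checked=()))
    print("first fix blocks plugin=..:", rejected(EVIL_PLUGIN, checked=("plugin",)))
    print("first fix still loads hook=..:", plan_loads(EVIL_HOOK, checked=("plugin",)))
    print("complete fix blocks hook=..:", rejected(EVIL_HOOK))
```

Run stand-alone, the script prints four outcomes; the second and third are the point. Validating one parameter blocks traversal through it, while the unchecked parameter still resolves to a library outside the plug-in directory, which is the shape of the gap between the first fix for CVE-2024-7262 and CVE-2024-7263. The signature layer is what closes the hole independently of path handling: even a path that slips past validation loads nothing unless the bytes at that path carry the vendor’s signature.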

With both critical bugs now accounted for, Dumont urges all WPS users to patch immediately. “This vulnerability is triggered by a single click within the application on the hidden hyperlink,” he says. “Try to keep your computer updated, and be cautious.”
