Everyone loves a good cyber-espionage story, and we love to put China under the spotlight.  Why? Because their methods work.  China has some well known hacking groups that have conducted cyber-espionage-oriented attacks, such as the Elderwood Group, Unit 61398, the Nitro gang, etc.  As far as we know, most of these groups tend to use some kind of 0day exploit to gain acces of the targeted organization, and then steal terabytes of data for years.  However, by studying these hacking groups, we also learned that a successful APT doesn't always require an 0day, whatever gets the job done is more than enough, and NetTravler demonstrates just that.

According to a recent research paper by Kaspersky, the Chinese-based hacking group NetTraveler tends to get their victims infected through spear-fishing attacks using exploits that are already publicly known, specifically CVE-2010-3333 and CVE-2012-0158.  Although already patched, these vulnerabilities still remain effective, and are among the most exploited in recent attacks, for example:  Tibetan/Uyghur activists, oil industry companies, scientific research centers, universities, private companies, governments and military contractors, etc.  And of course, they've stolen more than 22 gigabytes of data because they 1337.

This is all kind of depressing (or amusing?) to hear especially when our memory is still fresh about HD Moore's talk about how many percent of the Internet still remain insecure, and NetTraveler kind of verifies that claim by shoving old exploits in the US government's faces.  Hey guess what?  As a high profile target, you can prevent that.  If you run a system update, your vulnerable software will tell you your stuff is outdated.  If you run a vulnerability scanner, the scanner will tell you you're waiting to be exploited.  If you run a penetration testing framework like Metasploit, shells will be popped, and that should be a red flag for you.

CVE-2012-0158 is a vulnerability in Microsoft Office.  There is a Metasploit module (ms12_027_mscomctl_bof.rb) that specifically targets Office 2007 and Office 2010, written by Wei Chen and Juan Vazquez.  Demo (note: target specific):

CVE-2010-3333 is a vulnerability in Microsoft Word. There is also a Metasploit module (ms10_087_rtf_pfragments_bof.rb) for it targeting Office 2003, 2010, and 2010.  Written by ex-Metasploit Exploit Developer Joshua J. Drake.  Demo:

 

 

If you're new to Metasploit and you'd like to try it out, you can download Metasploit for Linux or Windows for free.