APT-C-60 [1] [2] [3] [4] [5] [6] [7] [9] [10], a cyber-espionage group aligned with South Korea [1] [6], recently targeted victims in East Asia by exploiting two critical zero-day vulnerabilities in Kingsoft WPS Office for Windows.

Description

ESET researchers discovered the vulnerabilities [1] [3] [7], identified as CVE-2024-7262 and CVE-2024-7263 [7], which allow arbitrary code execution through malicious documents [3]. The attackers used a booby-trapped spreadsheet in MHTML format with a hidden hyperlink to trigger the exploit [5], and added a spreadsheet image to make the document look legitimate. APT-C-60 deployed a custom backdoor called SpyGlace [1], taking advantage of a flaw in the plugin component promecefpluginhost.exe. China-based DBAPPSecurity confirmed APT-C-60’s exploitation of the vulnerability to distribute malware in China [5], aiming to gather intelligence on China-South Korea relations [8]. Following a coordinated disclosure process [7] [9] [10], Kingsoft promptly patched the vulnerabilities [3] and urged users to update their software to protect against these critical security risks. The vulnerabilities affected WPS Office for Windows versions 12.2.0.13110 to 12.1.0.16412 and were rated as critical.
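A defender-side triage check for the delivery vector described above, added here as an example and not taken from the ESET research or any cited source: it parses an MHTML file and lists link targets whose URL scheme falls outside an allow-list. The allow-list, the function name `unusual_links` and the constructed sample (with its placeholder `exampleapp` scheme) are assumptions of the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes treated as ordinary inside a document; anything else is flagged.
# This allow-list is an assumption of the example, not from the article.
ORDINARY_SCHEMES = {"", "http", "https", "mailto", "file", "cid"}

class _LinkCollector(HTMLParser):
    """Collects every href/src target found in one HTML part."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.targets.append((tag, value.strip()))

def unusual_links(mhtml_bytes):
    """Return (tag, url) pairs whose URL scheme is not in ORDINARY_SCHEMES."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())  # transfer encoding is decoded here
        for tag, url in collector.targets:
            if urlsplit(url).scheme.lower() not in ORDINARY_SCHEMES:
                findings.append((tag, url))
    return findings

# Constructed sample: a minimal MHTML document with one ordinary link and one
# link using a made-up application scheme ("exampleapp" is a placeholder).
SAMPLE = (
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b'<a href=3D"https://example.com/report">Report</a>\r\n'
    b'<a href=3D"exampleapp://open?id=3D1"><img src=3D"cid:sheet.png"></a>\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for tag, url in unusual_links(SAMPLE):
        print(f"review: <{tag}> -> {url}")
```

A hit is only a prompt for manual review: the check shows that a document hands a URL to some registered application handler, not that the document is malicious.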

Conclusion

This attack underscores the importance of robust security measures, timely patching [6] [7], and awareness of geopolitical motivations in cyber espionage activities [6]. Recommendations include updating software [6], implementing endpoint security solutions [6], conducting security awareness training [6], deploying intrusion detection systems [6], and establishing an incident response plan to defend against sophisticated threats like APT-C-60 [6].

References

[1] https://securityonline.info/eset-uncovers-zero-day-vulnerabilities-in-wps-office-exploited-by-apt-c-60/
[2] https://thehackernews.com/2024/08/apt-c-60-group-exploit-wps-office-flaw.html
[3] https://cyberunfolded.in/blog/understanding-zero-day-attacks-on-wps-a-comprehensive-analysis
[4] https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/
[5] https://www.infosecurity-magazine.com/news/south-korean-spies-exploit-wps/
[6] https://www.krofeksecurity.com/apt-c-60-group-exploits-wps-office-flaw-for-spyglace-backdoor-deployment/
[7] https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
[8] https://www.darkreading.com/vulnerabilities-threats/south-korean-apt-exploits-1-click-wps-office-bug-nabs-chinese-intel
[9] https://www.helpnetsecurity.com/2024/08/28/cve-2024-7262-cve-2024-7263/
[10] https://cyber.vumetric.com/security-news/2024/08/28/apt-group-exploits-wps-office-for-windows-rce-vulnerability-cve-2024-7262/