South Korean Hacker Group Actively Exploits Vulnerability in WPS, Fixed in Latest Version
Previously, Landian.news reported a critical security vulnerability in Kingsoft's WPS Office, which has been weaponized by hacker groups for exploitation. According to WPS officials, only the international version of WPS 2023 is affected, with other versions remaining unaffected.
As usual, Kingsoft has repaired the vulnerability but has been reluctant to issue a comprehensive security bulletin to warn users about potential attacks. For instance, Kingsoft did not disclose that the vulnerability was being actively exploited.
This prompted the cybersecurity firm ESET, which discovered the vulnerability, to release a new detailed report urging users and businesses to immediately upgrade to the latest version and be wary of attacks launched by the South Korean hacker group.
Timeline of the Vulnerability:
The vulnerability (CVE-2024-7262) was discovered by cybersecurity company ESET, which found that it had been exploited by hackers since at least February 2024, categorizing it as a zero-day exploit.
ESET responsibly notified Kingsoft of the vulnerability, and the latter quietly released a new version in March 2024 that fixed the issue but did not announce that the vulnerability had been actively exploited.
ESET later discovered that Kingsoft's fix was incomplete and another vulnerability (CVE-2024-7263) still existed. After being notified, Kingsoft completed the fix in May 2024.
The actually affected versions range from WPS 12.2.0.13110 (released in August 2023) to 12.2.0.17119 (released in May 2024), so users should upgrade at least to the version released after May 2024.
Active Exploitation by South Korean Hacker Group APT-C-60:
Despite the fix, there are still users and businesses that have not upgraded to the latest version for various reasons, making the vulnerability still exploitable. Thus, the South Korean hacker group APT-C-60 began actively exploiting this vulnerability.
The CVE-2024-7262 vulnerability lies in the WPS custom protocol handler for the ksoqing:// scheme, which is used to open WPS quickly. Because the handler did not adequately validate and sanitize its input, hackers can craft malicious hyperlinks that trigger arbitrary code execution (RCE).
In actual attacks, APT-C-60 created MHTML files containing a bait image and a malicious hyperlink, for example an image designed to look like a document that must be clicked to load. When a user clicks on the picture, they actually trigger the malicious hyperlink.
Once clicked, the malicious hyperlink triggers the vulnerability, after which APT-C-60 uses base64-encoded commands to execute a specific plugin (promecefpluginhost.exe), delivering a backdoor program that ESET has named SpyGlace.
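As an added illustration (this is not code from the article, from ESET or from Kingsoft), the following Python script shows two defensive checks that follow from the description above: whether an installed WPS build number falls inside the affected range the article gives (taken here as inclusive, 12.2.0.13110 through 12.2.0.17119), and whether an MHTML or HTML file contains hyperlinks that use the ksoqing scheme. The MHTML sample, the `EXAMPLE_PLACEHOLDER` link target and the version strings are constructed for the example; the only page-derived specifics are the scheme name and the version range. Because MHTML bodies are usually quoted-printable encoded, the scanner decodes each part with the standard library's `email` module before matching, which a grep over the raw file can miss when the URL is split by a soft line break.

```python
import email
import re
from typing import List, Tuple

# Affected WPS build range as given in the article, taken as inclusive at both ends.
AFFECTED_MIN = (12, 2, 0, 13110)
AFFECTED_MAX = (12, 2, 0, 17119)

# Matches an href attribute whose value uses the ksoqing scheme named in the article.
KSOQING_HREF = re.compile(r"""href\s*=\s*["']?\s*(ksoqing:[^"'\s>]*)""", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert a dotted WPS build string such as '12.2.0.13110' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized WPS version string: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_affected(version: str) -> bool:
    """True if the build number lies inside the range the article lists as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_ksoqing_links(html: str) -> List[str]:
    """Return every ksoqing: hyperlink target found in already-decoded HTML text."""
    return KSOQING_HREF.findall(html)


def html_parts(content: str) -> List[str]:
    """Return the decoded HTML bodies of an MHTML file, or the input itself if it is plain HTML."""
    msg = email.message_from_string(content)
    if not msg.is_multipart():
        return [content]
    parts = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True)  # undoes quoted-printable / base64
        charset = part.get_content_charset() or "utf-8"
        parts.append(raw.decode(charset, errors="replace"))
    return parts


def scan_document(content: str) -> List[str]:
    """Scan an MHTML or HTML document and return all ksoqing: link targets it contains."""
    found = []
    for html in html_parts(content):
        found.extend(find_ksoqing_links(html))
    return found


# Constructed sample MHTML (not a real capture): a bait image wrapped in a ksoqing:
# hyperlink. The link target is a placeholder, not a payload, and the quoted-printable
# soft line break ("=" at end of line) splits the URL across two raw lines.
SAMPLE_MHTML = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="----=_Part_0"\n'
    "\n"
    "------=_Part_0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    '<html><body><a href=3D"ksoqing://EXAMPLE_PLACEHOLDER_=\n'
    'LINK"><img src=3D"cid:bait.png"></a></body></html>\n'
    "------=_Part_0--\n"
)

if __name__ == "__main__":
    for ver in ("12.2.0.13109", "12.2.0.13110", "12.2.0.17119", "12.2.0.17120"):
        print(f"WPS {ver}: {'AFFECTED' if is_affected(ver) else 'not in affected range'}")
    print("raw regex over undecoded file finds:", find_ksoqing_links(SAMPLE_MHTML))
    print("decoded MHTML scan finds:", scan_document(SAMPLE_MHTML))
```

Run as a script, it reports the four constructed version strings and then shows that the raw regex finds nothing in the undecoded file while the decoded scan recovers the `ksoqing:` link. In practice the version check belongs in an inventory or endpoint-compliance query, and the link scanner in a mail-gateway or EDR file-inspection rule that quarantines matching attachments for review.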
ESET also warns that this attack method is very cunning: it is deceptive enough to entice users to click on seemingly harmless files and thereby trigger the vulnerability. It remains an important security habit for users, especially corporate users, to be cautious when opening emails or other files downloaded from the internet.