As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
Today there is a new critical alert that requires the mission-critical community’s immediate attention.
Security researchers have discovered recent attempts by cyberattackers to infect machines with malicious Microsoft Word documents containing VBA macros and JavaScript — their goal is to plant a backdoor and create persistence. These documents are disguised as documentation or information related to the new Windows 11 Alpha release to entice users into interacting. The key recommendation to remediate the threat is to block the indicators of compromise (IOCs) identified in this advisory.
Security researchers have moderate confidence in attributing this threat campaign to FIN7, a prominent threat group that appears to be financially motivated. FIN7 typically targets U.S.-based companies. The group has been known to utilize a variation of JavaScript backdoors since at least 2018, specifically targeting point-of-sale (POS) systems.
The cyberattackers are utilizing the anticipation around the new Windows 11 Alpha release to entice end-users to interact with the specific Word documents, which will be running the VBA macro and JavaScript backdoor on the machine.
According to the U.S. Department of Justice, FIN7 is responsible for stealing 15 million credit-card records from 6,500 POS terminals since 2018. Additionally, the group reportedly has ties to other cyberattack groups, such as Carbanak and the notorious REvil ransomware gang. This campaign of malicious Word documents creates a backdoor for cyberattackers on the compromised machine, which then provides them with full access to the device and the potential to move laterally within the network. Future collaboration with other threat groups such as REvil would enable the seamless distribution of ransomware or other forms of malware through the backdoor created by this threat.
This threat can affect any device that supports the use of JavaScript and utilizes the Microsoft Office suite. Additionally, FIN7 is known to target POS systems across multiple industries, specifically going after personally identifiable information (PII) and credit card information. The backdoor created by this threat can potentially lead to many future compromises.
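The execution chain described above, a Word VBA macro handing off to a JavaScript backdoor, leaves a process-creation trail that defenders can check for: an Office host process spawning a Windows Script Host interpreter with a JavaScript file. The following Python is an added example, not part of the original advisory or any MCP product; it assumes simplified Sysmon-style process-creation events with constructed field names (image, parent_image, command_line) and constructed sample data.

```python
"""Flag process-creation events where a Microsoft Office host (e.g. winword.exe)
launches a script interpreter with a JavaScript file, the chain a VBA macro would
use to start a JavaScript backdoor. Field names and sample events are constructed
for this example; they are not taken from the advisory or any vendor product."""
import re
from pathlib import PureWindowsPath
from typing import Optional

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_EXT = {".js", ".jse"}  # JScript file types accepted by Windows Script Host


def js_argument(cmdline: str) -> Optional[str]:
    """Return the first .js/.jse path in a command line (quoted or bare), else None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        cand = quoted or bare
        if PureWindowsPath(cand).suffix.lower() in JS_EXT:
            return cand
    return None


def is_macro_to_js_chain(event: dict) -> bool:
    """True when an Office host spawns a script host that runs JavaScript.

    Also catches the edge case where the engine is forced with //E:JScript on
    a file that does not carry a .js extension."""
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    child = PureWindowsPath(event.get("image", "")).name.lower()
    if parent not in OFFICE_HOSTS or child not in SCRIPT_HOSTS:
        return False
    cmd = event.get("command_line", "")
    return js_argument(cmd) is not None or re.search(r"(?i)//?e:jscript", cmd) is not None


def find_suspicious(events):
    """Return the subset of events matching the Office-to-JavaScript chain."""
    return [e for e in events if is_macro_to_js_chain(e)]


# Constructed sample events: one malicious chain, two benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Roaming\word_data.js"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Scripts\logon.vbs"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: Office host launched a JavaScript file:", e["command_line"])
```

Run it against real process-creation telemetry by mapping your log source's fields onto the three keys above; an Office parent launching wscript.exe or cscript.exe is rare in most environments and worth alerting on even before the dropped file is examined.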
MCP recommends the following actions:
For more in-depth information about the recommendations, please visit the following links:
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.