Our corporate business team has an upcoming "software updater" feature in our Protection Service which they want to market. So they asked our lab analyst @TimoHirvonen to provide them with an example demonstrating the amount of time it takes to go from vulnerability to exploit.
Here's the timeline Timo came up regarding CVE-2012-1535:
As you can see, it doesn't take much time at all to commoditize a vulnerability into an exploit.
And then Timo got curious (as he often does) and decided to research the exploit itself, Exploit:SWF/CVE-2012-1535.B.
He did some searching and found this Digital4rensics Blog post, which links to a VirusTotal report on a doc file called 110630_AWE Platinum Partners.doc. Symantec has a CVE-2012-1535 post that shows a censored screenshot of the e-mail (or at least similar) with the document attached. And Contagio has a list of multiple Word docs using the same exploit.
So Timo located a few examples:
110630_AWE Platinum Partners.doc turned out the be the most interesting. According to the Digital4rensics Blog linked to above, AWE Limited is an Australian Oil & Gas company. But that didn't sound right to Timo. He recognized the name Tybrin in one of the other docs, and connected it to Jacobs' TYBRIN Group, which does U.S. Department of Defense work.
So then, let's take a look at the decoy document dropped by 110630_AWE Platinum Partners.doc:
"Working together to keep our world safe and secure by ensuring warheads are always available."
Warheads?
That doesn't sound related to an oil and gas company…
Searching on LinkedIn for people named in the decoy document lead to another organization called AWE, this time in UK:
It appears that AWE stands for Atomic Weapons Establishment.
Regardless of the content of the files, we don't know who was targeted with this attack and we don't know who submitted these documents to VirusTotal.
SHA1 of 110630_AWE Platinum Partners.doc: 51bb2d536f07341e3131d070dd73f2c669dae78e SHA1 of decoy: 0eb24ffa38e52e4a1e928deb90c77f8bc46a8594
