Showing posts with label Graham Cluley. Show all posts

Monday, 13 November 2017

Microsoft issues advisory to users after macro-less malware attacks

GRAHAM CLULEY on 09/11/2017 on the site The State of Security


Hackers have been found exploiting a freshly-uncovered vulnerability in Microsoft’s software to install malware on business computers.
According to security researchers, since last month a Russia-linked hacking group known as APT28 have been using a Microsoft protocol called Dynamic Data Exchange (DDE) to run malicious code through a poisoned Word document.
Targeted attacks linked to APT28 (also sometimes known as the “Fancy Bear” hacking gang) have taken advantage of the recent New York City terror incident in an attempt to plant spyware via the method.
DDE, as its name suggests, allows messages and data to be shared between applications. Last month, it was discovered that it was possible to launch attacks exploiting DDE through Word documents, Excel spreadsheets, and Outlook even when macros have not been enabled.
Now, of course, attacks exploiting Microsoft Office documents are nothing new – and most of us who work in the security industry know to be wary of enabling macros when opening files because of the potential for malicious code to be executed.
But with this DDE attack, you see no prompt to enable macros. This lack of a warning allows attackers to side-step an obstacle which has often acted as a final safety net for their intended victims.
Instead, the most you might notice that’s unusual is a pop-up message box asking if you want to update the document with data from linked files.
“This document contains links that may refer to other files. Do you want to update the document with the data from the linked files?”
Microsoft, in a security advisory released yesterday, has described how the technique could be used in a typical email attack:
In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.
So, after decades of email-based malware attacks, we’re back to some tried-and-trusted advice: be very wary of opening unsolicited email attachments.
And as Microsoft considers the functionality of DDE to be a feature rather than a bug, it seems unlikely that it will be patching the technique anytime soon.
According to Microsoft’s advisory, concerned Microsoft Office users are advised to check their DDE-related security settings and disable the automatic update of data from linked fields to mitigate the threat. Currently, this mitigation may require some tinkering in the Registry and so should be done cautiously.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Friday, 29 September 2017

Europol warns ransomware has taken cybercrime ‘to another level’

GRAHAM CLULEY


Europol, the European Union’s police agency, has warned of the significantly rising threat posed by ransomware.
As Associated Press reports, delegates at an international conference were told by Europol Executive Director Rob Wainwright that ransomware had taken the cybercrime threat to “another level.”
An 80-page report published by the agency highlighted the growing threat posed by ransomware attacks:
“Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating ‘ransomworms’, as observed in the WannaCry and Petya/NotPetya cases. Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile.”
“Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.”
Europol is right to highlight the significant impact that ransomware is having on business and home computers alike.

As we have previously discussed, multinationals like household goods manufacturer Reckitt Benckiser, and the Maersk shipping conglomerate have reported that the attacks have caused $100 million and $300 million in lost revenue respectively.
Meanwhile the impact felt by the WannaCry ransomware earlier in the year on the UK’s National Health Service and other large organisations is well-documented.
It’s no wonder that Europol is calling for more resources to be put in place around the world to target cybercrime gangs, and for greater co-ordination between law enforcement agencies.
As The Register reports, a similar message of the rise of ransomware has come from the UK’s Metropolitan Police’s cybercrime-fighting division speaking at the Cyber Security in Healthcare event in London:
“Three years ago [the main threat] was the inception of DDoS attacks or the criminal damage of computers; two years ago it was data breaches like TalkTalk, this year it’s been the use of ransomware attacks on individuals and corporate systems. Next year it will be more of the same.”
We can talk long and hard about the need for companies and home computer users to have better protection in place, to keep a strict regime of patching against vulnerabilities, and to make sure that a secure backup regime is in place.
But Europol argues that we also need to tackle the rampant rise of ransomware from the other end of the problem. That means giving law enforcement agencies more resources to investigate organised multinational cybercrime gangs in order to bring the perpetrators to justice.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.