This article is for non-technical people who want to keep themselves and their companies safe from realistic threats. Short and sweet.
In 2017 we saw a number of phishing techniques used successfully. This was largely due to the release of a handful of highly effective methods which are still being used. In this article we’ll cover what these are.
Dynamic Data Exchange (DDE) Payloads – CVE-2017-0199 / CVE-2017-8759
A technique that results in remote access without the use of macros. DDE is a protocol in MS Office products which allows applications to share data with each other. Some functions provided by this protocol allow the execution of commands, which attackers abuse to download malware.
What Should I Expect to See?
Expect to see a popup when you open up documents or spreadsheets with the text “This document contains fields that may refer to other files.”
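For the administrator who wants to check a document rather than rely on the popup, the following is an added example (not code from this article or its author) that scans a Word .docx for DDE fields. It reads word/document.xml from the archive and reports any field whose instruction starts with DDE or DDEAUTO, joining instruction text that is spread over several runs before inspecting it. The sample documents are constructed in the script with placeholder program and argument names; the W_NS namespace string is the standard WordprocessingML one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard WordprocessingML namespace used inside word/document.xml.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"


def _normalise(instr: str) -> str:
    """Collapse whitespace so padded or split instructions compare cleanly."""
    return " ".join(instr.split())


def _is_dde(instr: str) -> bool:
    # Matches both the DDE and the DDEAUTO field keywords.
    return _normalise(instr).upper().startswith("DDE")


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return the normalised instruction text of every DDE/DDEAUTO field.

    Both field encodings are covered: simple fields (w:fldSimple with a
    w:instr attribute) and complex fields, whose instruction is held in one
    or more w:instrText runs between a fldChar 'begin' and 'end'. Fragments
    are joined first, so a field split across runs is still seen whole.
    Nested fields are folded into the outermost field's instruction.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))

    hits = []
    depth = 0      # number of complex fields currently open
    pieces = []    # instrText fragments of the outermost open field

    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":
            instr = el.get(W + "instr", "")
            if _is_dde(instr):
                hits.append(_normalise(instr))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    instr = _normalise("".join(pieces))
                    if _is_dde(instr):
                        hits.append(instr)
                    pieces = []
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")
    return hits


def build_sample_docx(body_xml: str) -> bytes:
    """Constructed sample: a minimal archive holding only word/document.xml."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
           % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples (not taken from any real document): a benign DATE field,
# and a DDEAUTO field whose instruction is split over two runs and uses
# placeholder names instead of a real program.
BENIGN_BODY = ('<w:p><w:fldSimple w:instr=" DATE ">'
               '<w:r><w:t>1 January 2018</w:t></w:r></w:fldSimple></w:p>')
DDE_BODY = (
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO example-</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">program example-args </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>field result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)

if __name__ == "__main__":
    for name, body in (("benign.docx", BENIGN_BODY), ("suspicious.docx", DDE_BODY)):
        hits = find_dde_fields(build_sample_docx(body))
        print(name, "->", hits or "no DDE fields")
```

To scan a real file, pass `open(path, "rb").read()` to `find_dde_fields`; any non-empty result is worth a closer look before the document is opened in Word. The scanner deliberately concatenates runs rather than searching the raw XML for a keyword, because a field's text is not guaranteed to sit in one run.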

PowerPoint Actions
PowerPoint includes a lot of freedom when it comes to animating your slideshows. For example, you may want to make your heading tastefully spin into view and play an audio clip when you click. This has been taken to the next level using PowerPoint actions. Open your PowerPoint and go to the “Insert” tab and select the “Action” button. You should notice “Mouse Click” and “Mouse Over” tabs. Attackers have been using the “Mouse Over” action in combination with “Run program” to download and execute malware.
What Should I Expect to See?
Attackers use the PPS format to ensure the file opens in presentation mode immediately. Expect to see a popup stating “Microsoft has identified a potential security concern” after opening a PPS slideshow.

Credential Phishing
This involves a more ham-handed approach which is still highly effective. A document includes a link to a remote resource on an attacker-controlled HTTPS server. The result is that when the document is loaded, a Windows authentication prompt pops up and requests your credentials before continuing. The credentials are submitted to the attacker-controlled server. These credentials can be used to gain access to your organization’s VPN or with Ruler style attacks.
What Should I Expect to See?
Expect to see a Windows authentication prompt after opening a Word document.

Microsoft Office Memory Corruption – CVE-2017-11882 (!!DANGEROUS!!)
A 17-year-old memory corruption bug, discovered in 2017, which is exploited as soon as you open the Word document. The result is immediate remote access, allowing the attacker to download malware. While other techniques often present telltale signs like a warning or a request to enable macros, this one gives the user no warning at all.
What Should I Expect to See?
Nothing: there is no prompt or warning to look out for, so prevention is what counts. What can be done to help protect yourself against this nasty payload? The common delivery techniques for this payload include RTF and DOC extensions. Do not open these formats and if you see them, notify your IT administrator. Upload suspicious files to VirusTotal.
What Can You Do As An Administrator?
Blocking the following email attachments will go a long way towards protecting your organization:
- DOC
- RTF
- XLS
- PPS
- CPL
- DOCM
- XBAP
- APPLICATION
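As an added example (not code from this article or its author), the following mail-filter check applies exactly the block list above to attachment file names. It compares extensions case-insensitively, takes the last extension of a double-extension name such as report.pdf.doc, and strips trailing dots and spaces that some clients drop when saving. The message in the script is a constructed sample; `is_blocked` and `filter_message` are hypothetical helper names.

```python
import os

# The article's administrator block list, held lowercase for comparison.
BLOCKED_EXTENSIONS = {"doc", "rtf", "xls", "pps", "cpl", "docm", "xbap", "application"}


def attachment_extensions(filename: str) -> list:
    """All dotted suffixes of a name, outermost last, lowercased.

    'report.pdf.doc' -> ['pdf', 'doc'].  Directory parts, surrounding
    whitespace and trailing dots are removed first, so 'invoice.DOC.' is
    still recognised as a .doc file.
    """
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def is_blocked(filename: str) -> bool:
    """True when the attachment's final extension is on the block list."""
    exts = attachment_extensions(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def filter_message(attachment_names: list) -> list:
    """Return the attachment names a gateway should strip or quarantine."""
    return [name for name in attachment_names if is_blocked(name)]


# Constructed sample message: a mix of blocked, allowed and edge-case names.
SAMPLE_ATTACHMENTS = [
    "invoice.DOC.",              # upper case plus trailing dot: blocked
    "Quarterly report.docx",     # docx is not on the list: allowed
    "C:\\Users\\me\\slides.pps", # path prefix removed: blocked
    "archive.tar.gz",            # double extension, last part allowed
    "setup.application",         # ClickOnce manifest: blocked
    "README",                    # no extension: allowed
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print("%-28s %s" % (name, "BLOCK" if is_blocked(name) else "allow"))
    print("quarantine:", filter_message(SAMPLE_ATTACHMENTS))
```

The check is name-based only, so it should sit alongside content-type inspection at the gateway: a file that has been renamed to an allowed extension will pass this filter, and DOCX is not on the article's list even though DOC is, so decide deliberately whether the newer formats belong on yours.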
Takeaway
Be aware of these popular attack vectors in 2018. They’re still very effective and the majority of them are not yet properly detected by anti-virus vendors. Additionally, attackers are regularly tweaking their payloads to bypass them. By knowing what to expect from these you can keep yourself and your organization safe. Let’s get secure!
Until next time
Keiran