
How hackers turn Microsoft Excel against itself

Hi, Habr! I present a translation of the article “How Hackers Turn Microsoft Excel's Own Features Against It” by Lily Hay Newman.

[Image credit: Elena Lacey, Getty Images]

For many of us Microsoft Excel is surely a boring program. It can do a lot of things, but it is still not Apex Legends. Hackers see Excel differently: for them, Office 365 applications are just another attack vector. Two recent findings clearly demonstrate how the programs' own built-in functionality can be turned against them.

On Thursday, researchers at the cybersecurity firm Mimecast described how Excel's built-in Power Query feature can be used to mount attacks at the operating-system level. Power Query automatically collects data from specified sources, such as databases, tables, documents or websites, and inserts it into a spreadsheet. The same function can be turned to harm if the linked website serves a malicious file. By sending such specially prepared spreadsheets, the attackers hope to gain system-level rights and/or the ability to install backdoors.
“Attackers do not need to invent anything; it is enough to open Microsoft Excel and use its own functionality,” says Mimecast manager Meni Farjon. “This method is also 100 percent reliable. The attack works on all versions of Excel, including the latest, and may work on all operating systems and programming languages, because we are not dealing with a bug but with a feature of the program itself. For hackers, this is a very promising direction.”

Farjon explains that as soon as Power Query connects to the rogue site, the attackers can use Dynamic Data Exchange (DDE), the Windows protocol through which applications exchange data with each other. Programs are normally strictly limited in their rights, and DDE acts as the intermediary for the exchange. Attackers can host DDE-formatted attack instructions on the site, and Power Query will automatically load them into the spreadsheet. Other types of malware can be delivered the same way.

However, before the DDE connection is established, the user must approve the operation. Most users accept every such prompt without reading it, which is why such a high percentage of these attacks succeed.
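The two artifacts the article describes (a DDE-style formula pulled into a cell, and a Power Query definition embedded in the workbook) can both be found by inspecting the .xlsx package, which is a zip archive of XML parts. The scanner below is an added example written for this translation, not code from Mimecast or Microsoft; it assumes the standard SpreadsheetML layout (`xl/worksheets/*.xml`, `xl/connections.xml`) and that Power Query stores its definition in a `customXml/` part whose root element is `DataMashup`. The sample workbook it builds is constructed inline, with a harmless placeholder formula instead of any real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# DDE formulas have the shape application|topic!item. An ordinary cross-sheet
# reference such as Sheet2!B1 has an '!' but no '|' segment, so it is not flagged.
DDE_RE = re.compile(r"^\s*=?\s*[^|!]+\|[^!]+!")


def scan_workbook(data: bytes) -> dict:
    """Report DDE-style formulas and external-data features in an .xlsx (bytes)."""
    findings = {"dde_formulas": [], "power_query": False, "connections": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                for cell in root.iterfind(".//m:c", NS):
                    f = cell.find("m:f", NS)  # formulas are stored without the '='
                    if f is not None and f.text and DDE_RE.match(f.text):
                        findings["dde_formulas"].append((name, cell.get("r"), f.text))
            elif name.startswith("customXml/") and b"DataMashup" in zf.read(name):
                findings["power_query"] = True  # assumed Power Query (M) definition part
            elif name == "xl/connections.xml":
                findings["connections"] = True  # external data connections present
    return findings


def build_sample() -> bytes:
    """Constructed minimal workbook: one normal formula, one sheet reference,
    one DDE-shaped placeholder formula, plus a Power Query part."""
    sheet = (
        '<worksheet xmlns="%s"><sheetData><row r="1">'
        '<c r="A1"><f>SUM(B1:B3)</f><v>0</v></c>'
        '<c r="A2"><f>Sheet2!B1</f></c>'
        "<c r=\"A3\"><f>demoapp|'topic'!item</f></c>"
        "</row></sheetData></worksheet>" % NS["m"]
    )
    mashup = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">QQ==</DataMashup>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("customXml/item1.xml", mashup)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_workbook(build_sample()))
```

A workbook that carries both a Power Query part and a DDE-shaped formula is exactly the combination the article warns about, and is worth quarantining at the mail gateway rather than relying on the user to decline the DDE prompt.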

Microsoft already offered countermeasures in its 2017 "Security Report", for example disabling DDE for specific applications. However, the attack found by Mimecast runs code on devices that have no option to disable DDE. After the company reported the vulnerability in June 2018, Microsoft replied that it was not going to change anything. Farjon says they waited a whole year before telling the world about the problem, hoping that Microsoft would change its position. And while there is no evidence yet that attackers are using this type of attack, it would be hard to notice given how it behaves. “Most likely, hackers will take advantage of this opportunity, unfortunately,” says Farjon. “This attack is easy to implement, cheap, reliable and promising.”

In addition, Microsoft’s own security team warned last week that attackers are actively using another Excel feature that lets them access a system even with all the latest patches installed. This type of attack uses macros and is aimed at Korean users. Macros have been causing problems for Word and Excel for years. They are sets of programmable instructions that can not only make work easier but also make it harder, if they are used in ways the developers never envisaged.

It is clear that Office 365 users want ever more new features, but every new component of a program carries potential risks. The more complex the program, the more potential attack vectors for hackers. Microsoft said that Windows Defender is able to prevent such attacks because it knows what to look for. But Mimecast's findings serve as another reminder that there will always be workarounds.

“It is getting harder and harder to penetrate any organization's network if you use traditional methods,” says Ronnie Tokazowski, senior security researcher at Agari, a company specializing in email security. “If you don't even need to break anything to carry out a successful attack, you are already following the path of least resistance, and the Windows version doesn't matter.”

Microsoft stated that both macros and Power Query are easy to manage at the administrator level: Group Policy lets you set the behavior for every device in the organization at once. But if a built-in feature has to be disabled for the user's safety, the question arises whether it was needed at all.

Source: https://habr.com/ru/post/458278/
