I’ve been following Kevin Beaumont on Twitter for a while; he’s a security architect from Liverpool, and quite a regular blogger.
On Tuesday lunchtime I read a tweet from him:
Just tried this. It works. 100% reliable code execution in Office with macros disabled, no patch available: https://t.co/CohsXGV2kz— Beaumont Porg, Esq. (@GossiTheDog) October 10, 2017
Reading the article at Sensepost, it turns out they have discovered a way to run code (what IT security nerd circles call ‘RCE – Remote Code Execution’) in Office documents without the use of macros. Macros are the traditional way of getting malware to run, but companies often block them, and some anti-virus services are configured to strip them out, so they are not a reliable way to get malware onto a victim’s machine. Using this DDE feature is a newer and easier way to potentially deliver malware.
Clearly this is a big deal. Reading the full post from Sensepost, they have reported it to Microsoft and Microsoft have said this is expected behaviour and therefore they won’t be patching it. This means that customers are vulnerable to this attack vector and will have to find another way to protect themselves.
The main point of this article is to illustrate how quickly things move and how this threat evolves. According to the Sensepost article, no anti-virus spotted this as a suspicious file.
Beaumont then tests this himself, creating a Word document that launches the calculator program and showing that none of the malware protection running on his machine detects this exploit. This is now 6pm on Tuesday the 10th of October.
Hoho, this works undetected (popping calc.exe in screenshot) with Kaspersky, Malwarebytes Anti-Exploit and Cisco Immunet/AMP installed. pic.twitter.com/JoDK3fgxk7— Beaumont Porg, Esq. (@GossiTheDog) October 10, 2017
By 7.30 that evening, one of the AV vendors has started to identify this type of file as malicious.
Okay, got detection for this in the wild rolling now. Not my file either. Also here's EventID to detect usage in OMS. pic.twitter.com/M3S6HapjrO— Beaumont Porg, Esq. (@GossiTheDog) October 10, 2017
By 1am, Beaumont has discovered a Word document that uses the DDE vulnerability to start Internet Explorer and open a website where the malicious code is stored. What’s more interesting is that the site hosting the malware is a US Government website (now shut down).
I’m going to bed. Check this out, PowerShell malware being served from .gov server https://t.co/mKmViHqD0U— Beaumont Porg, Esq. (@GossiTheDog) October 11, 2017
Then, by 8am on the 11th, here’s a copy of the email which has the DDE vulnerability embedded in it.
Thanks to @James_inthe_box @mzbat @SevenLayerJedi etc. The US gov (compromised) payload server has now been taken offline. Here was email. pic.twitter.com/G49fyYdIck— Beaumont Porg, Esq. (@GossiTheDog) October 11, 2017
Finally, at 5pm on Wednesday, there’s a write-up from Talos (part of Cisco) about the whole malware chain.
With apologies to Talos, I think we blew up a threat actor - oops. Great research: https://t.co/4aD67c9vW0— Beaumont Porg, Esq. (@GossiTheDog) October 11, 2017
What’s also interesting is that the hackers use DNS to exfiltrate data, which is quite an esoteric way of doing it, but one most companies won’t spot, as DNS is a perfectly legitimate service to have running.
An excellent way to exfil data from segregated networks is DNS, as seen with FIN7 DDE stuff today. TCP-over-DNS, works really well.— Beaumont Porg, Esq. (@GossiTheDog) October 11, 2017
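To make the DNS point concrete, here is an added detection heuristic (not from the post, from Beaumont or from Talos) that groups resolver queries by client and base domain and flags groups whose subdomain prefixes are numerous, long and high-entropy, the pattern left when data is encoded into query names. The log format and the sample lines are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # "<timestamp> <client> <qname> <qtype>", assumed format

# Constructed sample resolver log (not real traffic); the hex labels stand in for encoded data
SAMPLE_LOG = """\
2017-10-11T09:00:01 10.0.0.5 www.example.com A
2017-10-11T09:00:02 10.0.0.5 mail.example.com A
2017-10-11T09:00:03 10.0.0.5 autodiscover.example.com A
2017-10-11T09:00:04 10.0.0.7 3f9a1c7e5b0d2846.d6e1b4a8c2f75903.example.net TXT
2017-10-11T09:00:05 10.0.0.7 a0c4e8f2b6d91735.7b2d9f0e3c5a1864.example.net TXT
2017-10-11T09:00:06 10.0.0.7 9e3b7d1f5a0c2846.1d5f9b3a7c0e2648.example.net TXT
2017-10-11T09:00:07 10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; words score around 2-3, hex/base32 chunks approach 4-5."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname, depth=2):
    """Registrable-domain approximation: the last `depth` labels (no public-suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def find_dns_tunnels(log_text, min_queries=3, min_prefix_len=20, min_entropy=3.0):
    """Group queries by (client, base domain); flag groups with many distinct, long,
    high-entropy subdomain prefixes. Returns (client, base, count, avg_len, avg_entropy)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = m.groups()
        base = base_domain(qname)
        prefix = qname.rstrip(".")[: -len(base)].rstrip(".")
        if prefix:
            groups[(client, base)].append(prefix)
    flagged = []
    for (client, base), prefixes in groups.items():
        distinct = set(prefixes)  # repeated lookups of one name are caching, not exfil
        avg_len = sum(map(len, distinct)) / len(distinct)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in distinct) / len(distinct)
        if len(distinct) >= min_queries and avg_len >= min_prefix_len and avg_ent >= min_entropy:
            flagged.append((client, base, len(distinct), round(avg_len, 1), round(avg_ent, 2)))
    return flagged
```

On the sample, the three ordinary lookups from 10.0.0.5 stay under the length threshold while the hex-labelled queries from 10.0.0.7 are flagged, which is the distinction a rule like this has to make to avoid drowning in legitimate traffic.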
If you managed to follow this to the end, this is clearly a very sophisticated hacking attempt. Here are the core elements of the campaign:
1. Use of the DDE exploit, which is not commonly known and won’t be patched by Microsoft
2. Anti-virus firms not picking up this attack vector
3. Use of legit-sounding emails (purporting to be from the SEC and relating to EDGAR, the company filing system in the US)
4. Malware downloaded from a legit US Government website
This all goes to show how sophisticated attackers are, and how important it is to stay vigilant.
In a subsequent blog post Beaumont goes on to make the point that Microsoft will have to do something about this, as it is so difficult to protect against. His suggestion, which makes good sense to me, is to disable DDE by default and enable it via a registry key.