CyberheistNews Vol 7 #45 [HEADS-UP] Skeleton in the Closet: 17-Year Old MS Office Flaw Allows Malware Install When User Opens File


Here is a new pain in the neck! Patch this one ASAP before the bad guys exploit it.

While the world is still dealing with the threat of 'unpatched' Microsoft Office's built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document. Here is how it looks (when you see CALC coming up, that means the attacker was able to run any executable they want). Yikes.

Here is the blog post with a video, links to the patch that came out a few days ago, Redmond security guidance and technical background, and how to run a command prompt to disable registration of the component in the Windows registry if for some reason you cannot apply the patch yet. Please forward this to your IT Pro friends who need to keep their network up & running:

OUCH: Zombie Remote Access Phishing Trojan Kills Antivirus

Eric Howes, KnowBe4's Principal Lab Researcher sent me a heads-up about a nasty remote access trojan (RAT) called Adwind (aka AlienSpy) we discovered rearing its ugly head again, but on a much wider scale than before and way more powerful.

Adwind, a cross-platform malware-as-a-service offering that has been around since at least 2012 skyrocketed in the phishing emails reported to us by customers, and made us sit up and take notice.

What, if anything, had changed with Adwind? Were endpoint antivirus apps dealing with Adwind any better? Had the bad guys made any changes to social engineering schemes deployed in the phishing emails they used to distribute Adwind? What were the evil new features?

The latest Adwind has a daunting collection of advanced functionality, including:
  • Sandbox detection
  • Detection, disabling and killing of various antivirus and security tools
  • TLS protected command-and-control
  • Anti-reverse engineering/debugging protection

as well as a wide array of data-gathering features:
  • Collection of System Information (e.g. IP, OS version, memory RAM information, Java version, Computer Name, etc.)
  • Upload & Execute additional malware
  • Capture Webcam and Microphone without user notification
  • Remote Desktop to watch user activity
  • File Manager to allow access to files in the context of the current user
  • Browser Password theft
  • Keylogging to capture passwords otherwise obscured from viewing

Of course we were interested in how well endpoint antivirus engines would handle these latest Adwind variants. When we looked at one particular Jsocket variant two years ago, we noted that antivirus coverage (as measured via VirusTotal) was "spotty" at best, with typically only 5-6 engines detecting the samples we submitted.

Today, the samples we submitted were being picked up by only 16-24 engines (out of 60 total) -- roughly 26%-40% of tested engines -- even weeks after their original appearance in the wild. Pretty bad.

Yes, it's true that most endpoint antivirus products now have heuristics-driven behavioral detection capabilities that allow them to provide protection beyond their more traditional, file-focused core engines.

But Adwind Aggressively Kills Security Tools

Many of these behavioral protection schemes intervene only after malicious files land on the file system and execute, however. And given that Adwind itself sports extremely aggressive tools to detect, thwart, and kill all manner of security tools, the best approach to handling an advanced threat like Adwind is to prevent it from being downloaded and executed in the first place.

So step those users through new-school security awareness training as a crucial piece of your defense-in-depth strategy. Full blog post with more detail:

The Future of Cyberwar: Weaponized Ransomware, IoT Attacks and a New Arms Race

Steve Ranger at TechRepublic did a good job summarizing the direction of future threats we are going to have to deal with. "After at least a dozen years in the shadows, cyberwarfare is gradually emerging into daylight. While cyber weapons were mostly developed and used by intelligence agencies as part of secret missions, they are now becoming an acknowledged military option during conflicts."

Here are six predictions about how cyberwarfare will evolve over the next year:
  • The cyber arms race will accelerate
  • Cyber weapons will become a standard feature of warfare
  • Stealthy cyberwar preparations will continue
  • Weaponized ransomware will be your next big headache
  • The IoT will be a cyberwar and cyber espionage gold mine
  • Failure to patch will be the cause of another giant security disaster

Here Is What You Can Do About It

Here are 8 Things to Become a Hard Target (apart from having weapons-grade backups and religious patching of both OS and 3rd party apps) at the KnowBe4 blog:

Ransomware Recovery Methods: What Does the NIST Suggest?

Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson at TechTarget outlines what the NIST recommends for enterprises. She wrote:

"Since the WannaCry outbreak, ransomware has attracted a great deal of attention. In response, the National Institute of Standards and Technology, or NIST, published a draft version of ransomware recovery methods. What methods has the NIST recommended?

To help enterprises with ransomware recovery, the NIST recommends corruption testing, logging analysis and data backups." Here is the article with a link to the full NIST PDF:

P.S. Ransomware went Prime Time again a few days ago. In the ‘Grey’s Anatomy’ fall finale cliffhanger, the hospital got shut down by a ransomware attack. This is actually good ammo to create awareness of the potential cost of a ransomware infection:

OK, so Who *Is* This Stu Guy?

Hope I'm making a good first impression because I'll never get a second chance!

I'm a serial IT entrepreneur, the Editor-in-Chief of CyberheistNews, and the CEO of KnowBe4. I've been in IT since 1979 and KnowBe4 is my 5th startup.

My customer has always been the IT pro needing tools to keep the network up & running, first minicomputers, then PC networks, next servers and now the cloud -- which is just renting someone else's server really.

I've been wading in spam, phishing and malware since 2003 when we released a new tool called CounterSpy. With the Sunbelt Software team we built an antivirus engine called VIPRE from the ground up, including a firewall, IDS, IPS and sandbox.

I started KnowBe4 because while running 70 people in Sunbelt's tech support, we were always surprised how end-users were able to get their workstations infected with malware. It was social engineering that bypassed endpoint antivirus even then. Here is a bit more about me:

A freelance video crew followed me one day at Black Hat, and this is a short clip of me (with Kevin Mitnick making a guest appearance) that will give you an idea of who the heck I am [VIDEO]:

At the same Black Hat show, I was interviewed by DarkReading; click on the play button at the bottom of the page [VIDEO]:

Last, I made a stop in London a few days ago and was interviewed by Infosecurity Magazine about the latest news regarding KnowBe4:

This week, I hosted a Webinar: Phishing and Social Engineering in 2018: Is the worst yet to come?

It was massively oversubscribed, and if you were not able to watch it live you can view it on-demand now. It’s 30 minutes loaded with relevant information, great for your own fun and instructive lunch & learn!

Key topics covered in this webinar:
  • Understanding the current threat landscape
  • What scary new threats will be on the rise for 2018
  • Next innovations of ransomware, phishing and social engineering
  • What you can do to make your organization a harder target for cybercrime
  • How to create your “human firewall”
Watch Now:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"The thing always happens that you really believe in; and the belief in a thing makes it happen."
- Frank Lloyd Wright - Architect (1867-1959)

"The higher we are placed, the more humbly we should walk."
- Marcus Tullius Cicero - Orator and Statesman (106 - 43 BC)

Thanks for reading CyberheistNews

Security News

We're Still Not Ready for GDPR? What is Wrong With Us?

Sara Peters, Senior Editor at Darkreading, wrote an excellent article about GDPR. It is both reprimanding and encouraging, telling us to get off our collective butts and do something about GDPR very soon. If potential penalties of 20 million euros or 4% of your global annual revenue, whichever is higher, don't help us obtain better budgets, then we're doing something wrong. The article starts out with:

"The canary in the coalmine died 12 years ago, the law went into effect 19 months ago, but many organizations still won't be ready for the new privacy regulations when enforcement begins in May." More:

Security Awareness Training Revisited – Overcoming Those Hurdles

CSO had a great article about the traditional critical success factors of security awareness that may not be enough to create a security aware environment. There are a number of hurdles that still make you fail. So how can we overcome those?

Excellent suggestions for a fully mature awareness program, and I have only one thing to add: frequent social engineering tests using simulated phishing, vishing and smishing attacks. Here is the full article:

Don’t exactly know where to start when it comes to creating a program?

We’ve taken away all the guesswork with our complimentary Automated Security Awareness Program (ASAP).

ASAP is a revolutionary new tool for IT pros, which allows you to create a customized Security Awareness Program for your organization that will show you all the steps needed to create a fully mature training program in just a few minutes.

The program is complete with actionable tasks, helpful tips, courseware suggestions and a management calendar. Your custom program can then be fully managed from within the KnowBe4 console. You also have the ability to export the full program as a detailed or executive summary version in PDF format. This is great ammo to help you get budget and reporting to management.

The process of creating the program is simple enough: answer between 15 and 25 questions about your goals and organization, and a program will be created and scheduled for you automatically. The tasks will be based on best practices for how to achieve your security awareness goals. You'll have an easy calendar view to plan and deploy your security awareness program.

Try it here, there is no cost except 5 minutes of your time, no need to talk to anyone:

Mobile Malware Incidents Hit 100% of Businesses

Attempted malware infections against BYOD and corporate mobile devices are expected to continue to grow, new data shows.

Every business with BYOD and corporate mobile device users across the globe has been exposed to mobile malware, with an average of 54 attempts per company played out within a 12-month period, according to a Check Point report released this week.

The study, based on data collected from Check Point SandBlast Mobile deployments at 850 organizations, is the latest sign of growth in mobile malware incidents.

"100% of businesses [facing an attempted attack] was not surprising because the statistics from a year or two ago started to show it was going this way," says Michael Shaulov, head of Check Point's product management for mobile and cloud security. "But the average of 54 [attempts] was surprising. I was expecting two, three, or four."

The report also notes that 94% of security professionals anticipate actual mobile malware attacks to continue to increase, with nearly 66% doubting they can prevent them. More at Darkreading:

The Breacher Report: Year-to-Date Breaches up 14.7%

Andrew Nowinski at Piper Jaffray keeps track of breaches, and it does not look much better: cloudy with a chance of phish:

"We conducted our analysis of breaches reported in the month of October. There were 62 breaches in October, which was down 24.4% Y/Y. However, on a year-to-date basis, the total number of breaches is still up 14.7% to 1,074. The amount of records exposed is down 67% Y/Y, but excluding the "mega" breaches of Yahoo! and Equifax in their respective years, records exposed is only down 8.9% Y/Y.

No mega breaches in October - There were no large (greater than 500K records) or "mega" breaches (greater than 10 million records) reported in the month of October. Much of the industry discussion still centers around the mega Equifax breach during September 2017, which exposed more than 145.5 million records due to a vulnerability exploited in an open source application. There were no comparable large or mega breaches in October 2016.

Antivirus Software Doing the Complete Opposite and Spreading Malware

Austria-based security consultant Florian Bogner discovered an exploit within antivirus software, which he nicknamed AVGater. It takes advantage of the “restore from quarantine” function and allows a user to move a piece of malware from the quarantine folder to somewhere else on the victim’s computer, allowing the malware to be executed.

Bogner, who works for Kapsch, says he has notified the vendors of all the antivirus programs that contained the flaw. Some of the companies have released updates that address the issue, including Emsisoft, Ikarus, Kaspersky, our friends at Malwarebytes, Trend Micro, and ZoneAlarm.

At the KnowBe4 blog there is an animation and technical background on how this works:

McAfee's own anti-hacking service exposed users to banking malware

And while we are at it... a purportedly safe McAfee link pointed users to a malicious Word document, laden with Emotet banking malware. Security firm McAfee has blocked access to malware that appeared to be sent from the company's own network.

The malware was hosted on a third-party website but was shared via a domain associated with McAfee ClickProtect, an email protection service that the company touts as able to "protect your business from hacking."

The service is meant to protect against phishing attacks, malware from links in emails, and prevent users from visiting sites that are known to be high risk. So much for that. Story at ZDNet:

Try the Weak Password Test for a Chance to Win a Nintendo Switch

Are your users’ passwords...P@ssw0rd? Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used stolen and/or weak passwords. (The recent Bad Rabbit ransomware attack is a scary example of this.) Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak-password-related threats and reports any fails so that you can take action. Plus, you’ll be entered to win a Nintendo Switch.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

To enter, just go here and fill out the form; it's quick, easy and often a shocking discovery. Yep, it’s that easy. Hurry, the deadline to enter is Nov 30th...

Interesting News Items This Week

  • Phishing Testing: Building Your Human Firewall:
  • Supreme Court Could Decide Question of “Harm” In Data Breaches:
  • Mobile devices present a significant risk for GDPR noncompliance:
  • To Improve Cybersecurity, Start With Improving Human Behavior:
  • Q3 Sees a Whopping 400M Malware Infections:
  • Emerging IT Security Technologies: 13 Categories, 26 Vendors:
  • Complimentary security tool protects internet users through DNS:
  • Trump administration releases rules on disclosing security flaws:
  • Voice impersonators can fool speaker recognition systems easily, says study:
  • How criminals clear your stolen iPhone for resale:

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff
    • OK, take 8 minutes of your day and see how our beloved IT can be turned into a practically unstoppable smart killer technology. UC Berkeley professor Stuart Russell and the Future of Life Institute created this eerie video that depicts a future in which humanity develops lethal mini-drones. Unfortunately this is not sci-fi, it's done with today's technology. Yikes:
    • ORIGINAL: Dashcam Norway - Semi truck narrowly misses a kid. Show this to your own kids to teach them why they should never cross over blind:
    • You probably don’t need to worry about someone hacking your iPhone X’s Face ID with a mask. Their method required obtaining a detailed digital scan of their victim's face, and building a mask out of 3-D-printed plastic, silicone, makeup, and paper. But... see the next one!
    • Watch a 10-Year-Old's Face Unlock His Mom's iPhone X. You are looking at (pun intended) still buggy V1.0 face recognition code:

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
