Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/9/2016
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US-CERT Warns Of Resurgence In Macro Attacks

Organizations and individuals urged to be proactive in protecting against threat from the 90s.

The recent resurgence in the use of macros to distribute malware on Windows machines has become enough of a worry to prompt the US-CERT to issue an advisory reminding organizations of the threat.

In a brief alert this week, US-CERT urged individuals and organizations to proactively secure systems against what it described as an increase in malware that is being spread via macros and to refer to Carnegie Mellon CERT's blog post on macros.

“Macro viruses are back,” CMU's CERT senior vulnerability analyst Will Dormann wrote. He pointed to the continued reliability of the exploit and weaknesses in the user interface of Microsoft Office as reasons for the renewed interest in such attacks.

“Malicious Microsoft Office documents that leverage macros are exploiting capabilities that are provided by Microsoft Office by design,” Dormann said. The best way for organizations to mitigate the issue is to disable Microsoft Office macros enterprise-wide to the extent possible and to implement new controls for systems that do require macros.  

“If you wish to protect your systems, restrict access to macros. Regardless of the level of information provided to an end-user, don't always rely on that user to make the right choice,” Dormann cautioned.

Macros are basically pieces of code written in Visual Basic for Applications (VBA) that allows users to automate frequently used tasks in Word, PowerPoint, Excel and other Microsoft Office apps. Macros are typically used to speed up certain common tasks like formatting a document, inserting a table with pre-specified dimensions into a document or filling in forms.

Back in the 1990s and early 2000’s, rogue macros written from scratch using VBA and inserted into Word documents and other files, were a favorite tool for attackers to distribute malware. Many malware samples from that era leveraged macros to spread, most notably the Melissa virus, which some consider as one of the most widely distributed macro infections ever.

“Macro malware became almost extinct after Microsoft disabled VBA macros by default in Office applications,” several years ago, says Deepen Desai, director of research at security vendor Zscaler. However, with modern attacks increasingly targeting end users and endpoint systems, there has been a steady resurgence in the use of macro malware, Desai tpld Dark Reading.

Examples of recent attacks involving the use of macros include a campaign targeting point of sale systems at some 100 organizations and the attack on the power grid in Ukraine. Documents containing malicious macros have also been used widely to distribute ransomware samples like Locky and CryptoWall and banking Trojans like Dridex.

In many cases, attackers are able to slip past default security settings by using social engineering tactics to get users to enable macros, Desai says. Increasingly, attacks involving the use of macros have begun getting more sophisticated and difficult to detect. “First, they made these macros highly obfuscated and difficult to read or detect,” he says. "Subsequently, they started leveraging different functions of VBA language to make the detection even more difficult by traditional as well as automated analysis systems like sandboxes.”

Earlier this year, Microsoft itself noted that 98% of threats targeting Office over the last year involved the use of macros. In a TechNet blog post, Microsoft blamed the “enduring appeal” for macro attacks on the continuing tendency by users to enable macros that have been disabled by default on their systems.

In response, the company has released a new feature in Office 2016 that make it harder for users to enable macros, gives them more notification about the potential security threats associated with macros and gives administrators greater control over the use of macros in an enterprise setting.

In his blog post, CERT’s Dormann laid at least some of the blame to date on the manner in which Microsoft has chosen to warn users about the dangers of macro use over the years. Starting with very clear and explicit warnings in earlier versions of Office, Microsoft’s notifications pertaining to the dangers of enabling macros have become less informative, he said.

Though Microsoft offers guidance on how to restrict macro functionality users of newer versions of Office are actually more likely to enable macros than previously without understanding the consequences, he said.

His recommendations for mitigating the threat included disabling macros wherever possible, enabling macros only for specific apps as needed and allowing only signed macros to run.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.