STE WILLIAMS

Mozilla’s bizarre robo-surfer project demonstrates ad snooping

Well, this is one of the more bizarre internet stunts we’ve seen. In an effort to show you how advertisers snoop on your surfing activity, Mozilla is offering you the chance to pretend that you’re someone else.

The company has introduced an online project called Track THIS (although we don’t recommend you go explore that link until you’ve read the rest of this article).

It’s a website that lets you choose from four different personality profiles, and then automatically surfs for the kinds of websites that person might visit. The idea is to let these sites fill your browser with cookies, and watch as advertisers start showing you commercials for things you have no interest in buying.

Why? According to Mozilla, it’s to “bring that out-of-sight tracking front and center” and highlight to users of the internet why they might want to block third-party tracking cookies. In other words, it’s using it as a conversation-sparker to get people interested in the Enhanced Tracking Protection that it introduced in version 67.0.1 of its Quantum browser earlier this month.

Mozilla told us:

We wanted to illustrate how widespread tracking is and let people step into another character’s advertising profile for a while to see how quickly shifts in their online behaviour are being recorded and acted upon by marketers and companies on the web.

Those who want to test out the service can choose from the following four personality types:

  • Hypebeast: a user obsessed with streetwear, sneakers, and the latest music.
  • Filthy Rich: a monied-up surfer looking for luxury brands, fancy cars, and exclusive clubs.
  • Doomsday prepper: a paranoid conspiracy theorist looking for supplies, evaluating bunkers, and accessing the latest crackpot stories.
  • Influencer: a vapid online approval minder, searching for skincare routines, holistic remedies, astrology and meditation apps (wait – don’t this lot already make entire careers out of pretending to be someone they’re not?)

If you select one of the profiles and press ‘Track THIS’, it opens 100 tabs in your browser, inviting a torrent of cookies that persuade advertisers you fit one of these profiles. They’ll then start showing you ads for mylar blankets and flashlights, or selfie sticks and cherry lipgloss, or whatever.

Mozilla does a lot of useful privacy-focused stuff online, but this seems like a poorly considered publicity stunt. For one thing, opening up 100 tabs in your browser will rapidly chew through your CPU power and memory, and possibly make lesser-powered machines throw a wobbly. The company even admits this:

Before you try Track THIS, get your tabs in order and save your work. Maybe even open up a new window or browser. Track THIS will open A LOT of tabs. 100 tabs is a lot.

Isn’t borking a surveillance victim’s machine in the interests of demonstrating privacy issues a little counter-productive?

The other worry is that Track THIS might open a website that has been attacked by hackers or malvertisers, thus infecting your machine. Even if Mozilla vets the URLs at the outset, isn’t there a danger that they might be compromised later?

Mozilla responded:

In terms of selecting the URLs, we chose reputable websites with a large audience. The possible security risks associated with this activation are no greater than any typical encounter a user would have with the sites that are associated with each of the four profiles.

We tried Track THIS out in a virtual machine with two cores and 8GB of memory allocated. We pretended to be a doomsday prepper. Firefox’s own browser refuses to open 100 tabs (its security features allow only 20 tabs at a time), but after opening Track THIS in a new installation of Opera and allowing pop-ups, it did indeed open 100 sites.

Sites opened included various Amazon searches for prepper gear, and articles on everything from wildfires through to how doomsday preppers are represented in the movies. It sourced content from a range of sites including the New York Intelligencer, the History channel, and apartmentprepper.com.

We had no ad blocking or anti-tracking settings turned on in Opera, and we can’t say that the ads reflected our chosen personality much. Rolling Stone showed us ads for Quickbooks. Another site showed us ads for ATV tyres and wellness coaching. Your mileage may vary.

This is an interesting publicity stunt, but we can’t help feeling that the sorts of people this is going to attract are those who already understand the implications of online tracking.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D0lFpfyNfxY/

Cryptocurrency phish dials back the fear, cranks up the politeness

Have you heard of a cryptocurrency outfit called Luno?

We hadn’t heard of it until today – there are lots of cryptocoin companies out there, after all – but cybercrooks certainly had.

According to its own website, Luno (it’s the word for moon in the constructed global language Esperanto, in case you’re wondering) has processed cryptocurrency transactions for more than 2,000,000 people in 40 countries since 2013.

And that’s more than enough potential phishing victims to make it worthwhile for crooks to pump out a spama kampanjo (that’s Esperanto for spam campaign, as you probably guessed) to try to trick Luno users into handing over personal data, including their Luno password.

So, rather sadly for Luno, quite a few people are going to be hearing the company name for the first time in the context of an attempted fraud against them.

Like this:

Now, here’s the thing.

A great many spammers are sloppy, and make lots of mistakes in grammar and spelling – with the result that many of us have fallen into the trap of relying on typos and language blunders as the primary “tells” that we’re talking to a crook.

So if you’ve drifted into the habit of watching out for roten speling and gramattic mistakens in order to detect bogus messages, you could easily fall for this one.

It’s not written in quite the sort of English that a fluent, native speaker of the language would use – there’s a certain linguistic clumsiness throughout – but it’s as well-written as many official and supposedly professional documents that we’ve received in recent years, from both the public and private sector.

This email also avoids the overly dramatic style that characterises many phishing campaigns, where the crooks rely heavily on a combination of fear and pressure to URGE YOU TO ACT and, indeed, to ACT RIGHT NOW.

As phishes go, we have to admit, very grudgingly, that this one is better than most.

Obvious anyway

Fortunately there are other obvious signs that this is a phish, notably that reputable companies try to avoid putting links in their emails that lead directly to authentication pages, and even if they do, you shouldn’t click them anyway.

Also, the link in this phish doesn’t point to the sort of URL you’d probably expect – it leads off to a weirdly named and unencrypted (non-HTTPS) server in the .CO.KR (South Korea) domain.

Of course, in the same way that crooks are learning to spell and punctuate correctly, they’re also learning to use HTTPS websites for their scams, so you see a padlock when you click their links…

…but in this case, they haven’t bothered, so you can instantly use that fact as an unassailable reason, all on its own, to delete the email.

The .CO.KR server used by these crooks is in fact hosted in the US, using a domain that was set up just this week, presumably for short-term use in this and other similar scams.

This US-based server is used only to redirect you to a .COM web address, this time hosted in Serbia, where you are presented with a fake “account unlock” page:

The domain name used for the second step of the scam – the address you end up seeing in your address bar, albeit without a padlock – was registered several years ago, and was presumably bought up or hacked by the crooks to give their scam some apparent legitimacy to reputation-based cybersecurity scanners.

For all we know, the owner of this domain bought it on a whim back in 2011, set up a default web server with all the best intentions…

…and then left it lying around, assuming that a server that’s not doing anything can’t cause any harm.

Until it gets “borrowed” as a sort of accommodation address for malicious web pages and scripts during a scam campaign or a malware attack.

What to do?

  • If an email looks like a phish because it’s badly written, spelled and punctuated, it IS a phish. If the warning signs are obvious, don’t ignore them!
  • But if an email has correct grammar and spelling, that doesn’t make it legitimate. Crooks know how to copy-and-paste, so it’s easy for them to concoct decent-looking emails even in languages they don’t understand.
  • If an email looks like a phish because it insists that you log in using a link in the email itself, it IS a phish. Don’t follow links that could have been sent by anyone, and probably were.
  • If a website isn’t using HTTPS, don’t visit it. Some legitimate sites still haven’t bothered to add encryption to their servers – if we all stop visiting them, they’ll soon get the message to adopt HTTPS.
  • But if a webserver does use HTTPS and shows a padlock, that doesn’t ensure it’s legitimate. Crooks can hack existing servers that are already encrypted, or simply get their own web certificates. The HTTPS padlock is important because it stops other people snooping or changing web pages on their way back to you, but it doesn’t vouch for the truth or accuracy of the web content itself.
  • Don’t leave old domains, accounts and web servers lying around unpatched and unloved. You may end up inadvertently giving free cloud services to a crook – and if you do, the finger of blame will end up pointing at you.
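The link-related checks in the list above can be applied mechanically before anyone clicks. The following Python script is an added example for this article, not a tool from Naked Security or Luno: it parses a constructed sample message (the sender domain, host names and paths are made up), pulls every link out of the HTML body, and reports the warning signs each one shows: a non-HTTPS scheme, a host outside the sender’s domain, visible link text that names a different host than the real target, and a path that leads straight to a login or “unlock” page.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words in a link's path or query that suggest it leads to an authentication page.
AUTH_WORDS = ("login", "signin", "unlock", "verify", "password", "account")

# Constructed sample message (not the Luno phish itself): the sender domain,
# host names and paths are made up for this example.
SAMPLE_EMAIL = """From: Examplecoin Support <support@examplecoin.test>
To: customer@example.org
Subject: Your account needs attention
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://svc-44210.somehost.co.kr/unlock">confirm your account</a>
within 48 hours.</p>
<p>Help centre: <a href="https://examplecoin.test/help">https://examplecoin.test/help</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg):
    """Domain part of the From address (From can be spoofed; pair this with SPF/DKIM results)."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rsplit("@", 1)[-1].lower()


def check_link(href, text, sender_dom):
    """Return the list of warning signs for one link; an empty list means none were found."""
    findings = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        findings.append("not HTTPS")
    if host != sender_dom and not host.endswith("." + sender_dom):
        findings.append(f"host {host} is outside the sender domain {sender_dom}")
    # A link whose visible text is itself a URL should point where it says it does.
    shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
    if shown and shown.lower() != host:
        findings.append(f"text shows {shown} but the link goes to {host}")
    target = (u.path + "?" + u.query).lower()
    if any(word in target for word in AUTH_WORDS):
        findings.append("leads straight to a login/verification page")
    return findings


def analyse(raw_message):
    """Map each link in the HTML body to its list of warning signs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_dom = sender_domain(msg)
    body = msg.get_body(preferencelist=("html",)).get_content()
    extractor = LinkExtractor()
    extractor.feed(body)
    return {href: check_link(href, text, sender_dom) for href, text in extractor.links}


if __name__ == "__main__":
    for href, findings in analyse(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(findings) or "no warning signs")
```

The sender-domain comparison is only as good as the From header, which the article’s own point makes clear: crooks can forge it, so treat this check as one more signal alongside SPF/DKIM/DMARC results, not as proof of legitimacy. Conversely, the HTTPS check only tells you a link is unencrypted; a padlock on the other link would not have made it safe.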

If in doubt, leave it out.

If you really are a Luno customer, and you’ve received a message like this, why would you trust anything in the email?

That would be like asking the defendant in a criminal trial to serve on their own jury.

Never take any cybersecurity action based on the say-so of a message that “just showed up”.

After all, if you phone the “emergency number” given in a scam email, the crook who answers will tell you what you want to hear; if you try to verify “facts” by visiting a website someone else told you to use, you’ll see what the inventor of the “facts” wants you to see.

Simply put – it’s better to follow your own nose to validate facts than blindly to follow someone else’s!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/42oofly2AD4/

New Exploit for Microsoft Excel Power Query

The proof-of-concept, which allows remote code execution, is the latest to exploit Dynamic Data Exchange (DDE) and is another reminder why organizations must ensure Office settings are secure.

Organizations now have one more reason to pay attention to the security settings of their Microsoft Office applications.

Researchers at Mimecast have developed a working proof of concept that shows how attackers can use a legitimate function in Microsoft Excel called Power Query to remotely drop and run malware on a user’s system, escalate privileges, and carry out other malicious activity.

Such attacks can be hard to detect and could allow attackers to load payloads into Excel spreadsheets directly from the Web or other external source when the document is opened, Mimecast said. Because Power Query is a very powerful feature, the potential for the issue to be abused is great, according to the security vendor.

Mimecast’s exploit is the latest involving Dynamic Data Exchange (DDE), a protocol that allows Microsoft applications that use shared memory to exchange data and messages with each other. In the past, researchers and advanced threat groups have demonstrated how DDE can be exploited within Word and other Microsoft Office apps to distribute malware, escalate local privileges, and enable other malicious activity.

In response, Microsoft issued guidance in January 2018 recommending that organizations disable the DDE feature where it is not needed, in order to block external data connections. The company has also noted that for DDE exploits to work, a user would need to click through multiple security prompts. Warnings are displayed on all currently supported Excel versions before loading external data and before executing a command from a DDE formula.

But Meni Farjon, chief scientist of advanced threat detection at Mimecast, says it’s unclear how many organizations are following the advice. “It is unlikely that many organizations have disabled it,” he says.

The default setting is for DDE to be enabled, which means an organization is vulnerable to exploits targeting the protocol, he says. “It is hard to say that organizations have disabled this feature because some of them rely on these Excel features.”

DDE and Social Engineering

Mimecast’s new exploit shows how attackers can use Power Query to launch a remote DDE attack in an Excel spreadsheet.

Power Query is a feature in Excel that lets users connect their spreadsheets with other structured and unstructured data sources, including web pages, text files, databases, Active Directory, Exchange, Hadoop, and even Facebook. It’s one of three data analysis tools available with Excel and allows users to discover, combine, and refine their data in various ways.

Mimecast researchers discovered that Power Query’s ability to link spreadsheets to other sources and load data from them into an Excel spreadsheet could be abused relatively easily to launch sophisticated and hard-to-detect attacks. “Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” the company said in an advisory Thursday.

Mimecast’s proof of concept shows how an external web page hosting a malicious payload can be loaded into an Excel spreadsheet. “An attacker just needs to open up an Excel document and follow a few clicks to create the issue — no reverse engineering, no hex editing, no memory abuse,” Farjon says.

For an attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email or use some other social engineering tactic to get that person to open the document. At that point, the document would make a query or request for the malicious payload hosted on the web page. 

Antivirus tools wouldn’t spot the crafted file as being malicious because the payload would not be embedded in it. And attackers could ensure the payload bypasses antivirus and sandboxing controls when being loaded from the external web page by adding a specific HTTP header in the request, Mimecast said.

“It is very easy and fast to craft, so it makes it viable for both opportunistic and high-scale attacks,” Farjon says. A user, however, would need to click on a warning box in order to enable the remote content, he adds. “This isn’t a configuration issue since it is enabled by default. It’s a security issue rather than a security vulnerability, as per Microsoft,” he says.

Microsoft itself pointed to its previous guidance around DDE in response to Mimecast’s new exploit. “For this technique to work, a victim would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula,” a spokeswoman said in an emailed statement.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/new-exploit-for-microsoft-excel-power-query-/d/d-id/1335083?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2001: Linux is cancer, says Microsoft. 2019: Hey friends, ah, can we join the official linux-distros mailing list, plz?

Microsoft’s transformation into a fully paid-up member of the Linux love-train continued this week as the Windows giant sought to join the exclusive club that is the official linux-distros mailing list.

The linux-distros list is used by Linux distributions to privately report, coordinate, and discuss security issues yet to reach the general public; oss-security is there for stuff that is already out in the open or cannot wait for things to bounce around for a few days first.

Sasha Levin, who describes himself as a “Linux kernel hacker” at the beast of Redmond, made the application for his employer to join the list, which if approved would allow Microsoft to tap into private behind-the-scenes chatter about vulnerabilities, patches, and ongoing security issues with the open-source kernel and related code. These discussions are crucial for getting an early heads up, and coordinating the handling and deployment of fixes before they are made public.

To demonstrate that Microsoft qualifies for membership alongside the likes of Ubuntu, Debian, and SUSE, he cited Microsoft’s Azure Sphere and the Windows Subsystem For Linux (WSL) 2 as examples of distro-like builds.

Azure Sphere is Microsoft’s take on edge computing, with its own flavor of Linux running on Arm-based hardware. It has, however, resolutely remained in preview. WSL 2, also in preview, is based on a tweaked version of the Linux 4.19 kernel and took a bow for Windows Insiders earlier in June. Levin reckons it will be generally available in 2020 (so its official release won’t coincide with the increasingly mythical 19H2 build of Windows 10.)

Levin went on to highlight that Microsoft has plenty of users not employed by the Windows giant, its Linux builds aren’t based on someone else’s distribution and, of course, it contributes to the community.


Levin has indeed been an active member of the community. A glance at the changelog for the 5.0.15 Linux kernel is peppered with his sign-offs, often along with Greg Kroah-Hartman, a fellow at the Linux Foundation. It was therefore not surprising to see Kroah-Hartman vouch for Levin. Kroah-Hartman pointed out that Levin has full write permissions to the stable kernel trees, and applauded Microsoft’s application to sign up.

Microsoft would join such Linux luminaries as Google’s Chrome OS team and Red Hat on the list. Penguinistas concerned that the number-two cloud flinger’s appearance is a sign of the creeping corporatisation of the Linux world’s once carefree free-for-all would be well advised to note that another kindly, caring software giant, Oracle, also has representatives on the list. And don’t forget: most Linux kernel development is done by engineers working at organizations like IBM-gobbled Red Hat, Intel, and the Linux Foundation these days, anyway.

It is indeed a measure of how far Microsoft, famed for jealously guarding its software secrets and once describing Linux as a cancer, has come that it has the distro chops to qualify for lists dedicated to dealing with security issues affecting open source software.

“What we’re seeing here is that Microsoft wants access to early security alerts on Linux,” said open-source pioneer Bruce Perens, in a phone call with The Register on Thursday. “That’s why specifically they’re asking to be on this list. They’re joining it as a Linux distributor because that’s how it’s structured. Microsoft obviously has a lot of Linux plays, and it’s their responsibility to fix known security bugs as quickly as other Linux distributors.”

Perens said he would expect large cloud providers to do the same if they haven’t already. “I would expect Chrome OS has the same kinds of problems,” he said.

Thanks to Register reader Alan J. Wylie, who forwarded us the thread. ®

Additional reporting by Thomas Claburn in San Francisco.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/27/microsoft_linux_distro_list/

While we were raging about Putin’s meddling and Kremlin hackers, Five Eyes were pwning Yandex, Russia’s Google

Hackers from the Five Eyes intelligence agencies have been accused of breaking into systems at Yandex, dubbed Russia’s Google.

A report by Reuters today cites four sources claiming Western spies are believed to be behind a malware infection spotted spreading among developer machines at the Russian search, webmail, and ecommerce giant Yandex over several weeks in October and November last year.

The Windows malware, dubbed Regin, was developed and wielded by Britain’s GCHQ and America’s NSA to spy on VIPs around the planet, according to top-secret files leaked by Edward Snowden. The modular and adaptable software nasty is primarily designed to be used for extended surveillance operations.

In the case of Moscow-based Yandex, the malware was apparently used to follow a specific group of programmers within the organization’s research and development division. It is thought the West’s hackers wanted to figure out a way to covertly break into specific user accounts and harvest private messages and other sensitive data.

“Cyber attacks are a common occurrence throughout the world. This particular attack was detected at an early stage by the Yandex security team,” a Yandex spokesperson told The Register in the past hour.


“It was fully neutralized before any damage to Yandex customers’ data was done. At this point in time we are not disclosing any further details about the attack. The Yandex security team’s response ensured that no user data was compromised by the attack.

“Ensuring the security of user data is of critical importance to us. Following the attempted attack, we took the necessary measures to ensure that we would not be susceptible to such an attack in the future. We continue to employ all relevant cyber defense tools and also cooperate with leading third-party experts and providers to protect our users’ privacy.”

Russian infosec giant Kaspersky, which published an investigation into Regin back in 2014, was called in by Yandex to help clean up the infection and help attribute the attack to Five Eyes intel agencies. When contacted by The Register, Kaspersky declined to comment.

It’s tempting to chalk this up to “spies do spying.” It is no secret that the NSA and other Five Eyes member agencies have sought to infiltrate critical government and private sector organizations in Russia and other nations to extract intelligence.

However, at a time when the US government has been publicly criticizing other countries for hacking American public and private sector networks as part of their own spycraft, it comes off as more than a little hypocritical that Uncle Sam’s own white/grey/black hats were hard at work infiltrating one of Russia’s largest online businesses. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/27/nsa_yandex_hack/

Understanding & Defending Against Polymorphic Attacks

Polymorphic malware is far from a new thing. But today, what is good for attackers is also good for defenders. Here’s why.

I first wrote about polymorphic malware four years ago. I recall having a hard time getting an editor to approve publication of my piece because he claimed none of his readers would be interested in the concept. Yet in the time since then, polymorphism has gone from virtually unknown to standard practice by malware writers. Indeed, it has become so common that most descriptions of attacks don’t even call it out specifically. Webroot in its annual threat assessment from earlier this year reported that almost all malware it has seen had demonstrated polymorphic properties.

The term refers to malware that can adapt to conditions and change its behavior to try to avoid detection. A recent example is the After-Shock-3PC malware which targeted a number of media websites. It frequently switched its active code to spoof online payment systems, in the process trying to appear as if it belonged on the computers that it infected. It was even partially successful.

Polymorphic malware has become popular because criminals can purchase malware construction kits that include this feature, such as the kits that have produced the Cobalt Strike, Fallout, and Orcus malware families. Another reason for the attraction is that polymorphic code is harder for researchers to pick apart and track down its shifting series of operations.

Actually, polymorphic malware is far from a New Thing. The first piece of such malware could be traced to 1990 with Ralf Burger’s Chameleon. But what is good for attackers is also good for defenders. Using polymorphic principles to confuse an attacker has become a rich research area, especially for academics. They also call the concept a “moving target defense,” and there have been two major Association for Computing Machinery conferences devoted to the subject: the first one in November 2014 in Arizona and a second one in November 2015 in Denver.

That research has spawned a number of vendors that incorporate polymorphic methods using one (or more) of three major protective tactics to defend your resources:

  • Using network-based actions such as changing IP addresses,
  • Using host-based actions such as changing host names and other identifying characteristics, and
  • Using application-based actions such as recompiling code or changing memory locations of executables.

This last tactic is used by several vendors, including Polyverse and Morphisec. The latter has been a leader in this area and earlier this year closed a $12 million series B funding round. Its software is now installed on 2 million endpoints. Other startup vendors, such as CyActive, have been absorbed by PayPal, indicating how important this technology is for online-centric businesses that want to shore up their defenses.

Shape Security has a network-based product that is used to block distributed denial-of-service and man-in-the-browser attacks, working with an ordinary network firewall to redirect traffic to critical web resources. There are also numerous other security vendors that claim to block some kinds of polymorphic malware vectors as part of their overall firewall, web app/email security gateways, or intrusion-detection products.

Clearly, its time has come, on both offensive and defensive sides.

What are the main takeaways for security staff? First, study the concepts behind the moving target defense to see if this can benefit your own operations. Next, consider using one of the defensive vendors mentioned above to protect your most critical online assets. Look at recompiling your custom apps to include polymorphic methods to help stay ahead of attackers. Finally, examine your existing threat detection portfolio and check to see if anything can recognize polymorphic attack scenarios properly. Certainly, the attackers will continue to use these methods to evade detection, so we have to get better at ferreting them out and stopping them.

 

 

 


David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services …

Article source: https://www.darkreading.com/perimeter/understanding-and-defending-against-polymorphic-attacks/a/d-id/1335006?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Hackers Infiltrate Open Source Projects

The dependency trees of modern software development make smaller open-source projects vulnerable to hackers sabotaging code.

The open source software that the vast majority of organizations include in their critical applications is vulnerable to exploitation from threat actors taking part in its creation. That’s the message from security professionals who point to the nature of open source projects and the ubiquity of the code as a real threat to enterprises.

Once insinuated into an open source project, criminals have a wide range of options, but within a narrow window: “Whether it’s a backdoor keylogger, or Trojan of some sort, it needs to net them something valuable quickly, or they need to do it in a really slick way so they don’t get found out for a while,” says Brad Causey, owner of Zero Day Consulting.

The combination of flexibility and availability makes open source project hacking an opportunity that criminals are willing to seize. “It’s a pretty well-known attack vector. And I would expect that it’s probably happening more than we’re aware of,” says Chris Eng, chief research officer at Veracode.

Other experts agree. “It’s not only heard of, it’s happening all the time around us. We know of such actions from history and there’s no reason to believe that it’s not still going on,” says Eran Yalon, head of security research for Checkmarx. 

In almost all open source projects, contributors must have their work vetted by other members before the code is accepted as part of the project. The level of review varies with the individual’s reputation — as they become more trusted, fewer layers of review may be required. Especially in the larger, more well-known open source projects such as major Linux distributions, the procedures are well-defined and the labor pool large enough to enforce those procedures on a consistent basis.

“The smaller projects don’t have those resources to provide the level of security that the larger projects have,” says Causey. “So you see those projects getting compromised more often.”

Small Project, Big Impact

Experts point to very small open-source projects as the primary target for malicious actors looking to insert malicious code.

“A very small package can be a dependency of larger packages, and there’s no limit on how many layers deep the dependencies can go,” says Yalon. “When you think you’re building a project with one or two dependencies, you could actually be using hundreds, and there’s no way of really checking all of them.”

An open source project published and maintained by a single individual, event-stream, was taken over by a malicious actor who managed to insert attack code into the code library distributed through NPM, a popular package manager for JavaScript developers.

“Event-stream was a project run by a developer who didn’t have enough time to maintain it,” explains Yalon. “A malicious user convinced him that he could take over the project.”

After the takeover, the code was maintained as usual — for a time. Then, the malicious owner changed a package that event-stream itself depended on, inserting code that was able to hijack certain Bitcoin wallets.

How big was the reach of this attack? The project code is downloaded almost 1.5 million times each week, and it is used in more than 1,600 other packages that are, themselves, downloaded millions of times.

Another, non-malicious, incident exemplifies how profound the impact of a small package can be: On March 23, 2016, a developer named Azer Koçulu removed 250 modules he had written and distributed through NPM. One of those modules was a very small piece of code (11 lines) that added spaces to the left side of a string of text to make it fit into a variable definition. “left-pad” was, as it turns out, part of the code collection (known as dependencies in development-speak) used in thousands upon thousands of enterprise and commercial programs around the world, including those built with JavaScript development mainstays Babel and Node.

And upon left-pad’s un-publishing, those thousands upon thousands of applications stopped working. While it was easy for developers to re-create the functionality, the short-term impact of this simple act was huge.

(Nearly) Universal Threat

“I do think [that it’s] important to just underscore how prevalent open source is,” notes Eng. Gartner data shows that 95% of enterprises use open source code in their internal projects, he says.

Given the time pressures inherent in agile and DevOps methodologies, the one certain defense — the internal development team writing its own functions and libraries — is not likely to be adopted, Eng says.

So what is a dev group to do to increase code security?

“Step number one is to be selective about what libraries and what open source projects you choose to roll into your technology stack,” says Causey, adding that some projects have much better track records than others.

Next, he says, be sure that the project for the code used is an active project, with regular updates. “Look into the history of the activity of the project to make sure it’s a good project, meaning that there’s a lot of active folks out there,” he explains. This makes it far more likely that any vulnerabilities will be quickly patched.

And once the patches are written, they have to be applied, says Eng. He says that he’s seen too many organizations that get excited about zero-day vulnerabilities and nation-state actors but fail to keep up with “basic code hygiene.” That’s “the basic blocking and tackling like simply keeping your open source code up-to-date, and doing basic code scanning,” he says.

It’s all about trust: trust in the open source project and in the internal developer using the code, Yalon says. “A malicious open source package isn’t a problem if no one uses it,” he says. “There should be rules inside every IT organization for who can upgrade or change software packages. Someone should take a look to see what’s going on.”
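One way to give that “someone” something concrete to look at, as an added example that is not part of the article or of any project it names: a small Node.js script that compares two npm lockfiles and lists every transitive package that was added, removed or changed by an upgrade, with its depth in the dependency tree. It assumes the nested (lockfile v1) `dependencies` layout, and the package names and versions in the sample are constructed, not real packages.

```javascript
// Added example (not from the article): flatten two package-lock.json
// "dependencies" trees and report every transitive package that appeared,
// disappeared or changed version, with its depth in the tree. Assumes the
// nested v1 layout: { dependencies: { name: { version, dependencies } } }.

function flattenLock(lock, prefix = [], out = new Map()) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...prefix, name];
    out.set(path.join(" > "), { version: entry.version, depth: path.length });
    flattenLock(entry, path, out); // recurse into nested (transitive) deps
  }
  return out;
}

// Returns { added, removed, changed } so a reviewer can inspect what a
// routine "npm install" actually pulled in before approving the upgrade.
function diffLockfiles(oldLock, newLock) {
  const before = flattenLock(oldLock);
  const after = flattenLock(newLock);
  const added = [], removed = [], changed = [];
  for (const [path, info] of after) {
    const prev = before.get(path);
    if (!prev) added.push({ path, ...info });
    else if (prev.version !== info.version)
      changed.push({ path, from: prev.version, to: info.version, depth: info.depth });
  }
  for (const [path, info] of before) {
    if (!after.has(path)) removed.push({ path, ...info });
  }
  return { added, removed, changed };
}

// Constructed sample lockfiles (hypothetical package names): the app only
// lists "stream-util" directly, but the new lockfile silently brings in a
// deeper helper package under it, the pattern described for event-stream.
const OLD_LOCK = {
  dependencies: {
    "stream-util": { version: "3.3.4", dependencies: { "through-ish": { version: "2.3.8" } } },
  },
};
const NEW_LOCK = {
  dependencies: {
    "stream-util": {
      version: "3.3.6",
      dependencies: {
        "through-ish": { version: "2.3.8" },
        "map-helper": { version: "0.1.1" }, // new, unreviewed transitive dependency
      },
    },
  },
};

console.log(JSON.stringify(diffLockfiles(OLD_LOCK, NEW_LOCK), null, 2));
```

Anything in `added` or `changed` at depth 2 or more is exactly the kind of change a routine upgrade hides from the developer who only asked for the top-level package.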


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/application-security/how-hackers-infiltrate-open-source-projects-/d/d-id/1335072?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Inside MLS, the New Protocol for Secure Enterprise Messaging

As personal messaging platforms see the rise of end-to-end encryption, businesses struggle to provide strong levels of security.

As the world moves toward end-to-end encryption for personal messaging platforms, businesses are challenged to integrate the same level of security in corporate messaging apps.

Even encryption protocols for person-to-person messaging are still undergoing development. Services want to reduce the amount of sensitive data they store; however, only a few encryption protocols – Signal, for one – have been scrutinized for security.

The Signal protocol, which rolled out to WhatsApp’s base of one billion users in 2016, is the first end-to-end encryption protocol to be globally deployed. Security guarantees of the open-source protocol include forward-secrecy and recovery from key compromise. And while a few personal messaging systems have adopted Signal, corporate messaging has failed to follow.

“In the consumer space there are a few services with end-to-end encryption but in the business space it’s very rare,” says Raphael Robert, head of security at Wire, which launched in 2014 as a secure messenger primarily built for consumers. Since then, it has repositioned itself to build a secure business collaboration system. Wire is currently in the midst of working to develop Messaging Layer Security (MLS), a new protocol designed to facilitate more secure enterprise messaging platforms.

Technical challenges often hold companies back from adopting end-to-end encryption. “The bigger the organization, the harder it is to make a change in general,” says Robert. Scalability is a key problem: WhatsApp, for example, uses a protocol dubbed Sender-Keys to support group chats. The problem is, the protocol doesn’t support post-compromise security, meaning that in a simple deployment an employee who has left the company may still be able to read messages.

In many modern enterprise environments, products use transport encryption between client and server but messages and content being shared aren’t encrypted on the server. This information usually ends up in a large database, he continues, where it’s vulnerable to third-party access. A cybercriminal needs only an employee’s credentials to break in and get it.

“This is a huge risk, which doesn’t really meet the requirements of businesses in general,” he adds. “There is typically very sensitive information.”

Messaging Layer Security (MLS): A New Protective Protocol

To address the many issues in enterprise messaging security, the Internet Engineering Task Force (IETF) is building the MLS group messaging protocol. Its goals for MLS differ from those of pairwise protocols: it aims to allow practical groups up to 50,000 clients, cover multiple industry use cases including federation and Web browser support, and offer formal security guarantees.

When Wire introduced end-to-end encryption to its system in 2016 and open-sourced its code base, secure messaging protocols were “always a big issue,” says Robert. There was no open standard they could adopt. That summer, during the IETF meeting in Berlin, Wire proposed a standard that was protected by modern security properties and could be used by companies large and small.

MLS has since been undergoing development. While initiated by Wire, along with Mozilla and Cisco, in 2016, it has received support from major tech companies along the way: Facebook, Google, INRIA, and Twitter have all contributed to the effort. “In the past 18 months we’ve worked a lot on the core protocol to make sure of what kind of security guarantees we want to achieve and how we can achieve them,” says Robert. Now, they’re finalizing it for the academic community to review.

How will it be different? Researchers proposed it should be possible to use MLS in a federated environment, meaning you don’t need a central server or central cloud to implement it. Employees should be able to communicate across clouds and devices, Robert explains.

Many businesses also struggle with the risk of shadow IT, he continues. People rely on their mobile apps to communicate internally and externally, and it’s difficult to regulate. Most employees use multiple devices, which most existing protocols “never really took into account,” he adds. Since its inception, the people behind MLS wanted to address security across devices.

“One of the core goals of MLS was to support multi-device scenarios and support groups, particularly large groups, and to make encryption as efficient as possible,” he adds. With many protocols, encryption for groups can get expensive.

By next year, he hopes, MLS will be ready to integrate into messaging platforms. Robert, along with INRIA’s Benjamin Beurdouche and independent researcher Katriel Cohn-Gordon, will discuss the research behind, and details of, MLS this summer at Black Hat USA in a briefing entitled “Messaging Layer Security: Towards a New Layer of Secure Group Messaging.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/perimeter/inside-mls-the-new-protocol-for-secure-enterprise-messaging/d/d-id/1335075?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Ways to Mitigate Supply Chain Attacks

Breaches caused by external vendors and service providers have become a major and escalating problem for organizations.

Breaches resulting from third-party security lapses are on the rise. Last year, 61% of surveyed US organizations said they had experienced a breach caused by one of their vendors or another third party. Some 75% said they believed such incidents were only going to increase.

The growing complexity of the third-party landscape bears much of that blame, according to the Opus/Ponemon Institute survey. While companies in the survey, on average, said they shared confidential and sensitive information with as many as 583 third parties, barely one-third had as much as an inventory of these entities. Some 69% said they did not have centralized control over third parties, and more than 60% did not have adequate resources for managing third-party risk.

In a separate survey conducted this year by BitSight and the Center for Financial Professionals, 97% of financial services companies said third-party risk was becoming a major concern. Nearly eight in 10 companies said they had already terminated a business relationship, or had ratcheted it down, over cybersecurity issues. Barely 22% said they were continuously monitoring third-party cyber-risk.

“Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify, and costly to address,” says Steve Durbin, managing director of the Information Security Forum.

Here, according to Durbin and several other security experts, are tips for managing third-party risks.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/analytics/7-ways-to-mitigate-supply-chain-attacks/d/d-id/1335068?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Former Equifax CIO Sentenced to Prison for Insider Trading

Jun Ying is the second Equifax employee found guilty of insider trading related to the massive 2017 data breach.

Jun Ying, former chief information officer of Equifax US Information Solutions, has been sentenced to four months in federal prison and a year of supervised release for insider trading.

In March 2018, the Securities and Exchange Commission (SEC) charged Ying with insider trading ahead of Equifax’s disclosure of a massive data breach in September 2017. As an executive within a US business unit of Equifax, Ying was privy to sensitive information that led him to conclude the company had been breached in August 2017, weeks before the incident was made public.

On Aug. 25, 2017, Ying messaged a colleague to warn that Equifax may have been breached. A few days later he exercised all of his stock options and received 6,815 shares of Equifax stock, which he sold for proceeds of $950,000. He realized a gain of more than $480,000 – avoiding a loss of over $117,000. Equifax announced the breach on Sept. 7; its stock price fell.

Ying, who was next in line to be Equifax’s global CIO, has also been ordered to pay restitution of $117,117.61 as well as a $55,000 fine. He was convicted of these charges on March 7, 2019.

This is the second Equifax employee to be found guilty of insider trading related to the 2017 data breach. Sudhakar Reddy Bonthu, former Equifax manager, pleaded guilty in July 2018.

“If company insiders don’t follow the rules that govern all investors, they will face the consequences for their actions,” said Chris Hacker, special agent in charge of FBI Atlanta, in a statement. “Otherwise the public’s trust in the stock market will erode.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/former-equifax-cio-sentenced-to-prison-for-insider-trading/d/d-id/1335078?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple