STE WILLIAMS

Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.

Stan Hegt and Pieter Ceelen, both security researchers and red teamers with security firm Outflank B.V., have been exploring a range of attack techniques that abuse Microsoft Office features. Their previous research, shown at DerbyCon 2018, demonstrated how abusing legacy functionality (a macro language that predates VBA, for example) bypasses security controls.

Outflank B.V. is a small, specialized security firm focused on red teaming, Hegt explained in an interview with Dark Reading. During most engagements, they attempt to remotely compromise workstations. Remote entry is among the toughest attacker methods, says Hegt. “It forces us to innovate, but we don’t see that much innovation in this respect, in the wild.”

Early findings prompted them to analyze flaws within the functionalities embedded into the Office suite. And since DerbyCon, the duo has continued to research Office and uncover new security holes.

“To dive into Microsoft Office, there’s so much to go into,” says Hegt. “When we dove in with the purpose of DerbyCon, we noticed there were many points to go left or right with additional research. Every path led to more cool stuff we could present to the world.”

As part of their ongoing research, Hegt and Ceelen found “at least two things that were not according to spec” – and resulted in two vulnerabilities being recently patched by Microsoft. One CVE uses the old feature of fields in Microsoft Word, in combination with macro buttons (no VBA required) to steal the contents of any file on disk. Another CVE uses fields in combination with templates and headers to build phishing documents without the use of macros.

“There are plenty of new defenses being built into Microsoft Office, but there are so many archaic features,” Heft continues. “Many times, those archaic features can be exploited to evade or abuse modern defenses.”

Both bugs the team discovered can be exploited to steal information; one steals files, the other goes after credentials. Further, they say, both combine legacy features in ways that likely weren’t foreseen. The researchers note their analysis shows that the kind of Office malware currently seen in the wild is “just the tip of the iceberg” of what’s possible in Office threats.

At Black Hat Asia, coming up March 26-29 in Singapore, Hegt and Ceelen will take the stage to present their talk “Office in Wonderland,” in which they will disclose details on new Word and Excel vulnerabilities, release attack vectors which Microsoft deemed Office features, and demonstrate the security impact of the architectural design of the full Office suite.

Getting Bugged Down

As part of its January Patch Tuesday release, Microsoft issued CVE-2019-0561, a Microsoft Word information disclosure vulnerability discovered as part of Hegt and Ceelen’s research. The flaw exists when Word macro buttons are improperly used, and a successful attacker could target the vulnerability to read arbitrary files from a targeted system, according to Microsoft.

To exploit CVE-2019-0561, an attacker would have to create a malicious file and convince the user to open it. They would have to know the location of the file whose data they want to steal. Microsoft’s patch for CVE-2019-0561 addresses the vulnerability by changing the way some Word functions handle security warnings.

Microsoft’s February Patch Tuesday release yesterday included CVE-2019-0540, addressing another bug discovered by Hegt and Ceelen. This is a Microsoft Office security feature bypass flaw that exists when Office doesn’t validate URLs. Attackers can send victims specially crafted files to trick them into entering credentials and perform a phishing attack.

“A lot of organizations rely on username and password combinations,” says Ceelen. “As an attacker it’s very much in interest to go collect usernames and passwords.” This bug lets attackers send plain docs without any macros, and it will alert the target with a pop-up to enter their credentials. “We slowly see bad guys abusing these techniques,” he continues.

The patch addresses the vulnerability by ensuring Office properly validates URLs. While Ceelen points to an attacker focus on Word and Excel, given they have the longest history, he notes Microsoft has upped its patching game. “We see them making steps in all directions,” Ceelen says.

Both CVE-2019-0561 and CVE-2019-0540 were classified as Important in severity by Microsoft. Neither was publicly known or exploited in the wild prior to the release of their patches.

Related Content:

• New Zombie ‘POODLE’ Attack Bred from TLS Flaw
• Cybersecurity and the Human Element: We’re All Fallible
• 2019 Security Spending Outlook
• Experian: US Suffers the Most Online Fraud

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/endpoint/researchers-dig-into-microsoft-office-functionality-flaws/d/d-id/1333870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC). 

Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals – Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar – were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt’s former co-workers.

Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.

Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.

“The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt’s betrayal of the oath she swore to safeguard America’s intelligence and defense secrets,” said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. “This case also highlights the FBI’s commitment to disrupting those who engage in malicious cyber activity to undermine our country’s national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case.”

Facebook and ‘Target Packages’
According to the indictment, Witt provided the Iranian nationals with “target packages” to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent’s account. They then leveraged that account to target other agents where Witt once worked.

Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured “Mia Ash,” the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.

The highly detailed and creative social engineering ruse employed Mia – a young, London-based professional photographer who’s also an Arsenal FC fan – as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim’s machine. 

Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more “personal” touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example. 

John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn’t identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.

“Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces,” he says. “However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest.”

Related Content:

• New Hacker Group Behind ‘DNSpionage’ Attacks in Middle East
• Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East
• ‘Chafer’ Uses Open Source Tools to Target Iran’s Enemies
• Iran Ups its Traditional Cyber Espionage Tradecraft

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/ex-us-intel-officer-charged-with-helping-iran-target-her-former-colleagues/d/d-id/1333868?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC). 

Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals – Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar – were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt’s former co-workers.

Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.

Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.

“The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt’s betrayal of the oath she swore to safeguard America’s intelligence and defense secrets,” said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. “This case also highlights the FBI’s commitment to disrupting those who engage in malicious cyber activity to undermine our country’s national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case.”

Facebook and ‘Target Packages’
According to the indictment, Witt provided the Iranian nationals with “target packages” to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent’s account. They then leveraged that account to target other agents where Witt once worked.

Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured “Mia Ash,” the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.

The highly detailed and creative social engineering ruse employed Mia – a young, London-based professional photographer who’s also an Arsenal FC fan – as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim’s machine. 

Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more “personal” touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example. 

John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn’t identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.

“Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces,” he says. “However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest.”

Related Content:

• New Hacker Group Behind ‘DNSpionage’ Attacks in Middle East
• Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East
• ‘Chafer’ Uses Open Source Tools to Target Iran’s Enemies
• Iran Ups its Traditional Cyber Espionage Tradecraft

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/ex-us-intel-officer-charged-with-helping-iran-target-her-former-colleagues/d/d-id/1333868?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new strain of MacOS malware disguises itself as a Windows executable file to evade detection and embed itself on a system. But the malware authors aren’t exactly in the cross-platform avant-garde: the .EXE file that carries the MacOS malware will not, in fact, execute on a Windows machine.

Welcome to the malware rabbit hole.

Researchers from Trend Micro discovered the malware inside the installer for a popular firewall and network monitor called Little Snitch. Inside the standard MacOS .DMG installer is a .EXE file that is part of the mono framework — technology that’s used to allow .NET applications to run across multiple platforms, including MacOS.

The application that begins execution scans the host system for a variety of machine and environment information and sends the data to a CC server. It then downloads potentially unwanted applications (PUAs) that include adware camouflaged as Adobe Flash and a copy of Little Snitch that might, in itself, be compromised.

Malware authors typically use higher-level executables, like Adobe Flash files, JavaScript, or PHP to move between platforms. Most of those file types are now scanned by malware protection software and blocked if malicious behavior is detected.

Because .EXE files will not on their own execute on MacOS, MacOS anti-malware packages don’t typically scan or block them. This attack is aimed squarely at Macs: The .EXE file used to deliver the malware payload returns an error message if someone tries to run it on a Windows system.

According to the researchers, this particular implementation of the new technique is likely a research project on the part of malware authors. “We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine,” they wrote in their post on the findings.

As for how to avoid this attack, some anti-malware packages are beginning to pick up and scan these .EXE files for malicious intent. If your organization doesn’t have such software, then be sure that multi-layer security is in place and remind users to only download applications from fully vetted and verified sources.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Related Content:

• Unpatched Kernel-Level Vuln in IBM Security Tool for Apple MacOS Revealed
• Mac Malware Cracks WatchGuard’s Top 10 List
• Apple Patches Multiple Major Security Flaws
• Real-World Threats That Trump Spectre Meltdown
• 2019 Attacker Playbook

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/cloud/windows-executable-masks-mac-malware/d/d-id/1333876?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new strain of MacOS malware disguises itself as a Windows executable file to evade detection and embed itself on a system. But the malware authors aren’t exactly in the cross-platform avant-garde: the .EXE file that carries the MacOS malware will not, in fact, execute on a Windows machine.

Welcome to the malware rabbit hole.

Researchers from Trend Micro discovered the malware inside the installer for a popular firewall and network monitor called Little Snitch. Inside the standard MacOS .DMG installer is a .EXE file that is part of the mono framework — technology that’s used to allow .NET applications to run across multiple platforms, including MacOS.

The application that begins execution scans the host system for a variety of machine and environment information and sends the data to a CC server. It then downloads potentially unwanted applications (PUAs) that include adware camouflaged as Adobe Flash and a copy of Little Snitch that might, in itself, be compromised.

Malware authors typically use higher-level executables, like Adobe Flash files, JavaScript, or PHP to move between platforms. Most of those file types are now scanned by malware protection software and blocked if malicious behavior is detected.

Because .EXE files will not on their own execute on MacOS, MacOS anti-malware packages don’t typically scan or block them. This attack is aimed squarely at Macs: The .EXE file used to deliver the malware payload returns an error message if someone tries to run it on a Windows system.

According to the researchers, this particular implementation of the new technique is likely a research project on the part of malware authors. “We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine,” they wrote in their post on the findings.

As for how to avoid this attack, some anti-malware packages are beginning to pick up and scan these .EXE files for malicious intent. If your organization doesn’t have such software, then be sure that multi-layer security is in place and remind users to only download applications from fully vetted and verified sources.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Related Content:

• Unpatched Kernel-Level Vuln in IBM Security Tool for Apple MacOS Revealed
• Mac Malware Cracks WatchGuard’s Top 10 List
• Apple Patches Multiple Major Security Flaws
• Real-World Threats That Trump Spectre Meltdown
• 2019 Attacker Playbook

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/cloud/windows-executable-masks-mac-malware/d/d-id/1333876?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple