Friday 13 October 2017

Office DDE – How a zero day exploit evolves

12:28 Posted by G No comments
I’ve been following Kevin Beaumont on Twitter for a while, he’s a security architect from Liverpool, and quite a regular blogger.

On Tuesday lunchtime I read a tweet from him :

Having read the article at Sensepost, they have discovered a way to run code (what is called in IT security nerd circles as ‘RCE – Remote Code Execution’) in Office documents without the use of Macros.  Macros are a traditional way of getting malware to run, but companies often block macros, and some anti-virus services are configured to remove them, so not a reliable way to get malware on your victim’s machine.  Using this DDE feature is a newer and easier way to potentially deliver malware.

Clearly this is a big deal.  Reading the full post from Sensepost, they have reported it to Microsoft and Microsoft have said this is expected behaviour and therefore they won’t be patching it.  This means that customers are vulnerable to this attack vector and will have to find another way to protect themselves.

The main point of this article is to illustrate how quickly things move and this threat evolves.  From the Sensepost article no anti-virus spotted this as a suspicious file.

Beaumont then goes on to test this himself, being able to create a word document that will start the calculator program from it, and showing that none of the malware protection running on his machine detect this exploit. This is now 6pm on Tuesday the 10th of October

By 7.30 that evening, one of the AV vendors has started to identify this type of file as malicious.

By 1am, Beaumont has discovered a word document that uses the DDE vulnerability to start Internet Explorer and open a website where the malicious code is stored.  What’s more interesting is that the site where the malware is stored is a US Government website (now shut down)

Then by 8am on the 11th, here’s a copy of the email which has the DDE Vulnerability embedded in it.

Finally at 5pm on Wednesday, there’s a write-up from Talos (part of Cisco) about the whole malware chain

What’s also interesting is that the hackers use DNS to exfiltrate data, which is quite an esoteric way of doing it, but most companies won’t spot it as DNS is a perfectly legitimate service to have running.

If you managed to follow this to the end, this is clearly a very sophisticated hacking attempt, here’s the core elements of campaign :
1. Use of DDE exploit, which is not commonly known, and won’t be patched by Microsoft
2. Lack of Anti-virus firms picking up this attack vector
3. Use of legit sounding emails (Purporting to be from the SEC relating to EDGAR (company filing system in the US)
4. Malware is downloaded from a legit US Government website

This all goes to show how sophisticated attackers are, and how important it is to stay vigilant

In subsequent blog post Beaumont goes on the make the point that Microsoft will have to do something about this, as it is so difficult to protect against.  His suggestion which makes good sense to me is to disable DDE by default, and enable it via a registry key.