Microsoft issues Advisory to Office users after Fancy Bear attacks

Microsoft, the tech giant has posted a security advisory to let the Office customers minimize attacks that utilize an Office feature DDE to install malware upon opening an Office document. According to security researchers, since last month a Russia-linked hacking group named APT28 is making the use of DDE or Dynamic Data Exchange, an old protocol to embed malicious code through an infected Word document. This protocol enables the users to send messages between applications that share data.

These targeted attacks linked to this Russia-linked group are sometimes known as Fancy Bear hacking gang. Last month, it was observed that it was possible to plant attacks exploiting DDE via Excel spreadsheets, Word documents and Outlook, even when macros have not been enabled. For example- financial data that can be auto updated with new data from an external source.

As per McAfee researchers report, the hacking group has started using DDE in a word document with the file name "IsisAttackInNewYork.docx". The hackers used DDE to launch a PowerShell script that lands to a URL and downloads an implant named Seduploader, which automatically fetches information about victims.

In the email attack scenario, an attacker could influence the DDE protocol by sending a specially customized file to the user and compelling him to open the file, mainly by the way of enticement in an email.

Before to this, the Dynamic Data Exchange attack was being used by cybercriminal groups. Sensepost researchers grab attention to the technique, which offered an alternative way to implant malware with macros. Sensepost reported this issue to the tech giant, Microsoft. However, Redmond thought it a feature and hence didn’t provide a patch in the October update.

The Fancy bear files that took the help of DDE were created on October 27 and shared with control server domains that were registered two days before.

Microsoft issues an advisory that if an attacker influence a user to open a document that make the use of DDE, the victim also need to disable Protected Mode and click through one or more additional prompts. The recommendation also points to instructions for administrators to enable DDE feature control keys that are saved in the registry.

The tech giant strongly encourages all the Office users to review the security-related feature control keys and to enable them for better protection from the Fancy Bear attacks. The advisory also include guide for disabling DDE from the inside of Office products. It shows that if DDE is disabled in Excel from the registry it may prevent the spreadsheets from automatically updating from a live feed.

If the users need them they have to start the feed manually. In the same way, Microsoft has provided instructions for disable this Dynamic Data Exchange in its Office.com/Setup Office applications, including Publisher, Word and Outlook, along with the description of the impact if this DDE is disabled.

Source: http://office.com-setupinstall.com/microsoft-issues-advisory-office-users-fancy-bear-attacks/

Lena Smith is the author of this article, she has written various articles on Technical issues.