How hackers use Microsoft Excel against itself
Hello, Habr! I present to you the translation of the article "How Hackers Turn Microsoft Excel's Own Features Against It" by Lily Hay Newman.

Elena Lacey, Getty Images
For many of us, Microsoft Excel is surely a boring program. It can do a lot, but it is still no Apex Legends. Hackers look at Excel differently. For them, Office 365 applications are one more attack vector. Two recent findings clearly demonstrate how a program's native functionality can be turned against it.
On Thursday, experts at Mimecast, a cyber-threat company, described how the Power Query feature built into Excel can be used to mount attacks at the operating-system level. Power Query automatically collects data from specified sources, such as databases, spreadsheets, documents or websites, and inserts it into a spreadsheet. This feature can be abused if the linked website hosts a malicious file. By sending out such specially prepared spreadsheets, hackers hope to eventually gain system-level rights and/or the ability to install backdoors.
“Attackers don’t need to invent anything, just open Microsoft Excel and use its own functionality,” says Mimecast CEO Meni Farjon. “This method is also 100 percent reliable. The attack is relevant on all versions of Excel, including the latest, and will probably work on all operating systems and programming languages, because we are not dealing with a bug, but with a function of the program itself. For hackers, this is a very promising area.”
Farjon explains that as soon as Power Query establishes a connection with a fake site, attackers can use Dynamic Data Exchange (DDE). Windows applications use this protocol to exchange data with one another. Programs are usually severely limited in rights, and DDE acts as an intermediary for the exchange. Attackers can place DDE-compatible instructions for the attack on the site, and Power Query will automatically load them into the spreadsheet. Other types of malware can be delivered in the same way.
However, before the DDE connection is established, the user must approve the operation. Most users agree to every prompt without reading it, which is why the percentage of successful attacks is high.
In the "Security Report" in 2017, Microsoft already offered solutions, for example disabling DDE for specific applications. However, the kind of attack found by Mimecast involves code execution on devices that do not have the option to disable DDE. After the company reported the vulnerability in June 2018, Microsoft replied that it was not going to change anything. Farjon says that they waited a whole year before telling the world about the problem, hoping that Microsoft would change its position. Although there is as yet no evidence that attackers are using this type of attack, it is difficult to notice because of the nature of its behavior. “Most likely, hackers will take this opportunity, unfortunately,” says Farjon. “This attack is easy to implement, it’s cheap, reliable and promising.”
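Because this kind of workbook is hard to spot by behavior alone, a defender can triage files statically before they are opened. The following is an added example, not code from the article, Mimecast or Microsoft: it treats a workbook as a ZIP archive and flags DDE links, Power Query connections and macro storage. The part names and marker strings it checks are assumptions about how Excel commonly stores these features, and the sample file is constructed with placeholder values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _elements(raw, wanted):
    """Yield elements with this local name; refuse parts that declare a DTD."""
    if b"<!DOCTYPE" in raw.upper():  # OOXML parts need no DTD; avoids entity-expansion tricks
        raise ET.ParseError("DTD not expected in an OOXML part")
    for el in ET.fromstring(raw).iter():
        if el.tag.rsplit("}", 1)[-1] == wanted:  # ignore the XML namespace prefix
            yield el

def scan_workbook(data):
    """Return (kind, part, detail) findings for one .xlsx/.xlsm given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):  # macro storage (assumed part name)
                findings.append(("vba-macros", name, ""))
            if not low.endswith(".xml"):
                continue
            raw = z.read(name)
            try:
                if low.startswith("xl/externallinks/"):  # DDE links are external links
                    for el in _elements(raw, "ddeLink"):
                        findings.append(("dde-link", name, f"{el.get('ddeService')}|{el.get('ddeTopic')}"))
                elif low == "xl/connections.xml":  # Power Query uses the Mashup provider
                    for el in _elements(raw, "dbPr"):
                        conn = el.get("connection") or ""
                        if "microsoft.mashup" in conn.lower():
                            findings.append(("power-query-connection", name, conn))
                elif low.startswith("customxml/") and b"DataMashup" in raw.replace(b"\x00", b""):
                    findings.append(("power-query-mashup", name, ""))  # NULs stripped for UTF-16
            except ET.ParseError:
                findings.append(("unparseable-part", name, ""))  # suspicious in itself
    return findings

def build_sample():
    """Constructed, inert skeleton with placeholder values (not a real workbook)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/externalLinks/externalLink1.xml", f'<externalLink {ns}>'
                   '<ddeLink ddeService="EXAMPLESVC" ddeTopic="example-topic"/></externalLink>')
        z.writestr("xl/connections.xml", f'<connections {ns}><connection id="1">'
                   '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Location=q"/></connection></connections>')
        z.writestr("customXml/item1.xml", "<DataMashup>AAAA</DataMashup>")
    return buf.getvalue()
```

A finding is a reason to inspect the workbook before opening it, not proof of malice: legitimate spreadsheets also use Power Query and macros.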
In addition, Microsoft’s own security team warned last week that cybercriminals were actively using another Excel feature that gave them access to the system even with all the latest patches installed. This type of attack uses macros and targets Korean users. Macros have been causing problems for Word and Excel for years. They are a set of programmable instructions that can make work easier, but can also cause trouble when used in ways the developers did not intend.
It is clear that Office 365 users want to see more and more new features, but each new component of the program carries potential risks. The more complex the program, the more potential attack vectors it offers hackers. Microsoft said that Windows Defender is able to prevent such attacks because it knows what to look for. But the Mimecast findings serve as one more reminder that there are always workarounds.
“Getting into an organization’s network is becoming increasingly difficult using traditional methods,” says senior security guard Ronnie Tokazowski of the email security firm Agari. “If you don’t even need to break anything for a successful attack, then you’ll go further along the path of least resistance, and the Windows version does not matter.”
Microsoft said both macros and Power Query are easily managed at the administrator level. Group Policy lets you configure their behavior for all devices in your organization at once. But if a built-in feature has to be disabled to keep users safe, the question arises: “Is it needed?”
