Cocky Young ‘Locky’ Ransomware Targets Elderly Windows DDE Weakness

By Lewis Henderson, December 20, 2017 (updated December 30, 2021)
A vulnerability in Windows that has been around for decades is being exploited by the hackers behind a new version of the infamous Locky ransomware.

The weakness has been apparent since the 1980s, but Microsoft has publicly stated that it will not address it by removing the feature, which leaves the new attacks undetectable by traditional cyber security software.

The hackers are exploiting Microsoft’s Dynamic Data Exchange (DDE), a feature that allows the transfer of data between Windows applications and is almost exclusively used to point to data sources inside a network. DDE is being subverted to distribute ‘weaponised’ Office files posing as legitimate documents such as invoices. All an unsuspecting member of staff has to do is open the innocent-looking attachment, and the organisation’s entire database is compromised.

The problem is that DDE dates back to the pre-internet days and allows today’s cybercriminals to instantly execute links in a document once a victim opens it. Microsoft has replaced DDE with the more modern Object Linking and Embedding (OLE) technology, but has said it will continue to support DDE and will not remove it as an Office document feature despite its highly-effective exploitation by cyber criminals.

Since DDE continues to be a legitimate feature, it needs to be surgically removed from incoming files, which is beyond the capability of traditional anti-virus or security scanning systems. The only solution is a patented file-regeneration process which filters out files containing this feature, along with other new and emerging threats.
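The DDE and DDEAUTO field codes described above live inside the XML of a modern Office document, so a defender can parse for them rather than relying on signature matching. The following is an added example (not the author’s or any vendor’s code) that inspects the WordprocessingML field structure of a .docx; the sample documents are constructed in memory with placeholder field arguments, and joining the instruction runs matters because the keyword is routinely split across several runs.

```python
"""Scan a .docx for DDE/DDEAUTO field codes (added example, not the article's code)."""
import io, re, zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Instructions are often split over several w:instrText runs, so match the joined text.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def field_instructions(part_xml: bytes) -> list[str]:
    """Return every field instruction string in one WordprocessingML part."""
    found, current = [], []
    for el in ET.fromstring(part_xml).iter():  # document order
        if el.tag == W + "fldChar":  # complex field begin/separate/end markers
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end":
                found.append("".join(current))
        elif el.tag == W + "instrText":
            current.append(el.text or "")
        elif el.tag == W + "fldSimple":  # simple inline field
            found.append(el.get(W + "instr", ""))
    return found

def scan_docx(data: bytes) -> list[str]:
    """Return the DDE field instructions found in a .docx; empty means clean."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits += [i.strip() for i in field_instructions(zf.read(name))
                         if DDE_RE.search(i)]
    return hits

def build_docx(body_xml: str) -> bytes:
    """Wrap a body fragment in a minimal in-memory .docx (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    return buf.getvalue()

# Constructed samples: a benign invoice, and a DDEAUTO field split across two runs
# (which defeats naive substring matching); the field arguments are placeholders.
CLEAN_DOCX = build_docx("<w:p><w:r><w:t>Invoice 4711</w:t></w:r></w:p>")
DDE_DOCX = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO "placeholder-app" "placeholder-arg" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
```

Run against a mail gateway’s quarantined attachments, a non-empty result from `scan_docx` is the signal to hold or sanitise the file rather than deliver it.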

Phishing and ransomware attacks succeed as a result of staff members opening attachments or links that deliver malware. An email file protection platform that integrates seamlessly with a company’s existing security architecture will provide a ‘last line of defence’ that proactively manages the risk email attachments pose to the organisation. Users open secure email attachments without fear of malware or ransomware, and the organisation carries on without disruption from cyber threats.

Windows’ underlying DDE security flaw now affects almost every organisation whose users receive email attachments. Only a tiny percentage – those using cloud-based computing such as O365 – remain largely unaffected. Already there are reports of ransom demands being made following successful breaches in which Locky exploited Windows’ DDE vulnerability.

Industry estimates put ransomware damage costs at around US$5 billion a year, predicted to exceed US$11.5 billion annually by 2019. Even this could be an underestimate, since the full scale of the problem is difficult to gauge: few companies report successful ransomware attacks for fear of frightening off customers and investors.

And there is growing case evidence that ransomware attacks and outbreaks are becoming increasingly ambitious. Exactly a year ago, a ransomware attack hit San Francisco’s public transport system, infecting over 2,000 of the Municipal Transport Agency (MTA)’s computers. The affected systems included administration computers, email and print servers, payroll systems, databases, staff terminals and publicly visible station kiosk PCs – there was no hiding the effect of the ransomware from the citizens of San Francisco, who went viral on Twitter sharing pictures of infected computers displaying the message: “You Hacked, ALL Data Encrypted, Contact For Key ([email protected]) ID:601”.

Rather than meet the 100 Bitcoin (US$73,000) ransom demand for the decryption key, the MTA opened the transport system’s fare gates and immediately contacted the Department of Homeland Security. But although the MTA behaved in an exemplary fashion by refusing to give in to the cyber criminals, organisations forced to pay a ransom often hide the fact. The financial industry, for instance, has long been a target for all varieties of ransomware, but the banks have not been obliged to reveal data breaches.

However, from May next year the situation is set to alter radically with the introduction of the European Union (EU)’s General Data Protection Regulation (GDPR). Despite Brexit, the UK has agreed to comply with the GDPR. Among other things, GDPR makes it mandatory to report significant cyber breaches immediately. Failure to do so leaves the firm concerned liable to a draconian fine of up to four per cent of the company’s global turnover. Organisations need reminding of this so that they do not just lazily follow ‘best practice’ but proactively seek out new and innovative technologies to stay ahead of attackers.

Recent high-profile hacks that the affected companies sat on for some time, such as Uber’s and the recently revealed Equifax breach, which compromised the details of at least 700,000 UK consumers, would potentially have made those companies liable for fines in the hundreds of millions had the breaches taken place after May next year. If it had appeared that they had not taken sufficient cyber security precautions, or had not disclosed the breach quickly enough, the results could have been devastating. In Equifax’s case, the fine would have been as high as US$126 million; in Uber’s case, as high as US$260 million. In addition to the fiscal and reputational damage, organisations failing to comply with GDPR could also see jail sentences handed out to the executives held responsible.

There is now an increasing focus on DDE vulnerabilities, which will make it hard for the executives of firms breached in this way, or forced to pay a ransom, to plead ignorance of such a glaring and well-reported security weakness. Microsoft, for example, recently tweeted a warning that cyber criminals might be using DDE to deliver malware during the Christmas online shopping season.

Companies wishing to avoid future variants of ransomware can no longer rely on cyber breach recovery programmes alone as a form of insurance. What we all consider best practice must change to include proactive measures that secure an organisation against damaging breaches before they detonate. There is no option now but to actively innovate and employ solutions that sanitise all incoming email attachments, particularly those exploiting Windows’ DDE weakness.


Lewis Henderson, VP Threat Intelligence


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
