According to the companies that develop the most effective corporate endpoint protection solutions, 70% of threats come from malicious Office documents. The main companies that deal with computer security publish reports whose conclusions appear very similar: the main sources of infection in companies have become malicious Office documents.
Kaspersky experts explain that cybercriminals use web vulnerabilities much less, especially for targeted attacks, while preferring to exploit vulnerabilities in the Microsoft Office suite.
In the last months of 2018, Office became the preferred attack vector with 70% of the total, while two years ago, the percentage was at most 16%. The attack surface that distinguishes Office is, in fact, extremely broad.
There are many formats that the Microsoft suite manages, many possible interactions with the operating system and other software, and many technologies that users can use. Since last year, the number of zero-days has increased significantly in the case of Office, a clear sign of renewed interest by cybercriminals for the Microsoft Home suite. Kaspersky observes how attackers prefer logical errors and how the various security holes are quickly inserted into automatic tools available on the net, which allows “packaging” malicious Office documents.
The Russian experts point out that the vulnerabilities discovered at the time in the equation editor of Office (identifiers CVE-2017-11882 and CVE-2018-0802) remain today the most exploited of all (see the article "Vulnerability in all versions of Office allows executing malicious code and stealing other people's passwords with a simple Word document").
Kaspersky points out that unless users update Office (therefore, the problem related to the reluctance to install updates on all systems used in the enterprise persists), the vulnerabilities identified in the equation editor work on all versions of Word issued in the last 17 years.
Furthermore, exploiting these gaps does not require particular technical skills. Moreover, none of the most exploited vulnerabilities affects Office itself but rather software components connected to it.
The company founded by Eugene Kaspersky also cites the interesting example of the CVE-2018-8174 vulnerability: the exploit code was identified in a malicious Word document used to carry out targeted attacks, but the vulnerability concerns the old Internet Explorer. In other words, the Word document is used as leverage to execute malicious code on the user's machine by forcing Internet Explorer to load the malicious content, regardless of which web browser is configured as the default.
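A defender-side triage check for incoming documents, added here as an example and not taken from the Kaspersky report or the article: it inspects the zip structure of an OOXML file for the carriers discussed above, namely VBA macro projects, embedded OLE objects and an embedded Equation Editor object (ProgID Equation.3). The sample document it builds is constructed in memory for the demonstration, not a real malicious file.

```python
import io
import re
import zipfile

# Part names follow the OOXML package layout (word/, xl/, ppt/ folders).
MACRO_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.I)
EMBEDDED_PART = re.compile(r"^(word|xl|ppt)/embeddings/.+\.bin$", re.I)
# ProgID of an embedded OLE object as declared in the XML parts;
# Equation.3 is the legacy Equation Editor targeted by CVE-2017-11882.
PROGID = re.compile(r'ProgID="([^"]+)"')
SUSPECT_PROGIDS = {"equation.3"}


def triage_ooxml(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML package (not a zip file)"]
    with zf:
        names = zf.namelist()
        for name in names:
            if MACRO_PART.match(name):
                findings.append(f"VBA macro project: {name}")
            elif EMBEDDED_PART.match(name):
                findings.append(f"embedded OLE object: {name}")
        # ProgIDs live in XML parts such as word/document.xml
        for name in names:
            if not name.lower().endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for progid in PROGID.findall(xml):
                if progid.lower() in SUSPECT_PROGIDS:
                    findings.append(f"embedded {progid} object declared in {name}")
    return findings


def build_sample_docx(with_equation: bool) -> bytes:
    """Constructed minimal docx for testing; optionally declares an Equation.3 object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:document><w:body><w:p/></w:body></w:document>"
        if with_equation:
            body = ('<w:document><w:body><w:p><o:OLEObject Type="Embed" '
                    'ProgID="Equation.3" r:id="rId5"/></w:p></w:body></w:document>')
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in (False, True):
        print(flagged, triage_ooxml(build_sample_docx(flagged)))
```

A mail gateway or endpoint agent would run such a check before the document reaches the user and quarantine anything with findings for sandbox analysis.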
How To Block Attacks Using Malicious Office Documents
Given the large-scale diffusion of attacks that exploit security flaws that gradually emerged in the various versions of Office, it is important to adopt some precautions to avoid problems that could cause the theft of confidential information and loss of data and money. The main companies that develop IT security solutions make advanced tools for protecting endpoints available to customers.
The concept of security must go hand in hand with prevention, detection, and response. In the company today, it is essential to use a centralized approach for the timely detection and blocking of any threats. Some threats are designed for large-scale attacks (think of ransomware that targets as many users as possible for ransom money). Still, Advanced Persistent Threat (APT) attacks, designed to target a single professional or a specific enterprise, are unfortunately more and more
Even those who use advanced antivirus and antispam solutions on the server side will certainly have noticed that phishing messages sometimes arrive on the workstations of employees and collaborators, inviting them to open malicious attachments. More and more often (it often happens to us, too), cybercriminals use cunning techniques to capture the attention of email recipients by inserting in the message references, written in Italian, to the company's activities, procedures, and flow of information.
This is called spear phishing because the attackers, in an attempt to persuade the user to open a malicious attachment, provide information that appears legitimate and relevant. An employee's carelessness in opening a malicious file attached to an email can have serious consequences for businesses and government agencies. Suppose the local network is not configured correctly, for example, by isolating the devices that provide critical functions and managing permissions properly.
In that case, an attacker can exploit the individual workstation of the employee to make his way into the LAN and its shared resources. With stolen data, criminals can obtain commercially sensitive information, engage in industrial espionage, cause damage, steal money, and much more. Some practical steps to block APT attacks and prevent the use of Office documents as leverage to attack the company are the following:
Information And Training
Employees, above all, should be aware of the dangers. They should realize that malicious messages containing dangerous attachments or links might appear in their mailboxes.
Secure Your Endpoints
A good security solution for individual endpoints already protects against most threats (commodity malware). Choosing a good anti-malware solution that can check the behavior of each file opened on the system is essential.
Management Of Account Permissions And Shared Resources
In the company, you should never provide employees and collaborators with user accounts that have administrative rights. In this regard, it is essential to check that each user can access only the shared resources within their exclusive competence. It is also advisable to check that no resources are accessible on the LAN without a password or with generic credentials known to more or less large groups of users.
Adopt An Effective Backup Policy
Users, especially employees and contractors, should never be able to access the contents of the NAS or server used for data backup. Or rather, they may access the most recent backup versions but not the previous versions of the same files. In the articles Backup, the best strategies to protect data; OpenMediaVault, what it is and how to build a NAS yourself; and What it is and how Synology Active Backup for Business works, we presented several solutions to effectively manage data versioning and activate deduplication, reducing the space required for storing backup copies.
Use A Product With A Centralized Endpoint Management Panel
Advanced local network and endpoint health monitoring software tools offer heuristic capabilities to detect multiple threats, including those delivered through malicious Office documents. After an initial analysis, the most advanced solutions load suspicious files into a sandbox to intelligently verify their behavior and unmask dangerous objects. Kaspersky Endpoint Security for Business has useful features for detecting threats in transit on the local network.
Similar solutions are Sophos Endpoint Protection, BitDefender GravityZone (Bitdefender against new, increasingly complex threats), and Malwarebytes Endpoint Protection (Malwarebytes protects individual PCs and the entire corporate network from a single cloud panel). F-Secure provides a Rapid Detection & Response service that helps companies deal with cyber-attacks before, during, or after the event.
Proper Handling Of Vulnerabilities
Asset discovery and vulnerability scanning tools help minimize the attack surface by identifying critical vulnerabilities that can be exploited. Companies often use outdated operating systems and applications, which contain bugs that have already been fixed but for which the corresponding patches have yet to be installed. Windows patch management using WSUS (Windows Server Update Services) is a great solution.
Still, tools that help inventory the software installed on each endpoint (including third-party software) and take action by installing security updates prove very useful in protecting against the risk of attack (see Windows Defender ATP: a single panel to control device security). Particular attention must also be paid to updating the firmware of devices constantly connected to the network, which may be reachable and accessible from the outside (routers, NAS, security cameras, IoT devices,…).
If not properly protected, these devices can act as a “bridgehead” to attack the entire corporate infrastructure. F-Secure Radar is a vulnerability management solution proposed by the Finnish company. It makes it possible to minimize the attack surface by identifying critical vulnerabilities that malicious parties can exploit.
Segment The Network And Separate Critical Systems
It is essential to examine and possibly rethink the structure and configuration of the network by verifying which services the company exposes, segmenting the LAN where necessary, and isolating the most critical systems. The corporate network and the devices connected to it should be impenetrable from the outside and usable only after activating a secure VPN.
By way of example, it should be the NAS server that pulls data from the shared resources and creates the file backups (keeping previous versions appropriately), while the individual workstations should not push their data to the NAS.
When In Doubt, Scanning On VirusTotal Is Always A Good Approach
Compared to some time ago, when VirusTotal only used a certain set of scanning engines to analyze files, the tool has undergone an important evolution: today, sandboxes and artificial intelligence (as well as behavioral analysis) are used to ascertain "the identity" of a file and its potential danger (see VirusTotal: guide to using the service to check the identity of files).