Threat Actors Pivot After Microsoft Macros Decision
Keeping abreast of changes in the marketplace, constantly fine-tuning your plans to capitalize on news and events that affect your revenue potential — these activities aren’t limited to just high-performing businesses in the corporate world. The criminal element follows the same playbook.
Hackers, malware authors, and nation-state attackers — at least the successful ones — continually reevaluate and shift their TTPs (tactics, techniques, and procedures), transforming their operations as needed to minimize risk and maximize returns.
This post looks at recent pivots by those using macros as a threat vector, showing how some hackers revisit more exotic tricks from days past to catch victims unaware.
Macros and a Rapid Threat Actor Pivot
In a recent BlackBerry blog, we covered Microsoft’s on-off-on-again relationship with blocking Visual Basic for Applications (VBA) macros by default. Employees typically use these macros with Microsoft® Office files, such as Word or Excel®, to streamline workflows, automate repetitive tasks and generally improve their productivity. With the Office suite of products nearly ubiquitous in commercial organizations, threat actors naturally seek ways to leverage that huge global user base as a launching ground for cyberattacks. Adding malicious scripts and payloads in macros has been a staple of that approach for many years.
Microsoft recently phased in a new approach of blocking these macros by default. In a way, the company shrank a piece of the Office-related attack surface with this move. Attackers responded by adjusting their tactics to exploit other potential points of entry, including weak spots in traditional detection methods.
Seasoned hackers seem well acquainted with the adage, “When God (or Microsoft) closes a door, they open a Window(s)…”
What Did Threat Actors Try Next?
After Microsoft’s macro announcement, some attackers immediately pivoted to using file types that victims are less likely to be familiar with, such as LNK, RAR, and ISO files. Less familiar file extensions are less likely to be stopped by current security products, and people are more apt to run them, unaware of the potential consequences.
For example, a threat actor may send someone a malicious .RAR archive, describing it as containing a photo — perhaps from a friend’s or a colleague’s summer vacation. Once the victim opens the archive file, the attacker gains access to their device. Similarly, they may be able to fool victims into thinking that a malicious LNK file links to a legitimate information source, or that an ISO file is an optical disk image that contains a desirable application to be installed. Attackers can choose from a long list of file types that seem just plausible enough to fool a trusting victim.
How Can You Mitigate Risk from These Attacks?
As attackers shift their tactics to address ever-changing defense techniques, there are ways you can lessen this risk and protect against the “next big thing” in the threat landscape.
Estimates indicate that around 90% of reported cyberattacks that result in successful data breaches, malware infections, and ransomware deployments rely on a single threat vector: phishing or spam emails containing malicious files or links.
Training users to identify and report these types of attacks fundamentally reduces the success rate for threat actors targeting your organization. However, we humans are fallible creatures, and even a well-educated workforce needs help from technology to reduce risk factors.
If you’re concerned about links and attachments making their way through corporate email servers, you could take a “whitelist” approach, blocking all but a few approved attachment types in inbound emails originating from outside the company domain. Password-protected archive files might be one possible exception, for example.
Additionally, some organizations set up a process giving the recipient another chance to think about the source of the link or attachment, such as a popup window asking, “Do you trust links and attachments from this sender?”
Both of these approaches can help establish informed consent before opening files, reducing the risk of users absentmindedly clicking on them.
Also, BlackBerry customers can utilize the Script Control feature in our Cylance® AI-based CylancePROTECT® endpoint protection platform (EPP) solution. Script Control allows administrators to enable appropriate scripts on appropriate systems, while disabling all other scripts (unsafe/unauthorized) for the rest of the enterprise. You might think of it as script-specific whitelisting on a system-by-system basis.
In addition, CylanceOPTICS®, the BlackBerry® EDR (endpoint detection and response) platform, uses its Context Analysis Engine to block scripts that exhibit unexpected or unwelcome behaviors, such as downloading files and storing them in non-approved directories, or PowerShell scripts that launch encoded commands, which can hide malicious intent.
Malicious Macro Attacks: What Is Next?
The reason that Office files are so incredibly popular with attackers is the power and scope of these files. While most of us just think of them as fancified word processor or spreadsheet files, they have more in common with archive files. Their structure allows a wide variety of different content types to be embedded — including a powerful scripting language (VBA). It would be reasonable for a user to assume that this scripting language is limited to functionality within the Office file you’re working on, but unfortunately, that’s not the case. VBA allows you to directly call a vast range of programs and commands already built into your operating system, providing a “target-rich” environment for threat actors.
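The following is an added example, not code from this post or from any BlackBerry product, that ties together two of the points above: the attachment allowlist for mail from outside the company domain, and the fact that Office files are archives whose members can be inspected for a VBA project. The corporate domain, the allowlist, and the in-memory OOXML samples are constructed assumptions for the demonstration.

```python
import io
import zipfile

# Assumed corporate domain and allowlist (constructed for this example).
INTERNAL_DOMAIN = "example.com"
ALLOWED_EXTERNAL_EXT = {".pdf", ".txt", ".docx", ".xlsx", ".pptx", ".png", ".jpg"}
# Container and shortcut types the post names as post-macro pivots, plus close relatives.
CONTAINER_EXT = {".lnk", ".rar", ".iso", ".zip", ".7z", ".img", ".vhd"}
# OOXML zip members that hold the VBA project in macro-enabled Word/Excel/PowerPoint files.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def outer_extension(filename: str) -> str:
    """Last extension, lowercased: 'photo.jpg.lnk' -> '.lnk' (double extensions are common lures)."""
    name = filename.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip (OOXML) file carrying a VBA project, whatever the file is named."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(m in zf.namelist() for m in MACRO_MEMBERS)
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all


def triage_attachment(sender: str, filename: str, data: bytes) -> str:
    """Return 'allow', 'block' or 'prompt' for one inbound attachment."""
    external = sender.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    ext = outer_extension(filename)
    if has_vba_project(data):
        return "block"   # macro-enabled content, even when renamed to .docx
    if external and ext in CONTAINER_EXT:
        return "block"   # LNK/RAR/ISO and similar from outside the domain
    if external and ext not in ALLOWED_EXTERNAL_EXT:
        return "prompt"  # unfamiliar type: ask the recipient whether they trust the sender
    return "allow"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip, used only as sample input here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()
```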
Office files with macros remain a very powerful and convenient attack vector, but they’re far from the only option. Now that macros are being blocked by default, a logical next step is for threat actors to switch to using other types of scripts in other types of archive files — but it won’t stop there. It may take a little time for threat actors to evolve their TTPs and probe for new chinks in our armor, possibly giving us a brief window of opportunity to get ahead of them.
But I wouldn’t count on it.