Fancy Bear hacker crew Putin dirty RATs in Word documents emailed to govt orgs – report
Russian state-backed hacking crew Fancy Bear (aka APT28) is distributing malware-riddled files with a suggested link to the recent Lion Air crash in order to dupe government workers into downloading software nasties – and has developed a new remote-access trojan called Cannon, according to Palo Alto Networks. Researchers from …
COMMENTS
Thursday 22nd November 2018 17:44 GMT J. Cook
"I've always believed that if the US Government were ever to get really serious about Internet security, the top players in Microsoft's management hierarchy would find themselves handcuffed, blindfolded, led onto a tarmac within some obscure Air Force base, and shot." - the sig line from an old ASR post.
...Followed shortly by the chain over at Adobe that decided to bury a (crummy) scripting engine in the PDF reader.
Wednesday 21st November 2018 17:21 GMT Voland's right hand
Re: Sigh .... those Russians
Uncle Adolf started with fear mongering about Russians,
No he did not.
He started with fear mongering about COMMUNISTS and his first example was a BULGARIAN. That is where the "Obscure Balkan Subject" attribute comes from (something Bulgarians are very proud of and refer to themselves regularly as such).
The fear mongering about RUSSIANS is an essential dish in the national cuisine elsewhere. In other countries. Ones that make money out of it. To the tune of up to a quarter of their GDP from it.
Wednesday 21st November 2018 13:27 GMT MacroRodent
Here we go again
The stupidity of allowing macros in docs to do arbitrary things (handling other data than the document itself) was apparent already more than 20 years ago, but still MS Word continues to support it. Attacks like this just would not work, if the macros were sandboxed properly.
Wednesday 21st November 2018 15:50 GMT Death_Ninja
Re: Here we go again
But the document will also tell you that you can't see the content unless you click "enable macros"...
Now obviously that would be a big red flag to switched on guys and gals, but you'd be surprised how many will accept the offered choice when they can't see what it is they are getting...
Wednesday 21st November 2018 18:45 GMT Mark 85
Re: Here we go again
Now obviously that would be a big red flag to switched on guys and gals, but you'd be surprised how many will accept the offered choice when they can't see what it is they are getting...
It should be but isn't. Seems most people will open it out of curiosity. Techies (or semi-techies), according to a recent article here at El Reg, are even worse because "we has skills"....
Wednesday 21st November 2018 16:05 GMT Peter2
Re: Here we go again
15 years ago with Office 2003, Microsoft implemented a macro security setting called "high", which disables all macros other than ones with a digital signature on a predefined list. This was IIRC later renamed to "Disable all macros, except digitally signed macros" in Office 2007, 2010, 2013 & 2016.
You can force this on or off via group policy via a set of (free) extensions available free of charge from Microsoft's website and it takes what, 5 minutes to download and configure?
Is there anybody out there who hasn't actually enabled this, and the other security settings? I kind of assume the answer is "yes" otherwise "advanced" hackers wouldn't be using this sort of attack, but seriously WTF guys?
Thursday 22nd November 2018 04:58 GMT MacroRodent
Re: Here we go again
> 15 years ago with office 2003, Microsoft implemented a macro security setting called "high", which [...]
But the results are already in: The continued success of Word macro attacks shows this approach does not work in practice. For getting any security, macros need to be seriously restricted, or the feature removed entirely.
Thursday 22nd November 2018 09:46 GMT Peter2
Re: Here we go again
But the results are already in: The continued success of Word macro attacks shows this approach does not work in practice. For getting any security, macros need to be seriously restricted, or the feature removed entirely.
What it demonstrates is that in practice, people leave the settings on the default setting of "medium" or its updated equivalent, which warns the end user but allows them to activate macros when they click one button.
Organizations then expend considerable time and money training people not to click the button. I would argue that this approach "does not work in practice", whereas forcing macros to "off" unless they are appropriately signed by an approved internal certificate demonstrably does in fact completely prevent this entire class of attack.
While personally I think this setting ought to be the default from installation, changing it to a setting I consider to be more appropriate at network level takes less than 5 minutes and then can't be changed by the end user.
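An added example, not code from the thread or from Microsoft, that audits the setting Peter2 describes: Office stores the macro security level as the DWORD VBAWarnings under the per-application Security key, and a copy under the Policies hive (written by the Group Policy ADMX templates) overrides whatever the user picks in the Trust Center. The script assumes the standard Office registry paths and the documented value meanings (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification); the version list and the treatment of a missing value as the "medium" default are assumptions about the installed Office builds.

```powershell
# Audit the effective macro security level for Word, Excel and PowerPoint on this host.
# Policy value (HKCU\Software\Policies) wins over the user's own value (HKCU\Software\Microsoft);
# no value at all is assumed to mean the default, "Disable with notification" (2).
$Apps     = 'Word', 'Excel', 'PowerPoint'
$Versions = '16.0', '15.0', '14.0'   # assumed: Office 2016/2019/365, 2013, 2010
$Meaning  = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification (one-click "Enable Content", the medium default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App, [string]$Version)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    foreach ($src in @(@{ Path = $policyKey; Source = 'Policy (locked)' },
                       @{ Path = $userKey;   Source = 'User (changeable)' })) {
        $v = (Get-ItemProperty -Path $src.Path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            return [pscustomobject]@{ App = $App; Version = $Version; Source = $src.Source
                                      Value = [int]$v; Meaning = $Meaning[[int]$v] }
        }
    }
    # Nothing set anywhere: report the assumed default.
    [pscustomobject]@{ App = $App; Version = $Version; Source = 'Default'; Value = 2; Meaning = $Meaning[2] }
}

$results = foreach ($ver in $Versions) {
    # Only report Office versions that are actually present for this user.
    if (Test-Path "HKCU:\Software\Microsoft\Office\$ver") {
        foreach ($app in $Apps) { Get-MacroSetting -App $app -Version $ver }
    }
}
$results | Format-Table -AutoSize

# Anything below 3 still lets the user run an unsigned macro with one click.
$weak = $results | Where-Object { $_.Value -lt 3 -or $_.Source -notlike 'Policy*' }
if ($weak) {
    $list = ($weak | ForEach-Object { "$($_.App) $($_.Version) [$($_.Source)]" }) -join ', '
    Write-Warning "Macro setting not enforced at 'disable except signed' or stricter for: $list"
}
```

Run it under the user account being audited; a clean result shows every row with Source "Policy (locked)" and Value 3 or 4.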
Wednesday 21st November 2018 19:54 GMT bombastic bob
Re: Here we go again
"Attacks like this just would not work, if the macros were [sandboxed] DISABLED properly." Fixed it for ya.
Also, gummints should just STOP using Micro-shaft office stuff. Just stop. A 'hardened' version of Libre Office, blessed and maintained by the nation's intelligence and security agencies, would be an ideal replacement.
And "click to open" from an e-mail? How about PLAIN TEXT ONLY on e-mails, and no auto-view inline attachments, either. And mail servers AUTO-STRIPPING attachments that can be executed from ALL e-mails going into their department's e-mail server.
(or maybe they're already doing that and the attack ain't so "Fancy"... ?)
Being hit by 20-year-old exploits like WORD MACROS would be an EMBARRASSMENT.
Wednesday 21st November 2018 14:30 GMT Anonymous Coward
why can't anyone do anything fun
Like the modern equivalent of a TSR, that hides for 6 months or a year and then renames every file to something random. Written in some cross-platform code, and given plenty of time to propagate by multiple channels. Polymorphic with a random timer.
It seems all the stuff I hear about is easily detectable, easy to mitigate, and is too aggressive to spread to a wide audience.
Who needs your data, or your money, when you can easily cause widespread FUD, costing trillions.
Wednesday 21st November 2018 15:26 GMT amanfromMars 1
Deep See Drilling ...... for Fine Friends in the Despond of Phantom Foe and Terrified Enemy
Russian state-backed hacking crew Fancy Bear (aka APT28)
Care to personally identify accurately Russian state actors? Are they of monied peasant stock and/or oligarchic ...... post modern aristocratic and virtually autocratic?
And, furthermore, does ....
APT28, referred to by Palo Alto in its report as Sofacy, is a Russian state-backed hacker crew that is increasingly well known by Western cybersecurity firms and state organisations. The group is active and prolific, cranking out new strains of malware that keep the infosec sector on its toes.
.... keep the military industrial complex solvent? That easily suggests enemies can never be who you are led to believe, whenever home grown.
Wednesday 21st November 2018 21:42 GMT Cliff Thorburn
Re: Deep See Drilling ...... for Fine Friends in the Despond of Phantom Foe and Terrified Enemy
.... keep the military industrial complex solvent? That easily suggests enemies can never be who you are led to believe, whenever home grown.
How very true amfM, they try very hard to create a Goat, simply connect the dots ...
Saturday 24th November 2018 21:46 GMT PaulAb
All together now!! a 1 and 2 and 3....
There lived a certain man in Russia about now
He was big and strong, in his eyes a flaming mad glow
Most people looked at him with terror and with fear
But to Moscow politicos he was such a lovely dear
He could preach the bible like a biker
Full of ecstasy and fire
But he really should wear a shirt
He looks a right wanker
Ra ra ras Putin
Lover of his Russian team
There was a cat that really was gone
Ra ra ras Putin
Russia's greatest mad machine
It was a shame how he carried on
He ruled the Russian land and never mind the czar
But shirtless he danced really wunderbar
In all affairs of state he was the man to please
But he was real great when he had a country to squeeze
For the team he was no wheeler dealer
Though they'd heard the things he'd done
They believed he was a nutcase
Who could drop a bomb…
Chorus, all together now
Available for parties and gatherings, lycra shorts and fluffy collars included