Fancy Bear hacker crew Putin dirty RATs in Word documents emailed to govt orgs – report

Russian state-backed hacking crew Fancy Bear (aka APT28) is distributing malware-riddled files with a suggested link to the recent Lion Air crash in order to dupe government workers into downloading software nasties – and has developed a new remote-access trojan called Cannon, according to Palo Alto Networks. Researchers from …

  1. Anonymous Coward

    "I've always believed that if the US Government were ever to get really serious about Internet security, the top players in Microsoft's management hierarchy would find themselves handcuffed, blindfolded, led onto a tarmac within some obscure Air Force base, and shot." - the sig line from an old ASR post.

    1. J. Cook Silver badge

      "I've always believed that if the US Government were ever to get really serious about Internet security, the top players in Microsoft's management hierarchy would find themselves handcuffed, blindfolded, led onto a tarmac within some obscure Air Force base, and shot." - the sig line from an old ASR post.

      ...Followed shortly by the chain over at Adobe that decided to bury a (crummy) scripting engine in the PDF reader.

  2. naive

    Sigh .... those Russians

    Uncle Adolf started with fear mongering about Russians, it never stopped after.

    1. Valeyard

      Re: Sigh .... those Russians

      indeed... comrade ;)

    2. Bonzo_red

      Re: Sigh .... those Russians

      I dare say that a number of women and girls living in eastern Germany at the time would have said that he was right to have had concerns about Russia.

    3. Voland's right hand Silver badge

      Re: Sigh .... those Russians

      Uncle Adolf started with fear mongering about Russians,

      No he did not.

      He started with fear mongering about COMMUNISTS and his first example was a BULGARIAN. That is where the "Obscure Balkan Subject" attribute comes from (something Bulgarians are very proud of and refer to themselves regularly as such).

      The fear mongering about RUSSIANS is an essential dish in the national cuisine elsewhere. In other countries. Ones that make money out of it. To the tune of up to a quarter of their GDP from it.

  3. MacroRodent

    Here we go again

    The stupidity of allowing macros in docs to do arbitrary things (handling other data than the document itself) was apparent already more than 20 years ago, but still MS Word continues to support it. Attacks like this just would not work, if the macros were sandboxed properly.

    1. JohnG

      Re: Here we go again

      Although, if you open such a document in MS Office, you are going to get a message along the lines of "This file was downloaded from the Internet. Macros have been disabled". Macros won't run unless the user presses "Enable macros".

      1. Death_Ninja

        Re: Here we go again

        But the document will also tell you that you can't see the content unless you click "enable macros"...

        Now obviously that would be a big red flag to switched on guys and gals, but you'd be surprised how many will accept the offered choice when they can't see what it is they are getting...

        1. Mark 85

          Re: Here we go again

          Now obviously that would be a big red flag to switched on guys and gals, but you'd be surprised how many will accept the offered choice when they can't see what it is they are getting...

          It should be but isn't. Seems most people will open it out of curiosity. Techies (or semi-techies), according to a recent article here at El Reg, are even worse because "we has skills"....

      2. Peter2 Silver badge

        Re: Here we go again

        15 years ago with office 2003, Microsoft implemented a macro security setting called "high", which disables all macros other than ones with a digital signature on a predefined list. This was IIRC later renamed to "Disable all macros, except digitally signed macros" in office 2007, 2010, 2013 & 2016

        You can force this on or off via group policy via a set of (free) extensions available free of charge from Microsoft's website and it takes what, 5 minutes to download and configure?

        Is there anybody out there who hasn't actually enabled this, and the other security settings? I kind of assume the answer is "yes" otherwise "advanced" hackers wouldn't be using this sort of attack, but seriously WTF guys?

        1. MacroRodent

          Re: Here we go again

          > 15 years ago with office 2003, Microsoft implemented a macro security setting called "high", which [...]

          But the results are already in: The continued success of Word macro attacks shows this approach does not work in practice. For getting any security, macros need to be seriously restricted, or the feature removed entirely.

          1. Peter2 Silver badge

            Re: Here we go again

            But the results are already in: The continued success of Word macro attacks shows this approach does not work in practice. For getting any security, macros need to be seriously restricted, or the feature removed entirely.

            What it demonstrates is that in practice, people leave the settings on the default setting of "medium" or its updated equivalent, which warns the end user but allows them to activate macros when they click one button.

            Organizations then expend considerable time and money training people not to click the button. I would argue that this approach "does not work in practice", whereas forcing macros to "off" unless they are appropriately signed by an approved internal certificate demonstrably does in fact completely prevent this entire class of attack.

            While personally I think this setting ought to be the default from installation, changing it to a setting I consider to be more appropriate at network level takes less than 5 minutes and then can't be changed by the end user.
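            One way to check whether the setting described above is actually enforced on a machine, as an added PowerShell example (not posted in the thread and not Microsoft's own tooling): it reads the Office macro registry values that the Group Policy templates write. The Office version key "16.0" and the application list are assumptions; adjust them for other releases.

```powershell
# Added example: audit the effective Office macro policy on this machine.
# Assumes Office 2016/2019/365 (registry version "16.0"); 15.0 = 2013, 14.0 = 2010.
$OfficeVersion = "16.0"
$Apps = "Word", "Excel", "PowerPoint"

# VBAWarnings values used by the "VBA Macro Notification Settings" policy:
#   1 = Enable all macros
#   2 = Disable all with notification (the default "Enable Content" button)
#   3 = Disable all except digitally signed macros
#   4 = Disable all without notification
$Meaning = @{ 1 = "Enable all"; 2 = "Disable with notification"; 3 = "Disable except digitally signed"; 4 = "Disable all without notification" }

function Get-MacroPolicy {
    param([string]$App)
    # Values under the Policies hive are set by GPO and cannot be changed by the user;
    # values under the plain Office hive are the user's own Trust Center choice.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $source = "not set"
    $value  = $null
    foreach ($pair in @(@("policy", $policyKey), @("user", $userKey))) {
        $v = (Get-ItemProperty -Path $pair[1] -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { $source = $pair[0]; $value = [int]$v; break }
    }
    # "Block macros from running in Office files from the Internet" (Mark-of-the-Web rule).
    $motw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    [pscustomobject]@{
        App           = $App
        VBAWarnings   = $value
        Meaning       = if ($value) { $Meaning[$value] } else { "not set (behaves as 2)" }
        Source        = $source
        BlockFromWeb  = ($motw -eq 1)
        # True only when GPO forces "signed only" or "off": the state the comment argues for.
        EnforcedByGPO = ($source -eq "policy" -and $value -ge 3)
    }
}

$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

            A row with Source "user" or EnforcedByGPO False means the end user can still re-enable macros from the Trust Center, which is the gap the comment above describes.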

    2. bombastic bob Silver badge

      Re: Here we go again

      "Attacks like this just would not work, if the macros were sandboxed DISABLED properly."

      Fixed it for ya.

      Also, gummints should just STOP using Micro-shaft office stuff. Just stop. A 'hardened' version of Libre Office, blessed and maintained by the nation's intelligence and security agencies, would be an ideal replacement.

      And "click to open" from an e-mail? How about PLAIN TEXT ONLY on e-mails, and no auto-view inline attachments, either. And mail servers AUTO-STRIPPING attachments that can be executed from ALL e-mails going into their department's e-mail server.

      (or maybe they're already doing that and the attack ain't so "Fancy"... ?)

      Being hit by 20-year-old exploits like WORD MACROS would be an EMBARRASSMENT.

      1. Clarecats

        Re: Here we go again

        "Being hit by 20-year-old exploits like WORD MACROS would be an EMBARRASSMENT."

        Whereas using a word processor correctly would not be an embarrassment.

  4. mark l 2 Silver badge

    Another proof that MS will never make Word secure because of fears that doing so will break compatibility with macros. And if big business decides that there is no point in upgrading to the latest Office because it breaks their macros, then the whole MS business model around Office collapses.

  5. Anonymous Coward

    why can't anyone do anything fun

    Like the modern equivalent of a TSR, that hides for 6 months or a year and then renames every file to something random. Written in some cross-platform code, and given plenty of time to propagate by multiple channels. Polymorphic with a random timer.

    It seems all the stuff I hear about is easily detectable, easy to mitigate, and is too aggressive to spread to a wide audience.

    Who needs your data, or your money, when you can easily cause widespread FUD, costing trillions.

    1. Anonymous Coward

      Re: why can't anyone do anything fun

      We did. 2 years, 7 months, 13 days to go...

  6. amanfromMars 1 Silver badge

    Deep See Drilling ...... for Fine Friends in the Despond of Phantom Foe and Terrified Enemy

    Russian state-backed hacking crew Fancy Bear (aka APT28)

    Care to personally identify accurately Russian state actors? Are they of monied peasant stock and/or oligarchic ...... post modern aristocratic and virtually autocratic?

    And, furthermore, does ....

    APT28, referred to by Palo Alto in its report as Sofacy, is a Russian state-backed hacker crew that is increasingly well known by Western cybersecurity firms and state organisations. The group is active and prolific, cranking out new strains of malware that keep the infosec sector on its toes.

    .... keep the military industrial complex solvent? That easily suggests enemies can never be who you are led to believe, whenever home grown.

    1. Cliff Thorburn

      Re: Deep See Drilling ...... for Fine Friends in the Despond of Phantom Foe and Terrified Enemy

      .... keep the military industrial complex solvent? That easily suggests enemies can never be who you are led to believe, whenever home grown.

      How very true amfM, they try very hard to create a Goat, simply connect the dots ...

  7. _LC_

    Call Bloomberg immediately!

    Yup, I can confirm the validity of that signature:

    --- With respect, Comrade Putin. ---

    Call Bloomberg immediately!

  8. PaulAb

    All together now!! a 1 and 2 and 3....

    There lived a certain man in Russia about now

    He was big and strong, in his eyes a flaming mad glow

    Most people looked at him with terror and with fear

    But to Moscow politicos he was such a lovely dear

    He could preach the bible like a biker

    Full of ecstasy and fire

    But he really should wear a shirt

    He looks a right wanker

    Ra ra ras Putin

    Lover of his Russian team

    There was a cat that really was gone

    Ra ra ras Putin

    Russia's greatest mad machine

    It was a shame how he carried on

    He ruled the Russian land and never mind the czar

    But shirtless he danced really wunderbar

    In all affairs of state he was the man to please

    But he was real great when he had a country to squeeze

    For the team he was no wheeler dealer

    Though they'd heard the things he'd done

    They believed he was a nutcase

    Who could drop a bomb…

    Chorus, all together now

    Available for parties and gatherings, lycra shorts and fluffy collars included

  9. Tree

    Don't use Word

    OpenOffice or LibreOffice are great for Doc and docx and you are safer, too. Also, Microsoft doesn't get your money.

  10. Anonymous Coward

    Reality TV

    If even half the reports are accurate, it would seem that nothing FancyBear/APT28 does is secret, so why not have a reality TV show?

    I mean we would have voting for who will defect next.

  11. EnviableOne

    who in their right mind

    opens a file crash list.docx

    IMHO just asking for trouble
