And all because
Someone, somewhere, decided it would be a good idea if the program you use to write memos could run system-level commands embedded in the text files you are editing?
Seriously, it is high time this useful "feature" was removed.
Unluckily, they became a "development platform" too. I knew a guy in a Swiss bank whose job was mostly to automate Office applications using VBA. It was mostly Excel stuff, but there was some Word stuff as well.
I'm still surprised by sysadmins who don't bother to neuter macros for users who don't need them (hint: it can be done through GPOs), or allow only signed ones.
"VBScript is designed to be a secure programming environment"
/me commences hysterical laughter
It all reflects the _USUAL_ vulnerabilities in Micro-shaft software. The MS Word doc with the nasty payload, 'opened' by some low-level HR dweeb, or merely previewed in "Virus Outbreak" (aka 'MS Outlook'), sent by a spear-phisher with a fake identity, etc., taking over a Windows box because the user is logged in with "admin" credentials for no good reason, because Micro-shaft sets the defaults "that way".
> a macro within the document executes two Powershell scripts
> 139.59.46.154:3485/eiloShaegae1 via HTTP
> 45.76.128.165:4443/0w0O6 via HTTP
> 45.76.128.165:4443/0w0O6
So four controls already used in security-conscious organizations (the ones where the system and network administrators do not administer security devices) would have worked perfectly.
1. Block "PowerShell" in all proxy traffic if it shows up in the User-Agent
2. Remove the ability to execute the two copies of PowerShell for non-administrative users, and no, everyone does not have to be an admin.
3. Review your proxy logs for the past several months with an eye towards the destination port. Allow all non-standard destination ports used for business-related sites and drop all others. And review that rule on occasion. You'll see how many bullets you dodged without even knowing it.
4. Run man-in-the-middle HTTPS decryption and in #3 use separate port ranges, one for HTTP and one for HTTPS. None of those non-standard ports have ever been seen in business-related traffic for us, a large bank. 4443 has been seen but never for HTTP. That's a clear deception trick.
Why did I single out "system and network administrators who run security devices"? Like in real estate, those poor people are graded by their management on three things: Availability, Availability and Availability. "I can't get to my cat website because you block dynamic DNS sites running on odd ports!"
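As an added example, not part of the comment above or of the report it quotes, here is a small Python scan that applies controls #1, #3 and #4 to a constructed proxy log: it flags requests whose User-Agent contains "PowerShell", requests to destination ports outside a per-scheme allowlist, and plain HTTP on a port only ever seen for HTTPS. The log format, client addresses, browser strings and allowlist are assumptions; the two odd-port URLs are the ones quoted from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log, format assumed: client method url "user-agent". The two
# odd-port URLs are the ones quoted from the report; everything else is made up.
SAMPLE_LOG = """\
10.1.2.3 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"
10.1.2.3 GET https://mail.example.com/owa/ "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"
10.1.2.3 GET http://139.59.46.154:3485/eiloShaegae1 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"
10.1.2.3 GET http://45.76.128.165:4443/0w0O6 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"
10.1.2.4 GET https://partner.example.net:8443/api/ "Mozilla/5.0 (Windows NT 10.0) Chrome/58.0"
"""

# Controls #3 and #4: one allowlist per scheme (assumed business exceptions). 4443 is
# allowed for HTTPS only, matching the comment that it was never seen for plain HTTP.
ALLOWED_PORTS = {"http": {80, 8080}, "https": {443, 4443, 8443}}
DEFAULT_PORTS = {"http": 80, "https": 443}
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    # Split one log line into fields; None for lines that do not match the format.
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, url, ua = m.groups()
    parts = urlsplit(url)
    return {"client": client, "method": method, "scheme": parts.scheme,
            "host": parts.hostname, "ua": ua,
            "port": parts.port or DEFAULT_PORTS.get(parts.scheme)}

def check_request(req):
    # Return the names of the rules this request trips; an empty list means clean.
    reasons = []
    if "powershell" in req["ua"].lower():                              # control #1
        reasons.append("powershell-user-agent")
    if req["port"] not in ALLOWED_PORTS.get(req["scheme"], set()):     # control #3
        reasons.append(f"nonstandard-port:{req['scheme']}:{req['port']}")
        if req["scheme"] == "http" and req["port"] in ALLOWED_PORTS["https"]:
            reasons.append("plain-http-on-https-only-port")            # control #4
    return reasons

def scan_log(text):
    # Collect (host, port, reasons) for every request that trips at least one rule.
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is not None and (reasons := check_request(req)):
            findings.append((req["host"], req["port"], reasons))
    return findings
```

Running scan_log(SAMPLE_LOG) returns only the two PowerShell downloads; the Firefox and Chrome requests on 80, 443 and 8443 pass every rule.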
Yep, you're right on that one.
HTTPS inspection would have nixed that one.
Some good extension restrictions should have pinned it too; why are non-IT (presumably) users downloading .ps1 scripts? I suppose it could be a .txt and renamed, but I am speculating on that.
How are machines still getting pwned by macros?
I find the PS vector quite intriguing, as I don't think the attackers thought "let's try this and see how it goes"; I am thinking someone was working there first and doing a little recon.
Someone must have known/done some footwork beforehand to prep for the social engineering/phishing.
I bet you there's a little bit more to it yet.
- Why is the execution policy set to unrestricted?
- Are users admins on their machines?
- Where's the use of GP?
- Did they learn nothing from Stuxnet/crypto outbreaks?
Enquiring minds want to know, as it seems like IT admin 101.
The simplicity of it all is quite astonishing.
Beer 'cause Friday and I don't have to deal with it.
So X-Force IRIS recommends blocking these malicious IP addresses.
Yet search on X-Force Exchange:
https://exchange.xforce.ibmcloud.com/ip/139.59.46.154
https://exchange.xforce.ibmcloud.com/ip/45.76.128.165
and they are categorised as "unsuspicious".
It's not intelligence unless it's actionable. It's not actionable unless it's automated.
@IBM - don't publish a report telling me I've got to block addresses. Do what I'm paying you for and build it into the threat feeds to my defences.