Attackers are taking advantage of an undocumented feature in Microsoft Word to gather information about potential victims by using seemingly harmless documents that have no active code embedded in them.
The technique was discovered by researchers from Kaspersky Lab in OLE2-formatted documents distributed as attachments to spearphishing emails. The files abused a feature called INCLUDEPICTURE that allows a picture to be attached to certain characters in the text.
Attackers have figured out how to include a URL in the INCLUDEPICTURE field and trick Microsoft Word to access it when the document is opened. The URL pointed to a PHP script on a remote server controlled by attackers.
“The document contains no active content, no VBA macros, embedded Flash objects or PE files,” the Kaspersky Lab researchers said in a blog post. However, when users open the document, Word sends a GET request to one of the internal links and that request contains information about the software installed on their machines, including the version of Microsoft Office they use, the researchers said.
Such information can be very valuable to hackers in the planning of a targeted attack. It provides them with the information needed to choose a software program to attack and how to deliver the exploit.
The abused feature is not only present in Microsoft Word for Windows, but also in Microsoft Office for iOS and in Microsoft Office for Android, the Kaspersky researchers said. LibreOffice and OpenOffice do not have it.
CCleaner Compromise Shows Risks of Supply-Chain Attacks to Businesses
A backdoored installer for the popular system optimization tool CCleaner was distributed to more than 2 million users over the past month. The incident is the latest in a string of supply-chain attacks that were reported this year and resulted in malware-infected applications being delivered to users directly from their developers’ servers.
According to researchers from Cisco Systems’ Talos division, the malicious code was added to the CCleaner installer before the package was compiled and digitally signed. This suggests that hackers managed to gain access to the program developer’s infrastructure.
The compromised installers were for CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191, which were released on Aug. 15 and Aug. 24, respectively. Only the 32-bit versions of the installers were affected.
CCleaner is developed by a company called Piriform that was acquired by antivirus firm Avast in July. The program has been downloaded more than 2 billion times since its launch in 2003 and regularly exceeds 20 million downloads per month.
Piriform released clean versions of CCleaner and CCleaner Cloud Sept. 12 and said that until the investigation is finished it doesn’t “want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it.”
The incident highlights the serious risks that supply-chain attacks can pose to companies. It’s worth noting that CCleaner Cloud is a business product and Piriform notes on its website that the program is “trusted by” Princeton University, City of Vancouver, Airbus, HBO, Siemens, Intel, Oracle, DHL and other well-known companies.”
Furthermore, another security firm called Morphisec claims that it was the first to spot the infected installers and notify Avast after its technology detected the backdoor “at customer sites” Aug. 20 and 21. Morphisec is an enterprise endpoint security vendor so its customers are businesses and large organizations, not consumers.
“Supply-chain attacks can be a very powerful way to get onto high-profile companies’ IT networks in a roundabout way,” said Carsten Eiram, the chief research officer at Risk Based Security. “Since the software comes from a legitimate vendor that is trusted by these companies, the software is rarely subjected to the same scrutiny as would be the case for other types of attacks.”
There is evidence that attackers are increasingly using this technique. Last month, Kaspersky Lab documented an attack it dubbed ShadowPad where hackers managed to insert a backdoor into a legitimate update for an enterprise server administration tool developed by a company called NetSarang Computer. In June, the destructive NotPetya SMB worm that caused major disruptions at large companies around the world started with an infected update for an accounting program called M.E.Doc.
In May, Microsoft warned about Operation WilySupply, an attack that targeted high-profile technology and financial organizations with malware delivered through the compromised update mechanism for an editing tool.
Aside from understanding the security of the software, devices and libraries they use on their networks, companies need to understand the security posture of the vendors that provide those tools, Eiram said. “A given vendor may make a great effort to write secure code with few vulnerabilities and of a high code maturity, but if it doesn’t make an equal effort to secure its IT infrastructure, its products may be the way for attackers to get onto its customers’ networks.”