Tuesday, December 24, 2024

Microsoft closes two avenues of attack: Office macros, RDP brute-forcing

Microsoft is trying to shut the door on a couple of routes cybercriminals have used to attack users and networks.

The enterprise IT giant’s policy of blocking Visual Basic for Applications (VBA) macros in downloaded Office documents by default has been activated once again after a brief pause to address feedback from users who were having difficulty with the security defense.

Also this week, Microsoft enabled a default in Windows 11 that’s designed to block or slow down obvious Remote Desktop Protocol (RDP) brute-force attacks.

Both policies are hoped to close avenues that criminals have been using for years to muscle their way into systems, steal data, and spread malicious code.

Macro problem

The issue of macros has become a particularly gnarly one for the software giant.

“For years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros,” Kellie Eickmeyer, a principal product manager at Microsoft, wrote in a blog post in February when the IT titan announced its plans to block by default macros running in downloaded or internet-sourced Office files.

“While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access.”

Eickmeyer added that “for the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet.”


The policy was to block these particular macros by default in Access, Excel, PowerPoint, Visio, and Word, though after a few months of – at times, negative – feedback from users, Microsoft put a temporary halt on the initiative. Complaints ranged from critiques about how the blocking was implemented to the negative impact it had on some users’ systems.

In an update this week to the original announcement, Eickmeyer wrote that Microsoft is “resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios.”

End users can click here for more information, while IT administrators can head here.

Holding back the years

Macros have been a security problem for years, with Microsoft in 2016 releasing a tool that allowed administrators to set policy around when and where these scripts were allowed to run. In addition, users were asked whether they really wanted to run macros before allowing them to run.

The challenges continue even now. HP’s Wolf Security threat intelligence group this month wrote about OpenDocument files being used to distribute Windows malware. These documents were sent to marks via email. If one is opened, the user is asked whether fields referencing other files should be updated; clicking “yes” opens an Excel file, and another prompt asks whether macros should be enabled. If the user enables the macros, their system is infected with the open-source AsyncRAT backdoor nasty.


Regarding the RDP brute-force attacks, Windows 11 builds from now on include a default account lockout policy that should be able to at least slow down would-be intruders.

In brute-force attacks, cybercriminals use automated tools to guess someone’s account password: the tools run through a huge list of passphrases until one of them works and logs into a victim’s account. According to a tweet from Dave Weston, vice president of enterprise and OS security at Microsoft, such tools are used to spread ransomware and commit other crimes.

The default policy for Windows 11 builds – specifically, Insider Preview 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 attempts to sign in fail. Users can tweak this, changing the number of failed sign-in attempts that trigger a lock and how long the account will be locked.
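Detection logic for the behaviour this lockout policy targets, added here as an example and not taken from the article or from Microsoft: it counts failed RDP logons (Windows Security event 4625 with logon type 10, RemoteInteractive) per source address and target account over a sliding ten-minute window and flags any pair that reaches the same ten-failure threshold. The one-line event format and the event lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article), one per Windows Security event:
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
def _line(ts, event_id, logon_type, user, ip):
    return f"{ts} EventID={event_id} LogonType={logon_type} TargetUser={user} SourceIP={ip}"

SAMPLE_EVENTS = (
    # 12 RDP failures inside one minute from a single source: trips a 10-in-10-minutes rule
    [_line(f"2024-12-24T10:00:{s:02d}", 4625, 10, "administrator", "203.0.113.7") for s in range(0, 60, 5)]
    # 3 RDP failures spread over 20 minutes from another source: stays below the threshold
    + [_line(f"2024-12-24T10:{m:02d}:00", 4625, 10, "alice", "198.51.100.9") for m in (0, 10, 20)]
    # a successful logon and a non-RDP failure (LogonType 3, network logon) must be ignored
    + [_line("2024-12-24T10:01:00", 4624, 10, "alice", "198.51.100.9"),
       _line("2024-12-24T10:02:00", 4625, 3, "bob", "192.0.2.55")]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

def parse_events(lines):
    """Yield parsed events; lines that do not match the expected shape are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                   "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]}

def find_rdp_bruteforce(lines, threshold=10, window_minutes=10):
    """Return {(source_ip, target_user): peak_failures} for every pair whose failed RDP
    logons reach `threshold` inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ev in parse_events(lines):
        if ev["eid"] == 4625 and ev["lt"] == 10:
            failures[(ev["ip"], ev["user"])].append(ev["ts"])
    hits = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits
```

Feeding real 4625 events through `parse_events` only needs the regex adapted to whatever shape your log forwarder emits; the windowing in `find_rdp_bruteforce` is independent of the input format.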

In his tweet, Weston wrote that “this control will make brute forcing much harder, which is awesome.”

In a write-up last year, researchers at Malwarebytes Labs detailed RDP brute-force attacks, saying they “represent a serious, on-going danger to Internet-connected Windows computers.”

“While there are lots of ways to break into a computer that’s connected to the Internet, one of the most popular targets is the Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows somebody to use it remotely,” they wrote. “It’s a front door to your computer that can be opened from the Internet by anyone with the right password.”

The Malwarebytes Labs eggheads outlined a number of ways to protect against RDP brute-force attacks, from permanently turning off RDP to using strong passwords, multi-factor authentication, and a VPN, as well as limiting the number of guesses before an account is locked. ®
