Cybercriminals, notably state-sponsored hackers, have begun exploiting a newly uncovered weakness in Microsoft Office that the company has not classified as a security vulnerability and does not plan to address with a patch. The weakness lies in the Dynamic Data Exchange (DDE) feature of Microsoft Office, which lets applications share data with one another; an attack that abuses it requires neither macros nor memory corruption.

DDE is utilized extensively by numerous applications, including Microsoft Excel and Word, for both one-time data transfers and continuous updates between programs. After information about this DDE exploit became public last month, it was revealed that various attack campaigns were actively utilizing this technique to distribute malware to organizations.

In an alarming development, the Advanced Persistent Threat (APT) group known as APT28, also recognized as Fancy Bear and believed to be associated with the Russian government, has started to employ this DDE attack method. Recent analysis revealed that this group has been leveraging the vulnerability since late October, particularly in a spear-phishing campaign that references a recent terrorist incident in New York City as a guise to entice victims into opening malicious documents.

Security researchers, including those from McAfee, have documented how these documents trick individuals into activating harmful code on their devices, ultimately leading to malware installation. As DDE is a legitimate Microsoft feature, it typically does not trigger warnings from antivirus software. Victims may unknowingly execute the attack through attachments labeled with titles like “SabreGuard2017.docx” or “IsisAttackInNewYork.docx.” Once opened, these documents can connect to a command-and-control server, facilitating the installation of an initial malware stage dubbed SedUploader.

Using this initial malware, attackers can gather basic information from the compromised system, which helps them decide whether the target merits further infiltration. If the system is deemed significant, more advanced spyware, such as X-Agent and Sedreco, may be deployed later. McAfee researchers have concluded that APT28’s strategic use of current events as lures, together with its adoption of new methods to improve the effectiveness of its attacks, underscores the group’s resourcefulness as a threat actor.

This DDE attack method is not isolated; Cisco’s Talos threat research group also discovered campaigns exploiting this vulnerability to disseminate fileless remote access trojans, while other research indicated the technique has been utilized to distribute both Locky ransomware and TrickBot banking trojans via compromised documents. Additionally, Hancitor malware has been identified as another malware variant taking advantage of this exploit.

Microsoft currently offers no protections against these types of attacks, making it imperative for users to proactively disable the DDE functionality within their applications to mitigate risk. For those using Microsoft Word and Excel, disabling the option for automatic link updates is a critical step. Furthermore, advanced users may reference a Registry file available on GitHub that disables functionalities linked to DDE entirely.
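As an added example (not code from the article, nor the GitHub registry file it mentions), the following PowerShell applies and then verifies the per-user registry values that Microsoft documented in Security Advisory ADV170021 for turning off automatic DDE link updates in Word and Excel. It assumes Office 2010, 2013 or 2016 (registry version keys 14.0, 15.0, 16.0) and per-user (HKCU) scope.

```powershell
# Added example: hardening values from Microsoft Security Advisory ADV170021.
# Assumptions: Office versions 14.0/15.0/16.0 and per-user (HKCU) scope.

$OfficeVersions = @('14.0', '15.0', '16.0')

# Subkey relative to HKCU:\Software\Microsoft\Office\<ver>, value name, DWORD data.
$Settings = @(
    @{ Sub = 'Word\Options';          Name = 'DontUpdateLinks';      Data = 1 },
    @{ Sub = 'Word\Options\WordMail'; Name = 'DontUpdateLinks';      Data = 1 },
    @{ Sub = 'Excel\Security';        Name = 'WorkbookLinkWarnings'; Data = 2 }
)

function Disable-OfficeDdeLinks {
    foreach ($ver in $OfficeVersions) {
        foreach ($s in $Settings) {
            $path = "HKCU:\Software\Microsoft\Office\$ver\$($s.Sub)"
            # Create the key if it does not exist yet (no-op when present).
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # -Force overwrites an existing value with the hardened data.
            New-ItemProperty -Path $path -Name $s.Name -Value $s.Data `
                -PropertyType DWord -Force | Out-Null
            Write-Host "Set $path\$($s.Name) = $($s.Data)"
        }
    }
}

function Test-OfficeDdeLinks {
    # Returns $true only when every documented value is present with the expected data.
    $ok = $true
    foreach ($ver in $OfficeVersions) {
        foreach ($s in $Settings) {
            $path = "HKCU:\Software\Microsoft\Office\$ver\$($s.Sub)"
            $cur = (Get-ItemProperty -Path $path -Name $s.Name `
                -ErrorAction SilentlyContinue).($s.Name)
            if ($cur -ne $s.Data) {
                Write-Warning "$path\$($s.Name) is '$cur', expected $($s.Data)"
                $ok = $false
            }
        }
    }
    return $ok
}

Disable-OfficeDdeLinks
Test-OfficeDdeLinks
```

These values are per user, so they must be applied in each user profile (or deployed through Group Policy Preferences) to cover every account on a machine; they stop the automatic update of links when a document opens but do not remove the DDE feature itself.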

Vigilance is essential in preventing infections; any unsolicited documents received via email should be approached with skepticism. Users are advised not to click on links within these documents without thoroughly verifying their origins, thus reinforcing a culture of cautious behavior in the face of endemic cyber threats.

In conclusion, understanding the techniques associated with the MITRE ATT&CK Matrix—such as initial access through spear-phishing and subsequent privilege escalation techniques employed by sophisticated adversaries—can significantly enhance an organization’s defense posture against such cyber threats.