
Crackas With Attitude gov’t data leaker sent behind bars

The 25-year-old has been charged with leaking information belonging to thousands of FBI agents.

A member of the "Crackas with Attitude" hacking group has been sentenced to five years in prison.

On Friday, the US Department of Justice (DoJ) said Justin Liverman, otherwise known as "D3F4ULT," pleaded guilty to being a member of the group, as well as conducting unauthorized computer intrusions, identity theft, and telephone harassment.

As part of a plea agreement, the Morehead City, North Carolina resident admitted he was part of a scheme resulting in the leak of data belonging to roughly 31,000 FBI and DoJ agents.

Crackas with Attitude has also been linked to the compromise of CIA Director John Brennan's AOL email account, which he used to handle government intelligence -- albeit very unwisely -- as well as infiltrating the personal email accounts of the former US Director of National Intelligence James Clapper and his wife.

Prosecutors say the group's actions have caused more than $1.5 million in losses.

Liverman was involved in these attacks, but also went a step further and sent threatening text messages to victim cellphones. In addition, he paid a "phonebombing" service to flood victim cellphones with threats.

According to US law enforcement, the 25-year-old man was charged with conspiring with others to gain unauthorized access to government computer systems, as well as online accounts belonging to government officials.

In addition to the prison sentence, Liverman must also pay $145,000 in restitution.

According to The Mercury News, during sentencing on Friday in Alexandria, Virginia, Judge Gerald Bruce Lee rejected any characterisation of the group's actions as "pranks," saying "this computer hacking, Crackas With Attitude, caused chaos. Your intent was clear, and that was to wreak havoc."

Liverman is not the only member of the group who must serve time behind bars. In June, another member, Otto Boggs, was sentenced to two years in prison.

UK law enforcement arrested the alleged leader of the group, a 17-year-old British male who went under the nickname "Cracka" in February. The teenager is on bail, and when speaking to the media, claimed the UK and US agents were trying to "ruin his life" and that he is innocent of all charges.

In related news, two Russian hackers were sentenced last week to three years in a penal colony after a court found them guilty of being members of Shaltai-Boltai, of stealing information belonging to Russian officials, and of compromising their social media accounts.

From:http://www.zdnet.com/article/crackas-with-attitude-govt-data-leaker-sent-behind-bars/

SEC admits data breach, suggests illicit trading was key

The commission says that "illicit gain through trading" may have been the key motivator.

The US Securities and Exchange Commission has admitted to being hacked in 2016, with illegal trading potentially at the root of the breach.

On Wednesday, SEC Chairman Jay Clayton said one of the financial regulator's databases, containing corporate announcements, was compromised and may have been used to gain an advantage in stock trading.

By targeting this system, the attackers could have obtained market-moving, non-public information, such as company financial statements or merger announcements, and traded on that "insider" knowledge before the filings became public.

In a statement, SEC said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected -- or how much the hacker profited.

Edgar processes roughly 1.7 million electronic filings per year.

The hacker was able to take advantage of a "software vulnerability in the test filing component" of Edgar, which "resulted in access to nonpublic information."

Once discovered, the problem was immediately patched, and an investigation has now begun into the data breach.

Clayton said the review of the incident is ongoing with help from "appropriate authorities," but it is not so far believed that the hack went any further and compromised any other SEC systems.

"Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic," Clayton said. "We must be vigilant. We also must recognize -- in both the public and private sectors, including the SEC -- that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."

The breach was discovered as part of an audit ordered by the chairman. It was also discovered that staff have used private, unsecured email accounts to transfer confidential information.

SEC's disclosure comes only two weeks after Equifax disclosed a severe data breach, resulting in private and sensitive data belonging to 143 million US consumers, as well as roughly 400,000 UK customers, being compromised.

US names, social security numbers, dates of birth, and home addresses were exposed and may have been stolen, but Equifax says the leaked UK client data included only customer names, dates of birth, email addresses, and telephone numbers.

Equifax then blamed an Apache Struts security hole for the incident. While it is possible that a zero-day bug was responsible, a patching oversight or slow updating appears far more likely.

From:http://www.zdnet.com/article/sec-admits-data-breach-suggests-insider-trading-was-the-key/

Cybersecurity specialisation status up for grabs with new ACS accreditation program

Individuals can now obtain two new cybersecurity-focused certifications from the Australian Computer Society.

The Australian Computer Society (ACS) -- the association for the country's IT sector -- has launched a new cybersecurity accreditation program, allowing specialists in the security field to obtain two new certifications.

The new accreditations are an extension to the ACS Certified Professional and Certified Technologist schemes, and will see cybersecurity experts in Australia able to achieve Certified Professional (Cyber Security) and Certified Technologist (Cyber Security) accreditation.

The cybersecurity specialisation status will require applicants to demonstrate in-depth capability in a range of areas identified in the globally recognised Skills Framework for the Information Age (SFIA), ACS president Anthony Wong explained.

"A key element of cybersecurity is trust. We trust business and government to protect our private and personal data. Establishing a professional certification where applicants must commit to a code of ethics, code of professional practice, and undertake continuing professional development helps provide a level of certainty and trustworthiness," Wong said, speaking at the ACS Cybersecurity event in Canberra on Wednesday.

The ACS expects the two new certifications to provide employers with a guarantee that the cybersecurity individuals they are hiring have the right skills for the role.

"By employing professionals with a [cybersecurity] certification, businesses and government are demonstrating to consumers that their cybersecurity professionals have undergone a rigorous assessment process, demonstrated a commitment to the highest principles, and are well placed to lift the cyber resilience of their organisation," Wong said.

Existing Certified Professionals and Certified Technologists are able to apply to have their certification upgraded through the ACS.

According to Australia's Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon, the accreditation program from the ACS will help remove the current seagull-like approach to hiring cybersecurity professionals, where government, the enterprise, and big business are all "fighting over the same chip".

Addressing the ACS in Sydney on Tuesday, MacGibbon said it makes sense that as Australia grows its cybersecurity skills and capabilities, it has the right people involved.

"It's widely recognised that there's a skills deficit in ICT broadly, but particularly when it comes to cybersecurity," he said, noting that the country is missing the point if the focus is only on tertiary institutions.

"We also need to focus on vocational training, and indeed those that are self-taught."

He said Australia needs to create avenues for self-taught individuals to "come to the side of goodness and light" to actually protect the communities they operate in.

"Which is why initiatives like this one are so important for us, because it tries to make sense of the skills that we have and help to standardise those somewhat," he explained.

"A casual observer would say that there has been an awful lot of conflict, an awful lot of overlap, and often some confusion as to what certifications are best to have.

"Until we actually have the supply right of staff, the supply right of skilled people, we're always seagulls fighting after the same chip that government will sit there and say that it will grow some skills, the private sector might come and offer more money and steal the chip from us, big business will fight over that same person next, and we have this game of inflationary wages -- good for the individual, but bad for business generally -- and of course we have the deficit, we just don't have enough people to be doing the work that's there."

Speaking with ZDNet earlier this year, MacGibbon said he wants the understanding of cybersecurity to be a life skill children of today grow up with, which means taking the conversation to primary school classrooms.

While PhD, university, and even high school students should still be gaining powerful knowledge on the threat landscape, MacGibbon would argue that this kind of structure isn't enough to ensure the success of Australia when it comes to cybersecurity.

"For me, being a successful person in my generation was being able to read and write and do basic maths," he told ZDNet. "What is going to get our kids to be successful in this world is the concept of computation, coding, and communication.

"If we're going to win when it comes to protecting the Australian way of life, in terms of cybersecurity, then it indeed starts in primary schools."

He also wants those in IT to look at furthering their skills in the cybersecurity sector.

From:http://www.zdnet.com/article/cybersecurity-specialisation-status-up-for-grabs-with-new-acs-accreditation-program/

You deserve what you tolerate: Why companies must enforce security standards

Companies that fail to enforce security policies must be prepared to handle the consequences.

After reading through some security blogs and strategy papers, I saw what appeared to be an underlying theme across the narratives I'd read: Security tolerates failure.

It's understandable that it happens, but I think if we are honest with ourselves, it happens because of a collective acceptance that close enough is good enough. It can be easy for any of us to offload responsibility when so many things aren't in our control, and we can feel powerless because of it. In almost every instance I read about, I saw leadership and technical security folks pointing fingers at all kinds of issues, but I hardly ever read about any of them taking ownership -- or even acknowledging that security earned this failure. The bad things did not happen through osmosis; no evil hacker just magically jumped into the network. Failures occurred because of a series of bad decisions, poor strategy, and a lack of enforcement of well-known security practices.

Let's think about this for a second: You deserve what you tolerate. What does that message mean in the context of cybersecurity and security operations?

If companies collectively turn a blind eye to lackluster security policies and don't bother to enforce the standards that were put in place solely to defend their networks, these organizations deserve the bad things that will inevitably occur because of those decisions. If companies do not wish to enforce a user policy because users gripe about it, again, they deserve the work and stress that comes with the imminent breach headed their way. If companies tolerate vendors selling them technology that comes with default hard-coded back doors, and have no way to technically control or patch that device, it can't be surprising when it becomes an IoT threat to their network and to every other network it can reach.

Here is the first half of the hard part of accepting failure that comes from tolerating it -- this takes accountability and willpower:

Tolerating overhyped technology means we won't get what we deserve (or what we paid for).
If we don't enforce our policies, we let down our users, our leadership, and shareholders.
If we don't align our strategy with the business, we can't be surprised when we aren't involved in decisions and our initiatives are sidelined.
We should take steps that will help us stop failing and stop tolerating anything less than victory. There is only one thing to do: raise the level of expectations.

Here is the hard part -- organizations still have to actually do it. There is no AI that will help here:

If companies have a user policy that says "we monitor your activities and we are watching what you do on our network," they must enforce it.
Don't accept smart devices into networks without having a plan in place to track and patch that item.
Make the C-Level team realize that security is not just a part of the business: It's critical to its success in today's world. Don't take a back seat.
Analyze and understand the nuances, technical needs, and implications of any technology your team is considering using. Don't just move forward with a POC and think it's all going to work out (it won't).
You deserve what you tolerate, and that goes for the good and the bad. Whether the results lean more toward the positive or the negative is up to us, and to how much failure we are willing to stomach before we flip the script and move decisively away from tolerance.

From:http://www.zdnet.com/article/you-deserve-what-you-tolerate-why-companies-must-enforce-security-standards/

Two million shoppers told to change their passwords after tech retailer is hacked

Updated: Technology and entertainment retailer CeX has warned its online customers that their names, addresses, email contact details, and phone numbers may have been stolen.

The personal details of up to two million customers of technology and video games retailer CeX may have been compromised in a data breach.

Information including names, addresses, email contact details, and phone numbers of CeX customers in the UK who supplied their data to the retailer through online forms has been accessed in a "sophisticated breach", the company has warned.

The company said it had suffered a phishing attack and "a low-level breach in our online UK website security" which occurred "late last year". CeX acted at the time to "immediately put in place additional security measures", it added.

The company said "no further security breach has since taken place" and that "we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data".

However, the company said it "received communication from a third party claiming to have access to some of our online UK website data" in August this year.

The retailer said it immediately informed the relevant authorities, including the Information Commissioner's Office (ICO) and the National Crime Agency (NCA), "who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again".

It added: "We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage."

While CeX says no password data has been compromised, customers have nevertheless been urged to change their CeX online password, as well as the password for any other account that uses the same one. CeX calls this a "precautionary measure" so that customers are protected from further attacks should the criminals crack users' passwords, particularly those which aren't complex.

CeX has also said that in a "small number of instances" encrypted data from credit and debit cards up to 2009 may have been accessed, but that no live payment information has been taken as those cards will have expired and the company no longer stores financial information.

The retailer is contacting all customers who are directly affected by the breach, which only affects the online arm of the company. No in-store personal membership details are thought to have been compromised. CeX has over 350 stores in the UK and over a hundred more overseas.

CeX has yet to detail how exactly attackers managed to gain access to the data, only that the incident occurred "recently".

The retailer said it is working alongside the police, the NCA, and ICO to investigate the incident and has also employed a "cyber security specialist" to review security processes.

"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement.

"Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again," the company added.

From:http://www.zdnet.com/article/two-million-shoppers-told-to-change-their-passwords-after-tech-retailer-is-hacked/

Windows 10 security: After Kaspersky fight, Microsoft talks up its case for Defender

Windows 7 machines mostly unprotected because they're not running any antivirus, says Microsoft.

Microsoft's latest security report makes a case for why Windows 10's Defender fallback is right for end-user security.

Microsoft recently settled a fight with Russian antivirus (AV) vendor Kaspersky Lab that could have resulted in regulatory attention over claims that Windows 10 disadvantaged third-party AV.

Kaspersky last week dropped its complaints after Microsoft agreed to several concessions that will appear in the Windows 10 Fall Creators Update, due out next month.

Since Windows 8, Microsoft has enabled Windows Defender when a third-party AV expires. However, Kaspersky complained that Windows 10 notifications made it too easy for users to miss an expired subscription alert. Microsoft also admitted to disabling third-party AV under certain circumstances.

Though Microsoft's implementation of the Defender fallback wasn't perfect, data in its latest Security Intelligence Report, volume 22, suggests that the concept was overall sound. It also offers a defense for its handling of AV in Windows 10 after bowing to Kaspersky's demand for more compatibility testing time and the right to use its own expired subscription notifications.

Windows 7 is still the most widely used version of Windows in the world, and was the primary casualty of the recent NotPetya and WannaCry outbreaks.

Despite its popularity as a target, by far the biggest reason for Windows 7 machines being classed as not "protected" in Microsoft's telemetry data is that they don't run any antivirus.

Microsoft's graph compares four main reasons why Windows Vista, Windows 7, Windows 8, and Windows 10 aren't protected.

For Windows Vista and Windows 7, over 50 percent of unprotected machines aren't running any AV. The remainder have AV installed, but it's either switched off or doesn't have up-to-date virus signatures.

By comparison, the main reason Windows 10 machines were unprotected was out-of-date signatures or the AV was snoozed, while Windows 8 and Windows 8.1 were mostly unprotected because the AV product was turned off.

Microsoft notes a possible explanation for Windows 8/8.1 is that several malware families are capable of switching off anti-malware products.

The graph says nothing about what proportion of users on each version of Windows are unprotected. In 2013 Microsoft reported that 24 percent of Windows PCs weren't protected by up-to-date antivirus.

Back then, Microsoft encouraged Windows users to install one of several third-party products in addition to its own for protection. Today it's had to publicly reaffirm several times that it really does believe a "healthy antivirus ecosystem" is what's best for Windows 10 security.

From:http://www.zdnet.com/article/windows-10-security-after-kaspersky-fight-microsoft-talks-up-its-case-for-defender/

Windows security: Cryptocurrency miner malware is enslaving PCs with EternalBlue

Stealthy and persistent cryptocurrency-mining malware is hitting Windows machines.

Criminals are infecting Windows machines with fileless malware that runs in memory, and puts the hijacked PCs to work on mining cryptocurrency.

Two features in particular make this malware, known as Coinminer, "extremely stealthy and persistent", according to malware researchers at Trend Micro.

To infect Windows machines, it uses the so-called EternalBlue vulnerability employed by WannaCry and NotPetya as a spreading mechanism. Microsoft released a patch for the flaw in March (MS17-010), but a spate of infections in Asia, mostly in Japan, suggests some systems have not been updated.

On machines vulnerable to this bug, the malware runs a backdoor that installs several Windows Management Instrumentation (WMI) scripts that run in memory, which makes them more difficult to detect.

IT admins can use WMI to run scripts that automate administrative tasks on remote computers and acquire management data from these computers and installed Windows applications.

However, in this case the cryptocurrency mining malware uses WMI for more nefarious purposes, including connecting to the attacker's command-and-control domains to download the mining software and malware.

WMI malware isn't new and was used in the infamous Stuxnet malware. FireEye has also found an advanced hacker group APT29 using WMI capabilities to create persistent and stealthy backdoors by automatically triggering a backdoor when a system starts up.

Malwarebytes identified WMI techniques being used to hijack Chrome and Firefox to redirect users to an attack site.

According to Trend Micro, the mining malware operation includes a timer that automatically triggers the malicious WMI script every three hours.

Admins should disable the SMBv1 file-sharing protocol to prevent attacks using EternalBlue, an exploit for SMBv1 thought to have been created by the NSA and leaked in April by the Shadow Brokers.

Even before the leak of EternalBlue and WannaCry's adoption of it, Microsoft was urging customers to stop using the 30-year-old protocol.

Trend Micro also points to a Microsoft tool that can trace WMI activity, and recommends restricting WMI on an as-needed basis and disabling it entirely on machines that don't need it.
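The following PowerShell is an added example, not code from the article or from Trend Micro's report. It shows how an administrator would act on the advice above: enumerate the permanent WMI event subscriptions (filter, consumer and binding) that this kind of in-memory malware relies on, list interval timers of the sort that could fire a script every three hours, check and disable SMBv1 on both newer and Windows 7-era systems, and switch on the WMI-Activity trace log. The "suspicious" patterns and the 10800000 ms interval are assumptions for illustration, not published indicators for this campaign; the function names are the author's own.

```powershell
# Added example (not from the article or Trend Micro): hunt WMI subscription persistence
# and close the EternalBlue door by disabling SMBv1. Run in an elevated PowerShell session.
# Heuristic patterns below are assumed for illustration, not indicators from this campaign.

function Get-WmiPersistence {
    # Permanent subscriptions live in root\subscription as three objects: an __EventFilter
    # (a WQL event query), an __EventConsumer (what runs) and a binding tying them together.
    $ns        = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    # Consumers that execute code, filters that fire on a clock rather than a real system
    # event, and payloads that launch an interpreter are the ones worth a second look.
    $codeConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
    $timerTriggers = '__TimerEvent|Win32_LocalTime|Win32_PerfFormattedData|__InstanceModificationEvent'
    $launchers     = 'powershell|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|-enc|http'

    foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        $consumerClass = $c.CimClass.CimClassName
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            ConsumerClass = $consumerClass
            Consumer      = $c.Name
            Payload       = $payload
            Suspicious    = ($consumerClass -in $codeConsumers) -and
                            ($f.Query -match $timerTriggers -or $payload -match $launchers)
        }
    }
}

function Get-WmiTimers {
    # Interval timers publish __TimerEvent on a schedule; 10800000 ms would be every three hours.
    foreach ($ns in 'root\subscription', 'root\cimv2') {
        Get-CimInstance -Namespace $ns -ClassName __IntervalTimerInstruction -ErrorAction SilentlyContinue |
            Select-Object @{n='Namespace'; e={ $ns }}, TimerId, IntervalBetweenEvents
    }
}

function Remove-WmiPersistence {
    # Remove a confirmed-malicious subscription: binding first, then the filter and consumer.
    param([Parameter(Mandatory)][string]$FilterName, [Parameter(Mandatory)][string]$ConsumerName)
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName -and $_.Consumer.Name -eq $ConsumerName } |
        Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object { $_.Name -eq $FilterName }   | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object { $_.Name -eq $ConsumerName } | Remove-CimInstance
}

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 value under LanmanServer\Parameters (absent or 1 = enabled).
    $p = Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $p -or $p.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanParams -Name SMB1 -Value 0 -Type DWord -Force
    }
    # Client side: stop the workstation service from depending on the SMB1 redirector (reboot needed).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Enable-WmiActivityTrace {
    # The WMI-Activity trace channel is off by default; it records every WMI operation,
    # including consumer and binding creation. On Windows 10 / Server 2016 and later the
    # Operational channel also logs event ID 5861 when a permanent consumer binding is created.
    wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true /q:true
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue
}

Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-WmiTimers
"SMBv1 enabled: $(Test-Smb1Enabled)"
```

Expect one benign binding on most systems, the "SCM Event Log Filter" bound to an NTEventLogEventConsumer, which the heuristic does not flag because it runs no code. Remove-WmiPersistence and Disable-Smb1 are deliberately not called at the bottom; run them by hand once a finding is confirmed, and reboot after disabling the SMBv1 client so the service dependency change takes effect.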

From:http://www.zdnet.com/article/windows-security-cryptocurrency-miner-malware-is-enslaving-pcs-with-eternal-blue/

Gartner sets fire to all the cyber things

The 2017 evolution of Gartner's cybersecurity framework comes with a new buzzword: CARTA. But really, we should just set fire to everything.

"A fire is coming," says Steve Riley, a research director at Gartner. It's a metaphorical fire, representing the rapid change in cybersecurity that's making traditional techniques like blacklists, whitelists, and malware signatures irrelevant.

It's now a spectrum of risk, Riley told the Gartner Security and Risk Management Summit in Sydney on Monday. Embrace the shades of grey, he said. Embrace all the colours of risk.

Each year, Gartner's summit kicks off with an explanation of their current framework for thinking about cybersecurity. Each year it morphs a little bit, adding new concepts as the cybersecurity threat landscape and technology evolve, dropping items as they lose significance because everyone's already on that same page.

Gartner's framework is, therefore, an indication of what organisations are not doing. And the more Gartner emphasises it, the more organisations really need to pull their fingers out.

In recent years, Gartner has stressed the importance of a risk-based approach to security, and a people-centric approach. Their most recent keyword has been "adaptive", steering away from the overused "agile". Most of these ideas were in one of the first slides we were shown on Monday.

"Manage Risk. Build Trust. Embrace Change by Becoming Adaptive Everywhere."

There's nothing new there, but it needs to be repeated.

Gartner also stressed the importance of using analytics to reduce the workload of cybersecurity staff. They cited the example of one US organisation that had used analytics to reduce the number of security events needing investigation daily from 1500 to 30. Such productivity improvements are not unheard of. There's nothing new there, but if Gartner has to remind us, then there are plenty of organisations that are not doing that either.

This year, Gartner wants us to go beyond "adaptive", and they've got a new word for it: CARTA, which stands for continuous adaptive risk and trust assessment.

"A CARTA strategic approach enables us to say 'yes' more often. With a traditional binary allow-or-block approach, we had no choice but to be conservative, and to say 'no'. With a CARTA strategic approach we can say 'yes', and monitor to make sure, allowing us to embrace opportunities that were once considered too risky in the past," Riley said.

But is that so new? Not really. Gartner has simply -- and effectively -- condensed a bunch of contemporary concepts in cybersecurity into a catchy initialism. But again, it needs to be repeated.

Sid Deshpande, one of Gartner's principal research analysts, reminded us that digital business -- which is to say business -- is now deeply intertwined.

"Risk management is no longer the domain of a single enterprise, and it must be considered at the ecosystem level," Deshpande told the summit. Businesses should expect to continuously monitor the security posture of key providers, and should expect them to do the same back.

Still nothing new there, at least if you've been to some of the cybersecurity conferences in the last couple of years, but it needs to be repeated.

I'm not mocking Gartner. Far from it. Gartner's frameworks provide a pre-packaged mindset for organisations unable to create their own, which seems to be most of them. After all, as the Australian Financial Review reminded us on Monday, the Dunning-Kruger Effect means that clueless executives actually imagine themselves to be leaders.

Riley ended the keynote by returning to his metaphorical fire.

"There are two types of fires. Some that will consume everything in an uncontrolled and catastrophic manner, others that are anticipated. Perfect fire prevention isn't possible. Striving for it makes the fire worse when inevitably it does occur. To adapt, we light backfires to clear out the underbrush and continuously monitor for indications of an outbreak. Now, the ecosystem adapts, and even flourishes when smaller fires burn," Riley said.

"The fire is coming. It can bring destruction, or it can bring a new landscape of opportunity. Embrace the grey. Embrace the risk. Embrace CARTA."

All hail CARTA!

Seriously, though, if organisations are still failing in so many fundamental ways -- risk-based security, agility, trust-building, extending their security view out into their business ecosystem -- then they'll need more than a Gartner framework to save them.

They need a bit of that all-consuming, cleansing fire.

From:http://www.zdnet.com/article/gartner-sets-fire-to-all-the-cyber-things/

How a one man hacking operation was able to infiltrate international firms

A recent phishing and malware campaign looked like the work of a cybercriminal gang -- but researchers have tracked it back to a lone attacker in Nigeria.

An international hacking campaign targeting thousands of oil, mining and construction firms sounds like the work of a sophisticated criminal operation. The scale of such an endeavour suggests it would need extensive resources and manpower, potentially even nation-state backing.

But a newly uncovered cyberattack that targeted more than 4,000 organisations in the oil and gas, mining, construction, and transportation sectors has been found to have been carried out by a 20-year-old man in Nigeria.

The lone attacker successfully hacked into the networks of at least 14 organisations, including a marine and energy company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction company in Dubai, an oil and gas firm in Kuwait, and a construction organisation in Germany.

Using a remote access Trojan and a keylogger, the attacker stole login credentials and financial information from these companies.

The fact that attacks were targeted at financial staff working in specific regions and sectors -- energy and transportation firms in Europe and the Middle East -- and the use of a phishing email lure claiming to be from oil and gas giant Saudi Aramco, initially led researchers to believe the campaign was the work of a well-organised group.

But researchers at Check Point investigating the attack found this wasn't the case.

"We realised this was just one person, because of the technical analysis of the malware and the C&C communications, we realised it was a criminal, not a nation state conducting espionage," Maya Horowitz, head of research for Check Point, told ZDNet.

And unlike professional hacking gangs, the culprit has very poor operational security, allowing researchers to identify him and monitor his actions.

"You can see holes in the phishing emails themselves and there are holes all over the infrastructure," Horowitz said.

Put simply, the phishing emails are crude and unconvincing, with spelling errors, generic subjects and the target addressed as 'Sir/Ms'. The mass-mailed messages ask users to download an attachment; once opened, the document asks for macros to be enabled and then installs two forms of malware, both of which are freely available on the web.

Victims end up infected with Netwire, a remote access Trojan that allows the attacker to gain full control of infected machines, and Hawkeye, a commercially available form of keylogging software. While both forms of malware are relatively simple, they've enabled the attacker to steal banking and other credentials, and earn thousands by stealing from accounts and selling on credentials.

While he has managed to infiltrate a number of large organisations, the perpetrator is far from a cybercriminal mastermind. Indeed, he has not made much of an effort to cover his tracks and has even discussed his actions on Facebook.

"He's not very techie, but he's on a Facebook group of several Nigerian hackers where they exchange tactics and techniques," said Horowitz.

Attacks using phishing to infect machines with malware are gaining in popularity, she added, and are replacing the infamous 419 scams of old. "The same people who ten years ago were only able to send Nigerian Prince scams today they can just rent malware and send it to whoever," said Horowitz.

"It's the same people, with the same technical skills, but now this whole market works more like a business where you can just buy or rent your tools online as malware-as-a-service. In this case it's not even on the dark web, it's just on the internet," she added.

The increasing availability of malware-as-a-service, or of freeware such as Netwire and Hawkeye, means it's easier than ever for budding cybercriminals to get in on the action. However, in many cases the attacker lacks the knowledge to take the steps necessary to hide themselves.

In the case of this individual, Check Point has shared its findings with Nigerian police and international agencies in order to stop future attacks and arrest the culprit.

Those organisations that have already fallen victim to the attacks will need to take extra security precautions, because it's likely log-in credentials and other sensitive information have been sold on to criminals who could use them to perform further attacks.

Ultimately, the phishing emails used in this attack were very basic but nonetheless fooled employees in the target organisations. Horowitz stressed the importance of companies making employees aware of what these emails look like and the threats they pose.

"These attacks can be prevented, nobody has to be infected with this malware," said Horowitz.

"Fourteen organisations were hit but there's no reason they should have, because with proper security measures and -- more importantly -- education and awareness, these emails shouldn't have got into the systems."

From: http://www.zdnet.com/article/how-a-one-man-hacking-operation-was-able-to-compromise-international-firms/

Microsoft PowerPoint exploit used to bypass antivirus and spread malware

It's the first time this exploit has been used to target PowerPoint users - and it's being used to distribute powerful Trojan malware, say researchers.

Cyber attackers are exploiting a vulnerability to evade antivirus detection and deliver malware via Microsoft PowerPoint.

The flaw in the Windows Object Linking and Embedding (OLE) interface is being exploited by attackers to distribute malicious Microsoft Office files.

The exploit is commonly used to deliver infected Rich Text File (.RTF) documents, but cyber security researchers at Trend Micro have spotted attackers using it to compromise PowerPoint slide show files for the first time.

As with many hacking campaigns, this attack begins with a spear-phishing email. The message purports to be from a cable manufacturing provider and mainly targets organisations in the electronics manufacturing industry.

The sender's address is disguised to look like a message from a business partner and the email appears to relate to an order request, with an attachment purportedly containing

However, the attachment is useless to the receiver, containing a malicious PowerPoint show that when opened simply displays the text 'CVE-2017-8570', a reference to a different Microsoft Office vulnerability from the one used in this attack.

The malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which initialises the infection process and results in malicious code being run using the PowerPoint Show animations feature; if successful, this downloads a file named logo.doc.

This downloaded logo.doc contains XML and JavaScript code, which runs PowerShell to execute a file called 'RATMAN.EXE', a Trojanised version of the Remcos remote access tool, which then connects to a command and control server.

Once up and running on a system, Remcos is capable of many criminal operations, with compromised machines at risk from keylogging, screenlogging, webcam and microphone recorders, and the downloading and execution of additional malware. Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.

Researchers note that the sample behind this attack uses a .NET protector, which includes several protections and obfuscations to make it more difficult for researchers to reverse engineer. That indicates skill on the part of the attackers, suggesting that this isn't an amateur campaign.

Critically, since most methods of detecting the CVE-2017-0199 vulnerability focus on the RTF attack method, the use of a PPSX PowerPoint slide show file as an attack vector means attackers can code the malware to avoid antivirus detection.
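One way a defender can close the PPSX blind spot described above is to inspect the package directly rather than rely on RTF-centric signatures: a slide's OLE object should be embedded inside the file, so an OLE relationship whose target is external is the shape of the remote document download in the infection chain. This is an added example, not Trend Micro's or ZDNet's code; it assumes the standard Office Open XML relationship layout, and the sample packages and the host `example.invalid` are constructed placeholders.

```python
"""Flag OLE object relationships in a .pptx/.ppsx that point outside the package.
Added example; sample packages below are constructed, not real malware."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(data: bytes) -> list:
    """Return (rels part, target) pairs for every oleObject relationship whose
    TargetMode is External. A healthy deck embeds OLE payloads inside the
    package, so an external target is worth quarantining for analysis."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def _make_ppsx(rels_xml: str) -> bytes:
    """Build a minimal package around one slide relationship file (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: OLE object stored inside the package, as a normal deck does.
BENIGN = _make_ppsx(
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="../embeddings/oleObject1.bin"/>'
    '</Relationships>')
# Constructed sample: OLE object fetched from an external location (placeholder host).
SUSPICIOUS = _make_ppsx(
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_TYPE}" TargetMode="External" '
    'Target="http://example.invalid/logo.doc"/>'
    '</Relationships>')

if __name__ == "__main__":
    print("benign:", external_ole_targets(BENIGN))
    print("suspicious:", external_ole_targets(SUSPICIOUS))
```

Point the function at attachments pulled from a mail gateway quarantine; the check is format-level, so it is unaffected by the .NET packing applied to the final payload.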

Fortunately, there's a way to completely avoid becoming a victim of this particular attack: Microsoft released patches to address the vulnerability in April, and any systems updated with these are safe from this attack.

Nonetheless, users need to remain alert to the risks posed by legitimate-looking phishing emails.

"Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails -- even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files," wrote Trend Micro researchers Ronnie Giagone and Rubio Wu.

There are various techniques organisations can use to defend themselves against these attacks, with education of staff playing a key role.

From: http://www.zdnet.com/article/microsoft-powerpoint-exploit-used-to-bypass-antivirus-and-spread-malware/