Macro Exploits–Trusted Locations what you need to know

Malicious macro exploits have been a security issue for Office since the day macros were introduced. There are lots of legitimate work flow macros, so you cannot by default disable all macros in all Office programs. In the past you could create trusted macro locations within your network or system to add a layer of protection and prevention from malicious macros running.

GPO- Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations

The latest threat though, with the added use of cloud locations, makes that harder to control and disable external document macros. While there is now an option to “Block macros from running in Office files from the Internet” unless users save the “trusted” cloud documents to a local path, designated as trusted in the GPO or system, then it may block legitimate work macros as well. So you will need to plan accordingly and remind the users “what to” and “what not to” open and where.

Knowing the average user is likely to click first on an attachment and ask long after the damage is done. The latest and worst macro exploit now triggers the newest malware craze “ransomware” such as Cerber. These two have been recently combined into yet another form of malware to thrash your data and systems.

The latest spam and phishing emails with those malicious attachments are currently concentrating on Office 365 users due to the fact that they know they have the Office suite to open the attachment macros and trigger the malware. The ransomware depends on the user to open the exploiting Macros by having end users “Enable Editing” and “Enabling Content” in the attachment. Here is an example of what one looks like:

clip_image002

The Cerber ransomware has been around since around March, but the Office 365 and cloud based targeting only just begun recently. Victims once they trigger the macro and are infected will see a ransomware note and the malware will also read aloud a note stating that their files have been encrypted.

Cerber uses AES-256 encryption and the victims are asked to pay about $800 U.S. dollars' worth in Bitcoin. If you don’t have a recent backup your only recovery option may be to pay the ransom if critical data is encrypted. Of course there is no guarantee they will honor the payment agreement.

If you are not using additional safeguards outside of what is provided by Microsoft, you could be at risk. I recommend you implement the following to help prevent ransomware from infecting your system:

  • Spam filtering
  • Firewalls
  • DNS filtering (such as OpenDNS)
  • Content filtering
  • Antivirus/antimalware
  • Group Policies to manage trusted locations
  • Employee Policies that outline how to open external documents
  • Backups (potentially ones that are not constantly connected to the network)

Comments

Post a Comment

Popular posts from this blog

Office 365 Deployment Tool Office Download fails “Could not Install”

Image
Problem: you run the setup.exe /download download.xml and fails immediately with “Couldn’t install” You make sure all the settings are correct (see other blogs) and find nothing wrong Solution: Change drives and run it as an administrator again. For example above i am in the F:\OfficeDeploy directory which is the same directory I have the download.xml directing the download to. If i Change to the c: and run the same command again it works The Office Data folder was created and updated as shown below:
Read more

FRS to DFSR Post Cleanup “File Replication NtFrs Stopped”

Image
After successfully migrating from FRS to DFSR you get the File Replication NtFrs service is Stopped error on the local servers AD DS Services list. In the Event logs you may see Event id 13575 13577. You can confirm your migration completed by opening a cmd prompt as administrator and typing in: dfsrmig /getmigrationstate After your migration to DFSR is completed and you have given your servers ample time to propagate this service is no longer required. Since it is set to “Automatic”, as shown below” it shows in logs as a false positive error. Edit the File Replication Service and change it to “Disabled”, as shown below: Once it is listed as “Disabled” it will no longer show in the Console as an “error” Note : it may take some time to clear from the active view
Read more

Domain Migration SubinACL /Migratetodomain How To:

Caution : DO NOT run this on Domain Controller C:\ and only run on roaming profiles folders, or my docs shares day of migration to avoid ownership change issues. Confirm Domain trust is in place and users and groups have been migrated Test ping of olddomain.org from new domain Test ping of newdomain.org from olddomain Add newdomain.org domain controller host records to olddomain.org including reverse DNS records Confirm the user running the app is a domain admin in BOTH domains Download SubinACL here: http://www.microsoft.com/en-us/download/details.aspx?id=23510 /Migratetodomain- command will add the permissions of the new user to the old files and folders for example if jimbob@olddomain.org was migrated to the new domain jimbob@newdomain.org and you run the command below any file or folder in that path that has jimbob@olddomain.org will add Jimbob@newdomain.org with the exact same permissions. This is a safer way to migrate by keeping the old and new permissions intact while a
Read more