The company will block the configuration files, which interact with Web applications — since threat actors increasingly use the capability to install malicious code.

Microsoft plans to add a feature to Office Excel that will make it harder for cyberattackers to exploit the spreadsheet application's "add-ins" function to run malicious code on a victim's computer.

And while it's a welcome development, Microsoft's countermeasure is just the latest go-around in the cat-and-mouse game going on between major software makers and cyberattackers, researchers say.

**Microsoft Takes Aim at XLLs **

In an update to its Microsoft 365 road map last week, the company stated that it is currently "implementing measures to block XLL \[add-in files\] coming from the internet," with a goal to have the feature in general availability sometime in March. 

Excel add-in files are designated with the XLL file extension. They provide a way to use third-party tools and functions in Microsoft Excel that aren't natively part of the software; they're similar to dynamic link libraries (DLLs) but with specific features for Excel spreadsheets. For cyberattackers, they offer a way to read and write data within spreadsheets, add custom functions, and interact with Excel objects across platforms, Vanja Svajcer, a researcher with Cisco's Talos group, said in a December analysis.

And indeed, attackers started experimenting with XLLs in 2017, with more widespread usage coming after the technique became part of common malware frameworks, such as Dridex. The add-in functionality has become increasingly popular with attackers since then; in fact, according to an Arctic Wolf report from early 2022, the use of XLL files increased nearly 600% in 2021.

One of the reasons for that is because Microsoft Office does not block the feature but raises a dialogue box instead, a common approach that Microsoft has taken in the past, Svajcer wrote: "Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning."

That could be an issue even after blocking is in place, Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading.

"Unfortunately, it's unclear at this point whether it's just going to be a warning that users can easily click through, a more proactive 'off by default' setting, or whether they are going to disable it entirely for XLL files downloaded from the Internet," he notes.

**Staying Ahead of the Cyberattackers?**

For more than two decades, cybersecurity firms have sought to strip out potential avenues for malicious scripts in common files types — such as Office formats or PDF files — but attackers have always adapted. 

For instance, Visual Basic for Applications (VBA) and Excel 4.0 macros both became so popular over the past five years for malware delivery that Microsoft blocked Office macros by default in the summer of 2022, disallowing macros from running when they have been assigned a Mark of the Web (MotW) tag, which indicates that the document came from the Internet.

Following that decision, threat actors began incorporating Shell Link (LNK) files as payloads for a number of malware families, with their use peaking in October with a spike in usage by the operators behind Qakbot, according to an analysis this week by researchers in Cisco's Talos intelligence group.

And LNK files aren't the only file type that's becoming a more popular way to hide malicious code in the wake of blocking macros. In the third quarter of 2022, for example, zip archives and HTML files became the most common file types for malware delivery, with 44% of malware files hidden in archives, according to the third quarter "HP Wolf Security Threat Insights Report." 

Even if these alternative approaches are not as efficient or powerful, attackers will have to adopt them to continue to successfully compromise victim's systems, because companies are hardening their products against more common attack techniques, Dave Storie, an adversarial collaboration engineer at cybersecurity-services firm Lares Consulting, said in a statement sent to Dark Reading.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," he said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Microsoft to Block Excel Add-ins to Stop Office Exploits

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

IoT vendors are making slow progress in making it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy.

The figure, based on the latest annual report from the IoT Security Foundation (IoTSF), compares to the 9.7% of IoT (Internet of Things) vendors that were reported to have a disclosure policy in the 2018 edition of the same study.

BACKGROUND IoT Security Foundation launches vulnerability disclosure platform for smart device vendors

Vulnerability management ought to be a cornerstone of connected product security, widely recommended in 30 cybersecurity guidance initiatives including the IoTSF’s IoT Security Assurance Framework.

Straightforward reporting of security issues is essential for security lifecycle maintenance, and vendors risk falling foul of newly enacted UK regulations if they ignore best practice mandates.

The UK’s Product Security and Telecoms Infrastructure – which became law in early December 2022 – requires that IoT manufacturers, importers, and distributors offer a vulnerability disclosure policy, with suppliers who breach this risking potential sanctions including penalties of up to £20,000 per day in the most severe cases.

Catch up on the latest vulnerability disclosure policy news

The IoTSF’s latest study was based on a review of practice of 332 companies who sell consumer-focused IoT products. The review, carried out by mobile and IoT security consultancy Copper Horse, covered security practices tied to a range of products ranging from tablets and routers to smart home lighting controls and smart speakers.

Vendors from Asia tended to be better at establishing vulnerability disclosure programs, with European suppliers trailing significantly behind (34.7% versus 14.5%, respectively).

Laurie Mercer, senior manager of security engineering at HackerOne, said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle.

“It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice.”

**Increased regulation**

Lawmakers across the world are looking to introduce regulations in order to push IoT vendors into making their products more secure. For example in the US lawmakers have established the IoT Cybersecurity Improvement Act (2020).

The draft European Cyber Resilience Act covers similar ground.

David Rogers, CEO of Copper Horse, told The Daily Swig: “The trend is towards mandating it – which makes you wonder again, why aren’t companies realising this? The writing is on the wall!”

Rogers added: “Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

During the study, researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions.

Other trends uncovered were an increase in the number of vendors that updated their policies and a rise in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

**Best practice**

It’s not all doom and gloom, however, as the report did highlight examples of good practice by some vendors.

Rogers explained: “Some companies and industries are starting to act in a much better way – there are some examples in the car industry such as Volkswagen Group where they have completely transformed their approach, in a positive way.

“I think these companies can set a good example to their peers in showing that you can work with the security research community without all the brinksmanship.”

Vendors would do well to have a safe harbor policy, a legal framework that allows ethical hackers to look for flaws in systems with risking legal threats or potential prosecution. LG, for example, operates a safe harbor policy for its IoT products.

Looking more broadly, the IoTSF report commends 34 vendors that “meet or exceed what will be required by legislation” based on a review of their policies by security researchers from Copper Horse. Firms listed include Bosch, BT, Canon, Huawei, LG, Logitech, Microsoft, Peloton, Samsung, and Wink.

YOU MAY ALSO LIKE WAGO fixes config export flaw threatening data leak from industrial devices

IoT vendors faulted for slow progress in setting up vulnerability disclosure programs

The notorious Russian-speaking cybercriminals grew successful by keeping a low profile. But now they have a target on their backs.

High-profile ransomware attacks have become a fact of life in recent years, and it’s not unusual to hear about major monthly attacks perpetrated by Russia-based gangs and their affiliates. But since late 2019, one group has been steadily making a name for itself on a multi-year rampage that has impacted hundreds of organizations around the world. The LockBit ransomware gang may not be the most wildly unhinged of these criminal groups, but its callous persistence, effectiveness, and professionalism make it sinister in its own way.

One of the most prolific ransomware groups ever, the LockBit collective has attempted to maintain a low profile in spite of its volume of attacks. But as it has grown, the group has gotten more aggressive and perhaps careless. Earlier this month, the LockBit malware was notably used in an attack on the United Kingdom’s Royal Mail that hobbled operations. After other recent visible attacks, like one on a Canadian children’s hospital, all eyes are now on LockBit.   

“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”

Keep It Professional

For the Royal Mail, LockBit was a chaos agent. On January 11, the UK postal service’s international shipping ground to a halt after being hit with a cyberattack. For more than a week, the company has told customers not to send new international parcels—adding further disorganization after workers went on strike over pay and conditions. The attack was later linked to LockBit.

Just before Christmas, a LockBit member attacked the SickKids hospital in Canada, impacting its internal systems and phone lines, causing delays to medical images and lab tests. The group quickly backtracked after the attack, providing a free decryptor and saying it had blocked the member responsible. In October, LockBit also demanded an unusually high $60 million payment from a UK car dealership chain. 

Adding to its infamy, LockBit is also one of the most prolific and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems. Security firm Dragos estimated in October that in the second and third quarters of 2022, the LockBit malware was used in 33 percent of ransomware attacks on industrial organizations and 35 percent of those against infrastructure.

In November, the US Department of Justice reported that LockBit’s ransomware has been used against at least 1,000 victims worldwide, including in the United States. “LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims,” the Justice Department wrote. The FBI first began investigating the group in early 2020. In February 2022, the agency released an alert warning that LockBit “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense.”

LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.

Typically, when ransomware-as-a-service groups successfully attack a business and get paid, they’ll share a cut of the profits with the affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate model is flipped on its head. Affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The structure seemingly works well and is reliable for LockBit. “The affiliate model was really well ironed out,” Segura says.

Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized. 

“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”

The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms. 

“They've got different ways of paying,” Mackenzie says. “You could pay to have your data deleted, pay to have it released early, pay to extend your deadline,” Mackenzie says, adding that LockBit opened its payment options to anyone. This could, theoretically at least, result in a rival company buying a ransomware victim’s data. “From the victim's perspective, it's extra pressure on them, which is what helps make people pay,” Mackenzie says.

Since LockBit debuted, its creators have spent significant time and effort developing its malware. The group has issued two big updates to the code—LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 affiliates at most. Since the 3.0 release, though, the gang has opened up significantly, making it harder to keep tabs on the number of affiliates involved and also making it more difficult for LockBit to exercise control over the collective.

LockBit frequently expands its malware with new features, but above all, the malware’s characteristic trait is that it's simple and easy to use. At its core, the ransomware has always offered anti-detection capabilities, tools for circumventing Microsoft Windows defenses, and features for privilege escalation within a compromised device. LockBit uses publicly available hacking tools when it can, but it also develops custom capabilities. The 2022 FBI report noted that the group sometimes uses previously unknown or zero day vulnerabilities in its attacks. And the group has the capability to target many different types of systems.

“It's not just Windows. They'll attack Linux, they'll go after your virtual host machines,” Mackenzie says. “They offer a solid payment system. There's a lot of backend infrastructure that comes with this. It's just a well-made product, unfortunately.” In October, it was reported that LockBit’s malware was deployed after a zero day was used to hack Microsoft Exchange servers—a relatively rare occurrence when it comes to ransomware gangs.

“Theer are additional features that make the ransomware more dangerous—for example, having worm components to it,” Segura adds. “They've also discussed things like doing denial-of-service attacks against victims, in addition to the extortion.”  

With the release of LockBit 3.0, the group also signaled its intention to evolve. It introduced the first ransomware bug bounty scheme, promising to pay legitimate security researchers or criminals who could identify flaws in its website or encryption software. LockBit said it would pay anyone $1 million if they could name who is behind LockBitSupp, the public persona of the group.

The core members at the top of LockBit seem to include its leader and one or two other trusted partners. Analyst1’s DiMaggio, who has tracked the actors for years, notes that the group claims to be based in the Netherlands. Its leader has said at various times that he personally operates out of China or even the United States, where he has said he is a part owner of two restaurants in New York City. LockBit members all seem to be Russian-speaking, though, and DiMaggio says that while he cannot be certain, he believes the group is based in Russia.

“The leader doesn’t seem to have any concern about being arrested. He thinks he’s a supervillain, and he plays the part well,” DiMaggio says. “But I do believe he has a healthy concern that if the Russian government were to get their hooks in him, he would have to make the decision to turn over most of his money to them or do work for them like helping them with the Ukraine war.”

Beware the Spotlight

Despite LockBit’s relative professionalism, the group has, at times, slipped into showboating and bizarre behavior. During desperate efforts to get attention—and attract affiliates—in its early months, the criminal group held an essay-writing competition and paid prizes to the winners. And in September 2022, the group memorably posted a message on a cybercrime forum claiming it would pay anyone $1,000 if they got the LockBit logo tattooed on themselves. Around 20 people shared photos and videos with their feet, wrists, arms, and chests all branded with the cybercrime gang’s logo.

LockBit’s meteoric rise and recent attacks against high-profile targets could ultimately be its downfall, though. Notorious ransomware groups have been infiltrated, exposed, and disrupted in recent years. Before Russia’s full-scale invasion of Ukraine in February 2022, the Russian Federal Security Service (FSB) arrested high-profile REvil hackers, although the group has since returned. Meanwhile, the US military hacking unit Cyber Command has admitted to disrupting some ransomware groups. And a Ukrainian cybersecurity researcher contributed to the downfall of the Conti ransomware brand last year after infiltrating the group and publishing more than 60,000 of the group’s internal chat messages.

These deterrent actions appear to be having some impact on the overall ransomware ecosystem. While it is difficult to determine real totals of how much money ransomware actors take in, researchers who track cybercriminal groups and those who specialize in cryptocurrency tracing have noticed that ransomware gangs seem to be taking in less money as government enforcement actions impede their operations and more victims refuse to pay. 

The screws are already turning on LockBit. An apparently disgruntled LockBit developer leaked its 3.0 code in September, and Japanese law enforcement has claimed it can decrypt the ransomware. US law enforcement is closely watching the group as well, and its recent attacks can only have raised its profile. In November 2022, the FBI revealed that an alleged LockBit affiliate, Mikhail Vasiliev, 33, had been arrested in Canada and would be extradited to the US. At the time, deputy attorney general Lisa O. Monaco said officials had been investigating LockBit for more than two and a half years.

“I think LockBit is going to have a rough year this year and potentially see their numbers go down,” Analyst1’s DiMaggio says. “They are under a lot of scrutiny now, and they also may have lost their main developer, so they could have development issues that bite them in the ass. It’ll be interesting to see. These guys don’t care about anyone or anything.”

LockBit has seemingly been so dangerous and prolific because it maintained standards for the types of targets its affiliates could hit and avoided attracting too much attention while casting a wide net. But times have changed, and shutting down the UK’s international mail exports for more than a week isn’t exactly keeping a low profile.

“They do have a bit of a PR problem when it comes to their affiliates at this point, because they obviously can't seem to handle them very well,” Malwarebytes’ Segura says. “The bragging, hitting some pretty critical infrastructure, and high-visibility targets is a very dangerous game they're playing. LockBit has a big target on its back right now.”

The Unrelenting Menace of the LockBit Ransomware Gang

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.
Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via

Cyber Threat / Cyber Crime

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.

Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails.

Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014.

The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.

Two latest additions to Emotet's module arsenal comprise an SMB spreader that's designed to facilitate lateral movement using a list of hard-coded usernames and passwords, and a credit card stealer that targets the Chrome web browser.

Recent campaigns involving the botnet have leveraged generic lures with weaponized attachments to initiate the attack chain. But with macros becoming an obsolete method of payload distribution and initial infection, the attacks have latched on to other methods to sneak Emotet past malware detection tools.

"With the newest wave of Emotet spam emails, the attached .XLS files have a new method for tricking users into allowing macros to download the dropper," BlackBerry disclosed in a report published last week. "In addition to this, new Emotet variants have now moved from 32bit to 64bit, as another method for evading detection."

The method involves instructing victims to move the decoy Microsoft Excel files to the default Office Templates folder in Windows, a location trusted by the operating system to execute malicious macros embedded within the documents to deliver Emotet.

The development points to Emotet's steady attempts to retool itself and propagate other malware, such as Bumblebee and IcedID.

"With its steady evolution over the last eight-plus years, Emotet has continued to become more sophisticated in terms of evasion tactics; has added additional modules in an effort to further propagate itself, and is now spreading malware via phishing campaigns," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Emotet Malware Makes a Comeback with New Evasion Techniques

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21796.

CVE-2023-21795

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.

CVE-2023-21719

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-21796

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21795.

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

Tag

#microsoft