A new unpatched Microsoft Word exploit has surfaced. Hackers were found using the Necurs botnet to deliver Locky ransomware and the TrickBot banking trojan using the newly discovered DDE attack technique, according to a post from Brad on SANS.
The researcher, Brad, shared his findings. The first step was looking at the emails in a controlled lab environment:
Next, we see what happens after a victim downloads the attachment:
The Grande Finale
For more technical information on the unpatched Microsoft exploit, make sure you read Brad’s post!
Looking at the bright side, this ransomware is not asking for nudes.
How to protect the organization
- Disable “update automatic links at open”
Open Word → Select File → Options → Advanced and scroll down to General and then uncheck “Update Automatic links at Open.”
- Provide security awareness training to your employees. No one should be clicking on suspicious links or downloading files from unknown sources.
- Use “Software Restriction Policies” or “AppLocker” to restrict what software can do on your network.
- Keep your operating system and other software updated.
- Regularly back up your data in case of a ransomware outbreak.
- Use Privilege Access Management software.
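
Alongside these settings, incoming Word attachments can be screened for DDE fields before they reach a user. The following is an added example, not code from Brad's post or from this page: a Python triage check that unpacks a .docx and reports any `DDE`/`DDEAUTO` field, including ones whose keyword is split across several runs. The function names and the sample documents are constructed for illustration, and the handling of nested fields is simplified.

```python
import io
import re
import zipfile

# Field instructions sit in <w:instrText> runs (which can be split across
# several runs to defeat plain string matching) or in <w:fldSimple w:instr=...>.
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"', re.S)
FIELD_BEGIN = re.compile(r'<w:fldChar[^>]*w:fldCharType="begin"')
DDE_FIELD = re.compile(r"^\s*DDE(AUTO)?\b", re.I)


def field_instructions(xml):
    """Yield each field's instruction text, re-joining split runs."""
    for m in FLD_SIMPLE.finditer(xml):
        yield m.group(1)
    # Complex fields: join the instrText that follows each "begin" marker.
    for chunk in FIELD_BEGIN.split(xml)[1:]:
        yield "".join(INSTR_TEXT.findall(chunk))


def scan_docx(data):
    """Return [(part, instruction)] for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for instr in field_instructions(xml):
                if DDE_FIELD.match(instr):
                    hits.append((name, instr.strip()))
    return hits


def make_sample(body):
    """Build a minimal constructed .docx-style zip in memory (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:body>%s</w:body>" % body)
    return buf.getvalue()


# Constructed samples with inert placeholder arguments.
BEGIN = '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
END = '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
SPLIT_DDE = (BEGIN + '<w:r><w:instrText> DDE</w:instrText></w:r><w:r><w:instrText>'
             'AUTO "placeholder-app" "placeholder-topic" </w:instrText></w:r>' + END)
BENIGN = BEGIN + "<w:r><w:instrText> PAGE </w:instrText></w:r>" + END
```

A non-empty result from `scan_docx` is a reason to quarantine the attachment for review; ordinary fields such as `PAGE` are not reported.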
How does Privilege Access Management (PAM) software work?
For ransomware and other harmful applications to run, they need administrator-level privileges on the victim’s computer.
PAM solutions give administrator privileges to applications instead of users, thus eliminating the risk of ransomware and malware spreading due to a user clicking the wrong link.