Malware and Virus Protection | SecurePC LLC - Computer Repair, Maintenance and Security

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav from Check Point Security has discovered a new twist on an old, fairly well-known attack. He was able to essentially “weaponize” PDFs to steal Windows credentials stored in NTLM hashes. Unfortunately, no action other than simply opening the PDF is required for the hacker to gain access to the information.

Baharav used the same methodology that hackers have used in the past, which amounts to instantiating SMB requests from inside the document. Hackers have already performed these types of attacks from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft outlook. Using a PDF to run the exploit is something new.

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader). Regarding the others, we highly suspect they may be vulnerable as well. We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent, but Adobe did. Unfortunately, their response was not encouraging. They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (reference Microsoft Security Advisory ADV170014).

Microsoft released this advisory to provide instructions on how to disable the NTLM SSO authentication inside the Windows operating system. This is a workable solution, but it has problems.

For starters, it’s not really a patch, but rather the modification of a specific registry key and then the implementation of a network isolation policy. Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines. People who have older systems are simply left vulnerable.

Be on the alert then PDFs can now be used to steal credentials. It appears that every reader is affected and that no help is coming for older systems.

Majority Of Web Apps Found To Have Security Vulnerabilities

How many web apps do you have on your phone? Probably a ton. Here’s something you likely didn’t know. Based on the latest research from Positive Technologies, nearly half of them (48 percent) are vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report:

44 percent of the apps with vulnerabilities place the user’s personal data at risk
70 percent are prone to leak critical information stored on the device
96 percent of them contain flaws that would allow any malicious actor to exploit them to launch an attack on the target device
Of those, one in six (17 percent) has a flaw severe enough that it would allow an attacker to assume complete control over the app, and from there, the device itself

The majority of these flaws (some 65 percent) are the result of simple coding errors, with improper configuration of web servers being the most common of these.

There is one bright spot in the otherwise dismal report, though. The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Ed Keary, the CEO of Edgescan had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline. Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm designs such applications, pay special attention to this report and review your code base at the earliest opportunity. Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees have several at-risk apps on the devices they’re connecting to your network.

New Trick Lets Hackers Bypass Office 365 Email Security

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts. The gimmick? Zero-point fonts.

As anyone with even passing familiarity to Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences. What few people realize is that you can use html code to set your font to zero-point size.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font. Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts. Since they’re not detected, they’re not marked as malicious and sail right through the security filters.

By itself, the zero-point trick is useful, but not inherently deadly. Unfortunately, it can be combined with other tricks like Punycode, Unicode, or Hexidecimal code to insert malicious commands into what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view). Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.

Again, it should be noted that these tricks aren’t new. They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled. Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Watch Out For Rise In Microsoft Office Attacks

Menlo Security has recently published a new report that will probably dismay you if you’re a business owner.

Microsoft Office has been named as the attack vector of choice for hackers around the world. The most common form of the attack is a malicious Word document or other office document attached to an innocent looking email.

There are, of course, plenty of other ways to take advantage of various security weaknesses in MS Office and Office 365. These include the use of remotely hosted malicious components embedded within documents that deliver zero-day exploits when the document is opened.

The reason MS Office is such a wildly popular choice isn’t because it has an unusual number of security loopholes that can be exploited (although it’s certainly got its share). Rather, it has everything to do with the overwhelming popularity of the office suite. Simply put, lots of people use it on a regular basis, and that means the pool of potential victims is enormous.

As the report explains:

“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage applications and operating system vulnerabilities, both old and new.

With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer. By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises…Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits.”

All true, and beyond troubling. If your business uses Microsoft Office or Office 365 (and odds are excellent that it does), continued vigilance is the key.