Tag Archive for: Docs

Malicious Microsoft Office docs drop LokiBot malware


It’s been a busy week for Microsoft. Lost in the crush of news about a Chinese APT attack and exploited zero-days fixed in Patch Tuesday, FortiGuard Labs observed several malicious Microsoft Office documents that, when executed, drop the LokiBot malware onto a victim’s system.

In a blog post July 12, FortiGuard Labs said the malicious Microsoft Office documents exploited known remote code execution vulnerabilities: CVE-2021-40444 (CVSS 7.8) and CVE-2022-30190 (CVSS 7.8). Patches have been available for both bugs for well over a year.

The researchers said LokiBot, also known as Loki PWS, is a well-known information-stealing trojan that has been active since 2015. LokiBot primarily targets Windows systems and aims to harvest sensitive information (credentials and similar data) from infected machines.

LokiBot is delivered through documents that exploit known vulnerabilities or carry Visual Basic for Applications (VBA) macros, and it uses a Visual Basic injector to hide its payload from detection and analysis. That injector lets it slip past some security controls, which is what makes it a significant threat to users.

“Users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites,” the researchers said. “It’s essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping the software and operating systems up-to-date with the latest security patches can help mitigate the risk of exploitation by malware.”

Andrew Barratt, vice president at Coalfire, said these are challenging known vulnerabilities that leverage the classic social engineering methods preying on end users: dropping an alluring attachment in the hope that a misguided or under-protected end user will open it.

Barratt said that fortunately Microsoft has been on top of the problem from a resolution-and-workaround perspective, so it’s imperative that we remind security teams to keep their endpoint protection products current. 

“As with any remote code execution vulnerability, it’s very important to consider them the highest threat,” said Barratt. “Teams that are concerned it may have slipped through should look through the…

Source…

Hackers Exploiting Flaws in Google Docs’ Comments Feature


Application Security, Cloud Security, Cybercrime

Campaign Difficult for Both Email Scanners and Victims to Flag


A new wave of phishing attacks has been identified in which hackers exploit a vulnerability in the comments feature of Google Docs to deliver malicious phishing websites to end-users, reports security firm Avanan.


Starting in December 2021, Avanan, a Check Point company, observed a ‘massive wave’ of hackers leveraging the comment feature in Google Docs and other Google collaboration tools primarily targeting Outlook users.

It hit more than 500 inboxes across 30 tenants, with the attackers using more than 100 different Gmail accounts, Avanan researchers say.

“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” says Jeremy Fuchs, cybersecurity researcher/analyst at Avanan.

Google Docs is an online word processor included as part of the free, web-based Google Docs Editors suite offered…

Source…

Security Researchers Warn Of Massive Malware Campaign Aimed At Google Docs Users


Google Docs pretty much revolutionized online collaboration when it came about. Instead of having to install clunky network software packages, or worse, use awkward remote desktop features, you could simply send your coworker or collaborator a web link and the two of you could work on a document simultaneously in your browsers. Google’s application package certainly wasn’t the first (or last) collaborative-editing software, nor even the first to work this way, but it was by far the most accessible given its price: free!

We’re speaking in the past tense because we’re talking about Google Docs’ early days (it launched publicly in 2006), but it’s not as if the application suite has become less popular. Thousands of businesses and millions of individuals rely on Google Docs. Naturally, that makes it an even more massive, delicious target for bad actors than it already was, and Avanan (a security company under the Check Point umbrella) is warning of exactly such a danger.

The specific exploit in this case is pretty simple, and it makes use of features built into Google Docs intended to speed collaboration. Hackers open a Google document they control and then add a comment mentioning the target with an @. This automatically sends an e-mail to that person’s inbox that comes from Google itself and contains the full text of the comment, including dangerous phishing or malware links. To make matters worse, the commenter’s e-mail address isn’t shown; only the display name is included, which makes this feature perfect for impersonation attacks.
An example of an attack e-mail. Image: Avanan

Avanan says it has seen the attack used primarily against Outlook users, although it could be aimed at any e-mail address that is used to log in to a Google account. The security firm says that the hackers it observed attempting this exploit used over 100 different Gmail accounts to create the malicious comments, likely knowing that each account would be shut down once Google got wind of its misdeeds.
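The reason this works against spam filters is that the notification is a genuine Google message; the only attacker-controlled content is the comment text and its links. A triage rule that a mail-security team can apply is therefore simple: for comment notifications from Google, extract every URL in the comment body and flag any that does not point at a Google host. The script below is an added example, not Avanan’s or Google’s code; it assumes the notification sender is comments-noreply@docs.google.com and that the Google host list is sufficient for the notification template (both assumptions, not stated in the article), and the message it parses is constructed.

```python
"""Triage Google Docs comment-notification e-mails for external links.

Added example (not Avanan's or Google's code). Assumptions not taken from
the article: notifications arrive from comments-noreply@docs.google.com,
and any link in the comment body that is not on a Google-owned host is
treated as suspicious. SAMPLE below is a constructed message.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts that legitimately appear in a Google Docs notification (assumption).
GOOGLE_HOSTS = ("google.com", "googleusercontent.com", "gstatic.com")
# Assumed sender address of the comment notifier (not from the article).
NOTIFIER = "comments-noreply@docs.google.com"

URL_RE = re.compile(r"https?://[^\s<>]+")


def is_google_host(host: str) -> bool:
    """True only for a Google host or a subdomain of one (no 'google.com.evil')."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)


def triage(raw: str) -> dict:
    """Parse one RFC 822 message and report links that leave Google's domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    senders = [a.addr_spec.lower() for a in from_hdr.addresses] if from_hdr else []
    from_notifier = NOTIFIER in senders

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    links = URL_RE.findall(text)
    external = [u for u in links if not is_google_host(urlparse(u).hostname or "")]

    return {
        "from_google_notifier": from_notifier,
        "links": links,
        "external_links": external,
        # A genuine notifier message carrying a non-Google link is the attack shape.
        "suspicious": from_notifier and bool(external),
    }


# Constructed sample: the display name is the attacker's, the sender is Google's.
SAMPLE = """\
From: "Alice (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Alice mentioned you in Q4 budget
Content-Type: text/plain; charset="utf-8"

Alice mentioned you in a comment in the following document
Q4 budget
@victim@example.com please review the updated invoice here:
https://invoice-review.example.net/login
Open https://docs.google.com/document/d/abc123/edit
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The check is deliberately narrow: it does not try to judge the sender (the sender really is Google) but the one thing the attacker controls, the links in the comment. Treating a bare match on "google.com" as trusted would be a mistake, hence the suffix-with-dot comparison in is_google_host.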

Because the e-mail comes directly from Google and directly to a specific user, and because the e-mail doesn’t contain any e-mail addresses, this specific exploit punches right through most spam filters and content…

Source…

LibreOffice, OpenOffice bug allows hackers to spoof signed docs



LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. 

Although the severity of the flaw is classified as moderate, the implications could be dire. The digital signatures used in document macros are meant to help the user verify that the document hasn’t been altered and can be trusted. 

“Allowing anyone to sign macro-ridden documents themselves, and make them appear as trustworthy, is an excellent way to trick users into running malicious code.”

The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum. 

The same flaw impacts LibreOffice, which is a fork of OpenOffice spawned from the main project over a decade ago, and for their project is tracked as CVE-2021-25635. 

Addressing the risk

If you’re using either of the open-source office suites, you’re advised to upgrade to the latest available version immediately. For OpenOffice, that means 4.1.11 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later. 

Since neither of these two applications offers auto-updating, you should update manually by downloading the latest version from the respective download centers – LibreOffice, OpenOffice. 

If you’re using Linux and the aforementioned versions aren’t available in your distribution’s package manager yet, you are advised to download the “deb” or “rpm” package from the download center or build LibreOffice from source. 

If updating to the latest version is not possible for any reason, you can always opt to completely disable macros in your office suite, or avoid trusting any document that contains macros. 

To set macro security on LibreOffice, go to Tools → Options → LibreOffice → Security, and click on ‘Macro Security’. 

LibreOffice settings menu to disable macros

In the new dialog, you may select among four distinct levels of security (Low, Medium, High, Very High), with High or Very High being the recommended options. 
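For a fleet rather than a single desktop, the two checks above (is the installed build at or past the fixed release, and is the macro level at High or Very High) are easier to run as a script than by clicking through the dialog. The example below is added here and is not LibreOffice or OpenOffice project code. It takes the fixed versions from this article (LibreOffice 7.0.5 / 7.1.1, OpenOffice 4.1.11) and assumes that the dialog’s choice is persisted in the user profile’s registrymodifications.xcu under /org.openoffice.Office.Common/Security/Scripting as MacroSecurityLevel with values 0 (Low) to 3 (Very High); that config layout is the author’s assumption, not something the article states, and the XML sample is constructed.

```python
"""Audit an office-suite install for the signed-macro spoofing fix and for
its macro security level.

Added example, not LibreOffice/OpenOffice project code. Fixed versions come
from the article; the registrymodifications.xcu layout (path and
MacroSecurityLevel values 0..3) is an assumption, and SAMPLE_XCU is constructed.
"""
from xml.etree import ElementTree as ET

# First release on each branch that carries the fix (from the article).
FIXED = {
    "libreoffice": [(7, 0, 5), (7, 1, 1)],
    "openoffice": [(4, 1, 11)],
}

OOR_NS = "http://openoffice.org/2001/registry"
SCRIPTING_PATH = "/org.openoffice.Office.Common/Security/Scripting"  # assumed
LEVELS = {0: "Low", 1: "Medium", 2: "High", 3: "Very High"}        # assumed


def parse_version(s: str) -> tuple:
    """'7.1' -> (7, 1, 0); extra components such as '7.1.1.2' are ignored."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_fixed(product: str, version: str) -> bool:
    """True if this version is at/after the fix on its branch, or on a newer branch.
    Older branches that never received the fix (e.g. LibreOffice 6.x) are not fixed."""
    v = parse_version(version)
    branches = FIXED[product]
    same_branch = [f for f in branches if f[:2] == v[:2]]
    if same_branch:
        return v >= same_branch[0]
    return v[:2] > max(f[:2] for f in branches)


def macro_security_level(xcu_text: str):
    """Return the MacroSecurityLevel stored in registrymodifications.xcu,
    or None if the user never changed it from the application default."""
    root = ET.fromstring(xcu_text)
    for item in root.iter("item"):
        if item.get("{%s}path" % OOR_NS) != SCRIPTING_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get("{%s}name" % OOR_NS) == "MacroSecurityLevel":
                value = prop.find("value")
                if value is not None and value.text and value.text.strip().isdigit():
                    return int(value.text)
    return None


def audit(product: str, version: str, xcu_text: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not is_fixed(product, version):
        findings.append(
            "%s %s predates the fix for CVE-2021-25635 / CVE-2021-41832; upgrade"
            % (product, version)
        )
    level = macro_security_level(xcu_text)
    if level is None or level < 2:
        findings.append(
            "macro security level is %s; set High or Very High"
            % LEVELS.get(level, "the application default")
        )
    return findings


# Constructed profile fragment in which the user chose 'Medium'.
SAMPLE_XCU = """<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>1</value></prop></item>
</oor:items>
"""

if __name__ == "__main__":
    for finding in audit("libreoffice", "7.0.4", SAMPLE_XCU):
        print(finding)
```

Note the branch logic in is_fixed: 7.0.4 and 7.1.0 are both vulnerable even though 7.1.0 is numerically newer than 7.0.5, so a plain "greater than or equal to the lowest fixed version" comparison would pass an unpatched 7.1.0.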

If you’re still running an old and vulnerable version, you shouldn’t rely on the “trusted list” functionality as an invalid…

Source…