Security breach in Microsoft Office – Hornetsecurity filters harmful documents


A short while ago, security researchers discovered the vulnerability CVE-2017-11882 in the Microsoft Office suite. Microsoft reacted quickly and closed it with a security update. Since the exploit has been published, however, attackers are aware of the vulnerability and target systems that have not been patched yet.

All Office versions besides Office 365 are affected. The vulnerable component is Microsoft's Equation Editor, the former version of the formula editor. The exploit uses a buffer overflow that allows an attacker to execute malicious code on the user's system, which in turn makes it possible to download malware from the Internet and install it.

Breach existed for 17 years

The Equation Editor was compiled in 2000 and has never been updated since. It therefore does not meet current security standards and allows the buffer overflow the exploit relies on. Even though this formula editor was replaced in Office 2007, it is still part of the package to ensure backward compatibility with older documents, where the 17-year-old piece of software is needed to display and edit mathematical formulae.

The only interaction needed for the exploit to run is for a user to open the infected document; after that, the malicious code executes automatically. Only Protected View, the so-called sandbox of the Office programs, prevents its execution.

Hornetsecurity detects exploit in documents

Since the vulnerability was published, attackers have increasingly been distributing infected Office documents that use the exploit. Hornetsecurity has adapted its filters so that such documents are detected before they reach the mailbox. Nevertheless, we advise you to install the security update as soon as possible.
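Because the vulnerable component is the legacy Equation Editor, a mail gateway or incident responder can triage incoming Office documents by checking whether they embed an Equation Editor object at all: a document that does not reference that component cannot reach the vulnerable code. The following script is an added example written for this page, not Hornetsecurity's filter or any vendor code. It looks for three indicators of an embedded Equation Editor object (the well-known Equation Editor 3.0 CLSID, the "Equation Native" OLE stream name and the "Equation.3" ProgID), scans both legacy binary documents and OOXML zip containers, and runs against small constructed samples rather than real malware. A hit means the document deserves review or sandboxing, not that it is confirmed malicious: legitimate old documents with formulas carry the same object.

```python
import io
import uuid
import zipfile

# CLSID of the legacy Equation Editor 3.0 COM server (a real, well-known
# identifier; it is not quoted on the page). OLE compound files store GUIDs in
# packed little-endian form, which uuid exposes as .bytes_le.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# Byte patterns whose presence means the document carries an Equation Editor
# object. Stream names inside OLE compound files are stored as UTF-16-LE.
INDICATORS = {
    "equation-editor-clsid": EQUATION_EDITOR_CLSID.bytes_le,
    "equation-native-stream": "Equation Native".encode("utf-16-le"),
    "equation-progid": b"Equation.3",
}


def scan_blob(data: bytes) -> set[str]:
    """Return the names of all indicators found in a raw byte blob."""
    return {name for name, pattern in INDICATORS.items() if pattern in data}


def scan_document(data: bytes) -> set[str]:
    """Scan an Office document given as bytes.

    Legacy binary formats (.doc, .xls, RTF with embedded OLE) are scanned as one
    blob. OOXML files (.docx, .xlsx, ...) are zip containers in which an embedded
    OLE object lives under a member such as word/embeddings/oleObject1.bin, so
    every zip member is scanned as well.
    """
    hits = scan_blob(data)
    if data[:2] == b"PK":  # zip magic, i.e. an OOXML container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    hits |= scan_blob(archive.read(member))
        except zipfile.BadZipFile:
            pass  # not a valid zip after all; the raw scan above still counts
    return hits


def build_sample_docx(payload: bytes) -> bytes:
    """Constructed test input: a minimal zip laid out like an OOXML document."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/embeddings/oleObject1.bin", payload)
    return buffer.getvalue()


# Constructed samples, not real malware: an OOXML file embedding an object
# tagged with the Equation Editor CLSID, a legacy-style blob that names the
# "Equation Native" stream, and a harmless document.
SAMPLE_DOCX = build_sample_docx(b"\x00" * 16 + EQUATION_EDITOR_CLSID.bytes_le)
SAMPLE_LEGACY = b"\xd0\xcf\x11\xe0" + b"\x00" * 8 + "Equation Native".encode("utf-16-le")
SAMPLE_CLEAN = build_sample_docx(b"plain embedded object, nothing of interest")


def triage(samples: dict[str, bytes]) -> dict[str, set[str]]:
    """Scan every sample and report which ones reference the Equation Editor."""
    return {name: scan_document(data) for name, data in samples.items()}


if __name__ == "__main__":
    results = triage({"docx": SAMPLE_DOCX, "legacy": SAMPLE_LEGACY, "clean": SAMPLE_CLEAN})
    for name, hits in results.items():
        verdict = "REVIEW (Equation Editor object present)" if hits else "no indicator"
        print(f"{name}: {verdict} {sorted(hits)}")
```

In a gateway this check is a cheap pre-filter: documents without any indicator skip the expensive path, documents with one are routed to a sandbox or held for review, and unpatched clients are the ones that must never receive them unfiltered.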
Attack of the encryption trojan Bad Rabbit


Some time has passed since the last big wave of ransomware attacks was detected. Now a new type has appeared and is causing considerable damage. The trojan was especially successful in Eastern Europe and Russia, where it infected several companies, but Germany has seen these attacks too. The malware is called Bad Rabbit, after the site in the darknet where victims are supposed to pay the ransom. It encrypts local data and demands 0.05 Bitcoin for the decryption key; at current exchange rates this amounts to 293 USD or 255 Euro.

Down the Rabbit-Hole

The crypto-trojan spreads mainly through compromised news sites. Using so-called watering hole attacks, the cyber criminals can target specific user groups and companies. If a user visits an infected website, an automated drive-by download is initiated and a forged Adobe Flash update is downloaded. As soon as this file is executed, Bad Rabbit enters the system, and all data is encrypted after a forced reboot of the computer.
[Image: Bad Rabbit trojan, payment page in the TOR network]

Like WannaCry and Petya before it, Bad Rabbit can spread within a network. However, instead of using the EternalBlue exploit against version 1.0 of the SMB protocol, the malware infects other computers through Windows Management Instrumentation (WMI). To prevent Bad Rabbit from spreading locally, it is advisable to deactivate WMI if it is not in use.

Hornetsecurity recognizes the malware and protects with URL rewriting

The URL rewriting feature of Hornetsecurity Advanced Threat Protection recognizes Bad Rabbit on compromised websites and blocks it. Using Hornetsecurity ATP, you can continue clicking on news links in your emails without fear of catching the malware.

Our recommendations

Nevertheless, we recommend creating backups on a regular basis and neither downloading nor executing unknown files. Adobe Flash updates in particular should only be downloaded from the software producer itself. In case of an infection, do not pay the ransom, because it is unclear whether you will receive the keys necessary to recover your files.
Ransomware attacks and its consequences: How Cryptotrojans endanger the existence of companies


It should be well known by now that ransomware attacks can have extremely unpleasant consequences for affected companies. Yet few people know that trojans have already threatened the existence of some enterprises or even driven them into bankruptcy. This article highlights possible worst-case scenarios of a ransomware attack by an encryption virus.

It must be the ultimate nightmare for every enterprise: an employee's computer is infected with an encryption virus. It then does not take long before the encryption trojan has spread throughout the whole company network.

A similar case occurred at the world's biggest container shipping company, A. P. Møller Maersk. As the Danish group communicated on Twitter, it suffered a massive global breakdown of its IT systems.

According to the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik), the malware was the Cryptotrojan Petya. A. P. Møller Maersk reacted immediately with a partial shutdown of entire systems. This became necessary because those responsible feared that the attack would affect the navigation systems of the container ships and endanger their safety. Although the exact economic damage still needs to be evaluated, the multi-day system outage will most likely have caused very high costs.

Ransomware attacks: which costs arise from an infection with a Cryptotrojan?

Experts estimate that the average downtime caused by a Cryptotrojan attack lasts between 9 and 16 hours (see "Second Annual State of Ransomware Report"). For big enterprises like A. P. Møller Maersk, such outage times can quickly add up to several million Euros of damage, but smaller companies can also suffer immensely from the consequences. All in all, several cost factors play a role in restoring the operational systems and removing the Cryptotrojan.

First of all, there is the loss of data, which arises if the affected company did not carry out regular backups in the past or made no backups at all. The editors of the study "Cost of Data Breach" estimated an average amount of 325 Euros for each data record lost through a ransomware attack. With thousands of lost records, one can easily imagine the possible cost of such a large data loss.

In addition, there are costs for analyzing the extent of the attack. Above all, it has to be examined which units and data were encrypted by which type of Cryptotrojan. Companies often consult teams of IT experts for an extensive investigation that may last several days. The costs for this external service can easily reach five-digit amounts.

Additional costs may arise, e.g. for lawyers and courts, public relations work and data recovery. Penalties may have to be paid to regulatory authorities, as well as hours of overtime for employees. Experts have determined an approximate benchmark for hospitals that have been targeted by a Cryptotrojan: within the first week of the attack alone, the estimated damage can amount to between 630,000 Euros and 1.3 million. Of course, the exact damage sum depends on the hospital's size and the availability of backups.

One-fifth of all enterprises declare insolvency after a Cryptotrojan attack

A ransomware attack can have a variety of effects on the companies concerned. Although most firms follow the experts' advice not to pay the ransom demanded by the attackers, there will be a number of negative consequences, whatever decision is made.

According to an article on the IT platform "Gulli", 20 percent of the companies targeted by a Cryptotrojan had to stop all operations temporarily. A further 15 % suffered a considerable loss of sales, and 25 % of the companies were unable to identify the point of entry, so the malware could easily spread across the whole network.

Only correct prevention can avoid trouble

Once a Cryptotrojan has entered the company's network, restoring the contaminated systems is both expensive and laborious. The negative effects of a ransomware attack can only be avoided by adequate preventive measures. That's why Hornetsecurity Advanced Threat Protection provides a whole bundle of security mechanisms to protect against targeted attacks as well as malware.
Do away with antivirus software!


Valid argument or indispensable shield? There are effective alternatives for protecting yourself.

Installing antivirus programs on your PC does not offer protection; on the contrary, they open up superfluous vulnerabilities in the protective shield! This is what Robert O'Callahan argues. As a former developer of the Firefox web browser, he has called upon users to uninstall their AV software. Justin Schuh, a developer of the competitor browser Chrome, concurs: AV programs lack important and appropriate mechanisms such as sandboxing. Rather, some of them have significant quality problems, particularly with respect to their own security. The high-level system rights that most AV programs are granted enable attackers to exploit these vulnerabilities and cause direct damage on end devices.


Virus software fails to identify viruses

To make matters worse, there is a problem that various previous studies have already shown: the mechanisms used to identify viruses are not as effective as they were a few years ago. Back in 2014, Lastline Labs tested the quality of various AV programs. One of the sobering results: only 61% of all programs identified new viruses within two weeks of their emergence. At the same time, updates must be installed much faster, because the duration of virus attacks is becoming shorter all the time; many attacks last just a few minutes or hours. What's more, today's malware is often polymorphic, transforming in manifold ways during an attack. Both create major problems for signature-based scanners.

So what's to be done? Robert O'Callahan recommends that Windows users trust the already very reliable Defender module that is part of Windows 10. This makes sense, particularly considering that Defender is an integral part of the operating system. While this doesn't improve recognition, it at least avoids opening new security gaps. Additionally, it cannot be stressed enough that users should keep all programs up to date and always install the latest security patches.

Nevertheless, the question remains whether protection on local devices is still useful at all, or whether protecting computers and networks should take place somewhere else entirely. It obviously makes sense to examine more closely how malicious software finds its way onto a computer in the first place.

Spam filter + web filter > antivirus protection

The two main gateways for malware are email and web traffic. Attacks via other routes, such as infected external disks or active attacks by hackers, occur much less often. File attachments with malicious code or links to hidden downloads, however, are frequently found in emails. Preventing these from ever landing in a recipient's inbox in the first place is an effective way to protect against unwanted intruders. Cloud solutions in particular offer a protective wall located far upstream of one's own IT infrastructure. In addition, by bundling the data traffic of very large numbers of users, undesired data can be noticed quickly, so all users benefit quickly from the results of the analysis. Professional cloud providers also offer additional security mechanisms, such as sandboxing or the rewriting of links found in emails, to increase the level of protection offered by filter systems. Web filter systems, on the other hand, check whether users are surfing on websites containing malware and block the opening of the destination page if needed, thereby closing this attack route.

Of course, none of these measures offers 100% protection either, but they greatly increase the likelihood of stopping data theft, extortion attempts and impostor schemes.
Emailing from the cloud – the smart alternative for SMBs


Digitization turns our working world and existing IT structures upside down. Products turn into services; fixed service packages turn into tailored solutions that can be customized in a modular manner to suit the changing requirements and IT budgets of companies. The cloud makes this possible.

Small and medium-sized enterprises (SMBs) in particular have had difficulty keeping up with the rapid IT developments of recent years. The result: aging infrastructure and applications that are no longer on the cutting edge. This in turn has led to slower business processes, and media discontinuities between systems have often hampered the continuous flow of processes.

In addition to classic office or business applications, this also affected and continues to affect email traffic. Outdated solutions are still in use, not least because many companies lack the necessary expertise: people use what they are familiar with and tend to shy away from innovations. Cloud solutions in particular can be a way out of this dilemma for many SMBs. Professional cloud providers enable these companies to benefit from modern infrastructure and sufficient IT know-how to make use of modern solutions.

Hornetsecurity provides its customers with secure and convenient email traffic through Hosted Exchange. Companies that do not have a professional IT department benefit particularly from such a service, which provides a professional email landscape at attractive prices. Operating the solution is a breeze, as only some basic information is required to set it up. For the customer, this means "out of the box" emailing, i.e. getting started quickly and easily without a long installation process. The provider also takes care of maintaining the solution, so users no longer have to worry about updates, as hardware and software are always state of the art.

Security is Hornetsecurity's core competence. Spam and virus protection is thus a self-evident component of Hosted Exchange. The service also includes encrypted data traffic via TLS and the ability to recover deleted messages if necessary.

Individual service variants

Customer focus and service quality are key features of Hosted Exchange, which is offered in two versions. The service is generally aimed at users who either don't want to or can't operate their own email server. Hosted Exchange allows such companies the flexible use of a professional email infrastructure. The service offer includes 25 gigabytes of storage capacity and Microsoft Exchange, which Hornetsecurity uses as the platform for the service.

Hosted Exchange Enterprise Plus is based on the basic version of the service and extends it with additional options. This variant enables you to store your entire email traffic for three months. This is a particularly important criterion for critical business processes, as accidentally deleted messages can be recovered without any problems. Hosted Exchange Enterprise Plus also provides encryption mechanisms that allow emails to be signed and encrypted using the latest technologies.

With solutions such as Hornetsecurity Hosted Exchange, SMBs in particular should see the digital transformation as an opportunity rather than a risk. Digital processes and services from the cloud increase flexibility, provide transparency and reduce IT costs, thus making SMBs fit for global competition.
Executable file interceptor – the Content Filter


A central promise of our Managed Spam Filter Services is to protect our customers from malicious mails. The automatic detection of spam and malicious software in particular has rapidly gained importance in recent months: Locky, Tesla, Petya and co. send their regards! The Content Filter is an additional, customizable layer of protection. Customers can use it to independently control the handling of attachments contained in incoming and outgoing emails. The maximum file size for attachments can be set, although the Content Filter's ability to detect certain file extensions is far more important: administrators can define specific file extensions, thereby preventing the delivery of any email with a matching attachment.

[Image: the Content Filter can be quickly activated and customized in the control panel]

Specifically, this means: if an IT manager wants to prevent their email users from receiving attachments with the .exe extension, they need only enable the Content Filter (if not already activated) and enter .exe into the open field. As a special service and for ease of use, we have set up several group extensions that provide improved protection in the default settings: .executable, .mediafile, .xlsmacro and .docmacro. If, for example, ".executable" is specified, the Content Filter automatically blocks 58 extensions of executable files. This group extension is continuously maintained and kept up to date in order to always ensure the highest possible protection. The extension .mediafile, for example, filters out files with the extensions .wav, .mp3, .mid, .mpg and several others. The two other collective terms are specifically designed to hold back macros in Excel and Word files, which often carry links to ransomware. Incidentally, the Content Filter can be configured for the entire domain as well as for specific groups within a domain.

If not already enabled, we therefore urgently advise all customers and partners of Hornetsecurity to activate the Content Filter free of charge and add the file extension ".executable" to their list of blocked files. They can ramp up their protection another notch by doing so. The screenshot shows how this is done.

Note: This blog post was first published in April 2015 and has now been updated and adapted to the new ransomware threats.
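The policy logic behind such an attachment filter is simple enough to show in full. The script below is an added example written for this page and is not Hornetsecurity's Content Filter implementation; it models the behaviour described above (single extensions, group extensions such as ".executable" that expand to many concrete extensions, and an optional size limit) and runs it over a constructed list of attachments. The group contents are an illustrative subset chosen here, not the vendor's maintained list of 58 executable extensions. Two details matter in practice and are handled explicitly: matching is case-insensitive, and the decisive extension is the final one, so a double-extension lure like "invoice.pdf.exe" is caught by the ".exe" rule.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

# Constructed group definitions, loosely modelled on the group extensions the
# post describes. The real ".executable" group is vendor-maintained and much
# larger; this subset is for illustration only.
EXTENSION_GROUPS = {
    ".executable": {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"},
    ".mediafile": {".wav", ".mp3", ".mid", ".mpg"},
    ".xlsmacro": {".xlsm", ".xltm"},
    ".docmacro": {".docm", ".dotm"},
}


def final_extension(filename: str) -> str:
    """Normalised final extension ('.exe') or '' if the name has none.

    Trailing whitespace and dots are stripped first, because Windows ignores
    them when deciding how to open a file.
    """
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1]


@dataclass
class ContentFilterPolicy:
    blocked: Set[str] = field(default_factory=set)  # expanded, lower-case extensions
    max_attachment_bytes: Optional[int] = None

    @classmethod
    def from_rules(cls, rules: Iterable[str], max_attachment_bytes: Optional[int] = None):
        """Build a policy from admin-entered rules such as '.exe' or '.executable'."""
        policy = cls(max_attachment_bytes=max_attachment_bytes)
        for rule in rules:
            rule = rule.strip().lower()
            if not rule.startswith("."):
                rule = "." + rule
            # A group name expands to all its members; anything else is literal.
            policy.blocked |= EXTENSION_GROUPS.get(rule, {rule})
        return policy

    def reasons(self, filename: str, size: int) -> List[str]:
        """All reasons an attachment violates the policy (empty list = allowed)."""
        reasons = []
        ext = final_extension(filename)
        if ext and ext in self.blocked:
            reasons.append(f"blocked extension {ext}")
        if self.max_attachment_bytes is not None and size > self.max_attachment_bytes:
            reasons.append(f"size {size} exceeds limit {self.max_attachment_bytes}")
        return reasons


def evaluate(policy: ContentFilterPolicy, attachments: Iterable[Tuple[str, int]]):
    """Map each (filename, size) attachment to its list of violations."""
    return {name: policy.reasons(name, size) for name, size in attachments}


def message_is_blocked(policy: ContentFilterPolicy, attachments: Iterable[Tuple[str, int]]) -> bool:
    """A single offending attachment blocks delivery of the whole message."""
    return any(evaluate(policy, attachments).values())


# Constructed sample mail: the attachment names and sizes are made up.
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", 120_000),
    ("invoice.pdf.exe", 480_000),   # double extension, final one decides
    ("Setup.EXE", 2_300_000),       # upper case
    ("budget.xlsm", 60_000),        # Excel macro container
    ("voicemail.wav", 900_000),     # media file, allowed by this policy
    ("notes.txt", 1_200),
    ("archive.zip", 30_000_000),    # over the size limit
]

# The policy the post recommends (".executable") plus the two macro groups and
# a 25 MB size cap; the cap value is a constructed example, not a product default.
DEFAULT_POLICY = ContentFilterPolicy.from_rules(
    [".executable", ".docmacro", "xlsmacro"], max_attachment_bytes=25_000_000
)

if __name__ == "__main__":
    for name, why in evaluate(DEFAULT_POLICY, SAMPLE_ATTACHMENTS).items():
        print(f"{name:<22} {'BLOCK ' + '; '.join(why) if why else 'allow'}")
    print("message blocked:", message_is_blocked(DEFAULT_POLICY, SAMPLE_ATTACHMENTS))
```

Extension filtering is a coarse control, which is exactly why the group extensions exist: an admin who only blocks ".exe" leaves ".scr", ".js" and the other executable types open, whereas ".executable" covers the whole maintained list in one rule. Note that archives such as .zip pass this check unless the content inside them is inspected, which is a job for the sandbox and virus filters rather than the extension rule.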