The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Microsoft office

A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage

A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage

June 16, 2022Ravie Lakshmanan
A "dangerous piece of functionality" has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to mount attacks on cloud infrastructure and ransom files stored on SharePoint and OneDrive. The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker," Proofpoint  said  in a report published today. The infection sequence can be carried out using a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm added. The attack, at its core, hinges on a Microsoft 365 feature called AutoSave that creates copies of older file versions as and when users make edits to a file stored on OneDrive or SharePoint Online. It commences with gaining unauthorized access to a target user's SharePoint Online
State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

June 05, 2022Ravie Lakshmanan
A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as  CVE-2022-30190  (CVSS score: 7.8). No less than 1,000 phishing messages containing a lure document were sent to the targets. "This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253," the company  said  in a series of tweets. The payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named "seller-notification[.]live." "This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine re
Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

May 31, 2022Ravie Lakshmanan
An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new  zero-day flaw  in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint  said  in a tweet. "Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app." TA413  is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as  Exile RAT  and  Sepulcher  as well as a rogue Firefox browser extension dubbed  FriarFox . The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code. Specific
Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

May 30, 2022Ravie Lakshmanan
Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems. The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (" 05-2022-0438.doc ") that was uploaded to VirusTotal from an IP address in Belarus. "It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," the researchers  noted  in a series of tweets last week. According to security researcher Kevin Beaumont, who dubbed the flaw "Follina," the maldoc leverages Word's  remote template  feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload. The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in t
Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

April 12, 2022Ravie Lakshmanan
Microsoft's Patch Tuesday updates for the month of April have addressed a  total of 128 security vulnerabilities  spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others. 10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release. The updates are in addition to  26 other flaws  resolved by Microsoft in its Chromium-based Edge browser since the start of the month. The actively exploited flaw ( CVE-2022-24521 , CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine. The second publicly-known zero-day flaw ( CVE-2022-26904 , CVSS score: 7.0)
Microsoft Disables Internet Macros in Office Apps by Default to Block Malware Attacks

Microsoft Disables Internet Macros in Office Apps by Default to Block Malware Attacks

February 07, 2022Ravie Lakshmanan
Microsoft on Monday said it's taking steps to disable Visual Basic for Applications (VBA) macros by default across its products, including Word, Excel, PowerPoint, Access, and Visio, for documents downloaded from the web in an attempt to eliminate an entire class of attack vector. "Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Kellie Eickmeyer  said  in a post announcing the move. While the company does warn users about permitting macros in Office files, unsuspecting victims — e.g., recipients of phishing emails — can still be lured into enabling the feature, effectively granting the attackers the ability to gain an initial foothold into the system. As part of the new change, when a user opens an attachment or downloads from the internet an untrusted Office file containing macros, the app displays a
Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware

Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware

November 25, 2021Ravie Lakshmanan
A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines. "[T]he stealer is a PowerShell script, short with powerful collection capabilities — in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment," SafeBreach Labs researcher Tomer Bar  said  in a report published Wednesday. Nearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at "Iranians who live abroad and might be seen as a threat to Iran's Islamic regime." The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution fl
New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

September 07, 2021Ravie Lakshmanan
Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents. "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company  said . "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users who
Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

July 28, 2021Ravie Lakshmanan
An Iranian cyberespionage group masqueraded as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware as part of a years-long social engineering and targeted malware campaign. Enterprise security firm Proofpoint attributed the covert operation to a state-aligned threat actor it tracks as TA456, and by the wider cybersecurity community under the monikers Tortoiseshell and Imperial Kitten. "Using the social media persona 'Marcella Flores,' TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor," Proofpoint  said  in a report shared with The Hacker News. "In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain." Earlier this month, Facebook  revealed  it took steps to dismantle a &quo
Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files

Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files

July 08, 2021Ravie Lakshmanan
While it's a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings prior to executing macro code to infect victims' computers. In yet another instance of malware authors continue to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro." ZLoader infections propagated using this mechanism have been primarily reported in the U.S., Canada, Spain, Japan, and Malaysia, the cybersecurity firm noted. The malware — a descendant of the infamous ZeuS banking trojan — is well known for aggressively using macro-enabled Office documents as an initial attack vector to steal credentials and personall
YIKES! Hackers flood the web with 100,000 pages offering malicious PDFs

YIKES! Hackers flood the web with 100,000 pages offering malicious PDFs

April 15, 2021Ravie Lakshmanan
Cybercriminals are resorting to search engine poisoning techniques to lure business professionals into visiting seemingly legitimate Google sites that install a Remote Access Trojan (RAT) capable of carrying out a wide range of attacks. The attack works by leveraging searches for business forms such as invoices, templates, questionnaires, and receipts as a stepping stone toward infiltrating the systems. Users attempting to download the alleged document templates are  redirected , without their knowledge, to a malicious website that hosts the malware. "Once the RAT is on the victim's computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim's network," researchers from eSentire  said  in a write-up published on Tuesday. The cybersecurity firm said it discovered over 100,000 unique web pages that co
Researchers Unmask Hackers Behind APOMacroSploit Malware Builder

Researchers Unmask Hackers Behind APOMacroSploit Malware Builder

February 17, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed a new kind of Office malware distributed as part of a malicious email campaign that targeted more than 80 customers worldwide in an attempt to control victim machines and steal information remotely. The tool — dubbed " APOMacroSploit " — is a macro exploit generator that allows the user to create an Excel document capable of bypassing antivirus software, Windows Antimalware Scan Interface (AMSI), and even Gmail and other email-based phishing detection. APOMacroSploit is believed to be the work of two French-based threat actors "Apocaliptique" and "Nitrix," who are estimated to have made at least $5000 in less than two months selling the product on HackForums.net. About 40 hackers in total are said to be behind the operation, utilizing 100 different email senders in a slew of attacks targeting users in more than 30 different countries. The attacks were spotted for the first time at the end of November 2020, acco
Windows GravityRAT Malware Now Also Targets macOS and Android Devices

Windows GravityRAT Malware Now Also Targets macOS and Android Devices

October 20, 2020Ravie Lakshmanan
A Windows-based remote access Trojan believed to be designed by Pakistani hacker groups to infiltrate computers and steal users' data has resurfaced after a two-year span with retooled capabilities to target Android and macOS devices. According to cybersecurity firm Kaspersky, the malware — dubbed " GravityRAT " — now masquerades as legitimate Android and macOS apps to capture device data, contact lists, e-mail addresses, and call and text logs and transmit them to an attacker-controlled server. First documented by the Indian Computer Emergency Response Team (CERT-In) in August 2017 and subsequently by  Cisco Talos  in April 2018, GravityRAT has been known to target Indian entities and organizations via malware-laced Microsoft Office Word documents at least since 2015. Noting that the threat actor developed at least four different versions of the espionage tool, Cisco said, "the developer was clever enough to keep this infrastructure safe, and not have it blackl
Just Opening A Document in LibreOffice Can Hack Your Computer (Unpatched)

Just Opening A Document in LibreOffice Can Hack Your Computer (Unpatched)

July 26, 2019Swati Khandelwal
Are you using LibreOffice? You should be extra careful about what document files you open using the LibreOffice software over the next few days. That's because LibreOffice contains a severe unpatched code execution vulnerability that could sneak malware into your system as soon as you open a maliciously-crafted document file. LibreOffice is one of the most popular and open source alternatives to Microsoft Office suite and is available for Windows, Linux and macOS systems. Earlier this month, LibreOffice released the latest version 6.2.5 of its software that addresses two severe vulnerabilities (CVE-2019-9848 and CVE-2019-9849), but the patch for the former has now been bypassed, security researcher Alex Inführ claims . Though Inführ has not yet disclosed details of the technique that allowed him to bypass the patch, the impact of this vulnerability remains the same, as explained below. 1.) CVE-2019-9848 : This vulnerability, which still exists in the latest version,
Severe RCE Flaw Disclosed in Popular LibreOffice and OpenOffice Software

Severe RCE Flaw Disclosed in Popular LibreOffice and OpenOffice Software

February 05, 2019Swati Khandelwal
It's 2019, and just opening an innocent looking office document file on your system can still allow hackers to compromise your computer. No, I'm not talking about yet another vulnerability in Microsoft Office, but in two other most popular alternatives— LibreOffice and Apache OpenOffice —free, open source office software used by millions of Windows, MacOS and Linux users. Security researcher Alex Inführ has discovered a severe remote code execution (RCE) vulnerability in these two open source office suites that could be triggered just by opening a maliciously-crafted ODT (OpenDocument Text) file. The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific python library bundled within the software using a hidden onmouseover event. To exploit this vulnerability, Inführ created  an ODT file with a white-colored hyperlink (so it can't be seen) that has an "onmouseover" event to trick victim
GandCrab ransomware and Ursnif virus spreading via MS Word macros

GandCrab ransomware and Ursnif virus spreading via MS Word macros

January 25, 2019Swati Khandelwal
Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros and then uses Powershell to deliver fileless malware. Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors. Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and insists victims to pay a ransom
Hackers Using Zero-Width Spaces to Bypass MS Office 365 Protection

Hackers Using Zero-Width Spaces to Bypass MS Office 365 Protection

January 10, 2019Swati Khandelwal
Security researchers have been warning about a simple technique that cybercriminals and email scammers are already being using in the wild to bypass security features of Microsoft Office 365, including Safe Links, which are originally designed to protect users from malware and phishing attacks. Safe Links has been included by Microsoft in Office 365 as part of its ATP (Advanced Threat Protection) solution that works by replacing all URLs in an incoming email with Microsoft-owned secure URLs. Therefore, every time users click on a link provided in an email, Safe Links first sends them to a Microsoft owned domain, where it immediately checks the original link for anything suspicious. If Microsoft's security scanners detect any malicious element, it then warns the users about it, and if not, it redirects them to the original link. However, researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365's URL reputation check a
New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

December 06, 2018Swati Khandelwal
Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that hackers are actively exploiting in the wild as part of a targeted campaign appears to be attacking a Russian state health care institution. The vulnerability, tracked as CVE-2018-15982 , is a use-after-free flaw resides in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system. The newly discovered Flash Player zero-day exploit was spotted last week by researchers inside malicious Microsoft Office documents, which were submitted to online multi-engine malware scanning service VirusTotal from a Ukrainian IP address. The maliciously crafted Microsoft Office documents contain an embedded Flash Active X control in its header that renders when the targeted user opens it, causing exploitation of the reported Flash player vulnerability. According to cybersecurity researchers, neit
Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

October 30, 2018Mohit Kumar
Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware onto their computers. Discovered by researchers at Cymulate, the bug abuses the ' Online Video ' option in Word documents, a feature that allows users to embedded an online video with a link to YouTube, as shown. When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer. Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability. How Does the New MS Word Attack Works? Since the Word Doc files (.docx) are actually zip packages of its media and configuration files, it can easily be opened and edited. Acco
Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

October 09, 2018Swati Khandelwal
Microsoft has just released its latest monthly Patch Tuesday updates for October 2018, fixing a total of 49 security vulnerabilities in its products. This month's security updates address security vulnerabilities in Microsoft Windows, Edge Browser, Internet Explorer, MS Office, MS Office Services and Web Apps, ChakraCore, SQL Server Management Studio, and Exchange Server. Out of 49 flaws patched this month, 12 are rated as critical, 35 are rated as important, one moderate, and one is low in severity. Three of these vulnerabilities patched by the tech giant are listed as "publicly known" at the time of release, and one flaw is reported as being actively exploited in the wild. Windows Update Patches An Important Flaw Under Active Attack According to the Microsoft advisory , an undisclosed group of attackers is actively exploiting an important elevation of privilege vulnerability (CVE-2018-8453) in Microsoft Windows operating system to take full control over the targete
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.