Dynamic Data Exploit

Just in case you might not be an avid reader of Microsoft security advisories, we thought we might bring this little gem to your attention.

In light of some recent naughty activity, Microsoft released an advisory this week to alert the faithful to ‘information regarding security settings for Microsoft Office applications’. Somewhat unsurprisingly the reasons for posting this advisory are not mentioned but read on and make your own mind up.

The recommendations are around the settings for controlling the behaviour of your Windows machine when opening files that contain Dynamic Data Exchange instructions, which when used legitimately allow one application to populate data from another – you know like Word documents being auto-populated from Excel spreadsheets and so forth.

The issue is that with default settings, attachments sent by email can be crafted to exploit DDE and perform all manner of mayhem on a target machine and although some user prompts to allow the activity are given, they are different from the age-old ‘allow macros’ messages which we have been warning users about since the dark ages of, err, Windows.

It seems that the DDE vector may be about to become a regular route in. We recommend that you have a very good read of the Microsoft advisory and implement the suggested controls where you can because Microsoft didn’t just decide to write this. Something has forced its hand and if customers start being taken down, you know that the ‘didn’t you read and action the advisory?’ defence will be in play.

Long suffering, regular readers of this blog will have heard us talk about the exploit tool Mimikatz. Mimikatz is a massively powerful resource for hackers both casual and ever so serious alike. Amongst its brilliant, sorry worrying, features is the ability to recover encrypted passwords from the memory of a Windows machine (are you getting the hint yet chaps?) and decrypt it using the keys also held in memory. Hopefully you are thinking what we are thinking at this point.

Even though Microsoft has tightened this up and made it more difficult, Mimikatz still has great utility, especially when combined with some of the NSA tools leaked by The Shadow Brokers (mwahahaha). In fact the recent NotPetya and BadRabbit outbreaks both incorporated the Katz for lateral infection.

With Microsoft’s advisory about DDE abuse, we can only assume a new wave of phishing and spear phishing activity, which combined with the NSA toolkits and our feline friend present a real and present danger, as they say in Hollywood.

Wired magazine ran an excellent piece on the history of Mimikatz and how it came to be in the hands of Russian intelligence (the guy who wrote it went to a conference in Moscow and they took it from him, old skool style, not so clever anymore).  Thanks to our very own RZ Wood for sharing this.

In summary it looks like every avenue to jump your Windows boxes is being investigated and exploited. Be on your best behaviour and in the words of Hill Street Blues Sergeant Phil Esterhaus, “let’s be careful out there”. If careful isn’t your thing, you could always consider using technology from another, more fruity vendor.

If you would like to talk about Pass The Hash, Golden Tickets or other features of Mimikatz or would like to discuss what to do about DDE, please contact us at: [email protected] or call 0207 517 3900.