Simple Windows Hardening
<blockquote data-quote="Andy Ful" data-source="post: 973470" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">THREAT INSIGHTS REPORT Q4 - 2021 (HP WOLF SECURITY)</span></strong></p><p><span style="font-size: 15px"><a href="https://threatresearch.ext.hp.com/wp-content/uploads/2022/01/HP-Wolf-Security-Threat-Insights-Report-Q4-2021.pdf">https://threatresearch.ext.hp.com/wp-content/uploads/2022/01/HP-Wolf-Security-Threat-Insights-Report-Q4-2021.pdf</a></span></p><p>It is an interesting read to see how modern attacks can impact the SWH settings.</p><p>In most cases, such attacks can also be neutralized by ConfigureDefender HIGH settings + WMI ASR rule, when Microsoft Defender is the main Antivirus.</p>
<p><strong>* Surge in attackers using Excel add-ins (.XLL) to infect systems.</strong></p><ul> <li data-xf-list-type="ul">Some attacks via XLL add-ins could bypass SWH versions prior to 1.1.1.1. Now, such attacks are blocked by SRP settings in SWH.</li> </ul>
<p><strong>* Aggah targets South Korean organizations with malicious PowerPoint add-ins (.PPA)</strong></p><ul> <li data-xf-list-type="ul">This attack uses VBA macros, so it would be prevented by SWH defaults.</li> </ul>
<p><strong>* TA505’s links to MirrorBlast</strong></p><ul> <li data-xf-list-type="ul">These attacks were performed via Windows Script Host, HTML pages containing malicious JavaScript, or MS Office documents with malicious macros.</li> <li data-xf-list-type="ul">Some of these attacks could bypass SWH versions prior to 1.1.1.1. Now, such attacks are blocked by SRP settings in SWH or the DocumentsAntiExploit tool included in SWH.</li> </ul>
<p><strong>* QakBot gives attackers access to infected systems to deliver ransomware</strong></p><p><strong> Ongoing courier spam delivers Ursnif malware to Italian-speaking organizations</strong></p><p><strong> The return of Emotet and its reversal of roles</strong></p><ul> <li data-xf-list-type="ul">Some of these attacks could bypass SWH versions prior to 1.1.1.1. Now, such attacks are blocked by SRP settings in SWH or the DocumentsAntiExploit tool included in SWH.</li> </ul>
<p><strong>* Fake Discord website serves RedLine malware posing as installer</strong></p><ul> <li data-xf-list-type="ul">The initial infection vector used Windows Script Host, so it would be prevented by SWH defaults.</li> </ul>
<p><strong><span style="color: rgb(0, 168, 133)">Conclusion</span></strong></p><p>The presented attack vectors via MS Office can be dangerous for casual users.</p><p>Generally, it is better to avoid using MS Office (desktop versions) for viewing documents.</p><p>Word mobile, Excel mobile, and PowerPoint mobile (free versions) have the best compatibility with MS Office formats. Also "PDF Reader by Xodo" is highly compatible and secure - it converts Office documents into PDF files on the fly. The mobile Office applications and the Xodo application run in AppContainer. Furthermore, all these applications are from the Microsoft Store, so the strong Exploit Protection mitigation (Code Integrity Guard) can be used.</p><p>Anyway, such attacks are not especially dangerous for cautious users because MS Office applications block macros and add-ins by default, with a clear notification that enabling these features is not safe. (y)</p>
<p><strong><span style="color: rgb(0, 168, 133)">Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.</span></strong></p></blockquote><p></p>
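The post credits three layers with stopping these vectors: Windows Script Host being disabled (the SWH default that covers the RedLine, MirrorBlast and Emotet chains), Office's default macro blocking, and the Defender "WMI ASR rule" applied with ConfigureDefender HIGH. The read-only PowerShell audit below is an added example, not code from the post or from the SWH/ConfigureDefender tools, that reports the state of each layer on the current machine. It assumes an Office 16.0 registry tree (Office 2016/2019/365), current-user settings only, and that the "WMI ASR rule" is Defender's "Block persistence through WMI event subscription" rule (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b).

```powershell
# Added example (not from the post or the SWH project): read-only audit of the
# mitigation layers discussed above. Assumes Office 16.0 keys and current-user scope.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [string]$State, [string]$Note)
    $findings.Add([pscustomobject]@{ Control = $Control; State = $State; Note = $Note })
}

# 1. Windows Script Host. Enabled = 0 under either key disables wscript.exe/cscript.exe,
#    which is the vector the post names for RedLine, MirrorBlast and Emotet.
$wshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)
$wshEnabled = $true
foreach ($k in $wshKeys) {
    $v = (Get-ItemProperty -Path $k -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($v -eq 0) { $wshEnabled = $false }
}
Add-Finding 'Windows Script Host' $(if ($wshEnabled) { 'ENABLED' } else { 'disabled' }) `
    'Enabled=0 (REG_DWORD) blocks .js/.vbs/.wsf execution through WSH'

# 2. Office VBA macro policy per application. VBAWarnings: 1 = run all, 2 = disable with
#    notification (Office default), 3 = signed only, 4 = disable all without notification.
#    Policy hive wins over the user hive when both are set.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $user   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $vba = (Get-ItemProperty -Path $policy -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $vba) {
        $vba = (Get-ItemProperty -Path $user -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    }
    if ($null -eq $vba) { $vba = 2 }   # Office default when the value is absent
    $motw = (Get-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet `
             -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $state = switch ($vba) {
        1 { 'RUN ALL' } 2 { 'notify' } 3 { 'signed only' } 4 { 'blocked' } default { "unknown ($vba)" }
    }
    $motwState = if ($motw -eq 1) { 'on' } else { 'off' }
    Add-Finding "$app macros" $state "VBAWarnings=$vba; block macros in files from the internet=$motwState"
}

# 3. Defender ASR rule "Block persistence through WMI event subscription".
#    Action codes reported by Get-MpPreference: 0 = off, 1 = block, 2 = audit, 6 = warn.
$wmiRule  = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
$asrState = 'not configured'
try {
    $pref = Get-MpPreference -ErrorAction Stop
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $wmiRule) {
            $asrState = switch ($acts[$i]) {
                0 { 'off' } 1 { 'block' } 2 { 'audit' } 6 { 'warn' } default { "action $($acts[$i])" }
            }
        }
    }
} catch {
    $asrState = 'Defender cmdlets unavailable'
}
Add-Finding 'ASR: WMI event subscription' $asrState 'Expect "block" with ConfigureDefender HIGH + WMI rule'

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM key and Get-MpPreference are readable; a row showing Windows Script Host ENABLED, any Office app at "RUN ALL", or the WMI rule at anything but "block" marks a layer the post relies on that is not in place on that machine. The script only reads registry values and Defender preferences and changes nothing.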