By Omri Gabai, VP Security Products at ReasonLabs
Our slightly older readers might fondly remember the show MacGyver (from 1985, not the 2016 version): Angus MacGyver (yes, his first name is Angus!) finds himself in a difficult situation, takes a bunch of innocent-looking day-to-day items, turns them into a sophisticated tool that can defuse a bomb (or other threat) and saves the day.
Aside from having what I personally think was one of the best theme songs ever, my main takeaway from this show was how impressively someone can combine technical know-how with creativity and quick thinking, and create something awesome out of it.
Now let’s imagine an alternative: an evil, cyber criminal version of MacGyver in the present day; let’s call him … CyberGyver. CyberGyver, being the evil genius that he is (perhaps with a cool metal version of the show’s theme song), lives in 2023 and wants to make some quick money through cyber extortion.
Depiction of CyberGyver according to OpenAI’s DALL-E
According to ReasonLabs’ recent consumer cybersecurity trends report, he knows that
“newly promoted government legislation around companies engaging in ransomware demands is increasingly forcing attackers to deploy ransomware on home users instead of large corporations”
In other words, governments are increasingly restricting companies from paying ransomware demands, so criminals are redirecting their focus to vulnerable home users. If CyberGyver wants to go after home users rather than large corporations, because they are a much easier and still profitable target, what is the most effective technique at his disposal?
Weaponized Office Documents
Next, he turns his attention to creating a quick yet effective attack vector that can be applied to users at scale, using accessible ‘day-to-day’ cyber methods. Again, referencing ReasonLabs’ report, we can see that well-targeted email messages carrying weaponized Office documents are unfortunately very popular and on the rise.
Every day, large volumes of files are sent as phishing documents to lure unsuspecting users into running malicious code, which may result in ransomware, infostealers, crypto miners, and many other types of cyber threats.
To fully understand how a cyber criminal can utilize a commonplace tool to generate cyber attacks, let’s delve a little further into what exactly we mean by ‘weaponization of Office Documents’. What is it, and how is it even possible?
Let’s start with Office macros. Macros are scripts written in Visual Basic for Applications (VBA) that are embedded in Office documents. Using macros, users can automate repetitive tasks within their documents and improve productivity.
However, attackers realized the nefarious potential of embedded macros long ago, and distributing Office documents with malicious scripts inside them has become a popular attack vector because it is an effective way to lure users into a trap. A macro runs with the privileges of the user who opened the document, so it can do essentially anything that user can: download further malware and execute it, harvest data from the machine, and send that data back to the attacker. Since 2022, Office blocks VBA macros by default in documents that carry the Mark of the Web (downloaded from the internet or saved from an email attachment), so these lures now depend on persuading the victim to click ‘Enable Content’ or to unblock the file first.
Over the years, ReasonLabs has witnessed an increase in the use of macros in Office documents, as well as in a number of other technologies that achieve the same effect as macros through different techniques: embedded, linked and remote OLE objects, Excel 4.0 (XLM) macros, remote templates, and VSTO (Visual Studio Tools for Office) add-ins.
Microsoft Office Zero-Day Exploits
Let’s move on to ‘zero-day exploits’: attacks that gain access to a system through a vulnerability that is not yet known to the vendor (the Microsoft Office team, in our case), so no patch exists when it is first used.
Zero-day bugs can be found in all types of software, including Microsoft Office. A recent example is Follina (CVE-2022-30190), a flaw in the Microsoft Support Diagnostic Tool (MSDT) that could be triggered from a specially crafted Word document. The China-aligned hacking group TA413 used it in malicious Word documents purporting to come from a Tibetan government agency. According to Microsoft’s own security response blog about Follina, an attacker who succeeds can run code with the privileges of the calling application and then install programs, view, change or delete data, or create new accounts within the user’s rights. That’s a lot of power for a potential attacker.
This vulnerability has since been fixed in Microsoft’s June 2022 security updates. But there are always users who don’t bother updating their applications and systems. I would estimate that if you check your system at this very moment, you will find at least two pending updates, e.g. an OS update, a browser update, or updates for other applications you are running. If that is the case, and your copy of MS Office is also behind on patches, CyberGyver can target you and use those known vulnerabilities to get a stronger grip on your computer and operating system.
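The techniques above (VBA projects, Excel 4.0 macro sheets, embedded OLE objects, remote templates and external OLE object relationships, the last being the mechanism Follina documents used to load their remote HTML) all leave fingerprints inside the document package itself, because a modern Office file is a ZIP archive of XML parts. The following scanner is an added example written for this article, not a ReasonLabs tool and not code from the original post: it opens an OOXML package, lists the parts that ship executable content, and flags every relationship Office would resolve outside the file. The part paths and relationship types come from the OOXML specification; the indicator names, the allow-list of link schemes, and the `example.invalid` hosts in the two constructed sample documents are this example’s own assumptions. It does not parse legacy binary `.doc`/`.xls` files and does not decode the VBA itself (tools such as oletools’ `olevba` do that); it is the quick triage step you would run before opening an unexpected attachment.

```python
"""Static triage of an OOXML (.docx/.docm/.xlsm/...) package for the weaponization
indicators discussed above: VBA projects, Excel 4.0 macro sheets, embedded OLE
objects, and relationships that make Office fetch content from outside the file."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and part paths are from the OOXML/OPC specification.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
XLM_PREFIX = "xl/macrosheets/"                      # Excel 4.0 (XLM) macro sheets
EMBED_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Hyperlinks to ordinary web/mail targets are normal; any other External target
# deserves a look. This allow-list is the example's own choice (assumption).
BENIGN_LINK_SCHEMES = {"http", "https", "mailto"}


def scan_ooxml(data: bytes) -> list:
    """Return [(indicator, detail), ...] for one document given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_ooxml", "not a ZIP container (legacy .doc/.xls or other format)")]
    names = zf.namelist()

    # 1. Parts whose mere presence means executable content ships with the file.
    for name in names:
        if name in VBA_PARTS:
            findings.append(("vba_project", name))
        elif name.startswith(XLM_PREFIX):
            findings.append(("xlm_macrosheet", name))
        elif name.startswith(EMBED_PREFIXES):
            findings.append(("embedded_object", name))

    # 2. Relationships with TargetMode="External": Office resolves these when the
    #    document is opened, which is how remote templates and remote OLE objects
    #    pull a payload that is not inside the file you scanned.
    for name in names:
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            findings.append(("malformed_rels", name))
            continue
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode", "Internal").lower() != "external":
                continue
            target = rel.get("Target", "")
            rel_type = rel.get("Type", "").replace(OFFICE_REL, "")
            scheme = target.split(":", 1)[0].lower() if ":" in target else ""
            if rel_type == "attachedTemplate":
                findings.append(("remote_template", target))
            elif rel_type == "oleObject":
                findings.append(("external_ole_object", target))
            elif rel_type == "hyperlink" and scheme in BENIGN_LINK_SCHEMES:
                continue
            else:
                findings.append(("unusual_external_target", f"{rel_type}: {target}"))
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into a triage decision (thresholds are this example's own)."""
    high = {"vba_project", "xlm_macrosheet", "remote_template",
            "external_ole_object", "unusual_external_target"}
    return "REVIEW" if any(kind in high for kind, _ in findings) else "CLEAN"


def _rels(*relationships) -> str:
    """Render a minimal *.rels part from (Id, Type suffix, Target, TargetMode) tuples."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{OFFICE_REL}{rtype}" '
        f'Target="{target}" TargetMode="{mode}"/>'
        for rid, rtype, target, mode in relationships
    )
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">{body}</Relationships>')


def build_sample_docm() -> bytes:
    """Constructed sample resembling a weaponized .docm: VBA project, a remote
    template and an external OLE object. Placeholder hosts only; no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 32)
        zf.writestr("word/_rels/settings.xml.rels", _rels(
            ("rId1", "attachedTemplate", "http://example.invalid/t.dotm", "External")))
        zf.writestr("word/_rels/document.xml.rels", _rels(
            ("rId2", "oleObject", "http://example.invalid/o.html", "External"),
            ("rId3", "hyperlink", "https://example.invalid/", "External")))
    return buf.getvalue()


def build_sample_docx() -> bytes:
    """Constructed benign sample: no macros, only an ordinary web hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", _rels(
            ("rId1", "hyperlink", "https://example.invalid/", "External")))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample.docm", build_sample_docm()),
                        ("sample.docx", build_sample_docx())):
        found = scan_ooxml(blob)
        print(label, verdict(found), found)
```

To run it against a real attachment, pass `open(path, "rb").read()` to `scan_ooxml`. A document that triggers `REVIEW` is not proven malicious (plenty of corporate templates live on a file server), but a macro or external object in a file you were not expecting from a sender you do not know is exactly the lure this article describes, and the safe answer is to not enable anything and to verify out of band.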
This should be taken as a kind reminder for you to check and update your system ASAP!
Another method that has recently been growing in popularity is Crimeware-as-a-Service or Cybercrime-as-a-Service (CaaS). This refers to the provision of cyber products and services to other criminals to facilitate large-scale attacks.
These products and services are sometimes referred to as Malware-as-a-Service and are typically focused on delivering ransomware, malware, phishing threats, and more. Many are extremely easy to use and are currently being deployed against home users worldwide. Their often simple designs and easy-to-use nature have greatly reduced the barrier to entry for beginner or less experienced threat actors who want to target consumers.
This is bad news for us as users, but excellent news for CyberGyver, who now has access to easy-to-use malware that he can quickly and effectively embed in his attack vector.
Combining These Items
In the same way as our hero MacGyver used his knowledge of science, engineering, and household items to create tools and devices that helped him overcome any obstacle, our evil CyberGyver can use his technical cybersecurity knowledge for criminal masterminding. By creatively combining Office Macros, CaaS, and other known exploits of Microsoft Office, CyberGyver has the means to create an efficient digital weapon to attack home users like yourself and your loved ones.
How Can You Protect Yourself?
There are a few ways to make sure you’re safe from such attacks so that even cunning CyberGyver won’t pose a threat to you:
- Take advantage of available resources to educate yourself. For example, you can use this Google-powered Phishing Quiz to learn how to detect dangerous-looking emails and documents.
- Make sure your OS, browser and applications are updated with recent patches. You’ll usually see an indicator for it, for example, on Windows you might see an update icon on the system tray (usually the right side of your taskbar).
- Make sure you have adequate Endpoint Protection installed and running on your device. At ReasonLabs, we developed RAV Endpoint Protection which provides you with the same level of cyber protection utilized by Fortune 500 companies. It protects against info-stealers, crypto-miners, ransomware, Trojans, and many other types of cyber threats that bad guys like CyberGyver might target you with.
There are always more layers of security you could apply, but for this particular purpose I think these are the basic essentials for any user, and they should provide you with enough coverage and awareness. I hope this article helps you and your loved ones learn a bit more about the types of threats that are currently out there and how you can protect yourselves.
That’s all folks — I’m going to listen to MacGyver’s theme song on repeat now 🙂
Stay Cyber Safe!
An earlier version of this article first appeared on the ReasonLabs Medium page on February 27, 2023.