A Microsoft logo is displayed at a Mobile World Congress in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Microsoft on Friday said it would start blocking XLL add-ins from the internet to combat the growing number of malware attacks seen in recent months. Bad actors have been exploiting Excel-based XLL add-ins to deliver malware payloads via phishing lures.

The abuse of Microsoft add-ins by adversaries is not a new concept; it is a technique that threat actors have used for years to execute malicious code, explained Dave Storie, adversarial collaboration engineer at LARES Consulting. Storie said the Microsoft Office Suite has become an attractive mechanism for adversaries to carry out attacks because of its ubiquity in corporate environments and on personal machines, which allows threat actors to get a lot of mileage out of their malware.
“The recent rise in the spread of malicious Microsoft add-ins is likely due to the recent hardening of macros implemented by Microsoft in the Office Suite last year,” said Storie. “When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues. This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives.”

Mike Parkin, senior technical engineer at Vulcan Cyber, added that threat actors will always find creative ways to abuse otherwise useful tools. In this case, Parkin said the level of abuse has reached the point where Microsoft has included additional functionality to try to prevent attackers from abusing the XLL feature.

“This is welcome, but also points out how often malicious actors are abusing features of the Office Suite,” said Parkin. “Unfortunately, it’s unclear at this point whether it’s just going to be a warning that users can easily click through, a more proactive ‘off-by-default’ setting, or whether they are going to disable it entirely for XLL files downloaded from the internet.”