Macro malware epidemic returns

The return of a decade-old attack vector, the malicious macro, requires a granular, policy-based approach to managing email at the gateway, says Greg Sim.

Greg Sim, Glasswall Solutions

There are some innocuous things that just slowly disappear, like dial-up internet connections, fax machines and phone books, but there are other, far more dangerous things which keep reappearing even when you hope they've gone for good. In our world of Information Security, where we place so much emphasis and investment on detecting and preventing new risks to the business, the latest threat to make just such an unwelcome return is macro malware.

Having been monitoring the slow re-emergence of macro malware since the beginning of this year, we have witnessed a growing spike in daily attacks from multiple sources using macros, particularly embedded in Word and Excel documents.  The attacks are all well-crafted and researched – and are highly credible, targeted attacks aimed at specific individual email accounts or departments.  Sales order forms, travel confirmations, invoices for software licences, marketing event costs, recruitment fees, stationery bills and SEO services are just a few of the specific examples that we have seen.

And it is not just those with criminal intent that have resurrected the technique – state-sponsored attackers are also dusting off vintage approaches from their toolkits. The 2014 cyber espionage operation named Rocket Kitten, which sounded cute but was anything but, targeted government and educational institutions in both Western Europe and Israel with email spear-phishing attacks carrying malicious macros embedded in Excel files. When opened, the macros installed a sophisticated back door into these organisations' systems and data.

I was talking to a concerned CISO the other day, who told me that many of his users – despite their security awareness training – click on attachments without even reading the email. His concern is not misplaced, as was highlighted in the research carried out by Intel Security and announced last month.

Intel Security invited readers of CBS News around the world to test their ability to spot emails designed to steal personal information. Of the more than 19,000 participants that took the test, only 3 percent correctly identified all the phishing emails they were shown. Approximately 80 percent were tricked by at least one email, highlighting that a significant number of phishing emails are missed even when we are on the alert. The advice that users should make more effort to recognise phishing emails is both unhelpful and unrealistic, which is why taking control at the gateway through granular policy management is essential.

Organisations should not operate on the basis that a breach is inevitable, and the focus should not be on reducing the time that malware is resident. We have known for a long time that email attachments are all too easy a backdoor into corporate systems and that, by anti-virus vendors' own admission, current signature-based security doesn't protect from even the most basic of targeted attacks. That is why we do what we do: look for known good and create granular policy that secures the border whilst supporting business continuity.

Businesses need to employ proactive use of 'allow known good' policies, enforced with the right technology, to render these attacks benign and finally stop attackers using a decade-old approach to such potentially devastating effect.
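To make the 'allow known good' idea concrete for the Word and Excel attachments described above, here is an added illustration of a gateway policy check. It is example code written for this page, not Glasswall's product or any vendor's implementation. It relies on one fact about the Office Open XML format: a macro-bearing .docx/.xlsx/.docm/.xlsm package is a zip archive that stores its VBA code in a part named vbaProject.bin. The allowed-extension list, the policy rules and the sample attachments are all constructed for the example; the gateway only passes a short list of file types and, for OOXML types, only when the package is well formed and carries no VBA part, so a macro document renamed to .docx is still refused.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Fixed by the OOXML format: Word/Excel/PowerPoint store VBA code in a part
# ending in "vbaProject.bin" (e.g. word/vbaProject.bin, xl/vbaProject.bin).
MACRO_PART_SUFFIX = "vbaProject.bin"

# Constructed policy for this example: the only attachment types the gateway
# treats as "known good". Macro-enabled types (.docm, .xlsm) and legacy binary
# formats (.doc, .xls) are deliberately absent, so they are blocked by default.
ALLOWED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}
OOXML_EXTENSIONS = {".docx", ".xlsx"}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML package contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def apply_gateway_policy(filename: str, data: bytes) -> Verdict:
    """Allow-known-good check: pass only listed types that contain no macros."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension {ext or '(none)'} is not on the known-good list")
    if ext in OOXML_EXTENSIONS:
        # Verify the content really is an OOXML package, not just the name.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return Verdict(False, "declared OOXML but is not a valid package")
        if has_vba_project(data):
            return Verdict(False, "OOXML package embeds a VBA project (macro content)")
    return Verdict(True, "known-good type with no macro content")


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal constructed OOXML-style zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real documents).
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_DOCX = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00constructed-vba-project",
})

if __name__ == "__main__":
    samples = [
        ("invoice.docx", CLEAN_DOCX),   # clean, allowed
        ("invoice.docx", MACRO_DOCX),   # macro document renamed to .docx, blocked
        ("order.docm", MACRO_DOCX),     # macro-enabled extension, blocked
        ("fake.docx", b"not a zip"),    # malformed package, blocked
        ("note.exe", b"MZ"),            # not on the known-good list, blocked
    ]
    for name, blob in samples:
        v = apply_gateway_policy(name, blob)
        print(f"{name}: {'ALLOW' if v.allowed else 'BLOCK'} - {v.reason}")
```

The design point is that the decision never starts from "does this look malicious?"; it starts from a short list of what is permitted and refuses everything else, which is why the renamed macro document and the malformed package both fail without any signature being involved.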

Contributed by Greg Sim, CEO, Glasswall Solutions