
How Microsoft Changed Cyberspace With One Decision [CPRadio]

Jul 10, 2023, 16 min

Episode description

Between corporations, governments, and the rest of us, billions are spent every year trying to secure cyberspace. Which makes it almost unbelievable to think that just one, simple policy change from one company -- with almost no cost to anybody, and no effort involved -- could alter the entire course of cyberspace. And yet, that is exactly what happened a year ago today.

Transcript

Produced by PI Media. Hi, I'm Ran Levi. Welcome to CPRadio. According to Statista, the global cybersecurity industry is expected to earn $162 billion in 2023. Five years from now, it's projected at over $250 billion. Large organizations spend thousands upon thousands, even millions of dollars a year trying to protect their systems, and small businesses will scrape together what little they can get for some kind of protection, whether it's basic antivirus or a password manager, phishing protections, firewalls, XDR, you name it. A massive amount of time, energy, money, manpower and other resources we could otherwise spend on other things are by necessity dedicated to fighting cybercriminals every day, which makes it almost unbelievable to think that just one simple policy change from one company, with almost no cost to anybody and no effort involved, could alter the entire course of cyberspace. And yet that is exactly what happened about a year ago today.

The following story is a microcosm of how a single act from Microsoft fundamentally changed how even high-level threat actors must now go about infecting their victims, and the implications that follow when the entire cybercrime ecosystem is forced to shift. At the center of this story is APT37. APT37 is a state-sponsored actor from North Korea, and they typically target their southern neighbors in South Korea. Sam Hendelman is a threat intelligence analyst at Check Point. Recently, he and his colleagues were embedded in research about North Korea's APT37.

Also known by names like Reaper and ScarCruft, the group is sort of a Swiss army knife for any of the Kim Jong-un regime's cyber needs. Although they usually attack South Korea, they have also been seen targeting other countries such as Japan and Vietnam, and recently they were even seen targeting countries in the EU. The group has been around for over a decade, at least since 2012, and in that time they've created a series of different trojan backdoors, such as Dolphin, GoldBackdoor and Konni. They actually have a lot more, but I won't list them all right now. One of their most recent creations, first discovered in 2017, is called RokRat.

In most ways RokRat is like any other remote access trojan, with capabilities including being able to download payloads, download shellcode, and delete files on the computer to clean up, the kind of commands that you would see in most other RATs. Its most interesting trait is how it interfaces with cloud services like Dropbox, Yandex Cloud and pCloud. The attackers can upload files to the cloud service, and the RAT is able to download them, interpret them as commands and run additional payloads. And what's interesting about using these services as a command and control infrastructure, or C2, is that the attackers are able to use very generic and well-known services, which makes it harder for researchers to actually track their infrastructure. For example, we could have seen in the past that APT37 uses A, B and C IP addresses, and then in the future we'd be able to track those servers and it'd be easier for us to find. But instead they opted into using cloud services, which makes it a little more generic and harder to track, and makes the traffic look more benign, because it's common for people to use these cloud services.

To get RokRat onto computers in South Korea and abroad, APT37 crafts phishing emails designed to be interesting enough to click on. The lures that they use tend to be connected to themes related to relations with North Korea, including the Ministry of Reunification or escaped dissidents. We've seen them also use lures related to the private sector in South Korea, including some business documents that appear to be taken from a previous hack. In a recent campaign, for example, the lure that they used to deliver this malware was a lot more generic and just seemed to be targeted at general people in South Korea. They used a lure involving a bank called KakaoBank, and it prompted the user to enter their password for KakaoBank.

The goal in any of these cases is, of course, to get a target to download their malware. And there's one trick hackers love more than any other for achieving that: a malicious Word document with a macro. So can you just briefly explain what macros are and how hackers use them?

So macros are code that you can find in Microsoft Office documents that are intended to automate different kinds of tasks. The whole intention of macros was to make life easier for people, to automate mundane tasks in Office documents. For example, let's say you have a Word document and you had to write something in it, or an Excel document you wanted to write something in, and you need to submit it somewhere, and the author of the document puts in a button that you can click to submit that data somewhere else, to the Internet. This is the kind of thing that macros were created for, as well as maybe filling out certain things in a document once you open it, which is why macros support running code on opening a document or on closing a document.

Some people love to use macros to automate any number of useful tasks that would otherwise take far longer without them. But hackers eventually took these aspects of macros and were able to use them in a malicious way. Hackers can write scripts in VBA, the programming language for macros, that automate things they want to do to their targets' computers. So, for example, using the hook of running code when you open a document is probably the most common way to run a macro, because the code will run right when you open the document. This usually is what's happening behind the scenes when you hear about a malicious attachment in an email: somebody clicks to open it and maybe chooses the option to enable macros, thinking that it's harmless, but in fact allowing the hacker's malware to run in the background.

Over the years, like baggy jeans and Britney Spears, macros have gone through waves of being in and out of favor. The first macro viruses that came up happened around 1999, approximately, and macros were actually a common way of spreading computer viruses twenty years ago. And then what happened is that threat actors started shifting more towards using exploits, such as exploits in Internet Explorer, or even exploits in Microsoft Word, and this was a better alternative because it allowed them to run code without you having to click Enable Content, and it allowed code to just automatically run once you opened a web page or opened a document. And so exploits actually became a lot more popular for many years, until things like Internet Explorer started to become less common, Flash started to become less common, and eventually both of those technologies, which were constantly, constantly exploited, were killed off. Microsoft no longer supports Internet Explorer. Flash is also no longer developed or supported. Those technologies are gone, and modern browsers, such as Chrome, Chromium-based Edge and Firefox, have become more difficult to exploit. So I think because of that, maybe around, I would say, 2016 or 2017, a lot of attackers started switching again more to macros, which is what they had been using a long time ago in the past, but it became the easier vector to use to attack.

So ironically, it was precisely because popular software was becoming more secure that macros became so rampant. So I would say the reason that macros were kept around for so long is because so many people were already using them for so many years. I mean, macro viruses have been around for even over twenty years, so people have been using macros for even longer. The main thing is that people didn't want their code to just stop working. You can probably automate these tasks in other ways without having to embed them in the document, but this is what people were used to, and people don't like change, so they continued to do this for a long while.

Even as macros returned to the fore in cybercrime, they were simply accepted as a fact of life. That is, until February 7, 2022, when Microsoft changed the course of cybersecurity with twelve words, quote: "VBA macros obtained from the internet will now be blocked by default." Actually implementing the new rule turned out to be bumpy. Microsoft initially announced that they would start blocking macros in February 2022, but then they quickly reversed this because there was a lot of pushback from people who were using Office. So we could see that there was actual pushback from people using the software, because they really wanted to continue using it. By June 2022, though, the security community won out over the Office power users, the plan was back on, and technically it's actually still possible to use it. It's just that macros are disabled when they're downloaded from the Internet, from, like, an email attachment, if they have a Mark of the Web tag on them.

Hackers now needed an alternative to macros, but they were prepared. Microsoft first started talking about banning certain types of macros back in October 2021, certain types of Excel macros, that is, XLM, for Excel specifically. I think there was already a beginning, there was a sense that Microsoft was going to fully ban macros eventually, and there started to be a shift. According to data from cybersecurity company Proofpoint, in 2022, the year that Microsoft rolled out its Internet macro ban, macro-enabled cyber attacks decreased by two-thirds, and this trend continued in 2023. Except the cyber attacks themselves, those didn't stop.

Look at APT37. They surely wouldn't let a simple change in Windows get in the way of their attacks against their southern neighbors. They're still using North Korea-based lures, but instead of only using Word documents with malicious macros inside of them, they started using ZIP files and ISO files that contain several benign documents, and then one LNK that's masquerading as a benign document but actually runs malicious PowerShell in the background. ZIP folders, ISO optical disc files, LNK shortcut files: APT37 continued spreading its RokRat backdoor, only now via more creative means. And so this isn't like a complete takeover, it isn't a complete replacement. It's really more that APT37 added a new tool to their toolset and they're starting to use LNKs a little bit more. We still saw, even in 2023, that they were sometimes using macros, but most of the time, most of the samples that we saw happened to be LNKs.

This is just one file type attackers can manipulate for their own purposes, and other threat actors have come up with their own clever workarounds. Some used HTML smuggling, sneaking an encoded malicious script into an HTML attachment, which gets decoded and runs when the attachment is opened. Some have opted for even simpler solutions than that, like old reliable PDF files containing hyperlinks. Another trend emerged around last December. A lot of malware started using OneNote documents. Basically, they would include VBScript payloads inside the OneNote document and trick the user into clicking a button that would actually run them. So we saw that in Emotet and Qbot campaigns, as well as others. By the following month, dozens of hacker groups had hopped on the trend, using OneNote to execute over 120 attacks in the first few months of 2023. And now, this was mostly cybercrime that was abusing this technique, but there was actually one instance where Kimsuky, another North Korean APT, was seen using this technique as well.

At the end of the day, few decisions have ever made such an impact in cybersecurity as Microsoft's decision to block Internet-downloaded macros. But that's not to say there's a single answer to cybersecurity, no possible thing anyone can do to prevent all of it. We forced hackers to change by reducing the attack surface, and in my opinion, any way that we can reduce the amount of possibilities that hackers have, the better. However, we know that attackers will always try to adapt to these changes and come up with new ways of attacking. But security has constantly just been a game of cat and mouse, where attackers do something new and then blue team defenders have to catch up to that and try to respond. And the fact of the matter is, the changes, the trends that we've been seeing when shifting away from macros to other methods, they're not necessarily all novel, or they're not, like, impossible to follow. So we just need to keep monitoring all these different types of methods and making sure that we defend against them properly.

Criminals kept hacking our software, so we made our software more secure, which forced hackers to change their methods, which pressured Microsoft to change their policy, which forced hackers to evolve once more. Now again, it's our turn. That's it for this episode. Thank you for listening. For past episodes, visit Check Point Research's blog at research.checkpoint.com, and you can follow Check Point Research on Twitter, or follow me at Ran Levi. That's R-A-N L-E-V-I. CPRadio is produced by PI Media, written by Nate Nelson, produced by Hila Shemesh, and edited and narrated by Ran Levi. See you next time. Bye bye.
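As an added example, not code from the episode, from Check Point or from Microsoft, here is a small Python parser for the Mark of the Web tag the analyst refers to: it reads the Zone.Identifier data that Windows attaches to downloaded files and reports whether Office's default policy would block that file's VBA macros. It assumes that ZoneId 3 (Internet) and 4 (Restricted sites) are the zones Office treats as "obtained from the Internet"; the sample tags are constructed.

```python
"""Parse a Windows Mark of the Web (Zone.Identifier) tag and decide whether
Office's default policy would block VBA macros in the tagged file.
Added example; assumption: ZoneId 3 (Internet) and 4 (Restricted sites)
are the zones Office treats as 'from the Internet'."""
import configparser
from dataclasses import dataclass
from typing import Optional

INTERNET_ZONES = {3, 4}  # assumption, see module docstring
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class MotwVerdict:
    zone_id: Optional[int]   # None when no usable tag is present
    referrer_url: str
    host_url: str
    macros_blocked: bool


def parse_zone_identifier(ads_text: str) -> MotwVerdict:
    """The tag is INI-style: a [ZoneTransfer] section with ZoneId and optional
    ReferrerUrl/HostUrl. A missing or malformed tag means no MotW, so Office
    applies no Internet block; that is exactly why a tag lost in transit
    (e.g. a file extracted by a tool that does not propagate it) matters."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(ads_text.replace("\r\n", "\n"))
    except configparser.Error:
        return MotwVerdict(None, "", "", False)
    if not cp.has_section("ZoneTransfer"):
        return MotwVerdict(None, "", "", False)
    sec = cp["ZoneTransfer"]
    try:
        zone: Optional[int] = int(sec.get("ZoneId", "").strip())
    except ValueError:
        zone = None
    return MotwVerdict(zone, sec.get("ReferrerUrl", ""), sec.get("HostUrl", ""),
                       zone in INTERNET_ZONES)


def read_motw(path: str) -> MotwVerdict:
    """On NTFS the tag lives in the ':Zone.Identifier' alternate data stream."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no such stream: the file carries no MotW
        return MotwVerdict(None, "", "", False)


# Constructed samples: a browser download from the Internet, and an intranet copy.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                   "HostUrl=https://example.test/invoice.docm\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for text in (SAMPLE_INTERNET, SAMPLE_INTRANET):
        v = parse_zone_identifier(text)
        print(ZONE_NAMES.get(v.zone_id, "no MotW"), "-> macros blocked:", v.macros_blocked)
```

`read_motw` only finds a stream on NTFS volumes on Windows; on other systems it reports "no MotW", which is also what Office would see for a file that reached the user through a path that dropped the tag.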

Transcript source: provided by the creator in the RSS feed.