
This Common Business Software Poses Security Risks


In a typical office environment, you expect to use common business software like Microsoft Teams or Zoom on an everyday basis.

What you don’t expect is for these common programs to become vectors for malware.

Unfortunately, creative attackers have found ways to hijack the very tools you rely on to deliver their attacks.

Though some of these attacks can be stopped with updates, others require vigilance and additional protections.

So, before you or your team members fall victim to one of these sneaky attacks, let’s examine a few of the problems plaguing common business software today.

Update This Common Business Software Now

Recently, Zoom released patches for a bug in XML parsing. Unpatched, a malicious actor can trigger an attack simply by sending a message to a victim through the Zoom chat.

Since the attacker would need to be present on a Zoom call to execute the attack, this bug is only rated as medium severity. However, it is also considered dangerous, because victims don’t need to click or otherwise activate the malware to become infected.

Two of the flaws enabling this attack can also be found in other tools using Expat, an open source XML parser used by Aruba, F5, IBM, Oracle, and some Linux distributions.

These other tools, like Zoom, aren’t normally a part of the regular patching process. As a result, make sure you either inform your users or otherwise ensure this common business software is updated.

Now, you might be tempted to think this Zoom issue won’t be a big deal. After all, how many attackers can join Zoom calls?

Well, the problem is some employees receive so many Zoom call requests that fake Zoom call invitations are an effective form of phishing attack to spread malicious PDFs.

And, since it’s easy to avoid malware detection and simply send a virus through the Zoom call itself, updates should be performed without delay.

Malicious PDFs

Although malicious Excel files remain the most popular malware container in phishing attacks, bad PDFs are a growing problem.

Because PDF readers are among the most common business software programs imaginable, it’s also an issue nearly everyone will face.

HP researchers recently documented attacks using embedded .docx files inside of PDF files to deliver malware to victims.

Now, if your systems are fully updated, you probably don’t need to worry much about this particular malware, named Snake Keylogger. It exploits a 22-year-old bug patched four years ago.

But, your legacy systems could still remain vulnerable.

At the very least, it’s a proof-of-concept attack that has many people worried.

Additionally, this attack illustrates another frightening technique: the deceptive naming of files to fool victims.

In this case, the embedded file was named ‘has been verified. However PDF, Jpeg, xlsx, .docs’.

Seems a little odd reading it like that, right? Well, the problem is what happens next.

When the file is launched, the following prompt ends up looking like this:

“The file ‘has been verified. However PDF, Jpeg, xlsx, .docs’ may contain programs, macros, or viruses that could potentially harm your computer.”

It’s easy to see how someone could be fooled by a message that starts with “The file has been verified…”

A user in a hurry may misunderstand the message and assume it has been checked for viruses.

Again, though this particular instance was limited to affecting older technology, it’s the technique applied within this common business software that poses the biggest risk.
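Because the risk lies in the naming technique rather than in one exploit, embedded file names can be checked before a PDF reaches a user. The sketch below is an added example, not code from HP's research or from this article; the function names, word lists and thresholds are illustrative assumptions, and it only reads uncompressed file-specification dictionaries.

```python
import re

# Illustrative word lists (assumptions, not taken from any product).
TRUST_WORDS = {"verified", "scanned", "safe", "secure", "trusted", "checked"}
FILE_TYPES = {"pdf", "jpeg", "jpg", "png", "doc", "docs", "docx", "xls", "xlsx"}
# /F or /UF followed by a literal string (...) or a hex string <...>.
NAME_RE = re.compile(
    rb"/(?:UF|F)\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)

def _decode(raw):  # PDF text strings are UTF-16BE when they start with a BOM
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def embedded_names(pdf):
    """Names from uncompressed /Filespec objects (object streams are not seen)."""
    names = []
    for obj in pdf.split(b"endobj"):
        if b"/Filespec" not in obj:
            continue
        for literal, hexstr in NAME_RE.findall(obj):
            if hexstr:
                digits = b"".join(hexstr.split())
                digits += b"0" * (len(digits) % 2)  # PDF pads odd-length hex
                raw = bytes.fromhex(digits.decode("ascii"))
            else:  # simple backslash escapes only
                raw = re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)
            if raw:
                names.append(_decode(raw))
    return names

def name_flags(name):
    """Flag names written to read as part of the warning dialog's sentence."""
    words = re.findall(r"[a-z]+", name.lower())
    flags = []
    if TRUST_WORDS & set(words):
        flags.append("trust-wording")
    if len(name.split()) >= 4:
        flags.append("sentence-like")
    if len(FILE_TYPES & set(words)) >= 2:
        flags.append("multiple-file-types")
    return flags

# Constructed sample: two file specifications, no real payloads.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Filespec"
    b" /F (has been verified. However PDF, Jpeg, xlsx, .docs)"
    b" /EF << /F 2 0 R >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /Filespec /UF <FEFF0061002E007000640066>"
    b" /EF << /F 4 0 R >> >>\nendobj\n")
```

Run `name_flags` over each result of `embedded_names`; the name quoted above raises all three flags, while an ordinary name such as `a.pdf` raises none.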

Attacks Through Microsoft Teams

Though the attacks above can be prevented through updates, others rely upon business-critical collaboration processes that can’t be blocked.

One such vector uses stolen credentials for various attacks through Microsoft Teams.

Over 145 million people use Microsoft Teams to coordinate activities and communicate across departments, making it one of the most common business software programs around.

For companies with strong user group segmentation, Teams provides a bridge between segments which bypasses network security and micro-segmentation.

In attacks observed earlier this year, attackers used Teams to spread a trojan executable file through chat threads.

However, your users should be educated that Business Email Compromise (BEC) and other scams could also be propagated through Microsoft Teams chats instead of email.


OneDrive Weaknesses

Another discovered attack makes use of OneDrive to spread malware.

Here, attackers used stolen credentials to access a victim’s OneDrive account. Once in, they used the standard file synchronization features to upload malware to OneDrive, which would then automatically download to the user’s device and execute.

This uses OneDrive as a command-and-control (CnC) server, and conceals the malicious activity within normal OneDrive activity.

The attackers exfiltrate data by moving it to the local OneDrive folder, then allowing the synchronization to stealthily copy the data to the OneDrive cloud folder for download.

Attack Vigilance

Most organizations can’t just block critical common business applications like Teams or OneDrive. Additionally, very few tools specifically monitor their activity.

However, attacks using these vectors and similar supply-chain attacks use methods that can be detected by advanced endpoint protection or cybersecurity monitoring.

And, as always, educating yourself and your team on the latest techniques is one of the best ways to prevent clicking on a suspicious link.

If you’re not sure where to begin, there’s no reason to worry – there’s always a solution available.

Contact Ideal Integrations at 412-349-6680, or fill out the form below for a no-obligation discussion on how to secure your organization from attacks through this common business software.
