Microsoft shuts down two methods of attacking its software • The Register

Microsoft is trying to close the door to two methods used by cybercriminals to attack users and networks.

The IT giant’s policy to block Visual Basic for Applications (VBA) macros by default in Office documents downloaded from the internet has been switched back on after a short pause to process feedback from users struggling with the security defence.

Also this week, Microsoft enabled a default in Windows 11 that is designed to prevent or slow down obvious Remote Desktop Protocol (RDP) brute force attacks.

It is hoped that both policies will block the avenues that criminals have used for years to make their way into systems, steal data, and spread malicious code.

Macro problem

The issue of macros has become a particularly thorny issue for the software giant.

Kellie Eickmeyer, Microsoft’s chief product manager, wrote in a blog post in February, when the IT giant announced its plans to effectively block macros from running in Office files downloaded or otherwise sourced from the internet:

“While we have introduced a notification bar to warn users about these macros, users can still select to enable macros by clicking a button. Bad actors send macros in Office files to end users who enable them without their knowledge; malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss, and remote access.”

“In order to protect our customers, we need to make it more difficult to enable macros in files obtained from the Internet,” Eickmeyer added.

The policy was to block these macros by default in Access, Excel, PowerPoint, Visio, and Word, although after a few months of sometimes negative feedback from users, Microsoft paused the initiative. Complaints ranged from criticism about how the ban was implemented to the negative impact it had on some users’ systems.

In this week’s update to the original announcement, Eickmeyer wrote that Microsoft “is resuming rolling out this change in the Current Channel. Based on our review of customer feedback, we’ve made updates to both the end user and our IT admin documentation to clarify your options for different scenarios.”

Users can click here for more information, while IT administrators can head here.
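The article does not say how Office decides that a file was “obtained from the Internet”. On NTFS that decision rests on the Zone.Identifier alternate data stream (the Mark of the Web) that browsers and mail clients write next to a download; files tagged with the Internet zone (3) or Restricted Sites zone (4) are the ones the default block applies to. The following is an added example, not Microsoft’s code, that parses that stream and applies the same zone rule; the sample stream contents and the function names are constructed for illustration.

```python
import os
from typing import Optional

# Zone ids written into the Zone.Identifier stream ("Mark of the Web") on NTFS.
ZONE_LOCAL_MACHINE = 0
ZONE_LOCAL_INTRANET = 1
ZONE_TRUSTED_SITES = 2
ZONE_INTERNET = 3
ZONE_RESTRICTED_SITES = 4


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns the keys found in that section (ZoneId, ReferrerUrl, HostUrl, ...).
    Other sections, comments and malformed lines are ignored.
    """
    values = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def zone_id(stream_text: Optional[str]) -> Optional[int]:
    """Zone the file came from, or None if there is no usable mark."""
    if stream_text is None:
        return None
    value = parse_zone_identifier(stream_text).get("ZoneId")
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def macros_blocked_by_default(stream_text: Optional[str]) -> bool:
    """True when the default policy discussed above would block VBA macros:
    the file carries a mark from the Internet or Restricted Sites zone."""
    return zone_id(stream_text) in (ZONE_INTERNET, ZONE_RESTRICTED_SITES)


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream on NTFS (Windows only).

    Returns None when the stream is absent or the platform has no
    alternate data streams, which this check treats as "not from the internet".
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample streams; none of them comes from a real download.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/invoice\r\n"
    "HostUrl=https://example.invalid/invoice.xlsm\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_MALFORMED = "[ZoneTransfer]\r\nZoneId=three\r\n"

if __name__ == "__main__":
    for name, stream in [("internet", SAMPLE_INTERNET),
                         ("intranet", SAMPLE_INTRANET),
                         ("malformed", SAMPLE_MALFORMED),
                         ("no stream", None)]:
        print(f"{name:10s} zone={zone_id(stream)} blocked={macros_blocked_by_default(stream)}")
    # On Windows, the same check against a real file (path is a placeholder):
    print(macros_blocked_by_default(read_zone_identifier(os.path.join("C:\\", "Downloads", "example.xlsm"))))
```

The check is only as strong as the mark itself: a document that arrives without a Zone.Identifier stream parses to `None` here and would not be blocked, which is why the policy is a default rather than a complete defence and why admins are pointed at the separate documentation for their options.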

Hold back the years

Macros have been a security issue for years, with Microsoft in 2016 releasing a tool that allowed administrators to set a policy about when and where these scripts were allowed to run. Additionally, users were asked if they really wanted the macros to run before letting them run.

The challenges continue. HP’s Wolf Security threat intelligence group wrote this month about the use of OpenDocument files to distribute Windows malware. The documents were sent to targets via email; if opened, the user was asked whether fields referencing other files should be updated, and if they clicked “yes” an Excel file was opened and a further prompt asked whether macros should be enabled. If the user enabled macros, their system was infected with the open source AsyncRAT backdoor.

As for RDP brute-force attacks, Windows 11 builds from now on include a default account lockout policy that should at least slow down would-be intruders.

In brute-force attacks, cybercriminals use automated tools to guess someone’s account password: the tools work through a huge list of passphrases until one of them works and logs into the victim’s account. According to a tweet from Dave Weston, Vice President of Enterprise Security and Operating Systems at Microsoft, these tools are used to spread ransomware and commit other crimes.

The default policy for Windows 11 versions – specifically, Insider Preview 22528.1000 and later – automatically locks accounts for 10 minutes after 10 failed login attempts. Users can modify this, changing the number of failed login attempts that lead to account lockout and how long the account is locked.
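To show what the 10-attempts/10-minutes default actually does to a guessing tool, here is an added example (not Microsoft’s code) that models the Windows lockout state machine and runs a constructed stream of failed logons against it. The threshold and lockout duration are the article’s figures; the observation window after which the failure counter resets is an assumed 10 minutes, since the article gives no value for it, and a threshold of 0 is treated as “never lock”, as Windows does.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 10                          # failed attempts before lockout (0 = never lock)
    duration: timedelta = timedelta(minutes=10)  # how long the account stays locked
    window: timedelta = timedelta(minutes=10)    # failures older than this stop counting (assumed value)


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure timestamps
    locked_until: Optional[datetime] = None


EPOCH = datetime(2022, 7, 22, 12, 0, 0)  # constructed start time for the simulation


def at(seconds: float) -> datetime:
    """Timestamp `seconds` after the constructed epoch."""
    return EPOCH + timedelta(seconds=seconds)


def attempt_logon(state: AccountState, policy: LockoutPolicy, now: datetime, success: bool) -> str:
    """Apply one logon attempt to the account and return what happened:

    'rejected' - account is locked, the credential was never evaluated
    'ok'       - correct password, counter reset
    'failed'   - wrong password, counter incremented
    'locked'   - wrong password that reached the threshold and locked the account
    """
    if state.locked_until is not None:
        if now < state.locked_until:
            return "rejected"
        state.locked_until = None          # lockout has expired
        state.failures = []
    if success:
        state.failures = []
        return "ok"
    # Only failures inside the observation window count toward the threshold.
    state.failures = [t for t in state.failures if now - t < policy.window]
    state.failures.append(now)
    if policy.threshold and len(state.failures) >= policy.threshold:
        state.locked_until = now + policy.duration
        state.failures = []
        return "locked"
    return "failed"


def guesses_evaluated(policy: LockoutPolicy, guesses_per_second: int, seconds: int) -> int:
    """Feed a constructed stream of wrong passwords at a fixed rate and count
    how many of them the account actually evaluated (i.e. were not rejected
    outright because of a lockout)."""
    state = AccountState()
    step = timedelta(milliseconds=1000 // guesses_per_second)  # exact integer steps
    evaluated = 0
    for i in range(guesses_per_second * seconds):
        if attempt_logon(state, policy, EPOCH + step * i, success=False) != "rejected":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    hour = 3600
    print("no lockout :", guesses_evaluated(LockoutPolicy(threshold=0), 10, hour), "guesses evaluated per hour")
    print("10 / 10 min:", guesses_evaluated(LockoutPolicy(), 10, hour), "guesses evaluated per hour")
```

At 10 guesses per second the unprotected account evaluates 36,000 passwords an hour; with the default policy it evaluates 60, because every block of 10 failures is followed by a 10-minute stretch in which nothing is checked. The same model also shows the policy’s cost: a locked account rejects the legitimate user too until the duration expires, which is the trade-off behind letting admins tune both numbers.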

“This control will make brute forcing more difficult, which is fantastic,” Weston wrote in his tweet.

In a written report last year, researchers at Malwarebytes Labs detailed RDP brute-force attacks, saying they “present a serious and ongoing risk to Windows computers connected to the Internet”.

“While there are many ways to break into a computer connected to the Internet, one of the most common targets is Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows anyone to use it remotely,” they wrote. “It’s a front door to your computer and anyone can open it from the internet with the correct password.”

Malwarebytes Labs experts have identified a number of ways to protect against RDP brute force attacks, from permanently turning off RDP to using strong passwords, multi-factor authentication, and a VPN, as well as limiting the number of guesses before an account is locked. ®
