Microsoft closes off two avenues of attack: Office macros, RDP brute-forcing

Blockade against VBA scripts in downloaded files is back on by default


Microsoft is trying to shut the door on a couple of routes cybercriminals have used to attack users and networks.

The enterprise IT giant's policy of blocking Visual Basic for Applications (VBA) macros in downloaded Office documents by default has been activated once again after a brief pause to address feedback from users who were having difficulty with the security defense.

Also this week, Microsoft enabled a default in Windows 11 that's designed to block or slow down obvious Remote Desktop Protocol (RDP) brute-force attacks.

Both policies are hoped to close avenues that criminals have been using for years to muscle their way into systems, steal data, and spread malicious code.

Macro problem

The issue of macros has become a particularly gnarly one for the software giant.

"For years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros," Kellie Eickmeyer, a principal product manager at Microsoft, wrote in a blog post in February when the IT titan announced its plans to block by default macros running in downloaded or internet-sourced Office files.

"While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access."

Eickmeyer added that "for the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet."

The policy was to block these particular macros by default in Access, Excel, PowerPoint, Visio, and Word, though after a few months of – at times, negative – feedback from users, Microsoft put a temporary halt on the initiative. Complaints ranged from critiques about how the blocking was implemented to the negative impact it had on some users' systems.

In an update this week to the original announcement, Eickmeyer wrote that Microsoft is "resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios."

Microsoft has published separate guidance on the change for end users and for IT administrators.

Holding back the years

Macros have been a security problem for years, with Microsoft in 2016 releasing a tool that allowed administrators to set policy around when and where these scripts were allowed to run. In addition, users were asked whether they really wanted to run macros before allowing them to run.

The challenges continue even now. HP's Wolf Security threat intelligence group this month wrote about OpenDocument files being used to distribute Windows malware. These documents were sent to marks via email. If opened, the user is asked whether fields referencing other files should be updated; clicking "yes" opens an Excel file, and another prompt asks whether macros should be enabled. If the user enables the macros, their system is infected with the open-source AsyncRAT backdoor nasty.

Regarding the RDP brute-force attacks, Windows 11 builds from now on include a default account lockout policy that should be able to at least slow down would-be intruders.

In brute-force attacks, cybercriminals use automated tools to guess someone's account password: the tools run through a huge list of passphrases until one of them works and logs into a victim's account. According to a tweet from Dave Weston, vice president of enterprise and OS security at Microsoft, such tools are used to spread ransomware and commit other crimes.

The default policy for Windows 11 builds – specifically, Insider Preview 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 attempts to sign in fail. Users can tweak this, changing the number of failed sign-in attempts that trigger a lock and how long the account will be locked.
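To make the effect of that default concrete, here is an added model of the lockout behaviour described above: a credential check wrapped in a policy of 10 failures then a 10 minute lock. It is illustrative code written for this article, not Microsoft's implementation; the account names and passwords are constructed, and the "reset window" after which old failures stop counting is an assumption (Windows exposes a comparable "reset counter after" setting alongside threshold and duration).

```python
"""Model of the Windows 11 default account lockout described in the article
(10 failed sign-ins -> 10 minute lock). Added illustration, not Microsoft's code."""
import hmac
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    # Defaults mirror the article: 10 failures, lock for 10 minutes.
    # reset_window_s is an assumption: failures older than this no longer count.
    threshold: int = 10
    lockout_duration_s: int = 600
    reset_window_s: int = 600


@dataclass
class AccountState:
    failure_times: list = field(default_factory=list)
    locked_until: float = 0.0


class LockoutGuard:
    """Wraps a credential check with an account lockout policy.

    The current time is passed in explicitly so the behaviour can be
    reproduced without sleeping; a real service would read a monotonic clock."""

    def __init__(self, policy: LockoutPolicy, credentials: dict):
        self.policy = policy
        self.credentials = credentials   # constructed sample: user -> password
        self.state = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"              # rejected before the password is even checked
        # Failures older than the reset window fall out of the count.
        st.failure_times = [t for t in st.failure_times
                            if now - t < self.policy.reset_window_s]
        expected = self.credentials.get(user, "")
        if user in self.credentials and hmac.compare_digest(expected, password):
            st.failure_times.clear()
            return "success"
        st.failure_times.append(now)
        if len(st.failure_times) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration_s
            st.failure_times.clear()
            return "locked"
        return "failure"


def guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses per day against one account under the policy:
    each lock cycle yields `threshold` guesses and then forces a wait of
    `lockout_duration_s` (the guesses themselves take negligible time)."""
    cycles_per_day = 86400 // policy.lockout_duration_s
    return cycles_per_day * policy.threshold


def demo():
    guard = LockoutGuard(LockoutPolicy(), {"alice": "correct horse battery staple"})
    # Ten wrong guesses, one per second: the tenth (t=9) locks the account until t=609.
    results = [guard.attempt("alice", f"wrong{i}", now=float(i)) for i in range(10)]
    # Even the right password is refused while the lock is in force ...
    right_too_early = guard.attempt("alice", "correct horse battery staple", now=300.0)
    # ... and accepted again once the 10 minutes have passed.
    right_after = guard.attempt("alice", "correct horse battery staple", now=610.0)
    return results, right_too_early, right_after


if __name__ == "__main__":
    print(demo())
    print("max guesses/day under default policy:", guesses_per_day(LockoutPolicy()))
```

With the defaults, `guesses_per_day` comes out at 1,440 attempts per account per day, which is why a short lock makes wordlist-driven guessing impractical. The cost of the control is also visible in `demo`: during the lock, the legitimate password is refused too, so anyone tuning the threshold and duration is trading guess resistance against the risk of locking out real users, and the failed sign-ins that trigger a lock are worth alerting on rather than silently absorbing.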

In his tweet, Weston wrote that "this control will make brute forcing much harder, which is awesome."

In a write-up last year, researchers at Malwarebytes Labs detailed RDP brute-force attacks, saying they "represent a serious, on-going danger to Internet-connected Windows computers."

"While there are lots of ways to break into a computer that's connected to the Internet, one of the most popular targets is the Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows somebody to use it remotely," they wrote. "It's a front door to your computer that can be opened from the Internet by anyone with the right password."

The Malwarebytes Labs eggheads outlined a number of ways to protect against RDP brute-force attacks, from permanently turning off RDP to using strong passwords, multi-factor authentication, and a VPN, as well as limiting the number of guesses before an account is locked. ®


Biting the hand that feeds IT © 1998–2022