Microsoft tells Office users how to disable DDE after Fancy Bear attacks

  • Liam Tung (CSO Online)
  • 10 November, 2017 02:44

Microsoft has posted a security advisory to help customers mitigate attacks that use an Office feature called Dynamic Data Exchange (DDE) to install malware when victims open an Office document. 

DDE is an old protocol that offers a way to send messages between application that share data. This can be used to create a document or spreadsheet with, for example, financial data that can be automatically updated with new data from an external source. Microsoft still supports DDE to maintain compatibility with older programs.  

Researchers at McAfee this week reported that the hacking group ATP28, or Fancy Bear, has started using DDE in a Word document with the filename “IsisAttackInNewYork.docx”. 

The attackers used DDE to launch a PowerShell script that reaches out to a URL and downloads an implant called Seduploader, which collects information about victims.  

Prior to this the DDE attack was only being used by cybercriminal groups. Researchers at security firm Sensepost last month drew attention to the technique, which offered an alternative method to install malware with macros. Hoping for a security fix Sensepost reported the issue to Microsoft, however Redmond deemed it a feature and therefore didn’t provide a patch in the October update.   

After that cybercriminals behind the Necurs botnet began pumping out email using DDE-rigged Word documents to install the Locky ransomware. 

The Fancy Bear files that used DDE were created on October 27 and communicated with control server domains that were registered on October 25. 

Microsoft’s advisory notes that if an attacker convinced a user to open a document that uses DDE, the victim would also need to disable Protected Mode and click through one or more additional prompts. 

The advisory also points to instructions for admins to enable DDE feature control keys that are stored in the registry.    

“Microsoft strongly encourages all users of Microsoft Office to review the security-related feature control keys and to enable them. Setting the registry keys described in the following sections disables automatic update of data from linked fields,” it said. 

The advisory also contains instructions for disabling DDE from within Office products. 

It notes that if DDE is disabled in Excel from the registry it may prevent spreadsheets from updating from a live feed. Users would then need to start the feed manually. 

Microsoft also has instructions for disabling DDE in Outlook, Publisher, and Word, as well as description of the impact if DDE is disabled.

Upcoming Events:

Nov 28th @11am | CSO Live Webinar: You may have security under control - but is your business still at risk? Register Today

Nov 30th @11am | CSO Live Webinar: It's easy to protect yourself from ransomware - if you plan ahead Register Today