The Reimage Blog
Posted in Privacy and Security. Posted on August 13, 2021

Excel is still a security headache after 30 years because of this one feature

Posted By Shannon.Smith

Threat researcher explains why it’s tricky to tell the difference between legitimate Excel Macros and ones that deliver malware.

Microsoft released Excel 4.0 for Windows 3.0 and 3.1 in 1992, and many companies still use this functionality in legacy operations. The problem is that bad actors have started using Excel sheets and macros as a new way to deliver malware.

Tal Leibovich, head of threat research at Deep Instinct, explained at a presentation during DEFCON 29 why this legacy scripting language has been the vehicle for a recent rise in malware delivery.  Leibovich presented “Identifying Excel 4.0 Macro strains using Anomaly Detection” with Elad Ciuraru last week. Deep Instinct is a company specializing in endpoint protection and using deep learning to stop cyberattacks. 

Organizations first noticed a spike in this kind of attack in March 2020. Microsoft released a new runtime defense against Excel 4.0 macro malware in March. Leibovich said that he has seen a substantial increase over the last two years of hackers using Excel 4.0 Macros in attacks.

“You’d expect attacks using this old script language to be very limited but we are seeing new obfuscation techniques,” he said.

Leibovich’s presentation was part of the AI Village at DEFCON 29. Several of those sessions are on the group’s YouTube channel and Twitch channel.

Hackers are using creative tactics to build new attack vectors. Leibovich said that hackers also are using other Excel commands and API calls to Windows in the attacks.  

“You can use a short command in one place and another here in the Excel sheet and by jumping between different cells you can create an attack,” he said. “That’s the way a lot of attackers create malware that is undetected.”

The problem is that this legitimate capability in Excel is not always malicious.

“Many organizations have legacy files that use macros,” he said. 

He said that the challenge is creating a good detection engine that can spot actual threats without generating false positives and noise.

“Excel’s auto-open capability is fundamental and everybody uses it, so you have to detect the specific functionality of the macro to avoid creating false alarms,” he said. “The main tool we use to do that is deep learning.”
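
The following is an added example, not code from the presentation or from Deep Instinct, and it is rule-based rather than deep learning. It shows why auto-open or a macro sheet alone is a weak signal: the verdict escalates only when auto-open is combined with functions that start programs or call Windows DLLs. It assumes an OOXML workbook (.xlsx/.xlsm); the watch list, the sample workbooks and the verdict labels are constructed for illustration.

```python
import io
import re
import zipfile

# Assumed watch list: XLM functions that start programs or call Windows DLL exports.
RISKY = ("EXEC", "CALL", "REGISTER")
CELL_RE = re.compile(r'<c\b[^>]*\br="([A-Z]+\d+)"[^>]*>\s*<f[^>]*>(.*?)</f>', re.S)
AUTO_RE = re.compile(r'<definedName\b[^>]*\bname="[^"]*Auto_Open', re.I)

def triage_xlm(data: bytes) -> dict:
    """Report Excel 4.0 (XLM) macro signals found in an OOXML workbook."""
    report = {"macro_sheets": [], "auto_open": False, "risky_cells": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Excel 4.0 macro sheets are stored as parts under xl/macrosheets/.
        report["macro_sheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        if "xl/workbook.xml" in names:
            workbook = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            # A defined name containing Auto_Open makes a macro run when the file opens.
            report["auto_open"] = bool(AUTO_RE.search(workbook))
        for part in report["macro_sheets"]:
            xml = zf.read(part).decode("utf-8", "replace")
            for cell, formula in CELL_RE.findall(xml):
                hits = [fn for fn in RISKY if re.search(rf"\b{fn}\s*\(", formula, re.I)]
                if hits:
                    report["risky_cells"].append((part, cell, hits))
    # Legacy files legitimately use macro sheets and auto-open, so those alone only
    # merit review; auto-open plus process/DLL functions is the alerting combination.
    if report["auto_open"] and report["risky_cells"]:
        report["verdict"] = "alert"
    else:
        report["verdict"] = "review" if report["macro_sheets"] else "clean"
    return report

def build_sample(formulas: dict, auto_open: bool) -> bytes:
    """Build a minimal constructed container for the demo (not a complete workbook)."""
    cells = "".join(f'<c r="{ref}"><f>{text}</f></c>' for ref, text in formulas.items())
    name = '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>' if auto_open else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f"<workbook><definedNames>{name}</definedNames></workbook>")
        if formulas:
            zf.writestr("xl/macrosheets/sheet1.xml", f"<macrosheet><row>{cells}</row></macrosheet>")
    return buf.getvalue()

# Constructed samples: a legacy-style macro and one that launches a placeholder program.
LEGACY = build_sample({"A1": 'ALERT("Totals refreshed")', "A2": "RETURN()"}, auto_open=True)
SUSPECT = build_sample({"A1": 'EXEC("placeholder.exe")', "A2": "HALT()"}, auto_open=True)
if __name__ == "__main__":
    print(triage_xlm(LEGACY)["verdict"], triage_xlm(SUSPECT)["verdict"])
```

A keyword match like this is only a first-pass triage: a macro whose commands are split across cells, as Leibovich describes, will not contain these strings in any single formula.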

How to protect against macro-based malware

It’s easy to understand why this threat has been so persistent over the years. Macro worms and viruses primarily use Visual Basic for Applications programming in Microsoft macros, and Microsoft Office is the prevalent productivity suite. The basic math is that Microsoft is dominant in this space and uses Visual Basic for Applications, which is highly and easily targeted, and many organizations still do not always properly address the macro issue, according to Aaron Card, director of digital forensics and incident response at NTT Ltd.

The nuclear option for protecting against this kind of malware is to block any and all inbound macro-enabled and macro-embedded files from email or file transfer pathways, Card said.

“Any O365 organization can also set a group policy to ‘disable all macros,’ with or without notification to the user in case a file somehow slipped through the defenses, or someone was allowed to run a file from an external drive or media,” he said.

Also, most endpoint can be configured to block Macros.

“If you are an organization that absolutely must use macro functionality to function, then I suggest running all functionality and users in virtual desktop environments to greatly limit any spread or damage from macro malware that persists,” he said. 

User education about cybersecurity is more about optics than impact, according to Card. In his experience, user education only works when it is practiced and measured over and over again. The other key is establishing real consequences when people break the rules.

Card said that there are two specific tactics that are effective in influencing user behavior. The first involves adding specific language around responsible cybersecurity behavior into performance reviews. 

“For example, does a team member have low or no instances of clicking on phishing emails or using an insecure device for work,” he said. “Adding an incentive, such as a bonus when possible, can also help sharpen a company’s security posture.”

The other tactic is giving each leader a score on a monthly or quarterly basis based on the number of user-related security errors that have or have not occurred on their watch.

“Those scores are shared internally in a kind of leaderboard or scorecard, and this kind of accountability drives people to do better,” he said.
