Mimecast just published this great piece of analysis on the PowerQuery Exploit for Excel.
This serious exploit for Microsoft Excel comes at the right time... For attackers. People are more aware than ever that they need to switch off macro-processing (https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/) in documents, Microsoft published this with Office 2016 and it can of course be done using GPO (most of it should be in here if you are interested: https://blogs.technet.microsoft.com/secguide/2018/02/13/security-baseline-for-office-2016-and-office-365-proplus-apps-final/).
It seems that the Excel team thought it might be a good idea to introduce another way to get malicious code into the system, why not just load it from the network with a new powerful feature called PowerQuery that enables users to load queries or just code from external sites.
I think we as IT Security people can learn a couple of things from this:
- Tools are very complex and powerful (Excel, Word, Adobe Acrobat, Browsers)
- It's impossible to protect the endpoint in a world where people rely on very powerful and complex tools to build and manage their spreadsheets, documents, PDFs etc.
- If you thought that antivirus is the solution, the above example clearly shows how easy evasion is
- Trusting any document from external sites is a bad choice
- Trusting documents that open in Office applications, Adobe Acrobat etc. is a bad choice and we should know by now.
- You will not be able to switch off productivity tools, because your business needs those to make money
- Tools are set to potentially dangerous behaviour by default instead of using a least privilege approach
If you accept that endpoints can be breached, there are a couple of things that become obvious:
- Once a attacker has control of a rather unimportant endpoint, he will go and figure out what else is of interest
- this is called lateral movement
- If you think of where the most interesting data in your company is, it is in applications and the data being processed in those applications
- IT Security needs to protect your most critical applications on a least privilege level
- this includes authentication, authorization, but also access to those applications on a network level
- Security Operations need to monitor access and blocked access to high value applications
- If a attacker manages to move further into your network (which he will be able to do), think of how you can limit the blast radius and the exposure of high value applications further than you do today.
Microsoft of course published some mitigations for this (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440).
The Power Query feature is designed to allow you to embed remote content easily and dynamically. Such attacks are usually hard to detect and gives threat actors more chances to compromise the victim’s host. Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened.