![](\"http:\/\/zapt4.staticworld.net\/images\/article\/2017\/06\/presidential-election_2016-100726562-large.3x2.jpg\"\/)
<\/p>\n
Credit to Author: Preston Gralla| Date: Tue, 20 Jun 2017 08:29:00 -0700<\/strong><\/p>\n Russian hacking of the 2016 election went deeper than breaking into the Democratic National Committee and the Clinton campaign \u2014 the Russians also hacked their way into getting information about election-related hardware and software shortly before voting began.<\/p>\n The Intercept<\/em> published a top-secret National Security Agency document<\/a> that shows exactly how the Russians did their dirty work in targeting election hardware and software. At the heart of the hack is a giant Microsoft security hole that has been around since before 2000 and still hasn\u2019t been closed. And likely never will.<\/p>\n Before we get to the security hole, here\u2019s a little background<\/a> about how the Russian scheme worked, spelled out in detail by the secret NSA document. Allegedly, Russia\u2019s military intelligence agency, the GRU, launched a spearphishing campaign against a U.S. company that develops U.S. election systems. (The Intercept<\/em> notes that the company was likely \u201cVR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.\u201d) Fake Google Alert emails were sent from noreplyautomaticservice@gmail.com to seven of the company\u2019s employees. The employees were told they needed to immediately log into a Google website. The site was fake; when at least one employee logged in, his credentials were stolen.<\/p>\n Using those credentials, the GRU hacked into the election company, the NSA found, and stole documents for a second, far more dangerous spearphishing attack. In this second attack, launched either on Oct. 31 or Nov. 1, 2016, spearphishing emails were sent to 122 email addresses \u201cassociated with named local government organizations,\u201d which probably belonged to officials \u201cinvolved in the management of voter registration systems.\u201d In other words, the Russians targeted people who maintain voter registration rolls.<\/p>\n Here\u2019s where the Microsoft security hole comes in. Attached to those emails were Microsoft Word documents that the emails claimed were documentation for VR Systems\u2019 EViD voter database product line. In fact, though, they were \u201ctrojanized Microsoft Word documents \u2026 containing a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then run an unknown payload from malicious infrastructure. \u2026 The unknown payload very likely installs a second payload which can then be used to establish persistent access to survey the victim for items of interest to threat actors.\u201d<\/p>\n In plain English, the Word document opened a back door into the victims\u2019 computers, allowing the Russians to install any malware they wanted and get virtually any piece of information to which the victims had access.<\/p>\n It\u2019s not clear what election information the Russians were able to gather or how they might have used it. But by using the Microsoft security hole, they were potentially able to get very close to states\u2019 election hardware and software, and possibly voter rolls as well.<\/p>\n Those with long memories may remember that Visual Basic played a key role in two of the first world-spanning virus attacks, Melissa in 1999 and ILoveYou in 2000. Back in 2002, Michael Zboray, who was then chief technology officer for market researcher Gartner Group and is now Gartner\u2019s CISO, said that Visual Basic<\/a> has the \u201cwrong security posture,\u201d and added, \u201cVisual Basic script and the macros are proving to be a disaster. This is just happening over and over again. We have to get away from this hostile active content that is coming in through Word documents, Excel spreadsheets and the browser.\u201d<\/p>\n And now, 15 years later, they\u2019re still proving to be a disaster. Visual Basic has given way to Visual Basic for Applications, but the holes remain. The security company Sophos warned<\/a> in a blog in 2015 that these kinds of attacks were making a comeback. This Russian hack shows they\u2019re back with a vengeance.<\/p>\n It\u2019s unlikely Microsoft will abandon Visual Basic for Applications, because too many enterprises rely on it. So enterprises need to get smarter about its use. Sophos recommends that they consider blocking all Office files that are emailed from outside a company, if those files contain macros created with Visual Basic for Applications. Microsoft offers advice of its own<\/a> in its security post, \u201cNew feature in Office 2016 can block macros and help prevent infection,\u201d including instructions on how enterprises can use Group Policy to block macros from running in Word, Excel and PowerPoint documents sent by email or downloaded from the internet.<\/p>\n Companies need to realize that Visual Basic for Applications and its macros are a potent weapon for hackers and malware authors. If it can threaten U.S. elections, it can certainly threaten enterprises\u2019 most important documents and secrets. Given that Microsoft won\u2019t be shutting down Visual Basic for Applications, enterprises need to take control themselves by blocking macros and scripts on incoming documents.<\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Preston Gralla| Date: Tue, 20 Jun 2017 08:29:00 -0700<\/strong><\/p>\n Russian hacking of the 2016 election went deeper than breaking into the Democratic National Committee and the Clinton campaign \u2014 the Russians also hacked their way into getting information about election-related hardware and software shortly before voting began.<\/p>\n<\/p>\n