{"id":10532,"date":"2017-11-17T16:40:02","date_gmt":"2017-11-18T00:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/17\/news-4304\/"},"modified":"2017-11-17T16:40:02","modified_gmt":"2017-11-18T00:40:02","slug":"news-4304","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/11\/17\/news-4304\/","title":{"rendered":"Cybercriminals Exploiting Microsoft\u2019s Vulnerable Dynamic Data Exchange Protocol"},"content":{"rendered":"<p><strong>Credit to Author: FortiGuard SE Team| Date: Fri, 17 Nov 2017 18:40:59 +0000<\/strong><\/p>\n<div class=\"entry\">\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/CC_finance.jpg\" style=\"float: right; margin-left: 2%; width: 500px; height: 335px;\" \/>Visa Payment Systems Intelligence recently <a href=\"https:\/\/www.aba.com\/Tools\/Function\/Payments\/Documents\/VisaSecurityAlertDDEProtocol.pdf\">announced<\/a> that cybercriminals are threatening the payments ecosystem by leveraging a vulnerable Microsoft Dynamic Data Exchange protocol in phishing campaigns. This phishing attack relies on the Dynamic Data Exchange (DDE) protocol for infection instead of the usual malicious macros or an exploit kit.<\/p>\n<p>This exploit is related to the Microsoft Security Advisory <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/4053440.aspx\">4053440<\/a> issued on November 8, 2017. The advisory provides guidance on securing Microsoft applications when processing Dynamic Data Exchange (DDE) fields. The DDE protocol lets Microsoft applications send messages to one another and share data between them. 
According to the advisory, malicious cyber actors could leverage the DDE protocol when delivering specially crafted files to users through phishing and web-based downloads.<\/p>\n<p>Microsoft&rsquo;s security advisory <a href=\"https:\/\/technet.microsoft.com\/library\/security\/4053440\">4053440<\/a> covers zero-day attacks that were reported and patched in&nbsp;<a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/09\/12\/exploit-for-cve-2017-8759-detected-and-neutralized?ocid=cx-blog-mmpc\">CVE-2017-8759<\/a>,&nbsp;<a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb17-32.html\">CVE-2017-11292<\/a>, and&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11826\">CVE-2017-11826<\/a>.<\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html\">FortiGuard Labs<\/a> has issued three IPS signatures that defend our customers against these attacks:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.fortiguard.com\/encyclopedia\/ips\/44664\/adobe-flash-malformed-object-inheritance-memory-corruption\">Adobe.Flash.Malformed.Object.Inheritance.Memory.Corruption<\/a><\/li>\n<li><a href=\"http:\/\/www.fortiguard.com\/encyclopedia\/ips\/44522\/ms-dotnet-framework-soap-remote-code-execution\">MS.DotNET.Framework.SOAP.Remote.Code.Execution<\/a><\/li>\n<li><a href=\"http:\/\/www.fortiguard.com\/encyclopedia\/ips\/44522\/ms-dotnet-framework-soap-remote-code-execution\">MS.Office.OOXML.Parsing.Type.Confusion.Memory.Corruption<\/a><\/li>\n<\/ul>\n<p>Additionally, our <a href=\"https:\/\/www.forticlient.com\/\">FortiClient<\/a> agent successfully defends against these attacks with the following application protection signatures:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.fortiguard.com\/encyclopedia\/endpoint-vuln\/36688\/net-framework-remote-code-execution-vulnerability\">.NET Framework Remote Code Execution Vulnerability<\/a><\/li>\n<li><a 
href=\"http:\/\/www.fortiguard.com\/encyclopedia\/endpoint-vuln\/36776\/microsoft-office-memory-corruption-vulnerability\">Microsoft Office Memory Corruption Vulnerability<\/a><\/li>\n<\/ul>\n<p>As always, the FortiGuard Labs team recommends that, in addition to employing the protections provided by our security solutions, customers actively patch or replace vulnerable systems. We also strongly recommend that users exercise caution when opening suspicious files.<\/p>\n<p><em>Sign up for our weekly FortiGuard Labs&nbsp;<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html\">intel briefs<\/a>&nbsp;or to be a part of our&nbsp;<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html\">open beta<\/a>&nbsp;of Fortinet&rsquo;s FortiGuard Threat Intelligence Service.<\/em><\/p>\n<\/div><br \/><a href=\"https:\/\/blog.fortinet.com\/2017\/11\/17\/cybercriminals-exploiting-microsoft-s-vulnerable-dynamic-data-exchange-protocol\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/CC_finance.jpg\"\/><\/p>\n<p><strong>Credit to Author: FortiGuard SE Team| Date: Fri, 17 Nov 2017 18:40:59 +0000<\/strong><\/p>\n<p>Visa Payment Systems Intelligence recently announced that cybercriminals are threatening the payments ecosystem by leveraging a vulnerable Microsoft Dynamic Data Exchange protocol in phishing campaigns. This phishing attack relies on the Dynamic Data Exchange (DDE) protocol for infection instead of the usual malicious macros or an exploit kit. 
FortiGuard Labs has issued three IPS signatures that defend our customers against these attacks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-10532","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10532"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10532\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}