
Criminals are far too successful at recycling old threats that defeat enterprises’ legacy systems

(Image credit: Deepadesigns / Shutterstock)

Continued use of insecure legacy Windows operating systems is placing major organisations and businesses across the UK at risk of cyberattack.

Criminals are spending more time gathering intelligence on individuals and infrastructure within a large organisation to send them new malware disguised in legacy file-types.

Detailed analysis of threats by Glasswall Solutions reveals that in the first quarter of 2019, 85 per cent of CVE-related malware that was evading all conventional security layers, including AV and sandboxing, was already known to the cybersecurity industry. And yet it still penetrated multiple layers of defence, hiding new threats within old documents.

It is worth remembering that earlier this year an organisation as high-profile as BA was fined £183million by the Information Commissioner’s Office for “poor security arrangements” that enabled a breach of credit card information, names, addresses, travel booking details, and logins for about 500,000 customers. While the details have not been released, it is possible that BA was using legacy systems that rendered it vulnerable.

It was certainly true of the NHS, which was hit in the 2017 WannaCry attack largely because of its reliance on unpatched Windows XP. Research shows that, remarkably, Windows XP, Windows 7 and Windows 8 are still in widespread use among enterprises. In the year to May, the worldwide share of Windows 7, for example, remained at 36 per cent.

A threat from 2017 accounts for 77 per cent of threats detected this year

Whatever the reasons for retaining these outdated systems, they offer criminals an enticing opportunity that is proving far too easy for them to ignore. Glasswall researchers have found malware had matching characteristics of the legacy systems in use by target organisations or individuals, demonstrating a highly sophisticated malicious actor that had done thorough intelligence-gathering. This year, for example, a threat from 2017, CVE-2017-1182, has turned up relentlessly, accounting for 77 per cent of malware detected and neutralised.

What is particularly alarming about this threat (a vulnerability in Office’s legacy Equation Editor component) is its ability to exploit admin privileges. Hackers can use social media and leaked metadata to profile individuals, but they can also host websites to determine the system in use on that person’s machine. They can then tailor their threat to the individual using a variety of social engineering techniques.

A closer examination of CVE-2017-1182 reveals it to have been delivered in Office documents sent as attachments. Of these, 68 per cent were in binary Word documents, a format designed around the time of Windows XP and in use between 1997 and 2003. Consider how long ago that was in the context of owning an old car, built to less robust safety standards and more prone to failure. Not many people drive cars more than 20 years old, so would you continue to use a computer two decades old? Unlikely, so why take the risk?

Further analysis revealed that more than a quarter (28 per cent) of this threat arrived in current-format Excel files, with the remainder in docx, xltx and pptx formats. Basically, the bad guys know that sending people familiar document types with hidden payloads just works.

The picture we have is of a massive vulnerability targeted through documents designed a quarter of a century ago. And lest anyone think themselves immune, bear in mind that these are simple document formats that work on all Windows machines, including Windows 10. Criminals can spread their malice right along the supply chain. A large company with small suppliers using outdated formats should think very hard about allowing supply chain partners to continue sending old format attachments. Such scenarios should be on any organisation’s Risk Register.

Another vulnerability, constituting nine per cent of those detected, is CVE-2017-0199. This old enemy is designed to function on Vista, Windows 7 and 8, along with Windows Server 2008 and 2012. It was found inside .docx, .doc and .xlsx files. Embedded files were placed inside the .docx files, while 22 per cent of the Excel files used Microsoft’s Dynamic Data Exchange (DDE) feature. This is yet another legacy Windows feature that is still supported by Microsoft, yet remains one of the malicious actors’ weapons of choice to kick-start their attacks.

Embedded files and AcroForms are often detected

There are two points to make here. Firstly, although patches are available, criminals know that IT departments will, for their own reasons, avoid implementing every single one. Hackers can probe an enterprise’s systems to find out whether patches have been applied. Secondly, embedded files (such as Excel or PowerPoint) and the use of DDE should always set off the alarm klaxon. DDE should never be in an Excel spreadsheet received from outside an organisation, because its typical use is to point towards internal, not external, datasets. When directed outside, it is a sign of a malware trigger that points to a malicious website, although it may look perfectly normal to all inbound security detection systems.

In nearly six per cent of cases, CVE-2017-0199 is delivered in PDFs. The even older CVE-2010-0188 also exploits Adobe Acrobat, arriving in PDFs, but with an AcroForm. There can be few reasons why any supply chain partners need to use AcroForms within the documents they exchange as email attachments, and yet seemingly they do, which is why criminals use them. Any information required by partners should be provided through a secure website portal with log-in requirements.

Upgrades and new approaches are needed urgently

This use of new malware in old containers is a major threat to all organisations. Any enterprise that relies on legacy operating systems should upgrade as soon as possible and ensure patches are applied thoroughly.

Yet the fact remains that despite all the different layers of conventional technology defending organisations, known malware can still get through. Almost nine out of ten threats detected by Glasswall were from known sources. Analysing millions of files, Glasswall calculates that one in every 5,000 emails contains a malicious attachment. With millions of emails exchanged every day, attachments carrying malware remain high-risk threats. And since the average attack now takes 280 days to discover, and the entire breach lifecycle can last years, once malware has penetrated conventional defences and found its target, it can do a huge amount of damage through data exfiltration or ransomware.

One of the most effective options to combat these new waves of attacks is content disarm and reconstruction (CDR) technology, which reverses the logic of looking for known bad and instead allows only clean, safe and sanitised files into the organisation.
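As an added illustration (not code from Glasswall or from this article), the following Python script shows what the two defensive ideas above look like in practice: an inbound-attachment triage that flags the indicators the article names (DDE field codes and DDE link parts, embedded OLE objects, PDF AcroForms, legacy 97-2003 binary Office formats), and a minimal CDR pass that rebuilds an OOXML package without those active parts rather than trying to recognise known-bad content. Everything here is an assumption of the example: the regex patterns, the OOXML part paths, and the names `scan_attachment`, `sanitise_ooxml` and `triage`; the sample files are constructed placeholders, not real payloads.

```python
"""Added example: attachment triage plus a CDR sketch for Office/PDF files.
Sample files are constructed placeholders, not real malware."""
import io
import re
import zipfile

# Word stores field codes in <w:instrText> runs; Excel keeps DDE links in
# xl/externalLinks/*.xml as <ddeLink> elements; PDFs declare forms via /AcroForm.
WORD_INSTR_RE = re.compile(rb"<w:instrText[^>]*>([^<]*)</w:instrText>")
EXCEL_DDELINK_RE = re.compile(rb"<ddeLink\b")
PDF_ACROFORM_RE = re.compile(rb"/AcroForm\b")
EMBEDDING_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"   # header of .doc/.xls/.ppt 97-2003 binaries


def _is_dde_field(code: bytes) -> bool:
    """True if a Word field code starts with DDE or DDEAUTO."""
    tokens = code.strip().split()
    return bool(tokens) and tokens[0].upper() in (b"DDE", b"DDEAUTO")


def scan_ooxml(data: bytes) -> list:
    """Walk an OOXML zip and report embedded objects and DDE usage."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBEDDING_PREFIXES):
                findings.append(f"embedded object: {name}")
                continue
            if not name.endswith(".xml"):
                continue
            content = zf.read(name)
            if any(_is_dde_field(c) for c in WORD_INSTR_RE.findall(content)):
                findings.append(f"DDE field in {name}")
            if EXCEL_DDELINK_RE.search(content):
                findings.append(f"DDE link part {name}")
    return findings


def scan_attachment(filename: str, data: bytes) -> list:
    """Dispatch on the file signature, not the extension the sender chose."""
    if data.startswith(b"PK"):
        return scan_ooxml(data)
    if data.startswith(b"%PDF-"):
        return ["AcroForm present"] if PDF_ACROFORM_RE.search(data) else []
    if data.startswith(OLE2_MAGIC):
        return [f"legacy binary Office format: {filename}"]
    return [f"unrecognised format: {filename}"]


def sanitise_ooxml(data: bytes) -> bytes:
    """CDR sketch: rebuild the package without embeddings or external links
    and with DDE field codes blanked. A production tool would also repair
    the .rels parts that referenced the dropped parts."""
    def blank_dde(m):
        return b"<w:instrText></w:instrText>" if _is_dde_field(m.group(1)) else m.group(0)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name.startswith(EMBEDDING_PREFIXES + ("xl/externalLinks/",)):
                continue
            content = src.read(name)
            if name.endswith(".xml"):
                content = WORD_INSTR_RE.sub(blank_dde, content)
            dst.writestr(name, content)
    return out.getvalue()


def triage(filename: str, data: bytes) -> dict:
    findings = scan_attachment(filename, data)
    return {"file": filename, "verdict": "quarantine" if findings else "allow", "findings": findings}


def _make_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# --- constructed samples (placeholder service/topic names, no real payload) ---
SAMPLE_DDE_DOCX = _make_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:p><w:r><w:instrText> DDEAUTO example-app example-topic </w:instrText></w:r></w:p></w:document>",
})
SAMPLE_CLEAN_DOCX = _make_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:p><w:r><w:instrText> PAGE </w:instrText></w:r></w:p></w:document>",
})
SAMPLE_DDE_XLSX = _make_ooxml({
    "xl/workbook.xml": b"<workbook/>",
    "xl/externalLinks/externalLink1.xml": b'<externalLink><ddeLink ddeService="example" ddeTopic="example"/></externalLink>',
})
SAMPLE_EMBED_DOCX = _make_ooxml({
    "word/document.xml": b"<w:document/>",
    "word/embeddings/oleObject1.bin": OLE2_MAGIC + b"placeholder",
})
SAMPLE_ACROFORM_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"placeholder"

if __name__ == "__main__":
    for name, blob in [("report.docx", SAMPLE_DDE_DOCX), ("links.xlsx", SAMPLE_DDE_XLSX),
                       ("deck.docx", SAMPLE_EMBED_DOCX), ("form.pdf", SAMPLE_ACROFORM_PDF),
                       ("clean.pdf", SAMPLE_CLEAN_PDF), ("old.doc", SAMPLE_LEGACY_DOC)]:
        print(triage(name, blob))
    print("after CDR:", scan_ooxml(sanitise_ooxml(SAMPLE_DDE_DOCX)))
```

The scanner keys on file signatures rather than extensions, because a renamed attachment is the cheapest evasion there is; the CDR function is the point the article makes about reversing the logic: it never asks whether the DDE field or embedded object is malicious, it simply does not carry them into the rebuilt file.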

Upgrading the technology defending an organisation is now vital but it must go hand-in-hand with improved security policies and data hygiene, particularly in relation to supply chain partners. When it comes to cybersecurity the ability of criminals to recycle evasive threats must be taken very seriously.

Lewis Henderson, VP of Threat Intelligence, Glasswall