Microsoft PowerPoint – Presenting an APT Privileged Pathway


By Yossi Dantes

Microsoft PowerPoint is one of the most popular collaboration applications in the world of business – it’s also the latest pathway external attackers are taking to steal privileged accounts and launch advanced attacks.

Microsoft recently issued a temporary security fix for a zero day vulnerability that impacts every Microsoft OS except Windows Server 2003. The exploit allows attackers to launch targeted attacks using malicious PowerPoint documents sent in phishing emails.

According to the security bulletin, the vulnerability “resides within the OS’s code that handles OLE (object-linking and embedding) objects. The vulnerability is triggered by opening a PowerPoint (or any MSFT Office file) containing a malicious OLE object. Once triggered, attackers can gain the same user rights as the current user – including administrative and privileged user rights.”

Stealing and exploiting this level of access is critical for hackers to carry out their attacks. Once the attacker gains this privileged foothold, they can elevate privileges to move about the network and conduct reconnaissance on the security architecture, identifying the systems they need to avoid to perpetrate their attack. Once this insider knowledge is gained, they can easily infiltrate systems and exfiltrate data. This level of insider/privileged access is the key on which all advanced attacks turn. We’ve seen this time and again.

While this vulnerability is specific to Microsoft, the reality is that no OS is safe. The Shellshock vulnerability was specific to Unix systems. DARPA, the research arm of the Department of Defense, recently highlighted similar vulnerabilities in Apple Inc.’s OS X operating system. Security is not dependent on which OS you use – it’s dependent on how your organization is managing its privileged accounts.

Whether it’s through an OS zero day vulnerability, a phishing email, or any other perimeter tactic, attackers will get inside your organization and they will target privileged accounts. If they succeed, the chances are high that you will suffer a debilitating security incident.

This is why a least privilege approach on all servers and desktops is vital to securing any organization. With a least privilege approach to security, attackers may get in, but they will not be able to obtain the administrative rights necessary to access the organization’s critical assets. Obtaining those rights is an absolutely necessary step in any targeted attack, so preventing this level of access can help an organization stop a targeted attack before it starts.

This is why CyberArk created the On-Demand Privileges Manager (OPM) – to help our customers enforce ‘the principle of least privilege’ and lock down administrative accounts. With OPM, users work from their named accounts with standard user permissions, elevating themselves to execute specific commands and applications on an as-needed basis (and strictly according to company policy). This gives all users the privileged access they need to do their jobs without compromising the security posture of the entire organization, and it helps stop advanced attacks that rely on privileged exploitation early in the kill chain.

No matter what OS you’re using, applying and enforcing policy securing privileged accounts is critical to protecting your organization against the latest advanced threats.