I was in a Skype chat early this morning when the people at the company on the other end found that staff were opening a very unusual e-mail. The chaos that ensued reflected a lack of preparedness and a misunderstanding of how technology can protect against external threats. This wasn’t a law firm but, as I saw the messages go by, I kept thinking how it easily could have been.
It all started, as it so often does, with an e-mail. This was a very good e-mail: it appeared to come from a staff person’s account. A couple of things made it ring warning bells:
- it had been sent to multiple people on a distribution list
- the person who sent it usually writes longer messages, and this was very brief
- it had a generic attachment – a Word document – that would not normally have been circulated to a group
On the other hand:
- it came from the person’s e-mail address
- a look at the source code (which I did later) showed it had gone through company servers
- the e-mail had this person’s default signature block, which would normally only go out in messages to clients and other staff
Not surprisingly, on balance, staff responded in different ways. It was early in the morning, before normal office hours but that’s when people start checking their e-mail, even if they aren’t on site. One person warned the IT team, who wouldn’t be in the office for another hour. Four people opened the attachment. A manager sent an all-staff e-mail warning them to delete the e-mail.
The attachment was a Microsoft Word document. After many years in which other types of attack payload dominated, Microsoft Visual Basic macros are back in the spotlight. There appear to be a couple of good reasons:
- a Microsoft Office macro can be cross platform, so it can run on Windows and some Macs
- Microsoft Office users may have forgotten the days when the macro was such a reliable tool for attacks
The document was blank, except for the macro. The macro, not surprisingly, was named autoopen. That is a magic – thaumaturgic, to lawyers – word that causes the macro to run as soon as the document opens. This is behavior as old as Microsoft Word macros.
The current status of this company is that 4 staff have opened a document containing the downloader.cir VB macro. One person has uploaded the file to Virustotal to understand how it got past the anti-virus software the company uses. It got past because the anti-virus software doesn’t know it’s a problem.
Internet security (endpoint security) software is only one of the tools that could potentially have inhibited the activation of this download script. Others include:
- Training staff to be more alert. Two people figured out there might be a problem, and at least four did not. The staff are probably the last line of defence.
At this point, it might have been worth pulling those 4 computers off the network – no access to internal or external network resources. But there was resistance, because there was work to be done and we all rely on our computers to be productive. This was complicated because two of the people who had opened the attachment were senior staff, and not accustomed to being told what to do. Again, taking the law firm perspective, you can imagine a partner in a small firm – they pay the bills, they own the equipment, they hire the staff – being reluctant to spike a couple of productive, billable hours.
It was made worse because the company was using security software and the staff assumed that the software was enough protection, on its own.
I Can See Danger
First, none of the 4 staff who opened the Word document could see anything happening. Because the Word document wasn’t doing anything on their screen – downloaders don’t have a progress bar, by the way – they thought they were fine. They might be correct, if their macro security was turned on. Otherwise, they couldn’t tell.
Encryption as Savior
Second, two of the staff used encrypted laptops. “Surely,” one said, “the encryption will protect me from whatever this is?” No. It won’t. The encryption is a container, and the container is opened (decrypted) when the computer is accessed. It’s great if you lose your computer, but if you are working on your computer, then whatever you download has potentially the same rights you do to change things on your PC.
Increasingly, when an attack happens, it will be invisible. It’s one reason I think law firms – after their confidential information has leaked and they claim that there was no wrongdoing or no evidence of breach – don’t really have any clue. Unless they were prepared in advance to watch for this sort of thing, it’s not surprising when they can’t find it. Funnily enough, one place encryption will protect is the data that is leaving the law firm: if the channel carrying it out is encrypted, it will inhibit the firm from seeing what is leaving.
Staff who think they will see something, or can rely on technology to save them, have a misunderstanding of their role in protecting corporate information and resources, and their own personal and private information.
Some people might use the term perfect storm at this point but it really is, as it so often is, just poor planning and a lack of training. The downloader appears to have bypassed all of the technical solutions:
- anti-virus on the e-mail server
- anti-virus on the staff computers / endpoints
- Microsoft Office macro restrictions
- staff training
- [if the downloader was set to contact a remote server, it was apparently able to do that]
If the company had had a plan in place – if a staff person opens a sketchy e-mail, do this – it might have been contained. But because staff were able to choose whether or not to open a file, and whether or not to stay on the network, it meant that a potentially bad situation was left to its own devices. The computers:
- should have been disconnected from other corporate and Internet resources
- should have been scanned to verify that, in fact, the endpoint security and other obstacles had worked despite the staff
It also highlighted the fundamental need for training. It’s not just that staff and lawyers need to know how to recognize potential threats, like e-mail attachments, and what to do with them. They need to understand that the technology is just there to narrow the funnel, and decrease the likelihood that an attack will get all the way to the discretion of the staff person. When staff don’t understand what their technology does and does not do, and make assumptions about how it is securing them so that they need not use as much caution, it creates a likelihood of misunderstandings and potential resource and information loss.
Afterthought: somewhat unrelated, the company probably needs to see if the person’s e-mail account has been accessed. The e-mail was unusual enough that it looked like it came from the actual account, not a spoofed account as is often the case. Also, it went to other addresses in the sender’s address book. This may mean the company has a password / account access problem as well as whatever happens on those computers.
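The warning signs listed at the top of this post (a broadcast recipient list, an unusually brief body, a Word attachment nobody expected), the autoopen macro, and the afterthought about a real account rather than a spoofed one can all be checked mechanically before anyone double-clicks. The script below is an added example written for this page, not code from the original post or from any product the company used. It assumes a constructed message, a made-up internal domain (`example-firm.test`), a word-count threshold of 20 for "brief", and a stand-in `vbaProject.bin` byte string; a real VBA project is an OLE container whose source is MS-OVBA compressed, so the raw-byte name scan here treats absence as inconclusive, while the presence of any `vbaProject.bin` part is a reliable sign that the file carries macros.

```python
"""Inbound e-mail triage for the warning signs discussed in the post.

Added example, not the original post's code. The message, the domain and the
attachment are all constructed here; the vbaProject.bin payload is a stand-in
byte string, not a real OLE container.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Entry-point names that make a VBA macro run as soon as the document opens.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Auto_Open", b"Document_Open", b"AutoExec")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls header
BRIEF_WORD_LIMIT = 20  # assumed threshold: shorter bodies count as "unusually brief"


def inspect_office_attachment(data: bytes) -> dict:
    """Flag macro-bearing Office files without ever opening them in Word."""
    result = {"ooxml": False, "legacy_ole": False, "has_vba_project": False, "auto_exec_names": []}
    if data.startswith(OLE_MAGIC):
        # Binary .doc: macros live inside OLE streams; a raw scan is all this layer does.
        result["legacy_ole"] = True
        result["auto_exec_names"] = [n.decode() for n in AUTO_EXEC_NAMES if n in data]
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            result["ooxml"] = True
            vba_parts = [n for n in pkg.namelist() if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                # Any vbaProject.bin part means the file carries macros, whatever the extension says.
                result["has_vba_project"] = True
                blob = pkg.read(vba_parts[0])
                # Raw-byte scan: MS-OVBA compression can hide a name, so absence proves nothing.
                result["auto_exec_names"] = [n.decode() for n in AUTO_EXEC_NAMES if n in blob]
    except zipfile.BadZipFile:
        pass  # not an OOXML package; nothing more to say at this layer
    return result


def triage_message(raw: bytes, internal_domain: str) -> dict:
    """Score one raw RFC 5322 message against the warning signs from the incident."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    recipients = sum(len(msg[h].addresses) for h in ("To", "Cc") if msg.get(h))
    body_part = msg.get_body(preferencelist=("plain",))
    words = len(body_part.get_content().split()) if body_part else 0
    auth = str(msg.get("Authentication-Results", "")).lower()
    attachments = []
    for part in msg.iter_attachments():
        finding = inspect_office_attachment(part.get_content())
        finding["filename"] = part.get_filename()
        attachments.append(finding)
    return {
        "broadcast": recipients >= 3,
        "brief_body": words < BRIEF_WORD_LIMIT,
        "sender_is_internal": sender_domain == internal_domain.lower(),
        # SPF pass recorded by the company's own relay: the mail left the real
        # account, so an account-compromise check belongs on the to-do list.
        "authenticated_by_company": internal_domain.lower() in auth and "spf=pass" in auth,
        "macro_attachments": [a["filename"] for a in attachments
                              if a["has_vba_project"] or a["auto_exec_names"]],
        "attachments": attachments,
    }


def build_sample_docm(vba_stub: bytes) -> bytes:
    """Constructed macro-enabled package: a zip with a word/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/vbaProject.bin", vba_stub)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed copy of the kind of message the post describes."""
    msg = EmailMessage()
    msg["From"] = "j.doe@example-firm.test"
    msg["To"] = "a.lee@example-firm.test, b.ng@example-firm.test, c.ortiz@example-firm.test"
    msg["Subject"] = "Document"
    # Constructed authentication result: the mail really traversed the company's own server.
    msg["Authentication-Results"] = "mx.example-firm.test; spf=pass smtp.mailfrom=example-firm.test; dkim=pass"
    msg.set_content("Please see attached.\n\nJ. Doe\nExample Firm")
    msg.add_attachment(build_sample_docm(b"VBA\x00AutoOpen\x00Sub AutoOpen()"),
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage_message(build_sample_message(), "example-firm.test").items():
        print(f"{key}: {value}")
```

Every one of the post's warning signs fires on the sample, and `authenticated_by_company` is the signal that turns the afterthought into a task: when the company's own relay vouches for the sender, the mailbox, not just four endpoints, needs attention.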