The last decade has seen a steady increase in the number of cyberattacks targeting companies in the commercial and public sectors. These attacks pursue goals such as stealing sensitive information, industrial espionage, unauthorized surveillance and disruption of normal business operations. The perpetrators may be motivated by criminal gain, by ideology or by a desire for publicity.
Internal and external communications of companies rely heavily on the Internet and on e-mail. Unsurprisingly, e-mail has been and remains a very attractive entry point for attacks on corporate information systems. Attackers make heavy use of social engineering to induce recipients to open a dangerous attachment or follow a link to a malicious web page. Cybercriminals also place malware on the Web, disguised as useful or free software, and scripts that run automatically when a web page opens can perform unwanted actions on the visitor's computer, from credential theft to malware installation.
The presence of an e-mail client on many home computers and on virtually all corporate computers, together with the fact that malware can read the address book to find new victims, creates favorable conditions for the avalanche-like spread of harmful files. In a typical scenario, the user of an infected computer unknowingly sends infected e-mails to a wide range of recipients in the address book, each of whom in turn sends out new malicious e-mails. There have been cases where an infected document inadvertently made its way onto a large company's commercial mailing list; hundreds or even thousands of subscribers then became victims and in turn sent infected files to tens of thousands of recipients and correspondents.
According to this year's Top Trends in Cyberattacks report (PDF) for the first half of 2020, the distribution of malicious files by type and by distribution channel is as follows.
Figure 1: Actual distribution of malicious files
The chart above shows that non-executable files, downloaded from web links or attached to e-mails, are an integral part of many cyberattacks. One reason this type of attack is popular is that program and application files, i.e. executables (for example files with the *.exe extension on Microsoft Windows), are filtered out by most mail servers because they are an obvious threat, while non-executable files (*.pdf, *.docx and so on) are let through and, moreover, are not perceived as a direct threat by most users. They come in a format that is interpreted by a program designed for that purpose and usually cannot be executed directly. Yet non-executable files are no less dangerous for corporate information systems, because the programs that open them may contain vulnerabilities or support macros, either of which lets the attacker perform malicious actions on the victim's computer. Various security tools can be used to counter such attacks: mail gateways with attachment filtering, web application firewalls (WAFs), next-generation firewalls (NGFWs), intrusion detection and prevention systems (IDS/IPS), and so on.
These tools have known limitations in detecting attacks delivered through non-executable files. Apart from the high cost of such products, they rely in part on repositories of known object and event signatures that vendors maintain and share with customers. The main limitation is the difficulty of detecting attacks of the newest, as yet unknown kind, because of the delay between the appearance of a new piece of malware and the moment vendors ship the corresponding signature update.
Importantly, however, even the unsophisticated user can take some simple and effective steps on their own to minimize the risk of a successful cyberattack with the most common types of malicious files.
Users work with a variety of sources of information, including those for which the level of protection is not well known. In such cases, it is useful to apply the following universal measures to protect against cyberattacks.
- Scan files with the installed anti-virus tool or with a third-party scanning service such as VirusTotal. Bear in mind that uploading a file to a public service discloses its contents to that service and its subscribers; for documents that may be confidential, look up the file's hash first and upload the file itself only if policy allows.
- Turn on the display of file extensions in the operating system (in Windows 10: File Explorer → "View" → "Options" → "View" tab → uncheck "Hide extensions for known file types"). With extensions hidden, a file named "invoice.pdf.exe" is shown as "invoice.pdf".
- Where possible, use process-control features, either built into the OS or installed as an add-on third-party product. Such controls can provide the following functions:
- blocking the creation of child processes and the launch of executable content by application software (in Windows 10 these are Attack Surface Reduction rules of Microsoft Defender, for example "Block all Office applications from creating child processes" and "Block executable content from email client and webmail"; they are enabled centrally through Group Policy under Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Attack Surface Reduction, or locally with the Add-MpPreference PowerShell cmdlet);
- OS kernel isolation (in Windows 10: "Settings" → "Update & Security" → "Windows Security" → "Device security" → "Core isolation", where "Memory integrity" turns on hypervisor-protected code integrity);
- blocking calls to the system application programming interface (API), for example the rule "Block Win32 API calls from Office macros", and so on.
- Use means of controlling which applications may write to which folders (the built-in OS features may be enough; in Windows 10 this is "Controlled folder access" under "Ransomware protection" in Windows Security).
- Use only legitimately licensed software obtained from its vendor; pirated copies and "cracks" are a common carrier of malware.
- Update the software you use promptly, including system software. These recommendations are relevant for countering attacks of any kind.
As a second tier of defense it is advisable to consider recommendations for protecting against malicious files, specific to different types (file extensions).
.EXE and other executable extensions
What are the dangers
Files with the .exe extension are programs: opening one runs it with the current user's privileges, so it can cause very serious damage. If such a file arrives as an e-mail attachment, never open it. Fortunately, many e-mail providers, such as Gmail or Outlook.com, block messages carrying attachments with this extension outright; note that the same executable inside an archive or under a renamed extension may still get through.
Despite the obvious danger of running executables from untrusted sources, this type remains the most commonly used in Internet attacks. Its main attraction for attackers is that a malicious program can be distributed to a wide audience without any additional tricks: once it is run, no exploit of a vulnerable viewer is needed.
To block attacks using executable files, in addition to general precautions, it is recommended:
- When downloading software (including free software), check who its developer is and how the product is officially distributed. If the developer has its own site or an entry in an official app store, download from there, and compare the published digital signature or checksum where one is provided.
- Limit the ability to run executable files in the operating system (in Windows 10, run gpedit.msc and go to "Computer Configuration" → "Windows Settings" → "Security Settings" → "Software Restriction Policies" → "Additional Rules"; a default-deny policy with path or hash rules for the allowed programs is the effective form). On editions that support them, AppLocker or Windows Defender Application Control are the supported successors of Software Restriction Policies and should be preferred.
.HTML and other web page extensions
What's the danger
HTML is the standard markup language used to create web pages. In e-mail it offers the attacker plenty of room to hide things: scripts, obfuscated or misleading links and remotely loaded content. For this reason, many companies strip active content from HTML messages at the gateway or deliver them as plain text.
Web pages are infected by exploiting vulnerabilities in the software used to deploy and run the site, as well as configuration errors. A typical scenario involves modifying a page's code to redirect the visitor to a web site that hosts malicious code.
HTML in e-mail is dangerous in two ways. Modern mail clients do not execute scripts in a message body, but they will fetch remote images (which confirms to the sender that the address is live) and render links whose visible text has nothing to do with their destination. An HTML file sent as an attachment is a different matter: opened from the mail client, it loads in the browser with full script support, and its JavaScript can assemble and drop a malicious program on the computer without any further download being visible to the user.
Another attack method involves sending e-mails with a link to a fake web page where the user is prompted to enter credentials for a personal account, card details for a purchase, or other information that should not be disclosed.
To block web page attacks, in addition to general measures, it is recommended that you
- Read HTML e-mails as plain text (in Microsoft Outlook this is File → Options → Trust Center → Trust Center Settings → Email Security → "Read all standard mail in plain text"; older versions had it under Tools → Options).
- Be cautious about e-mails that press for an immediate response or for clicking a link. Before acting, check the text for manipulative techniques (a promise of easy money, a demand for urgent action, a threat to suspend an account and so on). If the message comes from a familiar mailbox, compare its style with the way the supposed sender usually writes, or ask the sender over another channel (a phone call, a chat message) whether they actually sent it.
- If you receive a web link in an e-mail, hover over it to see the real URL in a tooltip: if the tooltip differs from the address shown in the link text, treat the message with suspicion. Links through URL shorteners or redirectors hide the final destination in the same way.
- Use URL checking tools. It may be separate services or special browser plug-ins, as well as antivirus protection complexes.
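As an added illustration (not part of the original article), the following Python script automates the checks listed above for one HTML message: it flags inline scripts, 1x1 remote tracking images, links whose visible text names one host while the href goes to another (the hover check done in code) and links to bare IP addresses, and it lists pressure phrases found in the visible text. The sample message and the phrase list are constructed for the demonstration and are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing mail): an honest link, a link
# whose visible text claims the bank's domain but points at a bare IP address,
# an inline script and a 1x1 remote image used for tracking.
SAMPLE_HTML = """
<html><body>
<p>Your account will be suspended in 24 hours. Act now to verify your account!</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://198.51.100.23/verify">https://www.example-bank.com/secure</a>
<script>document.location = "http://198.51.100.23/drop";</script>
<img src="http://198.51.100.23/t.gif" width="1" height="1">
</body></html>
"""

# Visible link text that looks like a URL or a bare domain; group 1 is the host it claims.
_URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Pressure phrases typical of social-engineering mail (a naive list, assumption of this example).
URGENCY_PHRASES = ("act now", "urgent", "suspend", "immediately", "verify your account", "24 hours")


def _norm_host(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class _MailScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the HTML of one message."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.text = []            # visible text, for the urgency check
        self._href = None         # href of the <a> currently open, if any
        self._link_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.findings.append(("script", "inline script in message body"))
        elif tag == "a":
            self._href = attrs.get("href") or ""
            self._link_text = []
        elif tag == "img":
            src = attrs.get("src") or ""
            if src.lower().startswith("http") and attrs.get("width") == "1" and attrs.get("height") == "1":
                self.findings.append(("tracking-pixel", src))

    def handle_data(self, data):
        if self._in_script:
            return
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a" and self._href is not None:
            self._check_link("".join(self._link_text).strip(), self._href)
            self._href = None

    def _check_link(self, shown: str, href: str):
        real_host = _norm_host(urlparse(href).hostname or "")
        m = _URLISH.match(shown)
        if m and _norm_host(m.group(1)) != real_host:
            # The "hover over the link" check: the text claims one host, the href goes to another.
            self.findings.append(("link-mismatch", f"text says {m.group(1)!r}, href goes to {real_host!r}"))
        if real_host and _IPV4.fullmatch(real_host):
            self.findings.append(("raw-ip-link", href))


def scan_html_mail(html: str) -> list:
    """Return a list of (kind, detail) findings for one HTML message body."""
    scanner = _MailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def urgency_hits(html: str) -> list:
    """Return the pressure phrases present in the visible text of the message."""
    scanner = _MailScanner()
    scanner.feed(html)
    scanner.close()
    visible = " ".join(scanner.text).lower()
    return [p for p in URGENCY_PHRASES if p in visible]


if __name__ == "__main__":
    for kind, detail in scan_html_mail(SAMPLE_HTML):
        print(f"{kind:15} {detail}")
    print("urgency phrases:", urgency_hits(SAMPLE_HTML))
```

The script works on the raw HTML, so it can run at the gateway or on a saved .eml before anyone clicks; it deliberately reports findings rather than verdicts, because a newsletter can legitimately carry a tracking image and a link to a short domain.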
.DOC and other office document extensions
What’s at risk
Malicious objects that look like office documents with the usual extensions, .doc/.docx, .xls/.xlsx/.xlsb and so on, can be used to target individuals or organizations. Opening such a file may display the expected text or tabular content, so the user sees nothing suspicious and no immediate negative consequences. At the same time, the attacker uses built-in features of the office application, above all macros, to carry out the attack. A macro is custom code normally written to automate routine operations such as graphing, calculations or text formatting. But macros can do much more: they can write to the registry, launch files, call Win32 APIs and so on.
One classic mechanism of a macro virus is as follows. The attacker's code writes itself into the global template (Normal.dotm in current Word, formerly Normal.dot), which holds the macros available in every document, replacing some of them. Every document subsequently created or saved by that installation then carries the macro.
In some cases the malicious object is not detected by the installed intrusion detection system or anti-virus, for example when the attack uses XLM (Excel 4.0) macros, which are stored as macro sheets inside the same workbook as the data rather than in a separate VBA project, so tools that only inspect the VBA project miss them.
Besides the formats designed for office applications there are formats that do not carry macros explicitly and are considered safer, such as RTF (rich text with embedded graphics). Such a file can still carry malicious content: a few years ago a vulnerability was found in Word that allowed arbitrary code to be executed silently on the victim's computer through an RTF document.
To block attacks using office documents you can use the following additional recommendations, available to every user:
- Disable macros in office applications (in Microsoft Word 2016: File → Options → Trust Center → Trust Center Settings → Macro Settings). "Disable all macros with notification" still lets the user click "Enable Content", which is exactly what a malicious document asks for, so "Disable all macros except digitally signed macros" is the safer choice. In a corporate environment this is set centrally through Group Policy, which also offers "Block macros from running in Office files from the Internet".
- Enable and use Protected View and Data Execution Prevention (in Microsoft Word 2016: File → Options → Trust Center → Trust Center Settings → Protected View), so that files from the Internet, from e-mail attachments and from unsafe locations open read-only in a sandbox.
- Use tools that block the launching of content received by e-mail with specified extensions (in Windows 10 the Microsoft Defender Attack Surface Reduction rule "Block executable content from email client and webmail", enabled through Group Policy).
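The following Python script is an added example, not code from the original article: it inspects an Office Open XML document as the ZIP container it is and reports VBA macros (a vbaProject.bin part or the vbaProject content type), Excel 4.0 macro sheets under xl/macrosheets/ (the XLM case above), and macro content in a file whose extension does not normally carry macros. Legacy binary .doc/.xls files are OLE2 compound files and are only recognized, not parsed. The sample documents are stubs built in memory and are assumptions of this example.

```python
import io
import zipfile

# Parts that carry macro code inside an OOXML container.
VBA_PART = "vbaproject.bin"          # VBA project (docm, xlsm, pptm ...)
XLM_PREFIX = "xl/macrosheets/"       # Excel 4.0 (XLM) macro sheets, stored next to the data sheets
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound files
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
CONTENT_TYPES_PART = "[Content_Types].xml"


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Report macro content in one Office document given as bytes plus its claimed file name."""
    result = {"is_ooxml": False, "vba": False, "xlm": False, "notes": []}
    if data.startswith(OLE2_MAGIC):
        result["notes"].append("legacy binary Office file (OLE2); VBA lives in its storages "
                               "(e.g. 'Macros' in .doc), inspect with OLE-aware tooling")
        return result
    if not data.startswith(b"PK\x03\x04"):
        result["notes"].append("not a ZIP container, so not an OOXML document")
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = (zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
                             if CONTENT_TYPES_PART in names else "")
    except zipfile.BadZipFile:
        result["notes"].append("corrupt ZIP container")
        return result
    if not content_types:
        result["notes"].append("ZIP without [Content_Types].xml, not an OOXML document")
        return result
    result["is_ooxml"] = True
    lowered = [n.lower() for n in names]
    # VBA: the binary project part, or the content type that declares it.
    result["vba"] = (any(n.endswith(VBA_PART) for n in lowered)
                     or "vnd.ms-office.vbaProject" in content_types)
    # XLM: Excel 4.0 macro sheets sit in the same package as the ordinary worksheets.
    result["xlm"] = any(n.startswith(XLM_PREFIX) for n in lowered)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if (result["vba"] or result["xlm"]) and ext not in MACRO_ENABLED_EXTS:
        result["notes"].append(f"macro content inside {filename!r}, whose extension does not normally carry macros")
    return result


def _build_container(parts) -> bytes:
    """Build a minimal ZIP/OOXML container in memory from (name, bytes) parts (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts:
            zf.writestr(name, content)
    return buf.getvalue()


_CT_PLAIN = (b'<?xml version="1.0"?>'
             b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
_CT_VBA = (b'<?xml version="1.0"?>'
           b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
           b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           b'</Types>')

# Constructed samples, not real documents: the XML parts are stubs.
CLEAN_DOCX = _build_container([(CONTENT_TYPES_PART, _CT_PLAIN), ("word/document.xml", b"<w:document/>")])
MACRO_DOCM = _build_container([(CONTENT_TYPES_PART, _CT_VBA), ("word/document.xml", b"<w:document/>"),
                               ("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)])
XLM_XLSM = _build_container([(CONTENT_TYPES_PART, _CT_PLAIN), ("xl/workbook.xml", b"<workbook/>"),
                             ("xl/macrosheets/sheet1.xml", b"<xm:macrosheet/>")])
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in (("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM), ("prices.xlsm", XLM_XLSM), ("old.doc", LEGACY_DOC)):
        print(name, inspect_ooxml(blob, name))
```

The check never opens the document in Office, so it is safe to run on an attachment before deciding whether to open it; a "macro content inside a non-macro extension" note is a strong sign the file was renamed to look harmless.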
.JAR and other archive extensions
What’s the danger
The primary function of an archive, compressing many files into one, is itself an attack vector: the archive can be crafted so that unpacking it needs more disk space, memory or CPU than the system can afford (a decompression bomb, for example a few kilobytes that expand to many gigabytes of zeros). Such attacks often use nested archives or a recursive archive, one that unpacks into a copy of itself, so that naive recursive extraction never terminates.
Another danger is that the files in an archive may not be what they appear to be. With nothing more than the rename function of the operating system, a double extension such as "invoice.pdf.exe" or a simple hex editor, an attacker can pass off an executable in an archive as an object with a more innocuous extension; checking the first bytes of the file rather than its name reveals the real type.
Cross-platform malware can infect endpoints running different operating systems with a single file. One cross-platform archive format is JAR, which stores executable code for the Java runtime. If a Java runtime is installed, a .jar file runs as a program when opened. Many desktop applications, development tools and games require the Java runtime, so it is present on many computers. A .jar archive can also land on the device after a visit to a compromised site. The code does not need administrative privileges and runs with the rights of the normal user.
To prevent attacks using archives, in addition to the general measures, it is recommended that you
- Check the file types in their properties before unpacking an archive and running its contents.
- Verify that the icon and the real type of each file inside the archive correspond to the stated extension.
- If you suspect a decompression bomb or a recursive archive, look at the declared uncompressed sizes and compression ratios first, limit the disk space, memory and time available to the extraction process, or inspect the contents in a virtual machine.
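The following Python script is an added example, not code from the original article. It applies the archive checks above, together with the "show file extensions" advice from the general measures, to a ZIP archive without extracting it: magic bytes versus the declared extension, double extensions and right-to-left override characters in member names, declared compression ratio and total size, and nested archives with a depth limit, which is also what stops a recursive archive from being unpacked forever. The budgets and the sample archives are constructed assumptions of this example.

```python
import io
import zipfile

# Leading bytes that identify a member's real type, regardless of its name.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",             # also .jar, .docx, .xlsx, .apk ...
    b"\xd0\xcf\x11\xe0": "ole2-office",
}
EXPECTED_TYPE = {
    "exe": "pe-executable", "dll": "pe-executable", "scr": "pe-executable",
    "pdf": "pdf", "zip": "zip", "jar": "zip", "docx": "zip", "xlsx": "zip",
    "doc": "ole2-office", "xls": "ole2-office",
}
EXEC_EXTS = {"exe", "dll", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "jar", "msi"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Budgets (assumptions of this example; tune them to the environment).
MAX_RATIO = 100                 # flag members that expand more than 100x ...
MIN_SIZE_FOR_RATIO = 1 << 20    # ... but only once they are at least 1 MiB uncompressed
MAX_TOTAL = 500 << 20           # total declared uncompressed size allowed per archive
MAX_NESTED_SIZE = 50 << 20      # never read a nested archive larger than this into memory
MAX_DEPTH = 2                   # archive in archive in archive: stop here (a recursive archive never ends)


def _sniff(head: bytes) -> str:
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data: bytes, depth: int = 0) -> list:
    """Return (kind, detail) findings for a ZIP archive given as bytes, without extracting it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("bad-zip", "<root>")]
    total = 0
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            # Sizes come from the archive headers, i.e. from whoever built the archive:
            # treat them as claims and cap what is really written out at extraction time too.
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size >= MIN_SIZE_FOR_RATIO and ratio > MAX_RATIO:
                findings.append(("high-ratio", f"{name}: {ratio:.0f}x expansion"))
            with zf.open(info) as fh:            # read only the first bytes of the member
                kind = _sniff(fh.read(8))
            expected = EXPECTED_TYPE.get(ext)
            if expected and kind != "unknown" and kind != expected:
                findings.append(("type-mismatch", f"{name}: content is {kind}, name says .{ext}"))
            if len(parts) >= 3 and ext in EXEC_EXTS and parts[-2] in DOC_EXTS:
                findings.append(("double-extension", name))
            if "\u202e" in name:                 # RIGHT-TO-LEFT OVERRIDE reverses the displayed tail of the name
                findings.append(("rtlo-name", name))
            if kind == "zip":
                findings.append(("nested-archive", name))
                if depth + 1 > MAX_DEPTH:
                    findings.append(("nesting-too-deep", name))
                elif info.file_size <= MAX_NESTED_SIZE:
                    inner = inspect_zip(zf.read(info), depth + 1)
                    findings.extend((k, f"{name}/{d}") for k, d in inner)
    if total > MAX_TOTAL:
        findings.append(("total-too-large", f"{total} bytes declared"))
    return findings


def _zip(members) -> bytes:
    """Build a ZIP archive in memory from (name, bytes) members (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60          # only the DOS header magic, not a real program
INNER_ZIP = _zip([("readme.txt", b"hello")])
SAMPLE_ZIP = _zip([
    ("invoice.pdf.exe", _FAKE_PE),                # executable hiding behind a double extension
    ("report.pdf", _FAKE_PE),                     # executable simply renamed to look like a PDF
    ("data.bin", b"\x00" * (2 << 20)),            # 2 MiB of zeros: expands roughly 1000x
    ("attachments.zip", INNER_ZIP),               # archive inside the archive
    ("notes.txt", b"plain text, nothing to see"),
])
# Three levels of nesting, the shape a recursive archive presents before the depth limit stops it.
DEEP_ZIP = _zip([("l1.zip", _zip([("l2.zip", _zip([("l3.zip", INNER_ZIP)]))]))])

if __name__ == "__main__":
    for kind, detail in inspect_zip(SAMPLE_ZIP) + inspect_zip(DEEP_ZIP):
        print(f"{kind:18} {detail}")
```

Only the first eight bytes of each member are decompressed, so the check itself cannot be turned into the bomb it is looking for; the declared sizes are still attacker-controlled, which is why the extraction step needs its own limits as well.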
Most malicious objects are spread through downloads from Web sites or through e-mail attachments. This is not surprising, since email has long been one of the most important means of communication. It can be used to make appointments, send documents and solve personal or business issues in a matter of seconds. A side effect of gaining these benefits is the risk of causing enormous damage in an equally short period of time.
The following basic steps help significantly reduce the risk of a cyberattack and minimize potential losses:
- Use an anti-virus program that is updated regularly and automatically; it recognizes most known malware and helps detect problems. Keep in mind, however, that many unwanted and malicious objects are missed by such programs, especially when they are new or poorly researched.
- Direct contact with the sender: to protect yourself in case the anti-virus program misses something, it is always a good idea to verify over another channel that the attachment actually came from the person or institution it claims to come from.
- Knowledge building: it is important to know the basic facts about file types and their extensions, to have an idea of which ones are more dangerous than others and how to block the possibilities given to an attacker while processing a file of this or that type.