Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of each topic, and the filters can be used to further select the content most relevant to you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Increased use of old bug 'VelvetSweatshop'
Weird science: retro Office glitch strikes again

When it comes to malicious office documents (maldocs) and the exploits they attempt to deploy, what’s old is often used again and again, goes away after Microsoft produces an update, and then (sometimes) resurfaces. For years, SophosLabs has tracked how attackers embed a wide and rapidly changing variety of exploits into maldocs. Newly-disclosed vulnerabilities often find favor among the criminals who use maldocs as a stepping stone to deliver a malware payload, because not everyone installs patches right away, and it sometimes takes a bit of time for security companies to craft an effective “safety net” defense, based on behavior or other characteristics of a novel vector.

Most of the maldocs we’ve seen throughout the past year have been constructed using tools called builders that give attackers a literal point-and-click menu system that lets them decide exactly what exploit(s) to craft into the malicious document. As endpoint protection tools get better at identifying these more modern exploits, which usually involve a script that has been embedded into the document, maldoc creators seem to have dug deep to find a very, very old bug that helps conceal the macros or other malicious content in the documents.

The bug is colloquially known as the VelvetSweatshop exploit, though it really isn’t an exploit at all. In fact, VelvetSweatshop was introduced by Microsoft into Microsoft Office 2003, although we didn’t see it abused until 2013, when Excel workbooks exploiting the CVE-2012-0158 vulnerability were cloaked with the help of the glitch. An Excel spreadsheet or Word .doc marked as “read-only” is just a password-protected document with a stock password of, you guessed it, VelvetSweatshop. We’ve seen a lot of malicious Excel spreadsheets being delivered this year that use the technique as a way to evade advanced threat detection.
Because the document is encrypted, its real malicious content sits behind strong cryptography that scanners cannot break, and cannot inspect unless they support the particular algorithm the attackers used. Because the stock password is in use, Excel decrypts and opens the content without prompting for a password, so from the execution point of view the encryption is transparent. Endpoint security programs added support for the encryption and the default password, but the criminals keep finding additional cryptographic algorithms that have the same feature and are not (yet) implemented by AV scanners.
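The scanner-side consequence of the paragraph above is that a file-scanning pipeline must first notice that an Excel document is encrypted at all, and which encryption variant it uses, before it can try the stock password and inspect the real content. The following is an added example, not code from the Sophos article or from SophosLabs: a small triage routine that checks a file's container type and parses a legacy BIFF8 Workbook stream for the FILEPASS record that marks an encrypted workbook, classifying the scheme (XOR obfuscation, standard RC4, or CryptoAPI RC4) so the pipeline knows which decryption routine it needs. The record layouts follow the public MS-XLS specification; the sample streams are constructed inline and are not real malware. The code assumes the Workbook stream has already been extracted from the compound file (for example with olefile); it does not perform the decryption itself.

```python
import struct

# BIFF record identifiers (MS-XLS). FILEPASS must directly follow BOF in an
# encrypted Workbook stream; every record after it is ciphertext.
BOF = 0x0809
EOF = 0x000A
FILEPASS = 0x002F

# Stock password Excel tries silently before ever prompting the user.
DEFAULT_PASSWORD = "VelvetSweatshop"

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # plain OOXML (.xlsx/.docx) is a ZIP


def triage_container(blob: bytes) -> str:
    """Classify the outer container. A plain .xlsx is a ZIP; an encrypted .xlsx
    (and every legacy .xls/.doc) is wrapped in a CFB container, so a CFB file
    with an OOXML extension is itself worth a second look."""
    if blob.startswith(ZIP_MAGIC):
        return "zip-ooxml"
    if blob.startswith(CFB_MAGIC):
        return "cfb"
    return "other"


def iter_biff_records(stream: bytes):
    """Yield (record_type, payload) pairs from a BIFF stream; stop on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_type, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:          # truncated record: do not guess
            break
        yield rec_type, payload
        pos += 4 + length


def classify_filepass(payload: bytes) -> str:
    """Decode the FILEPASS header: wEncryptionType, then (for RC4) vMajor/vMinor."""
    if len(payload) < 2:
        return "malformed"
    enc_type = struct.unpack_from("<H", payload, 0)[0]
    if enc_type == 0:
        return "xor-obfuscation"           # weak legacy XOR scheme
    if enc_type == 1:
        if len(payload) < 6:
            return "malformed"
        vmajor, vminor = struct.unpack_from("<HH", payload, 2)
        if (vmajor, vminor) == (1, 1):
            return "rc4-standard"          # Office 97/2000-compatible RC4
        if vmajor in (2, 3, 4) and vminor == 2:
            return "rc4-cryptoapi"         # RC4 via CryptoAPI, SHA-1 key derivation
        return f"rc4-unknown-{vmajor}.{vminor}"
    return f"unknown-type-{enc_type}"


def triage_workbook_stream(stream: bytes) -> dict:
    """Report whether a Workbook stream is encrypted and which scheme it uses.
    A scanner that recognises the scheme should attempt DEFAULT_PASSWORD before
    treating the file as opaque, because Excel will open it without a prompt."""
    result = {"encrypted": False, "scheme": None, "try_password": None}
    for rec_type, payload in iter_biff_records(stream):
        if rec_type == FILEPASS:
            result["encrypted"] = True
            result["scheme"] = classify_filepass(payload)
            result["try_password"] = DEFAULT_PASSWORD
            break                           # records after FILEPASS are ciphertext
    return result


def _record(rec_type: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rec_type, len(payload)) + payload


# Constructed sample streams (not real documents): a 16-byte BOF, then either
# an RC4-standard FILEPASS (2 + 4 + 3*16 bytes) followed by opaque bytes, or a
# plain BOF/EOF pair.
SAMPLE_ENCRYPTED_STREAM = (
    _record(BOF, bytes(16))
    + _record(FILEPASS, struct.pack("<HHH", 1, 1, 1) + bytes(48))
    + b"\x00" * 32
)
SAMPLE_PLAIN_STREAM = _record(BOF, bytes(16)) + _record(EOF, b"")

if __name__ == "__main__":
    print(triage_container(CFB_MAGIC + bytes(504)))
    print(triage_workbook_stream(SAMPLE_ENCRYPTED_STREAM))
    print(triage_workbook_stream(SAMPLE_PLAIN_STREAM))
```

The point of reporting the scheme rather than a bare "encrypted" flag is exactly the gap the article describes: a scanner that knows the default password but only implements one of the RC4 variants still cannot see inside a workbook that uses another, so each newly observed scheme has to be mapped to a decryption routine (a library such as msoffcrypto-tool covers the common ones) before the content can be inspected.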
It was quite a surprise to discover a bug old enough that, if it were human, would be in its last year of school. But it’s no surprise that the makers of weaponized document builders would try to take advantage of it.