A simple Excel spreadsheet can be used by criminals to break into enterprise or industrial systems to steal data or sabotage production. Although the risks of running macros in the Office suite are already well known to security analysts, a new type of business-focused attack has caught their attention. One example is FlushTunnel, the name given to an attack campaign identified in May this year by Kaspersky and announced at the Latin American Security Conference, which took place last week. The malware arrives via e-mail, hidden in Excel spreadsheets, and has the potential to attack industries, governments and businesses in various sectors.
Excel spreadsheets and other infected e-mailed files can be used to attack industrial machines. Photo: Divulgação / Kaspersky
The attachment appears to be a normal document, but inside it is a request to enable macros, which by themselves already allow code execution. Once the user gives permission, the attackers can download and execute infected files. That is why this kind of scam is so common.
"The use of Excel is a very common infection vector, especially in targeted attacks. Office files have for many years had the macro function, which, although not a security breach, has been used extensively for malicious purposes," explains Thiago Marques, security analyst at Kaspersky.
The case of FlushTunnel, however, drew the company's attention because it was a targeted campaign, using Excel spreadsheets, with detections inside industrial environments, i.e., on connected machines of the so-called Internet of Things (IoT). It was discovered in May 2019 and focused on the Middle East. Its mode of operation shows that the criminals tried to minimize the chances of the threat being detected, so as to evade antivirus software and go unnoticed. In general, the spreadsheets contained information useful for day-to-day business, but some were just a blank table.
About 6% of attacks on industry come through phishing. Photo: Nicolly Vimercate / TechTudo
In this type of scam, a fake work-related e-mail is sent to a company employee so that the victim downloads and opens the compromised file. According to Kaspersky, this is how most attacks targeting industry arrive: through e-mail attachments. More than 6% of computers in the industrial environment suffered some form of phishing attack in 2018, a 3% increase over the first half of 2018, and Latin America was the region that suffered the most from such threats, according to the antivirus company's survey.
Other common threats in industry are malware that tries to steal data and the interception of the remote access tool used by the company in order to take control of its machines. Unlike conventional cybercrime, where the only goal is to make money, targeted attacks have a more specific motivation behind them, ranging from data theft to sabotage or terrorism. "It's hard to say what the bad guy is specifically looking for, since information capture tools are generally used," Thiago says. "They may want confidential data to sell to other companies, sabotage in order to destroy a particular product, or uncover a company's secret formula or secrets."
Kaspersky alone identified 61 vulnerabilities that could be exploited by criminals in Internet-connected industrial systems in 2018; counting the flaws found by other security companies, that number could be much higher. By the end of the year, only 47% had been corrected.
The attack named FlushTunnel claims its victims through infected Excel spreadsheets. Photo: Disclosure / Kaspersky
This type of malware can also arrive in a quite plausible form, as if the sender were a service provider. In this way, criminals increase the likelihood that the malicious code is executed. "These attacks are not like bank spam, sent to 200,000 people, and if anyone falls for it, great. In industry attacks, criminals gather information to understand who the company's suppliers are and capture some public data (or not) to direct the attack. They try to adjust to the target," warns Thiago.
Despite the ingenuity of criminals, employee unpreparedness may be the biggest vulnerability of companies today. According to a Kaspersky survey, human failure is still responsible for 33% of industry cyber security incidents in Latin America. Add to this Brazil's lead in the ranking of phishing scams for the fourth year in a row, and the result is a dangerous combination.
For Marques, however, the solution lies in raising awareness, not only among workers but within companies as a whole, so that they close their doors to attacks. "We have a very vulnerable industrial sector," he warns, drawing attention to the process adopted by many companies, which buy expensive computers that are installed by foreigners. "After these professionals are gone, no one wants to touch that machine anymore for fear of breaking it. It is a very expensive device connected to the Internet, but without any kind of update, protection or maintenance, exposing the structure of the company. I need to take security more seriously, have technology people to do security analysis and understand: what risks am I taking on along with this equipment?" he concludes.
* The journalist traveled to Argentina at Kaspersky's invitation