After almost 16 years of little use, one of the most popular types of viruses from the 1990s is back — and this time around, it’s distributing ransomware.
Macro attacks, which add malicious code to the automated task software in Microsoft Office, were a favorite among hackers in the late ’90s, allowing them to easily breach public and private sector systems. But Microsoft caught on, and as more advanced malware like worms became popular, macro attacks became a far-off memory.
Now, according to the Department of Homeland Security’s United States Computer Emergency Readiness Team, the virus is resurging, spreading wherever Microsoft Office programs are found. In the first quarter of 2016, there were 450,000 total cases of macro malware, according to a McAfee Labs report — up about 300,000 cases from the same time in 2014.
“When you realize they are affecting Microsoft Office software in general, then obviously the federal government is affected,” Will Dormann, vulnerability analyst with Carnegie Mellon University’s Software Engineering Institute CERT Division, told FedScoop.
Attackers have returned to macro attacks because they offer the best “rate of return,” he said. The danger lies in their flexibility: For little work, macro attacks can cause problems ranging from corrupted data to stolen information and even ransomware. The attacks take advantage of macros, which let users group a series of commands and instructions together as a single automated command.
“There is a definite connection between computers getting ransomware and the use of Office macros,” Dormann said.
While macro-related malware is a daily occurrence, federal agencies have so far been able to avoid major breaches or ransomware attacks that trace back to macros, Vincent Weafer, vice president of McAfee Labs at Intel Security Group, told FedScoop. Since the late ’90s, Microsoft has disabled most macros by default and issues security warnings if they are turned back on.
Still, warnings are easy to accidentally ignore in recent versions, Dormann said in a blog post. In Office 2010, 2013 and 2016 for example, the pop-up warning is small and unclear about the dangers. Agencies and employees often get so inundated with emails or warnings, they get “dialogue fatigue” and may ignore warning signals. Many macro-based attackers also use phishing scams to try to get victims to enable macro programs, Weafer said.
“Macros are an effective way to execute malicious content,” Weafer said. “Agencies and companies have so many emails and information coming in, it can get hard to tell what could be malicious. And even though security can often stop the problems, it’s something everyone is dealing with.”
But a lot has changed since Melissa. With more education and security protocols, Weafer said, something as catastrophic probably wouldn’t happen again.
To stop macro attacks, just letting people know about them might not be enough, Dormann said. He recommended agencies completely shut down macro capabilities for workers unless they are completely necessary. A brief mention or notice to be careful about enabling unknown macros could help prevent a huge cyber headache in the future.
“That’s not to say nobody should ever be running macros ever,” Dormann said. “The real call to action is to disable Microsoft Office macros and enabling the macros as necessary.”
Correction: June 27, 2016 — An earlier version of this story misstated Will Dormann’s affiliation. Dormann is a vulnerability analyst with Carnegie Mellon University’s Software Engineering Institute CERT Division.
Contact the reporter on this story via email: Jeremy.Snow@FedScoop.com.