DDE: What It Is, What It Does, and How to Defend Against Attackers Who May Exploit It

Microsoft released Security Advisory 4053440 that provides guidance on securing Dynamic Data Exchange (DDE) fields in Microsoft Office applications. This comes on the heels of the recently reported attacks and Proofs of Concept (PoCs) that leveraged DDE.  Here’s what users and enterprises need to know about DDE and what can be done to defend against attackers who may leverage it.

What is DDE?

The DDE protocol is a set of messages and guidelines that allows applications to exchange or share data within operating systems. DDE sends messages between applications that share data and uses shared memory to exchange data between applications. It is considered one of the best options for communication and data exchange if ongoing user interaction is not required.

DDE was introduced in Windows 2.0 back in 1987 and currently used by thousands of applications such as Microsoft Word, Microsoft Excel, and Visual Basic.

DDE can be used to implement a broad range of application features that include linking to real-time data such as stock market updates, scientific instruments, or process control. It is also used in creating compound documents, such as a word processor document that includes a chart produced by a graphics application. In this instance, DDE updates the data on the chart when the source data is changed, while the rest of the document remains the same.

Moreover, DDE can perform data queries between applications, such as a spreadsheet querying a database for accounts past due.

How is DDE being exploited?

Microsoft said that in an email attack scenario, an attacker could exploit the DDE protocol by sending the user a specially crafted file that has to be opened in an application that supports DDE.  The attacker typically uses social engineering tactics to convince the user to open the file. The attacker then has to trick the user into disabling Protected Mode and click through one or more additional prompts.

Reported attacks and PoCs

Pawn Storm (a.k.a. Fancy Bear, APT28, Sofacy, and STRONTIUM) made headlines again after security researchers revealed details regarding its latest cyberespionage campaign. The group’s latest spear phishing campaign involves the abuse of DDE to invoke the command prompt to run PowerShell commands. The commands will then retrieve and help execute a payload that profiles the affected machine. 

Researchers from Cisco’s Talos have also discovered an attack campaign that spread malware-carrying Microsoft Word documents that perform code execution on the targeted device without the need to enable macros or corrupt memory. The researchers observed that the technique was actively being exploited in the wild by hackers targeting several organizations using spear phishing emails supposedly from the Securities and Exchange Commission (SEC). 

Meanwhile, a PoC by researchers from SensePost revealed that popping a remote SYSTEM shell from an unprivileged user Excel sheet using DDE commands will remotely load and execute a modified MS16-032 Powershell module to get a reverse SYSTEM shell.

Researchers have known about the possibility of compromising a computer using malicious DDE formulas as early as 2014. By specifying creative arguments and a magic number, a ‘link’ can be created that, when opened, can hijack a computer. 

How to defend against DDE attacks

Microsoft’s advisory notes that in the case of Windows 10 Fall Creators Update, users are protected against DDE attacks by the Attack Surface Reduction (ASR) mitigation included in Windows Defender Exploit Guard. For users who do not have it, the company strongly recommends they exercise caution when opening suspicious file attachments. Users can follow these best practices for defending against phishing attacks that may leverage the DDE protocol.

IT/sysadmins can secure the email gateway by adding a layer of security mechanisms to further defend against attackers that abuse legitimate protocols like DDE. They can also set up a central point for reporting suspicious email as an avenue for employees to report all suspicious email in a convenient and accessible manner. Enabling a sandbox that can analyze the various routines and behaviors of the malware can also help identify the obfuscation or evasion tactics that threats can use.

[Related: How can you protect legitimate tools and services from being exploited?]

In addition, Trend Micro provides comprehensive protection against threats that abuse DDE via Deep Discovery™ (which includes Deep Discovery™ Email Inspector), and Deep Security, as well as InterScan™ Messaging Security and InterScan™ Web Security, which are part of Trend Micro’s Smart Protection Suites.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.