{"id":4339,"date":"2023-02-05T14:31:04","date_gmt":"2023-02-05T13:31:04","guid":{"rendered":"https:\/\/sajberinfo.com\/?p=4339"},"modified":"2023-02-05T14:59:26","modified_gmt":"2023-02-05T13:59:26","slug":"zloupotreba-microsoft-visual-studio-dodataka-za-ms-office","status":"publish","type":"post","link":"https:\/\/sajberinfo.com\/en\/2023\/02\/05\/zloupotreba-microsoft-visual-studio-dodataka-za-ms-office\/","title":{"rendered":"Abuse of Microsoft Visual Studio add-ins for MS Office"},"content":{"rendered":"<p><span style=\"font-size: 14pt;\">Security researchers have observed the abuse of <em>Microsoft Visual Studio<\/em> add-ins for the <em>Microsoft Office<\/em> suite as a means of gaining a foothold on a machine and executing arbitrary code.<\/span><\/p>\n<div id=\"attachment_4342\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4342\" class=\"size-full wp-image-4342\" src=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/vsto.jpg\" alt=\"VSTO abuse\" width=\"1024\" height=\"657\" srcset=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/vsto.jpg 1024w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/vsto-300x192.jpg 300w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/vsto-768x493.jpg 768w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/vsto-18x12.jpg 18w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><p id=\"caption-attachment-4342\" class=\"wp-caption-text\"><em>Abuse of Microsoft Visual Studio add-ins for MS Office, Source: <\/em><a href=\"https:\/\/www.clipartkey.com\/view\/hRmRxT_computer-viruses-illustration-virus-in-network-security\/\" target=\"_blank\" rel=\"noopener\"><em>Clipartkey<\/em><\/a><\/p><\/div>\n<p><span style=\"font-size: 14pt;\">Ever since <em>Microsoft<\/em>, in July of last year, began blocking <em>macros<\/em> by default in <em>Office<\/em> documents obtained from the internet, distributing malware through such documents has become unreliable for attackers. They quickly moved on to other file formats, such as <em>ISO<\/em> images, password-protected <em>ZIP<\/em> archives and <em>LNK<\/em> shortcuts, to spread their malware.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Now <a href=\"https:\/\/www.deepinstinct.com\/blog\/no-macro-no-worries-vsto-being-weaponized-by-threat-actors\" target=\"_blank\" rel=\"noopener\">security researchers at <em>Deep Instinct<\/em><\/a> have found that attackers are building <em>.NET<\/em>-based malware and packaging it as <em>Microsoft Visual Studio Tools for Office (VSTO)<\/em> add-ins for the <em>Office<\/em> suite.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-size: 14pt;\"><strong>What is <em>Microsoft Visual Studio Tools for Office (VSTO)<\/em>?<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\">It is a development toolset that ships with the <em>Microsoft Visual Studio IDE<\/em>. It is used to build <em>Office<\/em> add-ins in the <em>.NET<\/em> framework and to produce <em>Office<\/em> documents that deliver those add-ins. An add-in can be tied to a specific application in the Office suite (an application-level add-in), loading together with it and extending its functionality, or attached to a particular document (a document-level customization). 
<em>VSTO<\/em> add-ins can be loaded locally from an <em>Office<\/em> document or from a remote location when the document is opened; the remote variant, however, requires some of Office's security mechanisms to be switched off.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h3><span style=\"font-size: 14pt;\"><strong>Attacking with <em>VSTO<\/em><\/strong><\/span><\/h3>\n<p><span style=\"font-size: 14pt;\">So far attackers mostly use the local <em>VSTO<\/em> approach, which does not require bypassing any security mechanism for the add-in to load. A smaller number of attacks using remote <em>VSTO<\/em> loading have nevertheless been observed. When a document crafted to deliver a <em>VSTO<\/em> add-in is opened, a dialog appears asking the user to install the add-in. To get the user to click through it, attackers use the same trick as in <em>VBA<\/em> macro attacks: a decoy message inside the document instructing the user to allow the installation.<\/span><\/p>\n<div id=\"attachment_4344\" style=\"width: 604px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4344\" class=\"size-full wp-image-4344\" src=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/fig04-word-doc-prompts-user-to-allow-add-in.webp\" alt=\"Message to trick users VSTO install\" width=\"594\" height=\"228\" srcset=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/fig04-word-doc-prompts-user-to-allow-add-in.webp 594w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/fig04-word-doc-prompts-user-to-allow-add-in-300x115.webp 300w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/fig04-word-doc-prompts-user-to-allow-add-in-18x7.webp 18w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><p id=\"caption-attachment-4344\" class=\"wp-caption-text\"><em>Message for Spanish-speaking users to trick them into installing a malicious add-in; Source: <\/em><a 
href=\"https:\/\/www.deepinstinct.com\/blog\/no-macro-no-worries-vsto-being-weaponized-by-threat-actors\" target=\"_blank\" rel=\"noopener\"><em>Deep Instinct<\/em><\/a><\/p><\/div>\n<p>&nbsp;<\/p>\n<div id=\"attachment_4345\" style=\"width: 590px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4345\" class=\"size-full wp-image-4345\" src=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/install-prompt.webp\" alt=\"install prompt VSTO\" width=\"580\" height=\"289\" srcset=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/install-prompt.webp 580w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/install-prompt-300x149.webp 300w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/02\/install-prompt-18x9.webp 18w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><p id=\"caption-attachment-4345\" class=\"wp-caption-text\"><em>Installation dialog served to the victim; Source: <\/em><a href=\"https:\/\/www.deepinstinct.com\/blog\/no-macro-no-worries-vsto-being-weaponized-by-threat-actors\" target=\"_blank\" rel=\"noopener\"><em>Deep Instinct<\/em><\/a><\/p><\/div>\n<p><span style=\"font-size: 14pt;\">In one attack the researchers observed, accepting the installation led to arbitrary <em>PowerShell<\/em> code being executed on the device. In another, which used a remote <em>VSTO<\/em> add-in, the installation ran a specially prepared <em>DLL<\/em> that downloaded a password-protected <em>ZIP<\/em> archive. The researchers were not able to obtain the complete installation chain, so how it works end to end is not fully understood.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">To explore this further, the researchers built a proof-of-concept (<em>PoC<\/em>). 
<a href=\"https:\/\/github.com\/deepinstinct\/VSTO-POC\" target=\"_blank\" rel=\"noopener\">In this PoC<\/a> they set out to show how attackers use <em>VSTO<\/em> to deliver malware and gain a foothold on the compromised device. They deliberately made the delivery method easy to detect, but further testing showed that <em>Windows Defender<\/em> could not detect any of the other components of the PoC.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4><span style=\"font-size: 14pt;\"><strong>Conclusion<\/strong><\/span><\/h4>\n<p><span style=\"font-size: 14pt;\">The researchers expect more threat actors to adopt <em>VSTO<\/em> as an attack vector. They believe this could include <a href=\"https:\/\/sajberinfo.com\/en\/2020\/12\/08\/apt-sponzorisani-napadi\/\" target=\"_blank\" rel=\"noopener\"><em>APT<\/em> groups<\/a> and other \u201c<em>more advanced<\/em>\u201d attackers, given their skill level and their ability to get past <em>Windows<\/em> security mechanisms by signing the add-in with valid digital certificates.<\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>Security researchers have observed the abuse of Microsoft Visual Studio add-ins for the Microsoft Office suite as a means of gaining a foothold on a machine and executing arbitrary code. 
Ever since Microsoft, in July of last year, began blocking by default&#46;&#46;&#46;<\/p>","protected":false},"author":1,"featured_media":4342,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[130,268,269,126,270],"class_list":["post-4339","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hronike","tag-microsoft","tag-visual-studio","tag-vsto","tag-vulnerability","tag-windows-defender"],"_links":{"self":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/4339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/comments?post=4339"}],"version-history":[{"count":0,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/4339\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media\/4342"}],"wp:attachment":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media?parent=4339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/categories?post=4339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/tags?post=4339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
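The article's "What is VSTO" and "Attacking with VSTO" sections say a document can carry a VSTO add-in reference that points either at a local manifest or at a remote location. The following is an added example, not code from the article, from Deep Instinct or from the VSTO-POC repository: it shows where that reference lives and how a triage script can tell the two cases apart. It relies on the documented fact that a document-level VSTO customization is wired up through two custom document properties in `docProps/custom.xml` of the OOXML package, `_AssemblyLocation` (the path or URL of the `.vsto` deployment manifest, with a `|vstolocal` suffix for local deployment) and `_AssemblyName`. The sample documents, the `example.invalid` host, the `fileserver` share and the `Invoice.vsto` name are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Namespaces used by docProps/custom.xml in OOXML packages.
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Custom document properties Office reads to locate a document-level VSTO
# customization; _AssemblyLocation points at the .vsto deployment manifest.
VSTO_PROPS = ("_AssemblyLocation", "_AssemblyName")


def build_docx(assembly_location: Optional[str]) -> bytes:
    """Constructed sample: a minimal .docx package that carries (or, when
    assembly_location is None, lacks) the VSTO custom properties.
    Only the package parts needed for this check are included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if assembly_location is not None:
            custom_xml = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">'
                '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
                f'name="_AssemblyLocation"><vt:lpwstr>{escape(assembly_location)}</vt:lpwstr></property>'
                '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" '
                'name="_AssemblyName"><vt:lpwstr>*</vt:lpwstr></property>'
                "</Properties>"
            )
            z.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


def vsto_properties(docx_bytes: bytes) -> Dict[str, str]:
    """Return the VSTO-related custom document properties found in the package."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return found
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        name = prop.get("name", "")
        if name in VSTO_PROPS:
            value = prop.find(f"{{{VT_NS}}}lpwstr")
            found[name] = (value.text or "") if value is not None else ""
    return found


def classify(docx_bytes: bytes) -> str:
    """'none'   - no VSTO customization reference in the document
       'local'  - manifest on the local filesystem (typically '|vstolocal')
       'remote' - manifest fetched over HTTP(S)/FTP or from a UNC share"""
    location = vsto_properties(docx_bytes).get("_AssemblyLocation", "")
    if not location:
        return "none"
    manifest = location.split("|", 1)[0].strip()   # drop the '|vstolocal' marker
    scheme = urlparse(manifest).scheme.lower()
    if scheme in ("http", "https", "ftp") or manifest.startswith("\\\\"):
        return "remote"
    return "local"


if __name__ == "__main__":
    samples = {
        "remote-https": "https://cdn.example.invalid/addins/Invoice.vsto",
        "remote-unc": "\\\\fileserver\\share\\Invoice.vsto",
        "local": "C:\\Users\\victim\\Downloads\\Invoice.vsto|vstolocal",
        "clean": None,
    }
    for label, loc in samples.items():
        print(f"{label:13s} -> {classify(build_docx(loc))}")
```

Pointing `vsto_properties` at a real attachment tells you immediately whether the file is a plain document or a VSTO carrier, and `classify` tells you whether opening it would fetch the manifest from elsewhere. A `|vstolocal` reference is not proof of malice on its own, since legitimate document-level customizations use it too; treat the presence of `_AssemblyLocation` in a document that arrived from outside the organisation as a hunting signal and inspect the referenced manifest and the assembly it names.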