Cybercriminals Exploiting Microsoft’s Vulnerable Dynamic Data Exchange Protocol
Credit to Author: FortiGuard SE Team | Date: Fri, 17 Nov 2017 18:40:59 +0000
Visa Payment Systems Intelligence recently announced that cybercriminals are threatening the payments ecosystem by leveraging a vulnerable Microsoft Dynamic Data Exchange protocol in phishing campaigns. This phishing attack relies on the Dynamic Data Exchange (DDE) protocol for infection instead of the usual malicious macros or an exploit kit.
This exploit is related to Microsoft Security Advisory 4053440, issued on November 8, 2017, which provides guidance on securing Microsoft applications when processing Dynamic Data Exchange (DDE) fields. The DDE protocol lets Microsoft applications send messages to one another and exchange shared data. According to the advisory, malicious cyber actors could leverage the DDE protocol by delivering specially crafted files to users through phishing and web-based downloads.
Microsoft’s security advisory 4053440 covers zero-day attacks that were reported and patched in CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.
FortiGuard Labs has issued three IPS signatures that defend our customers against these attacks:
- Adobe.Flash.Malformed.Object.Inheritance.Memory.Corruption
- MS.DotNET.Framework.SOAP.Remote.Code.Execution
- MS.Office.OOXML.Parsing.Type.Confusion.Memory.Corruption
Additionally, our FortiClient agent successfully defends against these attacks with the following application protection signatures:
As always, the FortiGuard Labs team recommends that, in addition to employing the protections provided by our security solutions, customers actively patch or replace vulnerable systems. We also strongly recommend that users exercise caution when opening suspicious files.