Microsoft disables VBA macros in Office by default following years of complaints


Connor Jones

8 Feb, 2022

Microsoft has announced it will disable all Visual Basic for Applications (VBA) macros obtained from the internet in Office documents by default, in a bid to tackle widespread exploitation of the method for malware and ransomware delivery.

Cyber security experts have long called on Microsoft to change its approach to VBA macros, and the move has been greeted positively by nearly all corners of the industry. The default setting will be applied to five Microsoft Office products – Word, Excel, PowerPoint, Visio, and Access – and will start rolling out to Windows users in April 2022 with the Version 2203 update via the Current Channel (preview).

The change will be available in other update channels at an unspecified later date, including in Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 will also eventually all receive the update.

VBA macros are commonly used in Microsoft Office products to automate repetitive manual tasks and are especially commonplace in industries like accounting and finance, for example to expedite work in spreadsheets.

Cyber attackers are also commonly drawn to the feature to launch cyber attacks or distribute malware, a technique most often seen in phishing attacks. A common scenario would see an attacker send a phishing email to an individual’s work account with a seemingly innocuous Office document attached.

Image credit: Microsoft

Once the document is downloaded and opened, the user is presented with a notification in the toolbar prompting them to ‘enable content’, which would see the macro run and whatever malicious payload is associated with it downloaded and installed.

Figures from Netskope’s January Cloud Threat Report revealed that the use of Microsoft Office documents related to malware downloads increased to 37% by the end of 2021, compared to 19% at the start of 2020.

“A wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code,” said Tom Gallagher, partner group engineering manager at Office Security. “Usually, the malicious code is part of a document that originates from the internet (email attachment, link, internet download, etc.). Once enabled, the malicious code gains access to the identity, documents, and network of the person who enabled it.”

Microsoft is changing the default behaviour of macros in five Office applications so that users will no longer be able to enable them with one click of a mouse. Instead, users will now be presented with a button encouraging them to click and learn more about the potential impacts of enabling macros, and what malicious ones can achieve on a corporate network.

“The default is more secure and is expected to keep more users safe including home users and information workers in managed organisations,” Microsoft said.

Community reaction

The cyber security community has come out in droves to support the move from Microsoft, a move that some corners of the industry have requested for some time. As recently as the weekend, the topic resurfaced on social media with experts calling for a change in approach to macros.

Malware campaigns launched through phishing attacks are typically the chief exploiters of VBA macros; the newly resurfaced Emotet campaign, for example, relies on the method as a key entry point. Experts believe the move will reduce the number of cyber attacks on businesses significantly.

“The implications of turning Macros off by default is a huge win for security as it significantly reduces the potential victim scope of macro-based attacks for cybercriminals,” said Joseph Carson, chief security scientist at Delinea to IT Pro.

“In the past, we relied heavily on users to make security decisions on macros with a warning – this can potentially reduce the risks from curious employees who may just accept the warning and run the macro that could result in stolen credentials or a fully compromised machine. The issue lies in how quickly organisations can upgrade to this version as office upgrades can typically take a long time, though at least those who have moved to cloud solutions should benefit sooner.”

Other experts have said malicious macros account for “about 25% of all ransomware entry” – a figure they describe as “conservative” mostly related to larger ransomware organisations like the ones most recently targeted by international law enforcement.

Real-world applicability

Some corners of the industry have raised concerns about how easy it will be for businesses to enforce the new default rules for Office documents, given the entrenched culture of macro use in certain industries.

Security experts have said certain users who rely on macros for significant areas of their job, such as accountants, will likely complain to IT departments asking for the default to be reverted to the one-click functionality of before, despite the risks.

Others disagree, saying the difference will only add a small layer of friction to normal processes. Magni Reynir Sigurðsson, senior manager of detection technologies at Cyren, said: “this will not affect industries that rely on documents using macros, they will just have to take the extra step of enabling them file by file for specific files they do trust”.

“For those industries that heavily rely on macros such as financial or accounting industries, the hope is that Microsoft will, at last, make it simple enough for individuals to turn it on for on-demand purposes on approved documents and scanned documents,” added Carson.

Administrator options

There are a number of policies available to system administrators who wish to apply the new macro settings in a way that suits their business. Such policies include:

  • Blocking macros from running in Office files from the Internet – Microsoft recommends enabling this policy; organisations that already have it enabled will not be affected by the default change
  • Opening files from a Trusted Location
  • Opening files with digitally signed macros and providing the certificate to the user, who then installs it as a Trusted Publisher on their local machine

Image credit: Microsoft

The image above outlines the evaluation flow for Office files with VBA macros and Mark of the Web (MOTW) – an attribute Windows adds to files when they are obtained from an untrusted location.
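The following PowerShell script is an added example for administrators assessing where they stand before the default change; it is not from the article or from Microsoft. It inventories macro-capable Office files under a folder and reads each file's Mark of the Web (the `Zone.Identifier` alternate data stream, where ZoneId 3 means Internet and 4 means Restricted sites), then reports, for the five affected applications, whether the "block macros from the Internet" policy is already set and which Trusted Locations are configured. The scan path, the Office `16.0` registry hive, and the per-application subkey names (`word`, `excel`, `powerpoint`, `visio`, `access`) are assumptions; check them against Microsoft's admin documentation for your deployment.

```powershell
# Added example, not part of the article or of Microsoft's documentation.
# Assumptions: Office 16.0 registry hive, user-scoped policy values, and a
# scan folder supplied by the caller (defaults to the Downloads directory).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed folder to scan
)

# Extensions that can carry VBA: macro-enabled formats plus legacy binary formats.
$macroExtensions = @('.docm', '.dotm', '.xlsm', '.xltm', '.xlam', '.pptm', '.potm',
                     '.ppam', '.vsdm', '.vssm', '.vstm', '.accdb', '.doc', '.xls', '.ppt')

function Get-MotwZone {
    param([string]$File)
    # Mark of the Web is stored in the Zone.Identifier alternate data stream (NTFS only).
    try {
        $stream = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no stream: Windows did not tag this file as downloaded
    }
    $line = $stream | Where-Object { $_ -match '^ZoneId=(\d)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
    return $null
}

Write-Host "Macro-capable files under $Path and their MOTW zone:"
Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $macroExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-MotwZone -File $_.FullName
        [pscustomobject]@{
            File             = $_.FullName
            ZoneId           = $zone
            # Zones 3 (Internet) and 4 (Restricted) are what the new default blocks.
            BlockedByDefault = ($zone -eq 3 -or $zone -eq 4)
        }
    } | Format-Table -AutoSize

# Per-application policy state. Value 1 on blockcontentexecutionfrominternet means
# macros in internet-sourced files are blocked outright rather than merely disabled
# behind an "enable content" prompt. Subkey names below are assumed; verify them.
$apps = 'word', 'excel', 'powerpoint', 'visio', 'access'
foreach ($app in $apps) {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $value = (Get-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $state = if ($value -eq 1) { 'blocked by policy (unaffected by the default change)' }
             elseif ($null -eq $value) { 'not configured (will follow the new default)' }
             else { "policy value $value" }
    "{0,-11} {1}" -f $app, $state

    # Trusted Locations: files opened from these paths bypass the internet-macro block,
    # so each entry is worth reviewing. Key path is assumed.
    $tlKey = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Trusted Locations"
    if (Test-Path -Path $tlKey) {
        Get-ChildItem -Path $tlKey | ForEach-Object {
            $loc = Get-ItemProperty -Path $_.PSPath
            if ($loc.Path) { "            trusted location: $($loc.Path)" }
        }
    }
}
```

Run it from a normal user session (the policy values it reads are user-scoped); the first table shows which downloaded files would stop running macros under the new default, and the second section shows whether the organisation already enforces the block and where Trusted Locations widen the exception. Machine-scoped policies under HKLM and per-user overrides set through Group Policy are not covered by this script.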

Administrators can read more about how the change affects their environments in Microsoft’s dedicated article for Office admins.

AWS shakes off outages with 40% surge in revenue


Bobby Hellard

4 Feb, 2022

Amazon Web Services (AWS) reported 40% revenue growth year-on-year despite enduring a quarter marred by outages. 

The cloud arm of Amazon generated $17.8 billion in the fourth quarter of 2021, once again boosting the overall earnings of its parent company. 

The online retail giant reported profits of $14.32 billion on Thursday with sales up 24%. However, almost 13% of Amazon’s total revenue came from AWS and 153% of its overall operating income has been attributed to cloud services. 

“On the growth rate, I think it’s a combination of things. We’ve been adding resources in sales and marketing over the last two years, and that is starting to pay off,” Brian Olsavsky, Amazon’s finance chief, said during a conference call with analysts.

Its continued growth is all the more impressive considering the service was shaken by major outages over the fourth quarter. Each became headline news around the world because they underlined the dominance of AWS and the risks associated with having so many services reliant on a single cloud vendor.

However, while AWS still accounts for a third of the worldwide market it should be looking over its shoulder at the “truly impressive growth” of Microsoft and Google Cloud, according to SRG Research’s chief analyst John Dale.

“It has taken Microsoft 18 quarters to double its market share, which has now passed the 21% mark,” Dale told IT Pro. “Despite a relatively late start, Google too is now accelerating the pace of its cloud activities. Its market share remains at less than half that of Microsoft, but it continues to post some strong growth numbers.”

While Google Cloud is mopping up market share, the service is still some way off profitability, with the business posting a loss of $3.1 billion for 2021.

Google Cloud adds cryptomining protection following widespread exploitation


Connor Jones

8 Feb, 2022

Google Cloud has launched a new threat detection solution for Google Cloud Platform (GCP) specifically designed to tackle the mounting cases of cryptomining malware operating through compromised cloud instances.

Google Cloud said the Virtual Machine Threat Detection (VMTD) is a first-to-market solution from a major cloud provider, now available in public preview as an added security layer within Security Command Center (SCC) Premium.

Virtual machine-based computing accounts for a significant portion of businesses’ operations running in the cloud and according to a November 2021 threat intelligence report from Google Cloud, cryptomining activity was observed in 86% of all compromised GCP instances, making it the leading issue affecting Google Cloud customers.

The time it took for attackers to install this financially-motivated malware was quick, too, with more than half of cases (58%) seeing malware installed within just 22 seconds of compromising the platform.

Google Cloud said in most cases, this was due to exploitation of poor customer security practices or vulnerable third-party software. Leveraging the power of cloud computing can improve the efficiency of cryptomining malware due to its scalable nature, potentially raising monthly cloud bills for businesses by a large sum.

“The economy of scale enabled by the cloud can help fundamentally change the way security is executed for any business operating in today’s threat landscape,” said Timothy Peacock, product manager at Google Cloud. “As more companies adopt cloud technologies, security solutions built into cloud platforms help address emerging threats for more and more organisations.

“VMTD is one of the ways we protect our Google Cloud Platform customers against growing attacks like coin mining, data exfiltration, and ransomware,” he added.

Now available in public preview, VMTD currently detects cryptomining attacks; as it moves closer to general availability, Google Cloud said customers can expect a steady release of new detection capabilities that will integrate with other parts of GCP.

Google Cloud said VMTD complements the threat detection capabilities of the existing Event Threat Detection and Container Threat Detection products, providing cover for compute while the other services cover areas like Kubernetes, identity, managed services, networking, and APIs.

Agentless approach

Google Cloud’s VMTD provides memory scanning for customers on an agentless basis, which means GCP users can expect a smaller performance impact, lowered operational burden, and a less-exposed attack surface.

This is unlike a traditional endpoint security model which involves running additional software inside virtual machines to gather signals and telemetry. Instead, Google Cloud said it ‘instruments the hypervisor’ – the underlying software that “orchestrates” its virtual machines – to include threat detection that’s difficult to tamper with.

TikTok, Euromoney CISOs say retraining staff now critical to cloud success


Connor Jones

4 Feb, 2022

Security heads at some of the world’s largest companies have revealed how they managed to stave off the cloud skills crunch by retraining staff to fill some of the most sought-after roles in the industry.

Speaking at cyber security firm Check Point’s CPX 360 conference this week, the CISOs of media giant TikTok, and business and financial information company Euromoney Institutional Investor, said they both resorted to upskilling existing staff in order to support their move to the cloud.

Martyn Booth has held the CISO position at Euromoney for six years and said that during his time business objectives such as costs and efficiencies drove the cloud transition initially, but the company found it difficult to attract the right security talent.

Now with 70% of Euromoney’s business running in the cloud, he said specialised cloud security talent is needed and security-specific cloud skills are still scarce, years after his original search for talent.

“Having access to people that knew what they were doing was always going to be a bit of a challenge,” said Booth in a one-on-one interview with Check Point. “So, we’ve had to skill-up people quite quickly, rather than just go to market because some of those people weren’t available and then use those people to protect those environments.”

Non-technical people in the business typically think one security professional is full-purpose and can cover the full breadth of what’s required but this isn’t the case, he said.

The key to this successful internal upskilling program, he added, was having hungry staff – people within the security side of the business that wanted to learn new skills.

“We had some people that were interested in doing it, it suited me for them to do it, so it was a reciprocal arrangement, really – that they wanted to learn something new and it’s something that I needed them to know,” said Booth.

“So, we took the decision to train people internally, and those people now will probably consider themselves, and I would consider them, as cloud security experts. Before, we had a very limited ability to manage that internally.”

TikTok’s CISO, Roland Cloutier, told of a similar experience at the cloud-first media platform, and its “multi-pronged approach” to talent acquisition that covers numerous pipelines.

Such pipelines include higher education partnerships, early education, outside hires from adjacent industries such as government and the military, and internal hires – both from a security background and from wider areas of the business looking for a change in career path.

“We have to create a pipeline that’s 10 years out… and then internally, one of our focus areas, being a converged security organisation, is where do our practitioners want to go,” said Cloutier.

“Maybe you’re in risk management today, but tomorrow, you want to be leadership in the fusion centre – what does that career progression look like for you. So we spend a lot of time focusing on where our people want to go, and how that’s going to help our pipeline going forward,” he added.

“And of course, when we find super great people that are looking to join TikTok, they’re coming even potentially from other areas within the business; it’s always great to give those opportunities as well.”

Cloud security’s extreme skills shortage

The shortage of talent in the wider technology industry is well documented and has been widening for years, but the shortage is especially apparent in cloud computing – a newer technology that is still struggling to attract professionals en masse.

“It’s a fairly new technology, and it’s a complex technology, so the knowledge gaps there are huge and it means critical data is really in danger,” said Maya Horowitz, VP of research at Check Point, speaking to IT Pro.

“The ones that really are cloud experts, they are so rare that they go to work for pure cloud companies and there aren’t enough left for other organisations… definitely, we’re in shortage of cloud experts.”

The anecdotal reports are backed by research with HashiCorp figures showing more than half of IT organisations (57%) think a skills shortage is the primary challenge in cloud adoption, and nearly half (47%) said security is a top cloud inhibitor too.

Cisco launches suite of products aimed at improving enterprise campus networks


Danny Bradbury

4 Feb, 2022

Cisco has announced a range of services and products to support hybrid working, including a private 5G service for enterprises and new high-performance Wi-Fi access points tailored for enterprise campus environments.

The announcements focus on bolstering on-site enterprise networks to improve performance and accessibility for hybrid workers when they come to the office.

They target network infrastructures capable of supporting emerging business applications, including higher-resolution video traffic and immersive interfaces, Cisco said.

The private 5G service includes both 5G radio and Wi-Fi capabilities. Offered on a pay-as-you-go subscription model, the service is designed to minimize initial customer investment, and work is being done with third-party service providers to scope out customer environments and create tailored packages, Cisco explained.

Cisco will manage the cellular part of the solution, and customers use a cloud-based management portal to monitor and manage policy and enterprise networking devices, the vendor added. It also includes identity management, with secure access policies that allow users to access only the resources they need.

The company launched Wi-Fi 6E access points targeting hybrid business environments. Wi-Fi 6E extends Wi-Fi 6 into the 6GHz radio spectrum for faster speeds and reduced radio interference from other Wi-Fi devices. Cisco expects this to be useful for applications including augmented and virtual reality, which require high bandwidth and low latency.

The Meraki MR57 is a cloud-managed device featuring gigabit speeds. It offers radio optimization with multi-antenna MU-MIMO support and measures local metrics, including visit lengths and repeat visit rates so that administrators can measure performance across different campus locations over time.

Cisco also expanded its own line of silicon to power its Catalyst switches. Silicon One, its own ASIC architecture launched in December 2019, was its attempt to create a single silicon architecture that could be used in multiple products across the network. It was previously only available in service provider switches and routers, but now it will be available in its enterprise-class products, the company said.

This brings 400 Gbit capabilities into lower form-factor devices for enterprise campus environments with lower power demands, executives said.

The first products to get it are the Catalyst 9500X and 9600X switches, also announced on Thursday.

Cisco has already made forays into more immersive interfaces for hybrid workers. It recently announced plans for augmented reality capabilities in its Webex conferencing platform. Participants could see hologram-like video of each other using augmented reality headsets, it said.

Cloudflare opens $3,000 bug bounty program to the public


Praharsha Anand

3 Feb, 2022

Cloudflare, a provider of web infrastructure and security services, has announced the launch of its public bug bounty program.

Bug hunters and security researchers can now report vulnerabilities found in Cloudflare products as part of the company’s latest program, which is hosted on HackerOne.

A private bounty program was previously launched in 2018, following a vulnerability disclosure program in 2014. The company paid $211,512 in bounties during the lifetime of this program, with 292 out of the 430 reports receiving a reward.

Rewards for Cloudflare’s latest program vary with the severity of the vulnerability. Each security flaw is assigned a severity rating based on the Common Vulnerability Scoring System (CVSS) version 3.

There is a $3,000 payment for a critical vulnerability report, while high, medium, and low vulnerabilities are worth $1,000, $500, and $250, respectively. However, rewards vary for secondary and other targets.

As a way to make vulnerability research easier, Cloudflare also developed a sandbox called CumulusFire, which provides a standardized playground for researchers to test their exploits. The sandbox will also assist Cloudflare’s security teams in reproducing potential exploits for analysis.

“CumulusFire has already helped us address the constant trickle of reports in which researchers would configure their origin server in an obviously insecure way, beyond default or expected settings, and then report that Cloudflare’s WAF does not block an attack. By policy, we will now only consider WAF bypasses a vulnerability if it is reproducible on CumulusFire,” explained Cloudflare.

A good place to start is to refer to the documentation on Cloudflare’s developer and API portals, the Learning Center, and its support forums.

The firm also aims to add additional documentation, testing platforms, and a way for researchers to interact with its security teams to ensure submissions are valid.

Google Cloud lost $3.1 billion in 2021


Bobby Hellard

2 Feb, 2022

Google’s cloud division reported another year of losses, despite extending the life of its hardware by a further 12 months.

The cloud giant lost $890 million in the fourth quarter of 2021 and $3.1 billion over the entire year, according to financial results posted by its parent company, Alphabet. 

Last year Google extended the operational lifespan of its cloud servers from three to four years in a bid to offset some costs. While the switch saved the company $3.6 billion in reduced depreciation expenses and brought in a $2 billion net income increase, it still wasn’t enough to make the tech giant’s cloud arm profitable. 

Cloud losses were relatively minor compared to Alphabet’s overall financial outlook; the company reported record-breaking revenues of $257 billion for 2021, a 41% year-on-year increase. The company also reported Q4 revenue of $75.3 billion, which is a 32% increase compared to 2020. 

“Q4 saw ongoing strong growth in our advertising business, which helped millions of businesses thrive and find new customers, a quarterly sales record for our Pixel phones despite supply constraints, and our Cloud business continuing to grow strongly,” Alphabet and Google CEO Sundar Pichai said.

Alphabet doesn’t usually reveal specific financial or sales information when it comes to its hardware, or even for its Android mobile operating system, and typically bundles them into a category listed as “Google other”. This category brought in $8.16 billion of revenue for the fourth quarter, and it is worth pointing out that its latest Pixel handsets – Pixel 6 and Pixel 6 Pro – both went on sale just before.  

2021 was the first time Alphabet surpassed $200 billion in revenue, pulling in $258 billion, which is almost triple what it reported in 2016 ($90 billion).

Gmail’s new ‘integrated view’ layout will become default in April


Bobby Hellard

2 Feb, 2022

Google has announced a new Gmail layout that changes how Chat, Meet and Spaces are integrated with the service. 

The new ‘integrated view’ makes it so that the messaging apps are no longer little windows floating alongside emails by giving each one its own screen, accessed via larger buttons on the left-hand side. 

All Google Workspace users – except those on Workspace Essentials – will be moved to the new interface. Users can choose to switch to this new look on 8 February, with an option to switch back still available.

However, the new layout will become the default option by April and, eventually, the only option by the end of the second quarter of 2022. 

With the application buttons tucked away to the left, the changes give Gmail a similar look to Microsoft’s Outlook. The new app position removes the need for users to switch between tabs or windows in order to use Chat or Meets because they can now use them directly in the same browser window.

Image credit: Google

There will also be notification bubbles for each app and, soon, Google will also offer a ‘unified’ search function so that it shows results from all integrated applications. 

The refreshed interface is a win for those that like data density and having all their work apps in one place. However, it could be a little confusing having multiple app notifications all going off in one window, potentially adding more stress to those looking to focus on one task at a time. 

Whether the changes are agreeable or not, users may have suspected they were coming, given the changes Google has made to Workspace (formerly G Suite) during the pandemic. The company has sought to make its platform more conducive to hybrid and remote working by tweaking the way various elements work with one another, with the rebrand to Workspace itself also a nod to greater integration and ease of use.

Citrix to be acquired by Vista and Evergreen in $16.5 billion deal


Praharsha Anand

2 Feb, 2022

Citrix is set to be acquired by affiliates of Vista Equity Partners and Evergreen Coast Capital in an all-cash deal valued at $16.5 billion. The transaction is inclusive of Citrix’s debt.

The deal also calls for the merger of Citrix with Tibco, a portfolio company of Vista. Tibco offers enterprise data management solutions that help businesses connect, integrate, and accurately predict business outcomes. 

Citrix’s digital workspace and application delivery suite, combined with Tibco’s data and analytics capabilities, will enable customers to access secure applications and insights to accelerate digital transformation and navigate hybrid workplaces.

The Citrix-Tibco merger will also accelerate Citrix’s defined growth strategy and shift to software as a service (SaaS).

In addition, the firm stated that the combined entity will be positioned to provide secure, optimized, and comprehensive infrastructure for enterprise application, desktop delivery, and data management to advance hybrid cloud computing solutions.

“Citrix and Tibco provide mission-critical software and services to many of the world’s most successful businesses, and we see tremendous value in combining their respective world-class offerings to help companies gather insight from the growing volumes of data generated by the hybrid work economy,” said John Stalder, managing director at Vista.

“Both businesses have now completed transitions to approximately 90% recurring revenue, poising the go-forward combined business to drive future growth. We look forward to partnering with Evergreen and the Citrix and Tibco teams to ensure this is a seamless transition for all stakeholders,” added Stalder.

As per the terms of the acquisition, Citrix shareholders will receive $104 in cash per share. The firm’s board of directors approved the transaction unanimously, and the deal is expected to close mid-year, pending shareholder and regulatory approvals. Citrix shares will cease to trade on the Nasdaq following the transaction, and the company will go private.