Threat Actors Increasingly Exploiting Dynamic Data Exchange
As the NJCCIC has reported in several recent threat alerts, hackers are increasingly leveraging Dynamic Data Exchange (DDE) – a protocol in Microsoft Office products that establishes how applications send messages and share data through shared memory – to spread malware. In October alone, threat actors exploited DDE to spread Locky ransomware and the Hancitor trojan, and APT28 recently leveraged it to deliver the Seduploader trojan to unsuspecting victims. The cybercrime group known as FIN7 was also observed abusing this protocol to deliver the DNSMessenger trojan.

In response to these threats and the risk that this feature poses, Microsoft has issued a security advisory that details the steps users can take to properly secure their applications. The NJCCIC recommends that all Microsoft Office users and administrators review the Microsoft Security Advisory and follow the recommended mitigations. Additionally, the NJCCIC encourages all email users to maintain awareness of emerging phishing campaigns and to avoid clicking on links and opening attachments delivered with unexpected or unsolicited emails. We also discourage disabling Protected Mode or enabling macros in documents unless you trust and can personally verify the sender.