Security Advisory 4053440, published by Microsoft, offers instructions for protecting Dynamic Data Exchange (DDE) fields in Microsoft Office applications. It follows recently publicized attacks and proofs of concept (PoCs) that used DDE. Here are some things that users and businesses should understand about DDE and how to protect themselves from attackers who might use it.
Applications can exchange or share data within operating systems thanks to the DDE protocol, which is a set of messages and rules. DDE uses shared memory to exchange data between applications and sends messages between programs that share data. If continuous user interaction is not required, it is regarded as one of the best options for communication and data exchange.
A wide variety of application features, such as connecting to real-time data from stock market updates, scientific instruments, or process control, can be implemented using DDE. It can also be used to create compound documents, such as a word processor document that incorporates a chart created by a graphics program. When the source data changes in this case, DDE updates the data on the chart while maintaining the consistency of the rest of the document.
According to Microsoft, an attacker could take advantage of the DDE protocol in an email attack by sending the user a specially created file that must be opened in a DDE-compatible application. Typically, the attacker will employ social engineering strategies to persuade the user to open the file. After that, the attacker must trick the user into turning off Protected Mode and following one or more additional prompts.
Pawn Storm (a.k.a. Fancy Bear, APT28, Sofacy, and STRONTIUM) made headlines once more following the disclosure of information about its most recent cyberespionage campaign by security researchers. In the group’s most recent spear phishing campaign, DDE is misused to launch the command prompt and execute PowerShell commands. The commands then retrieve and help execute the payload that profiles the impacted machine.
Additionally, Cisco’s Talos researchers have found a campaign of attacks that disseminated malicious Microsoft Word documents that could execute code on the targeted device without the need to activate macros or corrupt memory. Researchers found that hackers were actively using spear phishing emails purporting to be from the Securities and Exchange Commission (SEC) to target multiple organizations.
In the Fall Creators Update for Windows 10, the Attack Surface Reduction (ASR) mitigation present in Windows Defender Exploit Guard safeguards users against DDE attacks. The company strongly advises users without it to use caution when opening suspicious file attachments. Users can protect themselves from phishing attacks that may make use of the DDE protocol by adhering to these best practices.
By incorporating additional security measures, IT/sysadmins can protect the email gateway from attackers who take advantage of legitimate protocols like DDE. They can also set up a central location for reporting suspicious email so that staff members have a convenient and accessible way to report any suspicious email. Enabling a sandbox that can examine the malware’s various routines and behaviors can also assist in identifying the threat’s obfuscation or evasion strategies.
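An added example (not from the advisory or the original article) of an attachment check an email gateway could run: it lists every DDE or DDEAUTO field in a .docx file, reassembling instructions that Word stores across several runs. The function names, the size cap and the in-memory sample document are assumptions made for this illustration, and only the OOXML .docx format is covered.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_FIELD = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)
MAX_PART = 20 * 1024 * 1024  # assumed cap per decompressed part (zip-bomb guard)

def field_instructions(xml_bytes):
    """Yield the reassembled instruction text of every field in one XML part."""
    stack = []  # one [text_parts, in_instruction] entry per open complex field
    for el in ET.fromstring(xml_bytes).iter():
        kind = el.get(W + "fldCharType")  # set only on w:fldChar elements
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "instrText" and stack and stack[-1][1]:
            stack[-1][0].append(el.text or "")  # one field can span many runs
        elif kind == "begin":
            stack.append([[], True])
        elif kind == "separate" and stack:
            stack[-1][1] = False  # what follows is the cached field result
        elif kind == "end" and stack:
            yield "".join(stack.pop()[0])

def scan_docx(data):
    """Return [(part_name, instruction)] for each DDE/DDEAUTO field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            if info.file_size > MAX_PART:
                raise ValueError("part too large to scan: " + name)
            for instr in field_instructions(zf.read(info)):
                if DDE_FIELD.match(instr):
                    hits.append((name, instr.strip()))
    return hits

def make_sample(fragments):
    """Constructed test input: a .docx holding one field split across runs."""
    runs = "".join("<w:r><w:instrText>%s</w:instrText></w:r>" % f for f in fragments)
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:fldChar '
           'w:fldCharType="begin"/></w:r>%s<w:r><w:fldChar w:fldCharType="end"/>'
           '</w:r></w:p></w:body></w:document>' % (W[1:-1], runs))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

For untrusted mail, swap in a hardened XML parser such as defusedxml; the standard-library parser is used here only to keep the example self-contained.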
How does the Dynamic Data Exchange work?
The shared memory between the two applications, which can be accessed simultaneously on different devices, is the foundation of how the Dynamic Data Exchange operates. With this protocol, data is requested from the other system by one application using a client and server model. The DDE broadcasts messages that contain requests for running applications. A conversation is started if a running application accepts the request. Then, Windows determines a link between the systems. This allows the applications to complete a data exchange. The DDE can be used for a variety of tasks, including connecting to real-time data, creating compound documents, and answering data queries.
What is the Dynamic Data Exchange protocol?
Data can be transferred between applications using the message-based Dynamic Data Exchange (DDE) protocol. This protocol was created by Windows, so in order for it to function, the applications need to be on other Windows systems. The DDE protocol creates a conversation between the two applications. The first system requests information from the second system. The system that requests information is known as the client in the DDE protocol, and the system that has the information is known as the server. Between the two programs, the DDE protocol transfers data using a shared memory.
How to use the Dynamic Data Exchange with Windows
Here are six steps to using Windows and Dynamic Data Exchange:
1. Starting a conversation
Starting a conversation between two applications is the first step in putting a DDE into action. To accomplish this, you configure the client system to send a “WM_DDE_INITIATE” message. The first parameter, “SendMessage,” instructs the client to broadcast this message. When you’re done, call “GlobalAddAtom” to get the client ready for the application and topic name. Using “NULL” atoms, you can instruct the client to ask about any server application or topic. The client removes the global atoms when the “SendMessage” call returns.
2. Retrieving an item
The “WM_DDE_REQUEST” message allows the client to obtain information from a server once the DDE conversation has begun. You send the message and specify the item and format you’d like to receive to accomplish this. The server typically deletes the item atom after completing this method. In some cases, this is unsuccessful, and the client deletes the atom as a result. If the server has access to the item, it can render it in the requested format, enabling the server to copy the item as a shared memory object. This allows you to retrieve an item from the server.
3. Sending an item
Sending the data to the server is another way to transfer a single item. You can achieve this by sending a “WM_DDE_POKE” message. The client does this by rendering the data and sending the message “WM_DDE_POKE.” This message is similar to the “WM_DDE_DATA” message. However, the client sends the “WM_DDE_POKE” message to the server.
The server analyzes the data after receiving it from the clients. The server sends the clients a positive “WM_DDE_ACK” message if it accepts the data as necessary. A negative “WM_DDE_ACK” message is sent to the client if the server is unable to analyze the data. When this happens, the client must send a “WM_DDE_POKE” message with a negative acknowledgment in order to release the memory.
4. Setting a permanent data link
Then, in a server application, establish a permanent data link to the data you are transferring. Once you create this link, the server will periodically update the link and send updates to the client. Usually, the server sends these updates when the data changes. The data stream remains in place once a permanent data link has been established until it is disconnected. Have your client send a “WM_DDE_ADVISE” message to create a data link. The client receives a message marked “WM_DDE_ACK” after the server accepts this message. Now, whenever data changes, the server notifies the client and sends new data.
5. Completing commands
The DDE lets you execute a variety of commands between the two programs. To do this, the programs send the “WM_DDE_EXECUTE” message. This message should contain the command you’d like to implement. The server notifies the client with a positive “WM_DDE_ACK” message once the device has completed the command. If it fails, the server sends a negative message. Usually, you can only send one command at a time, so you can only send a message after sending the first command. This helps each command to work properly.
6. Deleting a conversation
You can eliminate the client-server conversation once the DDE protocol is complete. Simply instruct the server or client to send the message “WM_DDE_TERMINATE.” As long as both applications are ready to receive the termination message, you can do this whenever you want. This helps the process run efficiently with no errors. Before turning off the systems, it’s crucial that you remove all of the program conversations. This ensures that no errors occur with the DDE protocol. Before processing the “WM_DESTROY” message, the application ends the DDE conversations once it is ready to delete.
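The six steps above as an added example, not code from the original article: a checker that validates the order of messages in a recorded DDE conversation and reports where WM_DDE_EXECUTE occurs. It is a Python model rather than Win32 code; the trace format, the function name and the sample trace are assumptions, positive and negative ACKs are not distinguished, and one outstanding client request at a time is assumed.

```python
from enum import IntEnum

# Message IDs as defined in the Windows SDK header dde.h (WM_DDE_FIRST = 0x03E0).
Dde = IntEnum("Dde", "INITIATE TERMINATE ADVISE UNADVISE ACK DATA REQUEST POKE EXECUTE",
              start=0x03E0)
# Opening handshake (state -> sender, message, next state) and allowed server replies.
OPENING = {"closed": ("client", Dde.INITIATE, "initiating"),
           "initiating": ("server", Dde.ACK, "open")}
REPLIES = {Dde.REQUEST: {Dde.DATA, Dde.ACK}, Dde.POKE: {Dde.ACK},
           Dde.ADVISE: {Dde.ACK}, Dde.UNADVISE: {Dde.ACK}, Dde.EXECUTE: {Dde.ACK}}

def check_trace(trace):
    """Check (sender, message) pairs (assumed format); return (violations, executes)."""
    violations, executes = [], []
    state, pending, advised, closer = "closed", None, False, None
    for n, (sender, msg) in enumerate(trace, 1):
        def bad(why):
            violations.append("#%d %s WM_DDE_%s: %s" % (n, sender, msg.name, why))
        if state in OPENING:
            want_sender, want_msg, next_state = OPENING[state]
            if (sender, msg) == (want_sender, want_msg):
                state = next_state
            else:
                bad("expected %s WM_DDE_%s" % (want_sender, want_msg.name))
        elif msg == Dde.TERMINATE:
            done = state == "terminating" and sender != closer  # peer confirmed close
            state = "closed" if done else "terminating"
            closer, pending, advised = sender, None, False
        elif state == "terminating":
            bad("sent after TERMINATE")
        elif sender == "client" and msg in REPLIES:
            if pending is not None:
                bad("previous WM_DDE_%s not yet answered" % pending.name)
            pending = msg
            if msg == Dde.EXECUTE:
                executes.append(n)  # command execution: the step worth logging
        elif sender == "server" and pending is not None and msg in REPLIES[pending]:
            advised = advised or pending == Dde.ADVISE  # permanent data link active
            pending = None
        elif not ((sender, msg) == ("server", Dde.DATA) and advised):
            bad("unexpected in this state")
    if state != "closed":
        violations.append("trace ended with the conversation still " + state)
    return violations, executes

# Constructed sample trace: the six steps in order, ending with a clean close.
C, S = "client", "server"
SAMPLE = [(C, Dde.INITIATE), (S, Dde.ACK), (C, Dde.REQUEST), (S, Dde.DATA),
          (C, Dde.POKE), (S, Dde.ACK), (C, Dde.ADVISE), (S, Dde.ACK), (S, Dde.DATA),
          (C, Dde.EXECUTE), (S, Dde.ACK), (C, Dde.TERMINATE), (S, Dde.TERMINATE)]
```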
FAQ
What is Dynamic Data Exchange in Excel?
Utilizing the Dynamic Data Exchange (DDE) protocol is one strategy. The DDE protocol is a set of messages and guidelines. It uses shared memory to exchange data between applications and sends messages between programs that share data.
What applications use dynamic data exchange?
DDE was introduced in Windows 2.0 in 1987, and thousands of applications, including Microsoft Word, Microsoft Excel, and Visual Basic, have been using it since.
How do I enable dynamic data exchange?
DDE server launch is disabled by default; however, users can enable it by visiting File >> Options >> Trust Center >> Trust Center Settings >> External Content. It is not advised to enable DDE server launch for security reasons.
What tactic uses the technique dynamic data exchange?
KeyBoy downloads remote payloads utilizing the Dynamic Data Exchange (DDE) protocol. Leviathan has inserted malicious content using OLE into a variety of phishing documents.