Windows 10 Update Threat
Threat actors are exploiting a vulnerability in Windows 10 to steal user credentials by installing malware, including viruses and trojan horses. Phishing emails carry a Microsoft Office attachment that, when opened, invokes an ActiveX remote desktop control and silently installs TrickBot without the user's knowledge. TrickBot bypasses Windows 10 UAC (User Account Control) and runs in the background until the relevant security software is updated and able to detect it. The recent Windows 10 update included a UAC bypass, which is now the root cause of the new threat. UAC prompts include the familiar phrase "Do you want to allow this app to make changes to your device?", which the new TrickBot bypasses altogether. The threat will almost certainly create a new wave of phishing attempts, and Windows users will need to be as cautious as ever.
Employee recognition of phishing attempts, together with extreme caution when opening attachments from outside sources, is the best way to prevent and mitigate this threat. Additional prevention techniques include disabling macros, active content, and editing in Microsoft Office products, and making sure your security software is actively updated.
A new Windows 10 threat uses TrickBot to install malware via a Microsoft Office attachment, typically sent through a phishing email. The threat activates through an ActiveX remote desktop control, combined with a UAC (User Account Control) bypass that was included in the most recent Windows 10 updates. UAC is the familiar pop-up window that asks "Do you want to allow this app to make changes to your device?"
The threat was first reported in a Forbes article, "Windows 10 Users Warned As Hackers Target Newly Updated Computers", published 02/29/2020.
An additional resource is SC Media's article, "Windows 10 ActiveX control hacked to execute TrickBot dropper", published 03/02/2020.
Why This Matters:
- Windows 10 is the most popular desktop OS in the world
- The threat could lead to devastating data breaches or ransomware events
- Employee phishing training is the best way to protect against these events and prevent them from happening
- Disabling macros, content, and editing within Microsoft Office products can help prevent this threat altogether
- The threat goes against the traditional notion that always updating your OS software is the most secure action
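As an added example that is not from the article or its sources, the PowerShell audit below checks the per-user Office settings behind the "disable macros, content, and editing" advice given above and in the list: VBA macro warnings, ActiveX controls, internet-sourced macros, and Protected View for e-mail attachments. It assumes Office 16.0 (2016/2019/Microsoft 365); the registry value names are standard Office Trust Center settings, while the "hardened" thresholds and the Test-OfficeAttachmentHardening/Get-OfficeSetting helpers are the editor's own.

```powershell
# Added example (not from the article): audit the per-user Office Trust Center settings that gate
# the attachment -> macro / ActiveX -> dropper chain. Assumes Office 16.0 (2016/2019/Microsoft 365);
# Group Policy values under HKCU:\Software\Policies override the user keys, so they are read first.
function Get-OfficeSetting {
    param([string]$SubKey, [string]$Name)
    foreach ($root in 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office') {
        $item = Get-ItemProperty -Path "$root\$SubKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # absent: Office applies its built-in default for that setting
}

function Test-OfficeAttachmentHardening {
    # Each check: where the value lives, what "hardened" means for it, and what to change if it is not.
    $checks = [System.Collections.Generic.List[hashtable]]::new()
    $checks.Add(@{ Area = 'ActiveX controls (all apps)'; SubKey = 'Common\Security'; Name = 'DisableAllActiveX'
                   Hardened = { param($v) $v -eq 1 }; Advice = 'Set DisableAllActiveX = 1 (DWORD)' })
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # VBAWarnings: 1 = enable all, 2 = disable with notification (default, one click re-enables),
        # 3 = digitally signed only, 4 = disable all without notification.
        $checks.Add(@{ Area = "$app VBA macros"; SubKey = "16.0\$app\Security"; Name = 'VBAWarnings'
                       Hardened = { param($v) $v -in 3, 4 }; Advice = 'Set VBAWarnings = 4 (or 3 for signed macros only)' })
        # Policy-only setting: block macros in files carrying the Mark-of-the-Web (e-mail attachments, downloads).
        $checks.Add(@{ Area = "$app internet macros"; SubKey = "16.0\$app\Security"; Name = 'blockcontentexecutionfrominternet'
                       Hardened = { param($v) $v -eq 1 }; Advice = 'Set blockcontentexecutionfrominternet = 1 under Policies' })
        # DisableAttachmentsInPV = 1 turns Protected View off for Outlook attachments, removing the "Enable Editing" gate.
        $checks.Add(@{ Area = "$app Protected View for attachments"; SubKey = "16.0\$app\Security\ProtectedView"; Name = 'DisableAttachmentsInPV'
                       Hardened = { param($v) $v -ne 1 }; Advice = 'Delete DisableAttachmentsInPV or set it to 0' })
    }
    foreach ($c in $checks) {
        $value = Get-OfficeSetting -SubKey $c.SubKey -Name $c.Name
        $ok = & $c.Hardened $value
        [pscustomobject]@{
            Area     = $c.Area
            Value    = if ($null -eq $value) { '(not set: default)' } else { $value }
            Hardened = $ok
            Advice   = if ($ok) { '' } else { $c.Advice }
        }
    }
}

# Run the audit; any row with Hardened = False is a setting a malicious attachment could still rely on.
Test-OfficeAttachmentHardening | Format-Table -AutoSize -Wrap
```

Run it in the affected user's session, since the keys are per-user; a domain-wide rollout belongs in Group Policy rather than in a script that edits HKCU directly.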