Malware, Network Security, Vulnerability Management

Flaw in LinkedIn Messenger could harbour malware

Flaws in LinkedIn's own security restrictions could have allowed cyber-criminals to upload malware-laden attachments in the social network's messenger service.

According to security researchers at Check Point, when a valid file is uploaded and sent, LinkedIn's security protections scan the attachment for malicious content. But it was discovered that attackers could bypass those restrictions and attach a malicious file to the LinkedIn messaging service.

“To do this, an attacker could have uploaded a normal-looking file that passes LinkedIn's security checks; however, the file is only masquerading as a legitimate file. In reality, it is a form of malware that contains malicious content, able to infect the recipient's network,” said the researchers in a blog post.

The researchers found four exploits in the LinkedIn security systems. First, an attacker could create a malicious PowerShell script, save it with a .pdf extension and upload it to LinkedIn's CDN server. If downloaded, it would remain undetected.

The second flaw allowed a hacker to create a Windows registry file containing a malicious PowerShell script and disguise it as a .pdf file. When the victim opens the file received via LinkedIn, the crafted REG file containing the malicious payload runs, giving the attacker control over the user's machine. From then on, the script runs each time the user logs in to the computer.

The third flaw sees a hacker creating a malicious XLSM file, embedded with a macro, disguised as an XLSX file. The macro is scrambled VB script shellcode. The masqueraded file passes the anti-virus check, is uploaded successfully to LinkedIn's CDN and is sent to the victim. When the victim opens the malicious XLSM file, Excel runs the VB script and the victim is infected.

The last flaw is where a hacker creates a malicious DOCX file containing an external object. This object is linked to an HTA file on the attacker's server. The DOCX file is then uploaded successfully to LinkedIn's CDN, passing the virus check, and sent to the victim. When the victim opens the malicious DOCX file, WINWORD automatically downloads the HTA file through the object link and then runs it. Once the HTA file is executed, the victim is infected.
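All four cases share one pattern: the extension claims one file type while the content is another, or an innocuous-looking Office document carries macro or external-link content. The following is an added example written for this article, not code from Check Point or LinkedIn, showing the kind of content-based check an upload or mail gateway can apply: it verifies the PDF magic bytes, looks for a VBA project inside a supposedly macro-free .xlsx/.docx, and flags any OOXML relationship resolved outside the package other than a plain hyperlink (so it also covers external frame or template links, not only OLE objects). The sample files and the `example.invalid` URL are constructed for the demonstration.

```python
import io
import re
import zipfile

# Constructed samples (not files from the Check Point research): a ".pdf" that is really a
# Windows registry export, an ".xlsx" carrying a VBA project, a ".docx" whose relationships
# link an OLE object to an external URL, and a genuine PDF for comparison.
def _ooxml(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

OLE_RELS = (b'<Relationships><Relationship Id="rId9" TargetMode="External" '
            b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            b'Target="http://example.invalid/object.hta"/></Relationships>')
SAMPLES = {
    "report.pdf": b"Windows Registry Editor Version 5.00\r\n",
    "sheet.xlsx": _ooxml({"[Content_Types].xml": b"<Types/>", "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "memo.docx": _ooxml({"[Content_Types].xml": b"<Types/>", "word/_rels/document.xml.rels": OLE_RELS}),
    "clean.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}

# Any relationship resolved outside the package; hyperlinks are the one common benign case.
EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"[^>]*/?>', re.I)

def inspect(name, data):
    """Return findings where the file's content does not match what its extension claims."""
    ext = name.rsplit(".", 1)[-1].lower()
    findings = []
    if ext == "pdf":
        if not data.startswith(b"%PDF-"):
            findings.append("extension .pdf but content is not a PDF")
    elif ext in ("docx", "xlsx"):
        if not data.startswith(b"PK\x03\x04"):
            return [f"extension .{ext} but content is not an OOXML package"]
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append(f"VBA project inside .{ext} (macro content under a macro-free extension)")
            for rels in (n for n in names if n.endswith(".rels")):
                for m in EXTERNAL_REL.finditer(z.read(rels)):
                    if b"relationships/hyperlink" not in m.group(0):
                        findings.append(f"external non-hyperlink relationship in {rels}")
    return findings

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect(name, data) or ["ok"])
```

A check like this is a complement to, not a replacement for, scanning the content itself, since a file that is genuinely a PDF or a macro-free document can still carry an exploit.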

Check Point identified the four flaws and reported the discovery to LinkedIn on 14 June 2017. LinkedIn verified and acknowledged the security issues and deployed a fix effective 24 June 2017.

John Smith, principal solution architect at Veracode, told SC Media UK that at the heart of this vulnerability disclosure is the issue of trust.

“The vulnerability itself provides an attacker with the means to make malicious files available to the potential victim – but that hardly calls this vulnerability out as being particularly unique or special,” he said.

“But unless the victim actually opens the malicious file then the attack is not successful, and this is where the issue of trust arises. Users have been told for years not to open attachments or click on links that they receive from sources that they do not trust, but communication on LinkedIn carries with it an implied trust based on our network which would likely increase the success rate for the attacker.”

James Maude, senior security engineer at Avecto, told SC Media UK that organisations should focus on proactively reducing the attack surface of the endpoint by removing high risk admin accounts that could lead to widespread compromise of systems and networks, and controlling the applications that can be launched.

“Group policy can be used to disable macros as an additional defence against some document-based attacks, and as always, patching systems reduces the number of vulnerabilities that can be exploited. If the attacker is blocked from accessing admin rights and launching tools such as PowerShell, their impact is greatly reduced,” he said.

Tony Rowan, chief security consultant at SentinelOne, told SC Media UK that using tools that transcribe the original media content can be an effective method of insulating the endpoint and social media user from the effects of malicious content that may be embedded in social media.

“The issue here is that such manipulations increase latency and can render some content unreadable. Ultimately, effective endpoint monitoring, detection and response capabilities are still needed.”
