Security vendor Check Point has discovered four separate vulnerabilities in LinkedIn Messenger. The vulnerabilities were reported to LinkedIn on 20th June and patched by 24 June. The details have only just been released to ensure LinkedIn members had updated their clients. The attacks are aimed at users of the LinkedIn PC client. The details were released in a blog by researchers Eran Vankin, Dvir Atias and Alon Boxiner.
According to the researchers: “We have been able to identify multiple vulnerabilities that take advantage of LinkedIn’s security restrictions. When a valid file is uploaded and sent, LinkedIn’s security protections scan the attachment for malicious activity. However, in a recent trial conducted by Check Point researchers, it was discovered that attackers could bypass the security restrictions and attach a malicious file to the LinkedIn messaging service.”
How does it work?
It appears the attack is extremely simple. The attack is hidden in a file uploaded to LinkedIn and there are four examples in the blog. Each of the examples shows how code can be uploaded when masquerading as an allowed document type. Once the file is uploaded it can be sent to contacts on LinkedIn. Once the recipient opens the file the code executes.
The four examples are:
- Microsoft PowerShell script inside a PDF file: As soon as it is downloaded the PowerShell commands inside the PDF will execute. This allows attackers to immediately download malware to a machine.
- Windows Registry file: Attackers upload a REG file containing a malicious PowerShell script, disguised as a PDF. The victim downloads the "PDF" and the code gives the attacker complete control over the user's computer.
- Scrambled macro: The victim is sent an Excel macro consisting of obfuscated VB script shellcode. The file is sent as an Excel XLSX file rather than an XLSM macro file, so the macro avoids detection. Once the file is opened the VB script will attempt to run and infect the victim's computer.
- Malicious code inside an OLE file (CVE-2017-0199): This attack uses a known vulnerability that several security vendors currently report as being actively exploited. It embeds an object into a Microsoft Word DOCX file. The object is linked to an HTML Application (HTA) hosted on the attacker's website. The file is then downloaded and executed on the victim's machine.
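All four cases share one pattern: a file whose declared type (the extension the upload form accepts) disagrees with, or does not fully describe, its contents. The following is an added defender-side example, not Check Point's code or anything LinkedIn runs. It assumes an upload handler that accepts only .pdf, .docx and .xlsx, and shows the checks a scanner would apply to each of the four shapes above: magic bytes versus declared extension (catches the REG-as-PDF case), PDF action keys such as /Launch and /OpenAction (a heuristic for script-bearing PDFs), a vbaProject.bin part inside a non-macro OOXML container, and an OLE relationship with TargetMode="External" inside a DOCX (the linked-HTA shape of CVE-2017-0199). The sample files at the bottom are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

# Assumption for this example: the upload form accepts only these extensions,
# and each is validated against its leading magic bytes, not its name alone.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # OOXML packages are zip archives
    ".xlsx": b"PK\x03\x04",
}

# PDF dictionary keys that trigger code or external actions on open;
# their presence is a heuristic signal for review, not proof of malice.
PDF_ACTION_KEYS = (b"/Launch", b"/JavaScript", b"/OpenAction", b"/AA")


def extension_of(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def content_matches_extension(filename, data):
    """True only when the declared extension is allowed AND the bytes agree."""
    magic = MAGIC.get(extension_of(filename))
    return magic is not None and data.startswith(magic)


def pdf_findings(data):
    return [key.decode() + " action in PDF" for key in PDF_ACTION_KEYS if key in data]


def ooxml_findings(data):
    """Look inside a DOCX/XLSX zip for macro storage and external OLE links."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["declared OOXML file is not a valid zip package"]
    findings = []
    names = zf.namelist()
    # A vbaProject.bin part is macro code regardless of the .xlsx/.docx name.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("VBA project part present in non-macro container")
    # A relationship that points an OLE object at an external target is the
    # shape of the linked-HTA technique (CVE-2017-0199 style).
    for n in names:
        if not n.endswith(".rels"):
            continue
        rels = zf.read(n).decode("utf-8", "replace")
        for tag in re.findall(r"<Relationship\b[^>]*/?>", rels):
            if "/oleObject" in tag and 'TargetMode="External"' in tag:
                findings.append("external OLE relationship in " + n)
    return findings


def scan_upload(filename, data):
    """Return ("accept", []) or ("reject", [reasons...])."""
    ext = extension_of(filename)
    if not content_matches_extension(filename, data):
        return ("reject", ["content does not match declared type " + ext])
    findings = pdf_findings(data) if ext == ".pdf" else ooxml_findings(data)
    return ("reject", findings) if findings else ("accept", [])


# --- constructed sample uploads for the demonstration (not real attachments) ---
def _zip_with(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


SAMPLES = {
    "reg_renamed.pdf": b"Windows Registry Editor Version 5.00\r\n\r\n[HKEY_CURRENT_USER\\Software\\Example]\r\n",
    "clean.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "launch.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /Launch >> >> endobj\n%%EOF\n",
    "macro_hidden.xlsx": _zip_with({
        "[Content_Types].xml": "<Types/>",
        "xl/workbook.xml": "<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder",
    }),
    "linked_ole.docx": _zip_with({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<document/>",
        "word/_rels/document.xml.rels":
            '<Relationships><Relationship Id="rId9" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://example.invalid/object.hta" TargetMode="External"/></Relationships>',
    }),
}


def scan_all():
    return {name: scan_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in scan_all().items():
        print(f"{name}: {verdict} {reasons}")
```

The point of the magic-byte check is that it is independent of the name the sender chose, which is the only thing an extension allow-list ever sees; the OOXML inspection matters because a .xlsx or .docx name says nothing about what parts the zip actually carries.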
Why use LinkedIn Messenger?
The researchers say that the trust of users in the LinkedIn platform means they are likely to open files without doing further checking. This is because they believe LinkedIn is checking all files for malicious content. While it does a lot of checking, like any platform it is not infallible.
Many LinkedIn users send their CVs to recruitment companies and potential employers through the LinkedIn Messenger. This means that any successful attack can yield a lot of personal data.
The network is also used by people to send other business files, reports and documents. It does not impose the file-size limits that most corporate email servers do, which makes it convenient for large, complex documents.
What does this mean?
No communication channel should be perceived as being secure. Any file from any service can be infected. The use of code embedded in file types that people see as safe is on the rise. Many people accept PDF files believing that they are less likely to be infected than more common office document types. This is a mistake as the first two attacks here show.
It is also interesting that the fourth exploit is still active. A week ago Trend Micro reported seeing the attack used in conjunction with malicious PowerPoint slide shows. Microsoft patched this vulnerability in April, and IT security teams need to check their patching routines. Users falling victim to an attack that has already been patched shows a failed security posture.