Month: September 2020

A US senator is calling on the Department of Homeland Security’s cybersecurity arm to assess the threat posed by browser extensions made in countries known to conduct espionage against the US.

“I am concerned that the use by millions of Americans of foreign-controlled browser extensions could threaten US national security,” Senator Ron Wyden, a Democrat from Oregon, wrote in a letter to Christopher Krebs, director of the DHS’ Cybersecurity and Infrastructure Security Agency. “I am concerned that these browser extensions could enable foreign governments to conduct surveillance of Americans.”

Also known as plugins and add-ons, extensions give browsers functionality not otherwise available. Ad blockers, language translators, HTTPS enforcers, grammar checkers, and cursor enhancers are just a few examples of legitimate extensions that can be downloaded either from browser-operated repositories or third-party websites.

Unfortunately, there’s a darker side to extensions. Their pervasiveness and their opaqueness make them a perfect vessel for stashing software that logs sites users visit, steals passwords they enter, and acts as a backdoor that funnels data between users and attacker-controlled servers.

Extensions: A short, sordid history

One of the more extreme examples of this type of malice came last year when Chrome and Firefox extensions were caught logging the browsing history of more than 4 million users and selling it online. People often think that long, complicated Web URLs prevent outsiders from being able to access medical or accounting data, but the systematic collection, dubbed DataSpii, proved the assumption wrong.

Among the sensitive data siphoned by the extensions was proprietary information from Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. The Dataspii extensions also collected private medical, financial, and social data belonging to individuals. The collection only came to light thanks to the dogged and costly work of an independent researcher.

Other examples of abusive extensions can be found here, here, here, and here.

Wyden’s letter mentions the case of an extension provider that’s from China, a country critics say pays hackers and others to steal source code, blueprints, and other proprietary data from its foreign adversaries. The senator wrote:

For example, my office has been investigating Genimous Technology, a Chinese company that, through a series of shell companies in offshore jurisdictions like Cyprus and Cayman Islands, controls a network of web browser extensions used by more than 10 million consumers. Genimous’ subsidiaries offer dozens of browser extensions, which provide users with some limited, free functionality, such as weather reports or package tracking, in order to gain access to users’ computers. The true purpose of Genimous’ browser extensions is to change users’ search engine to one offered by Verizon Media, which pays Genimous a fee for doing so.

I am concerned that the use by millions of Americans of foreign-controlled browser extensions could threaten US national security. In particular, I am concerned that these browser extensions could enable foreign governments to conduct surveillance of Americans.

Neither Genimous nor Verizon immediately responded to a request to comment for this post.

Nation-hired hackers

There are at least two reported cases of foreign governments using extensions in espionage hacks. The more advanced attack came to light in 2017. It involved Firefox extensions used by Turla, a Russian-speaking hacking group that many researchers believe works on behalf of the Kremlin.

One such extension analyzed by security firm Eset masqueraded as a security feature available from the website of a fictitious security company. Behind the scenes, it acted as a backdoor that connected infected computers to a Turla command and control server that retrieved stolen data and could upload and install new or updated malware.

To cover its tracks, the extension didn’t call the server directly. Rather, it connected to the comment section of Britney Spears’ Instagram account. By computing a hash from a comment and using a programming technique known as a regular expression, the backdoor was able to derive the server address. Researchers from Bitdefender stumbled upon the same Turla campaign that used other Firefox extensions.

A separate nation-sponsored hack involving extensions occurred in 2018. It used Chrome extensions, available in Google’s official Chrome Web Store, that security firm Net Scout believes stole data such as browser cookies and/or passwords. To give the extensions an air of authenticity, the hackers copied reviews left for other extensions that either praised or criticized them.

Getting answers

Over the years, Wyden has pressed both government officials and business leaders on a host of topics relating to technology. Last year, he and Senator Marco Rubio, Republican of Florida, called on CISA’s Krebs to investigate VPNs, which like extensions, have the ability to covertly collect sensitive information and do other nefarious things.

“To that end, I ask you to assess the threat posed by web browser extensions offered and controlled by companies in adversary nations,” Wyden wrote. “If you determine that these companies and their products threaten US national security, please take the appropriate steps to protect US government employees and government systems.”

September has been a busy month for malicious Android apps, with dozens of them from a single malware family alone flooding either Google Play or third-party markets, researchers from security companies said.

Known as Joker, this family of malicious apps has been attacking Android users since late 2016 and more recently has become one of the most common Android threats. Once installed, Joker apps secretly subscribe users to pricey subscription services and can also steal SMS messages, contact lists, and device information. Last July, researchers said they found Joker lurking in 11 seemingly legitimate apps downloaded from Play about 500,000 times.

Late last week, researchers from security firm Zscaler said they found a new batch comprising 17 Joker-tainted apps with 120,000 downloads. The apps were uploaded to Play gradually over the course of September. Security firm Zimperium, meanwhile, reported on Monday that company researchers found 64 new Joker variants in September, most or all of which were seeded in third-party app stores.

And as ZDNet noted, researchers from security firms Pradeo and Anquanke found more Joker outbreaks this month and in July respectively. Anquanke said it had found more than 13,000 samples since it first came to light in December 2016.

“Joker is one of the most prominent malware families that continually targets Android devices,” Zscaler researcher Viral Gandhi wrote in last week’s post. “Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques.”

Digital sleight of hand

One of the keys to Joker’s success is its roundabout way of attack. The apps are knockoffs of legitimate apps and, when downloaded from Play or a different market, contain no malicious code other than a “dropper.” After a delay of hours or even days, the dropper, which is heavily obfuscated and contains just a few lines of code, downloads a malicious component and drops it into the app.

Zimperium provided a flow chart that captures the four pivot points each Joker sample uses. The malware also employs evasion techniques to disguise download components as benign applications like games, wallpapers, messengers, translators, and photo editors.

The evasion techniques include encoded strings inside the samples where an app is to download a dex, which is an Android-native file that comprises the APK package, possibly along with other dexes. The dexes are disguised as mp3 .css, or .json files. To further hide, Joker uses code injection to hide among legitimate third-party packages—such as org.junit.internal, com.google.android.gms.dynamite, or com.unity3d.player.UnityProvider—already installed on the phone.

“The purpose of this is to make it harder for the malware analyst to spot the malicious code, as third-party libraries usually contain a lot of code and the presence of additional obfuscation can make the task of spotting the injected classes even harder,” Zimperium researcher Aazim Yaswant wrote. “Furthermore, using legit package names defeats naïve [blocklisting] attempts, but our z9 machine-learning engine enabled the researchers to safely detect the aforementioned injection tricks.”

The Zscaler writeup details three types of post-download techniques to bypass Google’s app-vetting process: direct downloads, one-stage downloads, and two-stage downloads. Despite the delivery variations, the final payload was the same. Once an app has downloaded and activated the final payload, the knock-off app has the ability to use the user’s SMS app to sign up for premium subscriptions.

A Google spokesman declined to comment other than to note that Zscaler reported that the company removed the apps once they were privately reported.

Day after day

With malicious apps infiltrating Play on a regular, often weekly, basis, there’s currently little indication the malicious Android app scourge will be abated. That means it’s up to individual end users to steer clear of apps like Joker. The best advice is to be extremely conservative in the apps that get installed in the first place. A good guiding principle is to choose apps that serve a true purpose and, when possible, choose developers who are known entities. Installed apps that haven’t been used in the past month should be removed unless there’s a good reason to keep them around.

Using an AV app from Malwarebytes, Eset, F-Secure, or another reputable maker is also an option, although they, too, can have difficulty detecting Joker or other malware.

One of the highest-impact Windows vulnerabilities patched this year is now under active exploitation by malicious hackers, Microsoft warned overnight, in a development that puts increasing pressure on laggards to update now.

CVE-2020-1472, as the vulnerability is tracked, allows hackers to instantly take control of the Active Directory, a Windows server resource that acts as an all-powerful gatekeeper for all machines connected to a network. Researchers have dubbed the vulnerability Zerologon, because it allows attackers with only minimal access to a vulnerable network to login to the Active Directory by sending a string of zeros in messages that use the Netlogon protocol.

Zerologon carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Despite the high rating, the escalation-of-privileges vulnerability received scant, if any, attention when Microsoft patched it in August, and Microsoft deemed the chances of actual exploitation “less likely.”

The security world finally took notice last week with the release of several proof-of-concept exploits and a detailed writeup, which demonstrated severity of the vulnerability and the relative ease in exploiting it.

All hands on deck

On Wednesday evening, Microsoft issued a series of tweets that Zerologon was now being exploited in the wild.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon,” Microsoft representatives wrote. “We have observed attacks where public exploits have been incorporated into attacker playbooks.”

The company provided several digital signatures of files used in the attacks, but it didn’t publicly provide additional details. Microsoft has published a threat analytics report that’s designed to help administrators assess the vulnerability of their networks, but it’s available only to Office 365 subscribers. For everyone else, the best resource is this white paper from Secura, the security firm that discovered Zerologon. Microsoft representatives didn’t respond to an email asking for a copy of the analytics report.

Crown jewels

It’s hard to overstate the severity of an exploit that makes it possible to take control of an Active Directory using several dozen lines of code. Active Directories (and the domain controller servers they run on) are the resources most cherished by ransomware attackers. With control over the central provisioning directory, they can infect entire fleets of machines within minutes. Nation-sponsored hackers performing surgical-precision espionage campaigns also prize such access because it allows them to control specific network resources of interest.

Both types of attackers often begin hacks by compromising a computer with low-level privileges on a network, often by tricking an employee into clicking on a malicious link or file or by entering a password on a phishing page. It can sometimes take weeks or months to escalate low-level privileges to those needed to install malware or execute commands. In certain cases, Zerologon can allow an attacker with this kind of toehold to almost instantly gain control of the Active Directory.

There may also be ways to exploit Zerologon directly from the Internet with no previous access. Internet searches like this one and this one show more than 33,000 and 3 million networks are exposing domain controllers and Remote Procedure Call login servers to the public Internet. In the event a single network is exposing both resources, the combination may leave a network wide open with no other requirements.

The risk posed by Zerologon isn’t just that of facing a catastrophic hack. There’s also the threat of applying a patch that breaks a network’s most sensitive resource. Late last week, the cybersecurity arm of the Department of Homeland Security mandated agencies to either apply the patch by Monday night or remove domain controllers from the Internet.

With word less than three days later that exploits are in the wild, it’s clear there was good reason for the directive.