Perpetual IT

The US National Security Agency (NSA) and its Australian counterpart the Australian Signals Directorate (ASD) have published a set of guidelines to help companies avoid a common kind of attack: web shell exploits.

A web shell is a malicious program, often written in a scripting language like PHP or Java Server Pages, that gives an attacker remote access to a system and lets them execute functions on a victim’s web server. Attackers hack web-facing applications so that they can install and execute these files on the server, enabling them to steal data, launch attacks on visitors to the site, or use the web server as an ingress point to burrow further into the victim’s infrastructure.

Attackers often disguise web shells as innocuous-looking files that could pass for a component of the web application, enabling them to ‘live off the land’ by executing malicious commands unobtrusively and lurk undetected for a long time unless an admin is paying attention. The NSA warned:

Web shell malware has been a threat for years and continues to evade detection from most security tools. Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic.

The guidelines list several CVEs that are common attack vectors for the installation of web shells, targeting products from Microsoft (SharePoint and Exchange), Atlassian, Progress, Zoho, and Adobe (ColdFusion).

The document addresses several layers of defence. The first involves detecting malicious web shells. It suggests several techniques, one of which is to compare current web application files with those that are known to be legitimate. To do this, you’d take a copy of the freshly installed web app, with the necessary updates applied, and then periodically use file comparison tools (WinDiff for Windows or LinuxDiff for Linux systems) to compare it against current versions. The NSA also provides a PowerShell script for this.

It also advises people to watch for uncommon activity such as running network enumeration commands that have no place in most legitimate web apps. Other things to watch for include large responses to a web app which could indicate data exfiltration, access times outside peak hours, or access times from unusual regions. These signals will often generate false positives, though, it warns.

The second layer of defence focuses on preventing malicious web shells and the damage they can do to your systems.

The document suggests protecting the web servers themselves from unauthorised access by blocking or restricting access to appropriate ports and services. Other guidance focuses on preventing attackers using an installed shell to to wreak havoc in your network. These include using least-privilege principles when assigning permissions to web apps and/or monitoring the integrity of web-accessible directories and files, either blocking or alerting admins to changes.

Another recommendation involves segregating networks so that internet-facing web servers can’t access sensitive parts of your network. This might be tricky if your web app needs access to customer records from production systems, but could at least prevent attackers from penetrating deeper into your network.

Finally, the paper looks at response and recovery after an attack. After detecting a web shell, use packet capture (PCAP) to find out what it was doing inside your network, it says.

The paper, along with a related NSA GitHub repository, also includes tools and intrusion prevention system (ISP) rules to help implement some of these anti-web shell techniques. The Open Web Application Security Project (OWASP) also publishes a set of core intrusion prevention system (ISP) rules that people should apply, the paper adds.

Latest Naked Security podcast

Microsoft just issued Security Advisory ADV200004, entitled Availability of updates for Microsoft software utilizing the Autodesk FBX library.

At first glance, you might be inclined to read just the headline and skip on by because you don’t use FBX files or you don’t have any Autodesk software products.

We’ll be honest and admit we hadn’t even heard of FBX files until now, let alone created one – the abbreviation is short for Filmbox, and it’s a proprietary format owned by Autodesk that is used to save motion capture data along with audio and video streams.

Autodesk is probably still best-known for its AutoCAD computer aided drawing software, but it has a huge range of products for video rendering, game creation and more, where the FBX file format is right at home.

Well, Autodesk just published its own Security Advisory ADSK-SA-2000-0002, “Vulnerabilities in the Autodesk FBX Software Development Kit“.

This advisory announces fixes for six different security bugs denoted CVE-2020-7080 to CVE-2020-7085 consecutively.

Announced as they are at the same time, these vulnerabilities sound like the sort of multi-bug fix that sometimes emerges after a concerted burst of reviewing and testing existing code to improve it, and if so it sounds as though the review was both extensive and worthwhile.

These vulnerabilities are due to a range of different programming errors that often creep into code that handles complex data objects stored in a binary format, namely: buffer overflow, type confusion, use after free, integer overflow and null pointer dereference.

Well, here’s the thing: it seems that the Microsoft Office 2019 and Office 365 ProPlus products from Microsoft include support for FBX files – whether you use FBXes yourself or not – and that the code to process those files comes from Autodesk.

Therefore the latest versions of Office inherit these six CVE-tagged vulnerabilities from Autodesk, and five out of six of them are listed as allowing RCE, short for remote code execution.

Click to run

As you probably know, an RCE bug that is present when a vulnerable application processes a booby-trapped file often means that simply opening up or previewing that file could allow crooks to implant malware on your computer.

You typically won’t see any of the usual “do you want to download?” or “this file wants to run a program, are you sure?” warnings, so opening the file will not only feel innocent – as opening up a data file is supposed to be – but also appear innocent, too.

In other words, a crook could email you an FBX file – a file that isn’t a program and isn’t supposed to be a program – that puts you at risk of what Microsoft calls click to run.

A click-to-run bug isn’t quite as dangerous as a security hole that can be exploited remotely even when no one’s logged in, because you have to be tempted at least to look at the offending item.

But a click-to-run attack is much more dangerous than, say, a document file containing macros that have to be authorised as a second step after the document is opened.

And even if you think you’d never open an FBX file because it sounds unimportant or irrelevant, remember that:

• Crooks rarely send one phishing email at a time. Even if crooks aren’t directly targeting your company, their spam database probably contains multiple email entries for every company domain on the list anyway. The crooks don’t have to trick everyone – they can target anyone and win if they trick someone.
• Windows doesn’t show file extensions by default. A file called something.text.fbx will typically be displayed as something.text, which has a deceivingly safe look to it.

What to do?

Microsoft’s advisory states that it has “not identified any mitigating factors [or] workarounds for [these vulnerabilities]”.

So you know what we’re going to say, so we’ll say it quickly: Patch early, patch often.

And if you are an Autodesk customer, don’t forget to check for updates to affected Autodesk products.

The Autodesk list includes various verisons of: the FBX Software Development Kit (which is presumably how these bugs ended up in Office), Maya, Motion Builder, Mudbox, 3ds Max, Fusion, Revit, Flame, Infraworks, Navisworks and Autodesk AutoCAD.

One more thing

While you’re about it – because you can! – we recommend telling Windows not to suppress file extensions.

You might not yet know that files ending .JS (JavaScript) are actually programs rather than data files, and are generally very risky to open up directly on your computer.

But there’s a irony that once you do know what .JS files are, Windows doesn’t make it easy for you to use that knowledge to protect yourself.

Type file explorer in the search bar and launch the Windows File Explorer app; go to the View menu and check the box labelled File Name Extensions.

If you’re a syadmin, you can make this change for all your users via Windows Group Policy.

Latest Naked Security podcast

Remember the Shadow Brokers, the mysterious group that stole and leaked a collection of NSA files in 2016? Well, it’s the gift that keeps on giving. A security researcher claims to have unearthed a previously-unknown APT group after reading over some of the dumped files.

The Shadow Brokers published their stolen NSA files online in several batches. One of the largest was batch number five, which got the nickname ‘lost in translation’. In March 2018, Budapest University’s Laboratory of Cryptography and System Security (CrySys Lab) published a report picking apart this file drop. It focused on a file called sigs.py which contained 45 file signatures that government operatives could use to scan machines for infection. Each file signature could be linked to a different attack group. Some of the signatures, like Flame and Stuxnet, were already known. Others were less common. The lab identified one of them, a file called godown.dll in signature 37, as IronTiger_ASPXSpy. It got this reference from a file listing on VirusTotal.

Juan Guerrero-Saade, a security researcher and adjunct professor at Johns Hopkins University’s School of Advanced International Studies, wasn’t convinced, arguing that misleading files make their way onto VirusTotal all the time. He realised that the file in question was a 15Mb memory dump of a McAfee installer. In short, it’s a red herring.

Investigating godown.dllfurther, he found that the file was a drop from a larger multi-stage infection framework. The tools and techniques that the framework used indicated a unique cluster of activity. It pointed to an advanced persistent threat group that wasn’t publicly known until now.

Although it’s difficult to directly attribute the attack to a specific actor, Guerrero-Saade noted that some of the resources in the files mention Farsi (Persian), which is native to countries including Iran. The name used in the root debug path, c:/khzer, apparently means ‘to survey or monitor’ according to friends of his that are acquainted with the language, and so he decided to call the attack group Nazar, after the heart-shaped amulet supposed to protect people against the evil eye in many countries across the middle east.

While the evidence is far from conclusive, he said:

When we think about Iranians targeting we tend to think of western APTs. In this particular case if we were to take all of the attributed indicators at face value it sort of defies that general perception.

This could mean we’re looking at an Iranian-born cluster of activity that’s targeting what looks like exclusively Iranian victims he adds, pointing to previous domestic spying toolkits that have come to light in other countries, although he warns that further investigation is necessary to firm up that idea.

Despite the age of the leaked NSA files, he also mused that this activity could be ongoing. Many of these tools and techniques are notably dated (or “old-school” as he describes it in his excellent talk on the topic at the OPCDE Virtual Summit):

For example, the dropper, GPUpdates.exe, is an executable packager based on commercial software called Zip 2 Secure, which was last updated in 2012. The malware also sets up some other DLL files that reuse off-the-shelf commodity software for tasks including turning on microphones, key logging, and screen grabbing. It also includes an ancient packet sniffer.

Researchers at malware analysis company MalwareLab.pl investigated the EYService orchestrator that controlled the malware and found a long if-else tree that triggered various commands. These included recording audio, listing files and programs, and setting the command and control (C2) server.

He explained that the assets used appear to place the attack files between 2010 and 2013, and the attack targets Windows XP and prior. This doesn’t mean that the attack group is defunct, though. He added:

I don’t think this has subsided. If anything this is a super-old-school version and I’m sure there’s got to be some Vista-and-forward Windows version.

Latest Naked Security podcast

A team of 13 analysts at the Internet Watch Foundation (IWF) have used machine learning to help them figure out what secret code words are used by online communities of perverts to covertly talk about child sexual abuse images.

The IWF is a UK-based charity that every year removes tens of thousands of depraved images.

Sarah Smith, the technical projects officer who’s overseen IWF’s work, told Wired that the charity has been working on its database of paedophile slang for more than 10 years.

The abusers who trade this imagery have been developing a private, secret language over that time. At the dawn of the IWF’s work, over a decade ago, predators were openly sharing content through newsgroups, forums and on dedicated websites, often with clear descriptions of what the pictures depicted.

Chris Hughes, who leads the IWF’s team of 13 analysts, told Wired that back then, finding the content was as simple as a web search. You didn’t have to go to the Dark Web to find the material, given that it was easily available on the open web, he said:

It was possible to go to a search engine, type it in and get exactly what you wanted.

Up until a few weeks ago, the IWF’s database of paedophile slang contained about 450 words and phrases used to refer to abuse images. But over the last few weeks, that database has expanded to contain 3,681 more entries, with several hundred more still to be added.

Smith told Wired that the breakthrough came from the IWF’s development of an intelligent crawler that identifies new potential keywords. It works similar to those used by search engines such as Google’s: the IWF’s crawler scans parts of the web for potentially abusive content, including comments left on images or videos and metadata attached to files.

It’s targeted on what the IWF already knows, scanning sites that the IWF has already identified as potentially having child sexual abuse material.

The IWF has a huge database of URLs that it’s taken down over two decades of working on the scourge of abusive imagery. It’s now also incorporating machine learning technologies to help identify phrases commonly used.

Words and phrases don’t get added unless they appear in multiple places and are verified by humans. Otherwise, were innocuous phrases to be added automatically, it could lead to censorship.

The IWF isn’t publishing its list of keywords, for obvious reasons: it doesn’t want to show its cards to the predators. What the charity can say is that paedophiles use quotidian language, or made-up words, to refer to various types of abuse.

Hughes:

Some of them are almost alien. They don’t necessarily make a nice tidy word or phrase. They could be a collection of characters that don’t make an actual word.

He said it could be something as simple as a phrase like “purple cushions.” That’s not an actual example from the newly enlarged database. It’s just something that Hughes could see in front of him during his interview with Wired. “Purple cushions” is an illustration of how simple words can be used to indicate particular content, where that content can be found, the victim’s name, or a specific set of images.

Here’s Hughes again:

If you were to read something like that on a forum, where every other conversation is perhaps less covert, then we would take that phrase, do some additional searching on different sites and see if it produces results that give us an indication that ‘purple cushions’ is a phrase that people are using openly.

Abusers sometimes combine keywords with other words to impart meaning. Sometimes, they use several at one time to refer to certain images or behaviors, and sometimes they’re used in a particular combination.

Most of the newly expanded list of keywords are in English, but there are also terms in Dutch and German. In 2018, when the IWF removed 105,000 sites that were hosting abuse imagery, they found that some of the terms had been translated from Spanish. To further obscure meaning, some of the keywords were actually acronyms from one language, such as Spanish, that were then used with the English language, Hughes said.

Given the many layers of obfuscation, and given the danger of censoring everyday language that doesn’t have darker meaning, discerning context is crucial in this work, Smith said:

We have to try and follow the offender mindset and look at how they might be going about finding this content and try to disrupt that and cut those routes off.

The IWF expects that eventually, its members will implemented the expanded keywords list. It has more than 140 members, including Apple, Amazon, Google, Microsoft and Facebook, as well as Zoom, law enforcement groups and mobile phone operators.

Implementation will take some time, but the hope is that eventually, it will lead to the discovery and eradication of more child sexual abuse imagery than is now uncovered by the existing technique of using a database of hashed images to stop existing, previously identified content from being uploaded.

Smith:

By having a greater understanding of these slang terms that are associated with these images, we can find websites and locate images that we haven’t seen before. The significant amount of keywords we have now identified will make it very much harder for them to be able to use those to identify and locate this type of content.

Latest Naked Security podcast

Cybersecurity outfit ZecOps just published a blog post that is intriguingly entitled You’ve Got (0-click) Mail!

According to the article, the company recently did a forensic investigation into iPhones that had apparently been hacked.

Amongst the artefacts they found were suspiciously-constructed emails, dating right back to January 2018, that seemed to be targeting some sort of unknown iOS bug.

Fast-forward through what was no doubt a lot of serious machine code spelunking, and ZecOps worked out that the suspicious emails were, indeed, deliberately booby-trapped.

Just viewing or opening the emails, without clicking anything in the email itself, could cause one of two different crashes in the Apple mail app, and the crashes were provoked by content in the email that almost certainly didnt arise by chance.

For example, several of the so-called indicators of compromise (IoCs) published by ZecOps include the text strings AAA...AAA.

When strings of As appear in suspicious content, and then numbers that come out as 0x4141...4141 in hexadecimal show up in crash dumps provoked by that suspicious content (0x41414141 is the ASCII code for AAAA), there’s something very PoC-like (a PoC is a proof of concept) about what you’re seeing.

The string AAA...AAA is very commonly used in bug-hunting because it’s easy to type in; it’s a valid string of pure ASCII capital letters; it stands out notably in binary form as 0x4141...4141; and, on Intel chips at least, the string itself decompiles neatly into a sequence of single-byte machine code instructions (INC RCX operations on 64-bit Intel, as it happens) that don’t themselves mess with memory.

In ZecOps’s own words, the company has formed the opinion that an unknown attack group “purchased the exploit from a third-party researcher in a Proof of Concept (POC) [form] and used [it] ‘as-is’ or with minor modifications (hence the 4141..41 strings)“.

By tracing and analysing the crashes that the booby-trapped messages provoked, the researchers uncovered not one but two different memory overflow bugs in the message-handling library used by Apple’s email app.

Modern email messages are usually formatted as text laid out in a format called MIME, short for Multipurpose Internet Mail Extensions.

MIME allows emails to be split into multiple parts, including the message body, embedded images, and attachments such as images, videos and documents.

Apple’s MIME-processing library, it turns out, keeps its data in memory until a certain data size is reached (2Mbytes, apparently), after which it is saved to disk storage and accessed as needed.

This is a common programming technique – it helps to ensure not only that small data objects can be processed quickly, but also that big ones don’t bog down the rest of the device by eating up too much RAM.

The bugs here related to the point at which the MIME software library switched from caching message data in RAM to caching it on disk.

Ironically, the first vulnerability they found didn’t seem much use to an attacker on its own – it seems to have been an unintended side effect of the second vulnerability they uncovered, which they consider to be the one that the attackers were relying upon.

ZecOps disclosed the problems to Apple in February 2020, and was able to supply a PoC by the end of March 2020 to help Apple work on the bug .

How bad is it?

The good news is that Apple has already worked a fix into the next release of iOS, currently denoted 13.4.5 Beta, but as the version name indicates, this isn’t an official full release yet.

The other good news is that even though these newly disclosed bugs are technically zero day vulnerabilities, and even though at least one attack group seems to have been using them as one component in targeted attacks in the wild, they’re apparently not exploitable on their own.

As ZecOps says:

Q: Does the vulnerability require additional information to succeed?

A: Yes, an attacker would need to leak an address from the memory in order to bypass ASLR. We did not focus on this vulnerability in our research.

ASLR, of course, is address space layout randomisation, by which the operating system avoids using predictable memory locations for loading code and data.

This means that even if remote attackers can poke dangerous content into RAM – what’s often called shellcode in the jargon – they have little or no idea where it will end up, so they can’t reliably transfer control over it to take over the app. (Most likely, the app will simply crash.)

Additionally, attackers would need a secondary kernel-level vulnerability to get system-level control and thereby to escape from the strictures of the vulnerable app.

Of course, email apps typically contain plenty of juicy data all of their own, so a double-vulnerability compromise of the email app alone is still a worthwhile result for any attacker.

What to do?

As we’ve mentioned, the good news is that a permanent patch is due when the current iOS version (13.4.5) emerges from its Beta release.

So watch out for Apple’s next iOS update and make sure you get it as soon as it’s ready.

The other good news is these holes don’t seem to be directly exploitable, so their public disclosure during the current Beta program isn’t a direct invitation to crooks to start piling into iPhones around the world.

If you’re worried because you think your company profile aligns with the possible victims alluded to in ZecOps’s blog article, you could consider switching to a different email app until the next iOS update comes out.

Gmail and Outlook, for example, have their own email apps that you can use instead of Apple’s one, even if it means using two or more apps instead of leaving all your messsages to the built-in iPhone app.

Even though Apple’s own email app comes with iOS, it can be removed from your device (unlike core apps such as Safari, Phone and Messages).

To remove an app, hold down any app icon until all your icons start shaking (that’s the signal that you can move them around), and any removable apps will show up with an [X] button in the top left corner.

You can reinstall removed system apps via the App Store at any time – the built-in email app is called simply Mail by Apple.

Latest Naked Security podcast