S3 Ep140: So you think you know ransomware?

LISTEN AND LEARN

Gee Whizz BASIC (probably). Think you know ransomware? Megaupload, 11 years on. ASUS warns of critical router bugs. MOVEit mayhem Part III.

No audio player below? Listen directly on Soundcloud.

With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  Router woes, Megaupload in megatrouble, and more MOVEit mayhem.

All that and more on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

Paul, how do you do?


DUCK.  Just a disambiguation for our British and Commonwealth English listeners, Doug…


DOUG.  “Router.” [PRONOUNCED UK-STYLE AS ‘ROOTER’, NOT US-STYLE AS ‘ROWTER’]


DUCK.  You don’t mean the woodworking tools, I guess?


DOUG.  No! [LAUGHS]


DUCK.  You mean the things that let crooks break into your network if they’re not patched in time?


DOUG.  Yes!


DUCK.  Where the behaviour of what we would call a ‘ROOTER’ does to your network more like what a ‘ROWTER’ would do to the edge of your table? [LAUGHS]


DOUG.  Exactly! [LAUGHS]

We will get to that shortly.

But first, our This Week in Tech History segment.

Paul, this week, on 18 June, way back in 1979: a big step forward for 16-bit computing as Microsoft rolled out a version of its BASIC programming language for 8086 processors.

This version was backward compatible with 8-bit processors, making BASIC, which had been available for the Z80 and 8080 processors, and was found on some 200,000 computers already, an arrow in most programmers’ quivers, Paul.


DUCK.  What was to become GW-BASIC!

I don’t know whether this is true, but I keep reading that GW-BASIC stands for “GEE WHIZZ!” [LAUGHS]


DOUG.  Ha! [LAUGHTER]


DUCK.  I don’t know whether that’s true, but I like to think it is.


DOUG.  Alright, let’s get into our stories.

Before we get to stuff that’s in the news, we are pleased, nay thrilled, to announce the first of three episodes of Think You Know Ransomware?

This is a 48-minute documentary series from your friends at Sophos.

“The Ransomware Documentary” – brand new video series from Sophos starting now!

The first episode, called Origins of Cybercrime, is now available for viewing at https://sophos.com/ransomware.

Episode 2, which is called Hunters and Hunted, will be available on 28 June 2023.

Episode 3, Weapons and Warriors, will drop on 5 July 2023.

Check it out at https://sophos.com/ransomware.

I have seen the first episode, and it is great.

It answers all the questions you may have about the origins of this scourge that we keep fighting year after year, Paul.


DUCK.  And it feeds very nicely into what regular listeners will know is my favourite saying (I hope I haven’t turned it into a cliche by now), namely: Those who cannot remember history are condemned to repeat it.

Don’t be that person! [LAUGHS]


DOUG.  Alright, let’s stick on the subject of crime.

Prison time for two of the four Megaupload founders.

Copyright infringement at issue here, Paul, and about a decade in the making?

Megaupload duo will go to prison at last, but Kim Dotcom fights on…


DUCK.  Yes.

Remember last week when I paraphrased that joke about, “Oh, you know what buses are like? None come for ages, and then three arrive at once?” [LAUGHTER]

But I had to parlay it into “two arrive at once”…

…and no sooner had I said it than the third one arrived. [LAUGHTER]

And this is out of New Zealand, or Aotearoa, as it’s alternatively known.

Megaupload was an infamous early so-called “file locker” service.

That’s not “file locker” as in ransomware that locks up your files.

It’s “file locker” like a gym locker… the cloud place where you upload files so you can get them later.

That service got taken down, primarily because the FBI in the US got a takedown order, and alleged that its primary purpose was actually not so much to be a mega *upload* service as to be a mega *download* service, the business model of which was based on encouraging and incentivising copyright infringement.

The primary founder of this business is a well known name: Kim Dotcom.

And that really is his surname.

He changed his name (I think he was originally Kim Schmitz) to Kim Dotcom, created this service, and he’s just been fighting extradition to the US and continues to do so, even though the Aotearoa courts have ruled that there’s no reason why he can’t be extradited.

One of the other four, a chap by the name of Finn Batato, sadly died of cancer last year.

But two of the other individuals who were the prime movers of the Megaupload service, Mathias Ortmann and Bram van der Kolk…

…they fought extradition (you can understand why) to the US, where they potentially faced large prison sentences.

But eventually they seemed to have done a deal with the courts in NZ [New Zealand/Aotearoa] and with the FBI and the Department of Justice in the US.

They agreed to be prosecuted in NZ instead, to plead guilty, and to assist the US authorities in their ongoing investigation.

And they ended up with prison sentences of 2 years 7 months and 2 years 6 months respectively.


DOUG.  The judge in that case had some interesting observations, I felt.


DUCK.  I think you’re right there, Doug.

Notably, that it wasn’t a question of the court saying, “We accept the fact that these massive megacorporations all around the world lost billions and billions of dollars.”

In fact, the judge said that you have to take those claims with a pinch of salt, and quoted evidence to suggest that you can’t just say that everybody who downloaded a pirated video would otherwise have bought the original.

So you can’t add up the monetary losses in the way that some of the megacorps like to do so.

Nevertheless, he said, that doesn’t make it right.

And even more importantly, he said, “You really did hurt the little guys as well, and that matters just as much.”

And he quoted the case of an indie software developer from the South Island in NZ who had written to the court to say, “I noticed piracy was making a big dent in my income. I found that 10 or 20 times I had to appeal to Megaupload to have infringing content taken down; it took me a lot of time to do that, and it never made the slightest difference. And so I’m not saying that they are entirely responsible for the fact that I could no longer make a living out of my business, but I am saying I went to all this effort to get them to take the stuff down which they said they would do, but it never worked.”

Actually that came out elsewhere in the judgment… which is 38 pages, so it’s quite a long read, but it’s very readable and I think it’s very well worth reading.

Notably, the judge said to the defendants that they had to bear responsibility for the fact that they admitted that they didn’t want to get too tough on copyright infringers because “Growth is mainly based on infringement.”

And he also noted that they devised a takedown system that basically, if there were multiple URLs to download the same file…

…they kept one copy of the file, and if you complained about the URL, they would take down *that URL*.


DOUG.  Ah ha!


DUCK.  So you would think they’d removed the file, but they would leave the file there.

And he described that as follows: “You knew, and intended, that takedowns would have no material effect.”

Which is exactly what this indie Kiwi software developer had claimed in his statement to the court.

And they certainly must have made a lot of money out of it.

If you look at the photos from the controversial raid on Kim Dotcom back in 2012…

…he had this enormous property, and all these flash cars with weird number plates [vehicle tags] like GOD and GUILTY, as though he was anticipating something. [LAUGHS]

Megaupload takedown makes headlines and waves as Mr Dotcom applies for bail

So, Kim Dotcom is still fighting his extradition, but these other two have decided that they want to get it all over with.

So they pleaded guilty, and as some of our commenters have pointed out on Naked Security, “Golly, for what it seems that they did when you read through the judgment in detail, it does sound that their sentence was light.”

But the way it was calculated is the judge worked out that he thought that the maximum sentences they should get under Aotearoa law should be about 10 years.

And then he figured, based on the fact they were pleading guilty, that they were going to cooperate, that they’re going to pay back $10 million, and so on and so on, that they should get 75% off.

And my understanding is that means that they will put to bed this fear that they will be extradited to the US, because my understanding is the Department of Justice has said, “OK, we’ll let the conviction and the sentencing happen in another country.”

More than ten years on, and still not over!

You’d better say it, Doug…


DOUG.  Yesss!

We will keep an eye on this.

Thank you; let’s move on.

If you’ve got an ASUS router, you may have some patching to do, although quite a murky timeline here for some pretty dangerous vulnerabilities, Paul.

ASUS warns router customers: Patch now, or block all inbound requests


DUCK.  Yes, it isn’t incredibly clear quite when these patches came out for the various many models of router that are listed in the advisory.

Some of our readers are saying, “Well, I went and had a look; I’ve got one of those routers and it’s on the list, but there are no patches *now*. But I did get some patches a little while ago that seemed to fix these problems… so why the advisory *now*?”

And the answer is, “We don’t know.”

Except, perhaps, that ASUS have discovered that the crooks are onto these?

But it’s not just, “Hey, we recommend you patch.”

They’re saying you need to patch, and if you’re unwilling or unable to do so, then we “strongly recommend to (which basically means ‘you had better’) disable services accessible from the WAN side of your router to avoid potential unwanted intrusions.”

And that’s not just your typical warning, “Oh, make sure that your admin interface isn’t visible on the internet.”

They’re noting that what they mean by blocking incoming requests is that you need to turn off basically *everything* that involves the router accepting the outside initiating some network connection…

…including remote administration, port forwarding (bad luck if you use that for gaming), dynamic DNS, any VPN servers, and what they call port triggering, which I guess is port knocking, where you wait for a particular connection and only when you see that connection do you then fire up a service locally.

So it’s not just web requests that are dangerous here, or that there might be some bug that lets someone log in with a secret username.

It’s a whole range of different types of network traffic that if it can reach your router from the outside, could pwn your router, it seems.

So it does sound terribly urgent!


DOUG.  The two main vulnerabilities here…

…there is a National Vulnerability Database, the NVD, which scores vulnerabilities on a scale of one to ten, and both of these are 9.8/10.

And then there’s a whole bunch of other ones that are 7.5, 8.1, 8.8… a whole bunch of stuff that’s pretty dangerous here. Paul.


DUCK.  Yes.

“9.8 CRITICAL”, all in capital letters, is the kind of thing that means [WHISPERING], “If the crooks figure this out, they are going to be all over it like a rash.”

And what’s perhaps the weirdest about those two 9.8/10 badness-score vulns is that one of them is CVE-2022-26376, and that’s a bug in HTTP unescaping, which is basically when you have a URL with funny characters in, like, spaces…

…you can’t legally have a space in the URL; you have to put %20 instead, its hexadecimal code.

That’s pretty fundamental to processing any sort of URL on the router.

And that was a bug that was revealed, as you can see from the number, in 2022!

And there’s another one in the so called Netatalk protocol (that provides support for Apple computers) which was the vulnerability, Doug, CVE-2018-1160.


DOUG.  That was a long time ago!


DUCK.  It was!

It was actually fixed in a version of Netatalk which I think was version 3.1.12, which came out on 20 December *2018*.

And they’re only warning about “you need to get the new version of Netatalk” right now, because that too, it seems, can be exploited via a rogue packet.

So you don’t need a Mac; you don’t need Apple software.

You just need something that talks Netatalk in a dodgy way, and it can give you arbitrary memory write access.

And with a 9.8/10 bug score, you have to assume that means “remote outsider pokes in one or two network packets, takes over your router completely with root level access, remote code execution horror!”

So quite why it took them that long to warn people that they needed to get the fix for this five year old bug…

…and why they didn’t actually have the fix for the five year old bug five years ago is not explained.


DOUG.  OK, so there is a list of routers that you should check, and if you can’t patch, you’re supposed to do all that “block all the inbound stuff”.

But I think our advice would be patch.

And my favourite advice: If you’re a programmer, sanitise thine inputs, please!


DUCK.  Yes, Little Bobby Tables has appeared yet again, Doug.

Because one of the other bugs that wasn’t at the 9.8 level (this was at the 7/10 or 8/10 level) was CVE-2023-28702.

It’s basically the MOVEit-type bug all over again: Unfiltered special characters in web URL input could cause command injection.

So that sounds like a pretty broad brush for cybercriminals to paint with.

And there was CVE-2023-31195 that caught my attention, under the guise of a Session hijack.

The programmers were setting what are essentially authentication token cookies… those magic strings that, if the browser can feed them back in future requests, proves to the server that earlier on in the session the user logged in, had the right username, the right password, the right 2FA code, whatever.

And now they’re bringing this magic “access card”.

So, you’re supposed to tag those cookies, when you set them, so that they will never get transmitted in unencrypted HTTP requests.

That way it makes it much harder for a crook to hijack them… and they forgot to do that!

So that’s another thing for programmers: Go and review how you set really significant cookies, ones that either have private information in them or have authentication information in them, and make sure you are not leaving them open to inadvertent and easy exposure.


DOUG.  I am marking this down (against my better judgment, but this is the second of two stories so far) as one that we will keep an eye on.


DUCK.  I think you’re right, Doug, because I don’t really know why, given that for some of the routers these patches had already appeared (albeit later than you might have wanted)… why *now*?

And I guess that part of the story may still have to emerge.


DOUG.  Turns out that we absolutely cannot *not* keep an eye on this MOVEit story.

So, what do we have this week, Paul?

MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”


DUCK.  Well, sadly for Progress Software, the third bus came along at once, as it were. [LAUGHTER]

So, just to recap, the first one was CVE-2023-34362, which is when Progress Software said, “Oh no! There’s a zero-day – we genuinely didn’t know about this. It’s a SQL injection, a command injection problem. Here’s the patch. But it was a zero-day, and we found out about it because ransomware crooks, extortion crooks, were actively exploiting this. Here are some Indicators of Compromise [IoCs].”

So they did all the right things, as quickly as they could, once they knew that there was a problem.

Then they went and reviewed their own code, figuring, “You know what, if the programmers made that mistake in one place, maybe they made some similar mistakes in other parts of the code.”

And that led to CVE-2023-35036, where they proactively patched holes that were like the original one, but as far as they knew, they found them first.

And, lo and behold, there was then a third vulnerability.

This one is CVE-2023-35708, where it seems that the person who found it, surely knowing full well that Progress Software was entirely open to responsible disclosure and prompt reaction…

…decided to go public anyway.

So I don’t know whether you call that “‘full disclosure” (I think that’s the official name for it), “irresponsible disclosure” (I’ve heard it referred to like that by other people at Sophos), or “dropping 0-day for fun”, which is how I think of it.

So that was a little bit of a pity.

And so Progress Software said, “Look, somebody dropped this 0-day; we didn’t know about it; we’re working on the patch. In this tiny interim period, just turn off your web interface (we know it’s a hassle), and let us finish testing the patch.”

And within about a day they said, “Right, here is the patch, now apply it. Then, if you want, you can turn your web interface back on.”

So I think, all in all, although it’s a bad look for Progress Software for having the bugs in the first place…

…if this should ever happen to you, then following their kind of response is, in my opinion, a pretty jolly decent way to do it!


DOUG.  Yes, we do have praise for Progress Software, including our comment for this week on this story.

Adam comments:

Seems like rough going for MOVEit lately, but I applaud them for their quick, proactive, and apparently honest work.

They could theoretically have tried to keep this all quiet, but instead they’ve been pretty up-front about the problem and what needs to be done about it.

At the very least it makes them look more trustworthy in my eyes…

…and I think that’s a sentiment that’s shared with others as well, Paul.


DUCK.  It is indeed.

We’ve heard the same thing on our social media channels too: that although it’s regrettable they had the bug, and everyone wishes they didn’t, they’re still inclined to trust the company.

In fact, they may be inclined to trust the company more than they were before, because they think that they keep cool heads in a crisis.


DOUG.  Very good.

Alright, thank you, Adam, for sending that in.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  Stay secure!

[MUSICAL MODEM]


go top