jeudi 29 juin 2017

Infection as automatic update

0/ Intro

Everybody is talking about Petya^WNotPetya^WGolde^WPetWr^WAPT2^Wwhatever, and security researcher are doing their best in order to understand all the gory details under this so-called ransomware (or wiper?). Let them continue to do this hard work (thanks guys/girls for you to exist and provide insights), I want to focus on a specific point: the Infection Vector.

1/ Infection Vector

At this time of writing, the infection vector seems to come from M.E.Doc. https://web.archive.org/web/20170627204128/http://www.me-doc.com.ua/?&lang=en M.E.Doc is a company which seems related to tax payment and accounting. I didn't checked, but news said it's widespread, and the home page has a direct link to updates: https://web.archive.org/web/20170606134558/http://www.me-doc.com.ua/pages/obnovlenie.php

The alleged vector worked like this:

  • M.E.Doc was hacked (or a part of it)
  • The automatic update feature was abused
  • All users of M.E.Doc software downloaded a malware instead of a legitimate update

This reminds the waterholing way to infects users, where you infect website visited by your victims. But waterholing is hard because you need to have some 0days to infect your victims.

The infection vectors turns automatic updates to infection!

2/ The importance of this new vector

And that point is new. This is a nice and clean infection vector:

  • You can target precisely your users if you want (think APT, espionage) or widespread (think ransomware, banking trojan), just choose your software to update!
  • No need to search for 0day! The role of update mechanism is to download, execute and install software
  • Bypass everything: Administrators have already authorized automatic updates, whitelisted sites, and give rights for updates. Yes, because every security guy/girl shoots "DO UPDATES! ALWAYS! MANDATORY! NOW!" (And yes, I'm the first one to say it).

I think that's the main information to learn from this attack. A new vector is in town, how can we handle it to control its damage power. When your legitimate tools evolve into deadly weapon that bites you, how can you survive?


3/ attack surface

I've booted my windows VM, and just let it run. I got some warning about the update of winSCP, openoffice and firefox (yep, I don't boot it often).
I wonder how many program are updated through their own channels. We know that some update domains are still in plain HTTP, some other are not digitally signed, and do we know if updaters check the signatures, etc..

Worst, I wonder how many legit programs are outdated, abandoned, and for whom DNS update domains are now for sale. Look for old software, search for domain, buy them, and you have an attack vector. You won't get many victims, but it can become really targeted if a company still use one of those abandoned software. Is there any domain containing "update" in this list today: https://www.expireddomains.net/backorder-expired-domains/  ?

I'm not even speaking of all DNS related problems bitsquatting or just the forgotten payment for the domain, or DNS hijacking, etc..

z/ Outro

If the security researcher are right, you don't have to care for this malware. It was a one shot fire and it won't be triggered again.

However, I think it's urgent to check all your software base, verify all of those download points, and verify the mechanism. Signatures and/or PGP base updates won't help because you have to take into account that all of the update infrastructure can be corrupted. So, in probability, the search for quick win pirates will search for non digitally signed updates, then for HTTP (in case of MITM), and only after weak updates websites.

In other word, I'll prepare backups and recovery plans.