Friday, November 5, 2021

This Week in Security: The Battle Against Ransomware, Unicode, Discourse, and Shrootless

We talk about ransomware gangs quite a bit, but there’s another shadowy, loose collection of actors in that arena. Emsisoft sheds a bit of light on the network of researchers and law enforcement that are working behind the scenes to frustrate ransomware campaigns.

Darkside is an interesting case study. This is the group that made worldwide headlines by hitting the Colonial Pipeline, shutting it down for six days. What you might not realize is that the Darkside ransomware software had a weakness in its encryption algorithms, from mid December 2020 through January 12, 2021. Interestingly, Bitdefender released a decryptor on January 11. I haven’t found confirmation, but the timing seems to indicate that the release of the decryptor triggered Darkside to look for and fix the flaw in their encryption. (Alternatively, it’s possible that it was released in response to the fix, and time zones are skewing the dates.)

Emsisoft is very careful not to tip their hand when they’ve found a vulnerability in a ransomware. Instead, they have a network of law enforcement and security professionals that they share information with. This came in handy again when the Darkside group was spun back up, under the name BlackMatter.

Not long after the campaign was started again, a similar vulnerability was reintroduced in the encryption code. The ransomware’s hidden site, used for negotiating payment for decryption, seems to have had a vulnerability that Emsisoft was able to use to keep track of victims. Since they had a working decryptor, they were able to reach out directly, and provide victims with decryption tools.

This changed when the link to BlackMatter’s portal leaked on Twitter. It seems like many people hold ransomware gangs in less-than-high regard, and took the opportunity to inform BlackMatter of this fact, using that portal. In response, BlackMatter took down that portal site, cutting off Emsisoft’s line of information. Since then, the encryption vulnerability has been fixed, Emsisoft can’t listen in on BlackMatter anymore, and they released the story to encourage BlackMatter victims to contact them. They also suggest that ransomware victims always contact law enforcement to report the incident, as there may be a decryptor that isn’t public yet.

And finally, the latest news is that BlackMatter is shutting down. The notice calls out Law Enforcement action as part of the reason for shutting down, and mentions the “latest news”. It’s speculated that this is a reference to the October 26th arrests in Ukraine and Switzerland.

AtomSilo and LockFile

Avast has released a decryptor that covers both the AtomSilo and LockFile ransomware programs. This is based on the work of [Jiří Vinopal]. It’s a simple tool that backs up the encrypted files, and then attempts to decrypt them. Winner.

To FTP, or Not To FTP?

Google has been plotting the removal of the FTP protocol from Chrome for a long time, and with version 95, they have finally finished that task. There is no longer a flag to re-enable FTP, and the code has been purged from the project. For what it’s worth, Firefox has also disabled FTP support. The rationale for the change is to eliminate an attack surface, and remove code maintenance on the little-used feature. Google points out that there are very good dedicated FTP clients that we should be using.

Hidden In The Unicode

[Nicholas Boucher] and [Ross Anderson] have presented a paper detailing a really unique Unicode attack (PDF). This isn’t our first time looking at how Unicode can cause security problems, and won’t be our last. The problem here is the Unicode characters that mark text as left-to-right and right-to-left. The blocks created by those characters can be nested, resulting in some unexpected results. Let’s take a look:

bool isAdmin = false;
/* begin admins only */ if (isAdmin) {
    printf("You are an admin.\n");
/* end admins only */ }

The magic is in the comments. Here’s what the compiler sees, with the Unicode control characters expanded into mnemonics:

/*RLO } LRIif (isAdmin)PDI LRI begin admins only */
    printf("You are an admin.\n");
/* end admins only RLO } LRI*/

Since editors will respect the Unicode control characters, manual code review will miss the trickery. Because the characters are inside comments, the compiler will ignore them and compile the program as it is actually written. The real danger here is when this technique is combined with other supply chain attack techniques.

A typical first patch for a new coder is to clean up whitespace and comments. This introduces the possibility that such a patch is malicious, and you can’t tell without looking at it with a hex editor. The authors make a trio of mitigation suggestions: compiler warnings, formal language rules disallowing such shenanigans, and visible Unicode characters in text editors and related tools.

The Rust language has already taken action on this issue. The latest version, 1.56.1, contains a compiler lint that rejects the potentially problematic Unicode characters. GitHub has also rolled out a warning when these characters are detected. While the new attention is welcome, do note that this has been a known problem for a while.
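As an added example, not code from the article or from the paper, here is a small Python scanner in the spirit of the GitHub warning and Rust lint described above: it flags every bidirectional control character in a source file and prints the line with those characters expanded into the same mnemonics the article uses. The sample input is constructed from the article’s “admins only” snippet, with the control characters placed where the mnemonic rendering puts them.

```python
import sys

# Unicode bidirectional controls that can reorder how source text is
# displayed without changing what the compiler parses: explicit
# embeddings/overrides and their terminator, plus isolates and theirs.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def expand_bidi(line: str) -> str:
    """Replace each bidi control character with its mnemonic name."""
    return "".join(BIDI_CONTROLS.get(ch, ch) for ch in line)


def scan_source(text: str):
    """Return one (line_no, column, mnemonic, expanded_line) tuple per
    bidi control character found anywhere in the text, comments included,
    since the compiler ignores comment contents but the reviewer does not."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch], expand_bidi(line)))
    return findings


# Constructed sample: the article's snippet with real control characters
# inserted where its mnemonic rendering shows RLO/LRI/PDI.
SAMPLE = (
    "bool isAdmin = false;\n"
    "/*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    '    printf("You are an admin.\\n");\n'
    "/* end admins only \u202e } \u2066*/\n"
)


def main(paths):
    """Scan each file given on the command line; scan SAMPLE if none."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE)]
    for name, text in sources:
        for lineno, col, mnemonic, expanded in scan_source(text):
            print(f"{name}:{lineno}:{col}: bidi control {mnemonic} -> {expanded}")


if __name__ == "__main__":
    main(sys.argv[1:])
```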

Spoofing Amazon to RCE Discourse

[joernchen] has published a flaw in the Discourse web application. Discourse has an exposed endpoint, /webhooks/aws, that results in a call to open(), which is known to be dangerous to call with untrusted data. The protection here is that the supplied data must be signed by a signing certificate provided by Amazon, as this endpoint is specifically for AWS’s Simple Notification Service. At first glance, it seems bulletproof.

The problem is that the PEM certificate used for validation is specified by the incoming data. A regex verifies that the URL of that certificate is actually at Amazon. Ruby’s OpenSSL certificate parsing function is willing to ignore extra XML, so long as it finds a valid certificate embedded in the data it’s given.

So, all an attacker needs to do is to host a PEM certificate at the right place in their Amazon AWS settings, and specify a URL that will embed that cert. Discourse checks the .pem URL, validates that it matches the regex, and happily confirms that the request matches that certificate, thereby running attacker provided code. The flaw has been fixed in 2.7.9, and the latest 2.8.0 beta. If you’re running Discourse, go make sure you have this update.

Microsoft Breaks macOS

In what must be just a bit of Schadenfreude, Microsoft has announced a vulnerability that they discovered in macOS. This could allow an attacker to bypass Apple’s poorly named System Integrity Protection (SIP). SIP in this case isn’t a VoIP protocol, but a technique preventing even a root user from making certain modifications to a system. SIP is also referred to as rootless in some places. Rootless bypasses have been found before. For instance, if a kernel driver has a vulnerability, running code in the kernel context will automatically defeat this protection.

The new bypass is painfully simple. When Apple signed packages are installed, they are done in a super-root context. Some packages run a post-install script, which runs using the zsh shell. When zsh is invoked, it runs /etc/zshenv script automatically. Is the problem obvious yet? Push your jailbreak code into zshenv, install a package, and the system runs it automatically. Well played.
