This Week In Security: The Battle Against Ransomware, Unicode, Discourse, And Shrootless

We talk about ransomware gangs quite a bit, but there’s another shadowy, loose collection of actors in that arena. Emsisoft sheds a bit of light on the network of researchers and law enforcement that are working behind the scenes to frustrate ransomware campaigns.

Darkside is an interesting case study. This is the group that made worldwide headlines by hitting the Colonial Pipeline, shutting it down for six days. What you might not realize is that the Darkside ransomware software had a weakness in its encryption algorithms, from mid December 2020 through January 12, 2021. Interestingly, Bitdefender released a decryptor on January 11. I haven’t found confirmation, but the timing seems to indicate that the release of the decryptor triggered Darkside to look for and fix the flaw in their encryption. (Alternatively, it’s possible that it was released in response the fix, and time zones are skewing the dates.)

Emsisoft is very careful not to tip their hand when they’ve found a vulnerability in a ransomware. Instead, they have a network of law enforcement and security professionals that they share information with. This came in handy again when the Darkside group was spun back up, under the name BlackMatter.

Not long after the campaign was started again, a similar vulnerability was reintroduced in the encryption code. The ransomware’s hidden site, used for negotiating payment for decryption, seems to have had a vulnerability that Emsisoft was able to use to keep track of victims. Since they had a working decryptor, they were able to reach out directly, and provide victims with decryption tools.

This changed when the link to BlackMatter’s portal leaked on Twitter. It seems like many people hold ransomware gangs in less-than-high regard, and took the opportunity to inform BlackMatter of this fact, using that portal. In response, BlackMatter took down that portal site, cutting off Emsisoft’s line of information. Since then, the encryption vulnerability has been fixed, Emisoft can’t listen in on BlackMatter anymore, and they released the story to encourage BlackMatter victims to contact them. They also suggest that ransomware victims always contact law enforcement to report the incident, as there may be a decryptor that isn’t public yet.

And finally, the latest news is that BlackMatter is shutting down. The notice calls out Law Enforcement action as part of the reason for shutting down, and mentions the “latest news”. It’s speculated that this is a reference to the October 26th arrests in Ukraine and Switzerland.

AtomSilo and LockFile

Avast has released a decryptor that covers both the AtomSilo and LockFile ransomware programs. This is based on the work of [Jiří Vinopal]. It’s a simple tool that backs up the encrypted files, and then attempts to decrypt them. Winner.

To FTP, or Not To FTP?

Google has been plotting the removal of the FTP protocol from Chrome for a long time, and with version 95, they have finally finished that task. There is no longer a flag to re-enable FTP, and the code has been purged from the project. For what it’s worth, Firefox has also disabled FTP support. The rational for the change is to eliminate an attack surface, and remove code maintenance on the little-used feature. Google points out there there are very good dedicated FTP clients that we should be using.

Hidden In The Unicode

[Nicholas Boucher] and [Ross Anderson] have presented a paper detailing a really unique Unicode attack (PDF). This isn’t our first time looking at how Unicode can cause security problems, and won’t be our last. The problem here is the Unicode characters that mark text as left-to-right and right-to-left. The blocks created by those characters can be nested, resulting in some unexpected results. Let’s take a look:

bool isAdmin = false;
/* begin admins only */ if (isAdmin) {
    printf("You are an admin.\n");
/* end admins only */ }

The magic is in the comments. Here’s what the compiler sees, but the Unicode expanded into mnemonics:

/*RLO } LRIif (isAdmin)PDI LRI begin admins only */
    printf("You are an admin.\n");
/* end admins only RLO } LRI*/

Since editors will respect the Unicode control characters, manual code review will miss the trickery. Because the characters are inside comments, the compiler will ignore them and compile the program as it is actually written. The real danger here is when this technique is combined with other supply chain attack techniques.

A typical first patch for a new coder is to clean up whitespace and comments. This introduces the possibility that such a patch is malicious, and you can’t tell without looking at it with a hex editor. The authors make a trio of mitigation suggestions: compiler warnings, formal language rules disallowing such schenanigans, and visible Unicode characters in text editors and related tools.

The Rust language has already taken action on this issue. The latest version, 1.56.1, contains a compiler lint that rejects the potentially problematic Unicode characters. Github has also rolled out a warning when these characters are detected. While the new attention is welcome, do note that this has been a known problem for a while.

Spoofing Amazon to RCE Discourse

[joernchen] has published a flaw in the discourse web application. Discourse has an exposed endpoint, /webhooks/aws, that results in a call to open(), which is known to be dangerous to call with untrusted data. The protection here is that the supplied data must be signed by a signing certificate provided by Amazon, as this endpoint is specifically for AWS’s Simple notification service. At first glance, it seems bulletproof.

The problem is that the PEM certificate used for validation is specified by the incoming data. A regex verifies that the url of that certificate is actually at Amazon. Ruby’s OpenSSL certificate parsing function is willing to ignore extra XML, so long as it finds a valid certificate embedded in the data it’s given.

So, all an attacker needs to do is to host a PEM certificate at the right place in their Amazon AWS settings, and specify a URL that will embed that cert. Discourse checks the .pem URL, validates that it matches the regex, and happily confirms that the request matches that certificate, thereby running attacker provided code. The flaw has been fixed in 2.7.9, and the latest 2.8.0 beta. If you’re running Discourse, go make sure you have this update.

Microsoft Breaks macOS

In what must be just a bit of Schadenfreude, Microsoft has announced a vulnerability that they discovered in macOS. This could allow an attacker to bypass Apple’s poorly named System Integrity Protection (SIP). SIP in this case isn’t a VoIP protocol, but a technique preventing even a root user from making certain modifications to a system. SIP is also referred to as rootless in some places. Rootless bypasses have been found before. For instance, if a kernel driver has a vulnerability, running code in the kernel context will automatically defeat this protection.

The new bypass is painfully simple. When Apple signed packages are installed, they are done in a super-root context. Some packages run a post-install script, which runs using the zsh shell. When zsh is invoked, it runs /etc/zshenv script automatically. Is the problem obvious yet? Push your jailbreak code into zshenv, install a package, and the system runs it automatically. Well played.

20 thoughts on “This Week In Security: The Battle Against Ransomware, Unicode, Discourse, And Shrootless

    1. Actually it is ‘transparent’ net. :) It’s not a deal breaker. There are many ftp clients that can do the job.

      The PI OS has an sftp server available by default. Use it a lot when transferring programs up to the RPI or to get files off the RPI. Handy when working from the command line.

      At work we use sftp for some of our ‘external’ data transfers. On a private link we still use ftp. Go figure.

  1. Colonial Pipeline’s billing system was compromised while the operational technology systems were not affected. According to CNN sources in the company, the inability to bill the customers was the reason for halting the pipeline operation.

    1. Not convinced. If they knew what was in the pipe and who was taking it, they could work out who to bill for what later. So if they couldn’t do that, then they couldn’t know what was being supplied to whom, which effectively means the operations was affected.

      1. You’re not convinced that a corporation decided they rather halt pumping than spend extra money? You obviously don’t understand how corporations work.

        The fact that you are not convinced has no bearing on reality. This was public knowledge at the time of the hack.

    1. What sort of Schrödinger’s Grandparents do you have who are technically apt enough to need to be downloading things hosted on FTP sites, yet paradoxically technically inept enough to not know how to operate an FTP client?

  2. “Microsoft Breaks macOS”, could this finally be a way to remove Siri without the massive faf involved in disabling SIP long enough to purge it from my system, only for the bugger to get re-installed with an update.

  3. I hate Unicode. Unicode is bad (and has many other problems than only the one mentioned here). I use non-Unicode locale and non-Unicode text editors, to avoid the problem mentioned.

    (If you need to write in other languages such as Japanese or Hebrew or whatever, then you can use the appropriate encodings for those languages (e.g. EUC-JP for Japanese writing), instead of Unicode.)

  4. In Linux/xBSD SFTP & SCP usually come built-in with OpenSSH. Most people at the CLI use SFTP over SCP. SCP is a bit faster than SFTP, both SCP and SFTP use the same encryption as SSH, SFTP has more options compared with SCP.[1][2] For Windows there is WinSCP.[3][4] WinSCP (Windows Secure Copy) is a free and open-source SSH File Transfer Protocol (SFTP), File Transfer Protocol (FTP), WebDAV, Amazon S3, and secure copy protocol (SCP) client for Microsoft Windows. WinSCP is usually downloaded as an installer, however you can download WinSCP as a standalone/portable application.[5]

    * References:

    1. SCP or SFTP: Which is Better?

    https://www.cerberusftp.com/comparing-scp-vs-sftp-which-is-better/

    2. Is SCP More Secure Than SFTP?

    https://www.ipswitch.com/blog/is-scp-more-secure-than-sftp

    3. WinSCP – Wikipedia

    https://en.wikipedia.org/wiki/WinSCP

    4. WinSCP – Home

    https://winscp.net/eng/index.php

    5. WinSCP – Standalone/Portable Operation

    https://winscp.net/eng/docs/portable

Leave a Reply to przemek klosowskiCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.