This Week in Security: The Battle Against Ransomware, Unicode, Discourse and Shrootless


We talk a lot about ransomware gangs, but there is another obscure and secretive collection of actors in this arena. Emsisoft sheds some light on the network of researchers and law enforcement agencies working behind the scenes to thwart ransomware campaigns.

Darkside is an interesting case study. This is the group that made headlines around the world by hitting the Colonial Pipeline, shutting it down for six days. What you might not realize is that the Darkside ransomware had a weakness in its encryption from mid-December 2020 until January 12, 2021. Interestingly, Bitdefender released a decryptor on January 11. I couldn’t find confirmation, but the timing suggests that the release of the decryptor prompted Darkside to find and fix the weakness in their encryption. (Alternatively, it’s possible that the decryptor was released in response to the fix and that time zones are skewing the dates.)

Emsisoft is very careful not to tip its hand when it discovers a vulnerability in a ransomware family. Instead, it has a network of law enforcement and security professionals with whom it shares the information. This came in handy again when the Darkside group re-formed as BlackMatter.

Shortly after the campaign restarted, a similar vulnerability was reintroduced into the encryption code. The hidden ransomware site used to negotiate payment for decryption also appears to have had a vulnerability, which Emsisoft may have used to track victims. Since they had a working decryptor, they were able to contact victims directly and provide them with decryption tools.

This changed when the link to the BlackMatter portal was leaked on Twitter. It seems that many people don’t hold ransomware gangs in high regard, and they took the opportunity to let BlackMatter know exactly what they thought of them through this portal. In response, BlackMatter took the portal down, severing Emsisoft’s line of information. Since then the encryption vulnerability has been fixed, so Emsisoft can no longer eavesdrop on BlackMatter, and they have published the story to encourage BlackMatter victims to contact them. They also suggest that ransomware victims always report the incident to law enforcement, as there may be a decryptor that is not yet public.

And finally, the latest news is that BlackMatter is shutting down. The notice cites law enforcement action as part of the reason for the closure and mentions the “latest news”. It is assumed that this refers to the arrests of October 26 in Ukraine and Switzerland.

AtomSilo and LockFile

Avast has released a decryptor that covers both the AtomSilo and LockFile ransomware families. It is based on the work of [Jiří Vinopal]. It is a simple tool that backs up the encrypted files and then attempts to decrypt them. A clear win.

To FTP or not to FTP?

Google has long planned to remove the FTP protocol from Chrome, and with version 95 they have finally finished the job. There is no longer a flag to re-enable FTP, and the code has been purged from the project. For what it’s worth, Firefox has disabled FTP support as well. The reasons for the change are to eliminate an attack surface and to drop the maintenance burden of rarely used functionality. Google points out that there are some very good dedicated FTP clients that we should be using instead.

Hidden in Unicode

[Nicholas Boucher] and [Ross Anderson] have published a paper detailing a truly novel Unicode attack (PDF). This isn’t the first time we’ve looked at how Unicode can cause security issues, and it won’t be the last. The problem here is the Unicode control characters that mark text as left-to-right or right-to-left. The blocks created by these characters can be nested, leading to unexpected results. Let’s take a look:

bool isAdmin = false;
/* begin admins only */ if (isAdmin) {
    printf("You are an admin.\n");
/* end admins only */ }

The magic is in the comments. Here’s what the compiler sees, with the Unicode control characters written out as mnemonics:

/*RLO } LRIif (isAdmin)PDI LRI begin admins only */
    printf("You are an admin.\n");
/* end admins only RLO } LRI*/

Since editors honor Unicode control characters, manual code review will miss the trick. Since the characters sit inside comments, the compiler ignores them and compiles the program as it is actually written. The real danger is when this technique is combined with other supply chain attack techniques.

A typical first contribution from a new coder is to clean up whitespace and comments. This introduces the possibility that such a fix could be malicious, and you can’t tell without looking at it in a hex editor. The authors make a trio of mitigation suggestions: compiler warnings, formal language rules prohibiting such patterns, and making these Unicode characters visible in text editors and associated tools.

The Rust language has already acted on this issue. The latest version, 1.56.1, includes a compiler lint that rejects potentially problematic Unicode characters. GitHub has also deployed a warning when these characters are detected. While the new attention is welcome, note that this has been a known issue for a while.
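The kind of check the Rust lint and the GitHub warning perform, as an added Ruby example (not code from the paper, from Rust or from GitHub): it reports every bidi control character in a source file with its line, column and mnemonic, and can rewrite the controls as visible markers so the order the compiler sees becomes apparent. The sample input is constructed from the snippet above.

```ruby
# Bidi embedding, override and isolate controls (code point => mnemonic).
BIDI_CONTROLS = {
  0x202A => "LRE", 0x202B => "RLE", 0x202D => "LRO", 0x202E => "RLO", 0x202C => "PDF",
  0x2066 => "LRI", 0x2067 => "RLI", 0x2068 => "FSI", 0x2069 => "PDI",
}.freeze

# Scan source text and return one finding per control character found.
# Columns are 1-based and count characters, not bytes.
def find_bidi_controls(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    text.each_char.with_index(1) do |ch, col|
      name = BIDI_CONTROLS[ch.ord]
      next unless name
      findings << { line: lineno, col: col, name: name, codepoint: format("U+%04X", ch.ord) }
    end
  end
  findings
end

# Replace each control with a visible mnemonic, as a hardened editor or diff
# viewer might, so the real token order is no longer hidden by rendering.
def reveal_bidi_controls(source)
  source.each_char.map { |ch| (n = BIDI_CONTROLS[ch.ord]) ? "<#{n}>" : ch }.join
end

# Constructed sample: the snippet above with real RLO/LRI/PDI characters in
# the comments, written as \u escapes so this file itself stays clean.
TROJAN_SAMPLE = <<~SRC
  bool isAdmin = false;
  /*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */
      printf("You are an admin.\\n");
  /* end admins only \u202E } \u2066*/
SRC

if __FILE__ == $PROGRAM_NAME
  find_bidi_controls(TROJAN_SAMPLE).each do |f|
    puts "line #{f[:line]}, col #{f[:col]}: #{f[:name]} (#{f[:codepoint]})"
  end
  puts reveal_bidi_controls(TROJAN_SAMPLE)
end
```

Run it against a repository checkout and any non-empty result on a source or configuration file deserves a look; legitimate uses of these controls outside string literals in RTL locales are rare.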

Spoofing Amazon for Discourse RCE

[joernchen] wrote up a flaw in the Discourse web application. Discourse has an exposed endpoint, /webhooks/aws, which leads to a call to open(), a function known to be dangerous when called with untrusted data. The protection here is that the submitted data must be signed by a signing certificate provided by Amazon, as this endpoint exists specifically for the AWS Simple Notification Service. At first glance, it looks bulletproof.

The problem is that the PEM certificate used for validation is specified by the incoming data itself. A regular expression checks that the URL of this certificate is on Amazon. Ruby’s OpenSSL certificate parser is happy to ignore the surrounding XML, as long as it finds a valid certificate embedded somewhere in the data handed to it.

So all an attacker needs to do is host a PEM certificate in the right place in their own AWS account and supply a URL that embeds this certificate. Discourse fetches the .pem URL, validates that it matches the regular expression, and happily confirms that the request matches this certificate, thus executing the code provided by the attacker. The flaw has been fixed in version 2.7.9 and in the latest beta, 2.8.0. If you are using Discourse, make sure you have this update.
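Two defensive checks that close the gap described above, as an added Ruby example that is not Discourse’s own code: the certificate URL is pinned to the SNS service host rather than to anything on amazonaws.com, and the fetched body must be exactly one PEM block, since OpenSSL’s lenient reader otherwise accepts a certificate buried in other content. The function names are hypothetical, the self-signed certificate is constructed for the demonstration, and the SNS host pattern (https://sns.<region>.amazonaws.com/<name>.pem) is an assumption about where AWS publishes its signing certificates.

```ruby
require "uri"
require "openssl"

# The weak approach described above: any URL mentioning amazonaws.com passes,
# including objects an attacker hosts in their own AWS account.
def weak_cert_url_ok?(url)
  url.match?(/amazonaws\.com/)
end

# Hardened: HTTPS only, an exact SNS service host, a plain .pem path,
# and no userinfo or query string that could smuggle in another host.
SNS_CERT_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com\z/i
def strict_cert_url_ok?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTPS) && uri.userinfo.nil? && uri.query.nil? &&
    SNS_CERT_HOST.match?(uri.host.to_s) &&
    uri.path.match?(%r{\A/[A-Za-z0-9._-]+\.pem\z})
rescue URI::Error
  false
end

# OpenSSL's PEM reader skips everything before the BEGIN line and after the
# END line, which is why a certificate wrapped in XML still parses.
def openssl_accepts?(body)
  OpenSSL::X509::Certificate.new(body)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# Hardened: the body must be exactly one PEM certificate block, and parse.
PEM_ONLY = %r{\A-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?\z}
def strict_pem?(body)
  PEM_ONLY.match?(body) && openssl_accepts?(body)
end

# Constructed self-signed certificate standing in for a fetched .pem file.
def sample_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-sample")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end
```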

Microsoft breaks macOS

In what must be just a bit of Schadenfreude, Microsoft announced a vulnerability it discovered in macOS. It could allow an attacker to bypass Apple’s unfortunately named System Integrity Protection (SIP). SIP in this case is not a VoIP protocol but a mechanism that prevents even the root user from making certain changes to the system. SIP is also referred to as “rootless” in some places. Rootless bypasses have been found before. For example, if a kernel driver has a vulnerability, running code in the context of the kernel automatically sidesteps that protection.

The new bypass is painfully simple. When Apple-signed packages are installed, the installation runs in a super-root context. Some packages run a post-install script, which runs in the zsh shell. When zsh is invoked, it automatically executes the /etc/zshenv script. Is the problem obvious yet? Drop your jailbreak code into zshenv, install a package, and the system runs it for you. Good game.
