SERIES: Security Now!
DATE: March 26, 2019
TITLE: Tesla, Pwned
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: This week on Security Now! we have the return of “Clippy,” Microsoft's much-loathed dancing paperclip; operation “ShadowHammer,” which reports say compromised ASUS (but did it?); the ransomware attack on Norsk Hydro aluminum; the surprise renaming of Windows Defender; a severe bug revealed in the most popular PDF-generating PHP library; an early look at Microsoft's forthcoming Chromium-based web browser; hope for preventing caller ID spoofing; a needed update for users of PuTTY; Mozilla's decision to conditionally rely upon Windows' root store; Microsoft to offer virtual Windows 7 and 10 desktops through Azure; details of the Windows 7 End of Life warning dialog; then a bit of Sci-Fi, SQRL and SpinRite news, followed by our look at the results of the much anticipated Mid-March Vancouver Pwn2Own competition - one of the results of which our episode title gives away!
SHOW TEASE: It's time for Security Now!. Birthday boy Steve Gibson is here. He is - we're going to call him “Commodore 64” today because it's his 64th birthday, and he's got a lot to talk about including the malware, the big Norwegian aluminum company. You won't believe the sign they put in the door. And a play-by-play of Pwn2Own, all three days, coming up on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 707, recorded Tuesday, March 26th, 2019: Tesla, Pwned.
It's time for Security Now!, the show where we cover your security and privacy online with the man and the plan, Panama, Steve Gibson. Actually, ever wear a Panama hat? You'd look good in a…
STEVE GIBSON: No.
LEO: You'd look great in a Panama hat.
STEVE: Mine is sort of the French beret. I'm sure you remember me in that.
LEO: You look good in a beret. I do remember that.
STEVE: I used to wear that all the time.
LEO: That was your hat.
STEVE: I just kind of fell out of the habit somehow.
LEO: It was no brim. You need one with a brim.
STEVE: Well, no. That's true, it does not keep the rain out of your eyes nearly as well as a big Panama hat.
LEO: So let me add security, privacy, and hat couture.
STEVE: That's true.
LEO: What's coming up this week?
STEVE: So we have, for Episode 707, the title of the podcast is “Tesla, Pwned.”
LEO: Oh, yeah. I saw that.
STEVE: But it wasn't a bad pwnage. It was about as mild a pwnage as it could be. On the other hand, they did drive off with a Tesla Model 3.
LEO: Yeah, yeah.
STEVE: So they're pretty happy. This, of course, was last week's three-day Pwn2Own. And it's called Pwn2Own because, if you pwn it, you own it. And they pwned it, and they're now driving it.
LEO: And a little bit of cash also. This is Fluoroacetate. They're at it again.
STEVE: They are. And what impressed me the most, I have to say, is that the prize money that they won, relative to what Zerodium would have paid, because one of the things they did would have qualified for the half a million dollar recently increased - and we talked about this a couple weeks ago - zero-day in VMware, where they were able to execute code on the host outside of the VM after just browsing to a web page, which is just like, oh, you know, that's like - that's the golden goose from Zerodium's standpoint. But they didn't sell it to Zerodium.
STEVE: I'm very impressed.
LEO: It's a proof-of-concept for Pwn2Own, really, that shows it's a benefit.
STEVE: Yeah. So the problem is normally our show notes are 14 pages, and we run out of time. We have 20 pages today. I mean, there is a lot to talk about.
LEO: I'll shut up.
STEVE: We've got the return - and, okay. Now, arguably there's a little bit of padding here because I've had some fun, too. I could not pass up the fact that we have the return of Clippy, Microsoft's much-loathed dancing paperclip, which actually is our Picture of the Week that came to me when Hawaii had their problem with that false alert. We also have Operation ShadowHammer, which reports say compromised ASUS. But I may be the only one in the industry who's a little skeptical. We'll talk about that.
We have the ransomware attack that you brought up, it was occurring during last week's podcast against Norsk Hydro aluminum, which took down across 40 different plants located globally. It was a ransomware attack. We have the surprise renaming of Windows Defender for a purpose, a severe bug revealed in a most popular PDF-generating PHP library, an early look at Microsoft's forthcoming Chromium-based Edge browser, hope for preventing caller ID spoofing, a need to update for users of PuTTY, which is a very popular freeware SSH client.
We've got Mozilla's decision to conditionally rely on Windows root store rather than their own. Microsoft will be offering virtual Windows 7 and 10 desktops through Azure and what that means. Also I heard you and Mary Jo and Paul talking about this last week, sort of some wondering about what the Windows 7 end of life, end of service life, end of update life warning dialog would look like. We now know.
I've got a tiny bit of sci-fi, some SQRL and SpinRite news, and then we're going to take a look at the much-anticipated mid-March Vancouver Pwn2Own competition, three days. And of course the title of our podcast gives away what happened during the third automotive pwning day. But I think another great podcast for our listeners.
LEO: And let me know if you need the sportscaster voice because I'm ready.
STEVE: Howard Cosell.
LEO: I could do the play-by-play if you should need it.
LEO: Clippy's back. I missed little Clippy.
STEVE: Well, okay. I was going to say you're alone in that, but I don't think you are.
LEO: He was cute. I just don't want him helping me with grocery lists, you know.
STEVE: Yes. Anyway, the Picture of the Week was sent to me back when Hawaii had that bogus ballistic missile alert. And anyway, so this is the Clippy from yesteryear. It was introduced with Office 97, I think it was, and it was taken out of commission with Office XP.
STEVE: Yeah. Anyway, much maligned and - anyway. So anyway, our Picture of the Week is Clippy saying, “It looks like you're sending out a ballistic missile alert.”
LEO: Would you like some help?
STEVE: Would you like some help? And that's what it used to do. It used to be, like, watching what you were doing.
LEO: Yeah. Annoying.
STEVE: And it would jump in and, oh, my god, so annoying. And, I mean, it was just, I don't know, I guess it wasn't right for the time. But it turns out Clippy is coming back. Well, at least for some places. In a blog posting made on April 11th, 2001 - okay, so back 17 years ago, no, 18 years ago nearly. Microsoft titled it “Farewell Clippy: What's Happening to the Infamous Office Assistant.” And their title said “in Office XP.” But what they meant was “with Office XP,” that is to say, it was introduced in Office 97, and they are saying farewell to it.
So what they wrote was: “Whether you love him or hate him” - and actually the vote was very heavily weighted toward the latter - “say farewell to Clippy automatically popping up on your screen. Clippy is a little paperclip with the soulful eyes and the Groucho eyebrows,” they wrote, “the electronic ham who politely offers hints for using Microsoft Office software.”
Okay, and I love the way they spun this. They said: “But after four years onscreen, Clippy will lose his starring role when Microsoft Office XP debuts on May 1st. Clippy, the Office Assistant introduced in Office 97, has been demoted in Office XP.” And I did enjoy this pun: “The wiry little assistant…”
LEO: Because he's made out of a paper clip, yeah.
STEVE: Uh-huh, “… is turned off by default” - I didn't even know it was still there, so I'm glad it was gone.
LEO: You could turn it on? Who would ever want to do that?
STEVE: Exactly, “…turned off by default in Office XP. But diehard supporters can turn Clippy back on if they miss him.”
STEVE: And here's the spin. Lisa Gurry, a Microsoft product manager, explained: “Office XP is so easy to use…”
LEO: Oh, please. The spin machine.
STEVE: I know, “…that Clippy is no longer necessary…”
LEO: No, it's easy.
STEVE: “…or useful.” That's right. We've finally figured out how to make our UI work, so we don't need a paperclip to come springing out and helping you. Anyway, she said: “With new features like smart tags” - whatever those are - “and task panes” - whatever those are - “Office XP enables people to get more out of the product than ever before.”
LEO: Thank god.
STEVE: Oh, whew. “These new simplicity and ease-of-use improvements really make Clippy obsolete,” she said. And then, finally: “He's quite down in the dumps,” Gurry joked. “He has even started his own campaign to try to get his old job back or find a new one.”
Now, surprisingly, that was then. A report in USA Today, well, USA Today, not today, back in 2002 stated that Microsoft banked on its customers' contempt - this is actually - USA Today said this back then. “Microsoft banked on its customers' contempt of Clippy to promote Office XP.”
LEO: There's a selling point. No more Clippy.
STEVE: That's right. No more of that - anyway.
LEO: That's funny.
STEVE: “On Thursday,” they wrote, “On Thursday, Microsoft is scheduled to unveil the last installment in a nontraditional advertising campaign that aims to sell the newest version of Office, called XP, by encouraging customers' hatred of Clippy.” Unbelievable.
So here we are now, today, finally today, 18 years later, and wouldn't you know it, Clippy's lobbying to return to the limelight appears to be paying off. Clippy is about to make a not-long-awaited comeback for Microsoft's Teams app. The effort is open source and on GitHub, so the animations are all publicly available. And I have to confess, Leo, that Clippy has become such a meme from the past that, had I him available to embellish the occasional iMessage on my iOS device, that might be kind of funny. Fun. I mean, and I put down here at the bottom a snap of one of them. We have the beer-drinking Clippy because it's 2019 now, so we can do that.
LEO: They let him drink beer?
STEVE: And he's also got a coffee mug. There's one with a coffee mug. There's one where he's holding like a Starbucks-style paper with the little heat guard slip-on dealy-do. Anyway, there's a bunch of them. They're animated, and I'm sure that someone is going to grab them off of GitHub and sprinkle them around. So I've never been much of a big fan of the emojis and things, but if we had this little bank of animated paperclips, almost because it's a dated meme I think it would be kind of fun. So I'll bet it happens.
STEVE: Okay. So now here's - this is really odd. It's called Operation ShadowHammer. And first I'm going to share Kaspersky's post about the incident. Then I'll explain what puzzles me so much about this. So Kaspersky wrote: “Earlier today” - and this just happened - “Motherboard published a story by Kim Zetter on Operation ShadowHammer.” And I should mention that Motherboard story is based on Kaspersky's research, so they're sort of self-referential here. By Kim Zetter on Operation ShadowHammer, “a newly discovered supply chain attack that leveraged ASUS Live Update software.”
And Motherboard's headline read: “Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers.” And their subtitle says: “The Taiwan-based tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company's server and used it to push the malware to machines.” And for anyone who's interested, I have the link to the whole Motherboard article in the show notes.
So Kaspersky says: “While the investigation is still in progress, and full results and technical paper will be published during SAS 2019 conference in Singapore” - which I think is only like 12 days away, so a week and a half we'll know more. They said: “We would like to share some important details” - this is Kaspersky speaking - “about the attack. In January 2019” - so two months ago, beginning of this year, they write - “we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place” - okay, and not really the utility. That's the thing that reaches back to ASUS, right, to check for any updates.
Anyway, “The attack took place between” - get this - “June and November.” Now, not meaning a single event of attack, but meaning for five months this was ongoing. So the attack took place for the span between June and November 2018. “And according to our telemetry, it affected a large number of users. ASUS Live Update,” they write, “is a utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers, and applications.” And of course we've talked about this a lot. Lenovo has this. Famously Microsoft invented this. I remember how much at the time it was like, wait a minute, you're going to update my computer without my involvement? That was a thing once. Now it's just like, okay, please bring it on.
“According to Gartner, ASUS,” writes Kaspersky, “is the world's fifth largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT [Advanced Persistent Threat] groups that might want to take advantage of their user base.” Okay, but let me tell you why this doesn't track. We'll get there. Kaspersky says: “Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time.”
LEO: Oh, so they know this because Kaspersky saw it.
STEVE: Yes. Their own Kaspersky instrumentation on those users' machines. They said: “We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger” - of course it would be because they don't have their stuff in every ASUS machine - “and is possibly affecting over a million ASUS users worldwide. The goal of the attack was to surgically target an unknown pool of users” - and, okay, listen carefully to this.
LEO: Guess who that might be. Okay.
STEVE: Well, “which were identified by their network adapters' MAC addresses.” Which is really screwball.
LEO: That's by manufacturer, then; right?
STEVE: Well, we know it's ASUS because ASUS is the infection channel. But they're selecting targets based on their MAC address. Okay. So anyway, Kaspersky says…
LEO: All a MAC address tells you is who made that device.
STEVE: Well, no. The MAC address is 48 bits.
LEO: No, there's extra stuff, but the first part of it is manufacturer; right?
STEVE: Correct. Right. So Kaspersky says: “To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples, and this list was used to identify the actual intended targets of this massive operation.”
STEVE: I know. It gets weird, Leo. “We were able to extract more than 600 unique MAC addresses from over 200 samples” - which Kaspersky got from their own customers - “used in this attack.” They said: “Of course, there might be other samples out there with different MAC addresses in their list. We believe this” - and this doesn't make sense to me, but we'll get there in a second. “We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the ShadowPad and CCleaner incidents in complexity and technique. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate ASUS certificates, AsusTek Computer Inc.” And Leo, not once but twice. We'll get there, too, in a second.
“The malicious updaters were hosted on the official liveupdate01s.asus.com and liveupdate01.asus.com ASUS update servers. Although precise attribution,” they say, “is not available at the moment, certain evidence we have collected allows us to link this behavior to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case, as well.
“A victim distribution by country for the compromised ASUS Live Updater looks as follows.” And I've got a picture of the graph in the show notes just because Kaspersky provided it. But remember this is their view into victims, and it's going to be massively skewed by their customer base. And they acknowledge that. They said: “It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world.”
LEO: Mostly in Russia.
STEVE: Yes. “In principle, the distribution of victims should match the distribution of ASUS users around the world.” They said: “We've also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack. To check this, it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware, and alerts if a match was found.”
And I have a link in the show notes for any ASUS computer user among our listeners who is listening to this thinking, ugh. It's https://kas.pr/shadowhammer. That downloads a 50k ShadowHammerCheck.zip, which then checks against the hardcoded list. They say you may also check MAC addresses online. And there it's https://shadowhammer.kaspersky.com. “If you discover that you have been targeted by this operation, please email us at” - and then they have their email address, [email protected]
So things feel fishy to me about this. First of all, ASUS official servers were being used to supply the initial malware. And the malware was signed by legitimate ASUS certificates. And though Kaspersky's brief summary didn't mention it, other coverage noted that ASUS was being uncooperative in the extreme about this, denying that anything had happened at all, 100% stonewalling. What I find so puzzling and curious is that the malware delivered by ASUS's own servers from ASUS and signed by ASUS used the victim's MAC addresses to identify individual specific ASUS machines. And what's most troubling is that no one but ASUS, the manufacturer of those machines, would reliably know what MAC addresses specific machines have.
As we know, MAC addresses, while not highly secret, neither are they widespread. A machine's MAC address is often printed on the label outside the box, and on the label underneath the machine, for example, in the case of a laptop, or on the label on the machine. But the MAC address is inherently highly local because it's not transmitted over the Internet. The MAC address, as we have often described, provides local Ethernet network hardware addressing for use within a single Ethernet subnet.
So, for example, any IP, Internet Packet router, serves as an intelligent link between separate Ethernet networks, with a different network on each of its interfaces. Unless a router is bridging two networks at the Ethernet layer, the MAC address from one network is removed, and its contained IP packet is routed to another interface where it is reencapsulated with an Ethernet packet for that other network containing its source and destination MAC addresses. So my point is how would some random external malicious agency obtain the physical hardware Ethernet MAC addresses that are only useful for ASUS customers because that's the source of this infection, across a large collection of specific ASUS machines.
Okay. So if we're brainstorming, one possibility is that these were wireless laptops. We've been talking about MAC addresses recently, and MAC address spoofing on WiFi. So if they were wireless laptops, they would have been promiscuously broadcasting their MAC address more or less constantly to every WiFi access point within range. And as we know, a MAC address is a 48-bit value composed of two halves, a 24-bit registered manufacturer number, and a 24-bit serial number within that manufacturer.
LEO: So they had the full qualified MAC address, not just the first half.
LEO: So they were specifically targeting machines.
STEVE: A machine. A machine, yes.
LEO: Well, that is interesting.
STEVE: I know. So the fact of them being ASUS laptops would have been evident from their MAC addresses. So there's, I mean, if you were stretching, some possibility that the machine's MAC addresses of specific individuals could have somehow been gathered over time. But it stretches credulity. If they were wired desktop machines, it's difficult to come up with any theory to explain how some random remote third party could obtain those machines' Ethernet MAC addresses. And if some agency was close enough to a wired machine to obtain its MAC address, it probably has physical proximity anyway, so it wouldn't need to go this weird circuitous route to get its malware into this ASUS machine.
Occam's Razor suggests that when confronted with a lack of definitive evidence, the simplest explanation is likely to be the best. And distressing as this is, this suggests that the entire thing was likely a covert and deliberate campaign, if not on the part of all of ASUS, then an insider action within ASUS. Only ASUS has the certs to sign their update downloads. From Motherboard's reporting, Motherboard said: “The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, so the attackers then switched to a second newer legitimate ASUS certificate to resign their malware after this.” So what sort of security are we to believe exists at ASUS if they were not a willing or begrudging collaborator?
LEO: Let me provide a scenario.
STEVE: Okay. But let me finish. One more second.
LEO: Finish, yeah, yeah.
STEVE: So the attackers first signed their malware with ASUS's protected, guarded, super-secret code-signing certificate. And those attackers placed that ASUS-signed malware onto both of ASUS's software update servers, where it stays undetected for five months. But later, as that first certificate nears expiration, the “attackers,” in quotes, obtain ASUS updated newly freshened code-signing certificate, resign the malware with that updated cert, and replace the soon-to-be-expired malware on both of ASUS's software downloaded servers with freshly signed new malware. That's what we're to believe. And ASUS had no knowledge of any of this.
And so the least that seems feasible is that a well-placed person on the inside arranged for all of this except for the MAC addresses. That would be a very different region within this very large company because the MAC addresses would probably be in sales records for those machines, which indicate who owns which machines with which MAC addresses. So let me just finish quickly. The fact that the follow-up malicious backdoor payload was later sourced from elsewhere gives ASUS some plausible deniability, and Kaspersky indicated that attribution was unavailable at the moment, plus it's very easy to plan a bit of misdirection which would have been in ASUS's interests.
So finally Motherboard wrote: “Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails last Thursday, but has not heard back from the company,” as of yesterday. So three separate emails, ASUS doesn't respond. But Motherboard wrote: “But the U.S.-based security firm Symantec confirmed the Kaspersky findings on Friday after being asked by Motherboard to see if any of its customers had also received the malicious download. Symantec is still investigating the matter, but said in a phone call that at least 13,000 computers belonging to Symantec's customers were infected with the malicious software update from ASUS last year.”
Liam O'Murchu, director of development for the Security Technology and Response Group at Symantec, was quoted by Motherboard, saying: “We saw the updates come down from the Live Update ASUS server. They were trojanized or malicious updates, and they were signed by ASUS.” So I think that's all my coverage. So I'm just, for our listeners' sake, for five months late last year, ASUS was delivering a malicious download which, if you were one of 600 selected people by the MAC address of your machine, that machine then reached out to a trojan supply server to download additional active malware into your machine.
LEO: So of the thousands of people who were infected, only those 600 got anything malicious.
STEVE: Correct. Yes.
LEO: Oh, that's interesting. Sounds targeted.
STEVE: Yes. They were infected with - yes.
LEO: So here's the scenario. Let me offer a scenario and see if this makes sense. ASUS has this built in. This is a standard updating procedure. They have all the MAC addresses.
STEVE: Yes. Yes.
LEO: They have this built in. Presumably they sign the software when they deliver it. It's an update package. If a bad actor got into ASUS's system and replaced the update package with a malicious package, which then got signed and sent on as if it was a regular update package, all of this would fit. Except for that one little bit, which is, in order to target 600 machines you'd have to have 600 MAC addresses.
STEVE: Yes. And remember that the malware was updated when its first certificate was nearing expiration.
LEO: So the bad guy's in there. I mean, we know people, you know, bad guys sit in networks.
LEO: So let's say that ASUS, by the way, a Taiwanese company, not a Mainland China company, but let's say a bad actor from North Korea or some nation-state had access to the ASUS network, got in there, was able to put the malware in there.
LEO: Is it conceivable, I mean, when you hear that something's targeting 600 machines, that sounds like a nation-state going after individuals. It's not a mass attack; right?
STEVE: Correct. Correct.
LEO: It's a targeted attack.
STEVE: Because they're estimating in five months a million people, a million ASUS customers checked in, got this…
LEO: Because it's part of the normal ASUS update process.
LEO: Yeah. So couldn't a bad guy who had access to ASUS's network perpetrate this - I mean, it sounds like especially a nation-state bad actor - perpetrate something like this?
LEO: And I could see why ASUS would be very slow to respond because it looks really bad.
STEVE: They're, like, going holy crap, what?
LEO: Yeah. They're, I mean, the first thing, if I'm the CISO at ASUS, I'm going, guys, let's find this intruder. Let's figure this out.
STEVE: And we like ASUS. I mean, they're a great company.
LEO: Oh, they're very good.
STEVE: They make beautiful hardware.
LEO: I just want to make sure that it doesn't mean necessarily that ASUS is malicious.
STEVE: Corporate, right.
LEO: Somebody inside might be bad. Or in my opinion, I mean, look at all the companies that malicious nation-state hackers have gotten into.
LEO: And just sit there.
STEVE: An Advanced Persistent Threat where that person has really deep access to, I mean, like, again, it seems to me that the database where customer to MAC address sales records are is different from the software download/update stuff.
LEO: Right, should be, yeah. Were the MAC addresses sequential or just random? And do we know anything about those 600?
STEVE: No. In fact, in 12 days Kaspersky's - that thing is Kaspersky's own SAS. It's the Security Analyst Summit in Singapore where they're going to present a paper on this. So in two weeks we should have some more information from them.
LEO: Very interesting. I mean, it could have been us. Could have been the NSA.
STEVE: Yeah. But again, it's weird because it's limited to ASUS customers. I mean, no non-ASUS customer is going to…
LEO: Well, yeah. You start with ASUS. But you get whoever you're in; right?
STEVE: But there are 600 of them that were of interest to somebody.
LEO: What if you noticed that, I don't know, the Israeli Embassy had just purchased a large number of ASUS computers.
LEO: I don't know. I think that we need to know more, obviously.
STEVE: And that's a good point, too, because it certainly could be that there is a - if this were targeted, and we don't know targeted by whom, but if - for example, ASUS is a major brand. There's probably many enterprises who have standardized on ASUS hardware. That's what they buy. And so if you know that, like, all of your employees are using ASUS laptops…
STEVE: …and you can somehow get a list of who's using which laptop by MAC address, then…
LEO: Or just target the whole organization; you know?
LEO: I mean, maybe, who knows, it could be Lenovo doing this. We want to make ASUS customers unhappy.
STEVE: Yeah, that'll do it. So speaking of making people unhappy, Leo, we have the Norsk Hydro ransomware attack. I have a picture in the show notes that someone took of the notice scotch-taped to the door of one of the Norsk Hydro plants. And it's dated, I think it's 3/19. So it says: “Warning: Cyber Attack Against the Hydro Network. Please do not connect any devices to the Hydro Network. Do not turn on any devices connected to the Hydro Network. Please disconnect any device (Phone/Tablet etc.) from the Hydro Network. Await new update.” And then it was signed “Security.” And then there's some note handwritten in probably Norwegian next to the one that's in English. So, and you brought this breaking news to us during last week's podcast. It was just happening.
LEO: It's funny, we saw almost identical - something in the door a couple of years ago during a ransomware attack. Was it Maersk? I can't remember who it was. I think it was Maersk, the shipping line. Same kind of thing in the door. Don't connect to our network.
STEVE: You'll get hurt.
STEVE: So paraphrasing from Ars - everybody had pretty much the same coverage. Paraphrasing from Ars Technica's coverage, they said: “One of the world's biggest producers of aluminum has been hit by a serious ransomware attack that shut down its worldwide network, stopped or disrupted plants, and sent IT workers scrambling to return operations to normal. Norsk Hydro of Norway said the malware first hit computers in the United States on Monday night. By Tuesday morning, the infection had spread to other parts of the company, which operates in 40 countries, on every continent.
“Company officials responded by isolating plants to prevent further spreading. Some plants were temporarily stopped, while others, which had to be kept running continuously, were switched to manual mode where possible. The company's 35,000 employees were instructed to keep computers turned off, but were allowed to use phones and tablets to check email,” maybe using WiFi and not using their network. Or maybe they figured out…
LEO: LTE, not WiFi.
STEVE: Yeah, not going to affect them. Chief Financial Officer Eivind Kallevik said during a press conference Tuesday: “Let me be clear. The situation for Norsk Hydro is quite severe. The entire worldwide network is down, affecting our production as well as our office operations. We are working hard to contain and solve this situation and to ensure the safety and security of our employees. Our main priority now is to ensure safe operations and limit the operational and financial impact.”
According to Kevin Beaumont, who's an oft-quoted security guy and, Ars said, “tweeting in his capacity as an independent researcher and citing local media reports, the ransomware that infected Norsk Hydro is known as” - and this has been confirmed - “LockerGoga [G-O-G-A].” He said: “LockerGoga doesn't rely on the use of network traffic or on domain name system or command-and-control servers, which all allow ransomware to bypass many network defenses.”
An independent research group calling itself MalwareHunterTeam pointed to a LockerGoga sample uploaded to VirusTotal from Norway on Tuesday morning. At the time the malware was first scanned, it was detected by only 17 of the 67 biggest AV products, although detections increased once awareness of the Norsk Hydro infection grew. The malware had also once been digitally signed by security company Sectigo [S-E-C-T-I-G-O]. So the malware had been digitally signed by the security company Sectigo, but the certificate was revoked at an unknown time.
In the statement, Sectigo Senior Fellow Tim Callan wrote: “As a policy, Sectigo revokes certificates used in malware attacks and does not issue certificates…”
LEO: Oh, that's a relief.
STEVE: “…to known malware” - it's like, oh, thank you. You know? But wait, Leo. It gets better - “to known malware purveyors.” He said: “We encourage security researchers to report instances of malware employing Sectigo certificates at [email protected]” Okay. Now, when I first read this, I thought to myself, who the heck is Sectigo? Leo? Guess who? Our old friends, Comodo.
LEO: Oh, lord.
STEVE: Now operating under a shiny new name.
LEO: Yes. The old one got a little tarnished, yeah.
STEVE: They so thoroughly ruined their previous name.
STEVE: So horse of a different color. Company by a different name. But yes, Comodo issued the certificate that signed the LockerGoga malware. So a text file that the attackers included in the malware, it's a longer file with a bunch of nonsense. But it starts out saying there was a significant flaw in the security system of your company. “You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all your data by mistake or for fun. Your files are encrypted with the strongest military algorithms, RSA-4096 and AES-256. Without our special decoder ring” - no, not ring, just decoder. “Without our special decoder, it is impossible to restore that data. Attempts to restore your data with third-party software such as Photorec, RannohDecryptor, et cetera, will lead to irreversible destruction of your data.”
LEO: Oh, god.
STEVE: Okay. So the Norsk Hydro CFO said the majority of the company's plants were operating normally, but that the network shutdown prevented plants from receiving future orders from customers. He said the losses at the moment were “minimal,” but he conceded they would grow over time if automated systems aren't restored. Kallevik - that's the CFO - was unable to provide any timetable for how long it would take to disinfect the network. He said company IT teams are working to remove the ransomware - and actually I heard in some separate reporting that Microsoft, a team from Microsoft had flown over to help with that.
He said: “Company IT teams are working to remove the ransomware from infected systems. Once that's done, the teams plan to restore lost data using company backup systems,” which he described as “good.” Asked by a reporter if the company would rule out paying the demanded ransom, the CFO said: “The main strategy is to use backup.”
Lawrence Abrams at BleepingComputer, who is of course everyone's go-to site for ransomware details, added, he said: “It should be noted that while this ransomware has had high-profile targets, it is not the most active one out there targeting companies and has not seen wide distribution.” He said: “Furthermore, it's very noisy as it consumes a lot of CPU, causes Windows Explorer to crash repeatedly, and borks the system,” he wrote, “enough while encrypting that you can't run normal programs.” In other words, it's not very stealthful while it's doing its deed. He says: “Unless it's launched on an idle machine, it would have a good chance of being spotted.”
So anyway, what I had heard in subsequent reporting is that they have removed it, and they are restoring from backup. So no mega payout. Oh, and there was no fixed price given, either. These guys, in their note, they instructed the infected company to contact them and strike up a dialog, and that the amount requested would be a function of how long it took to reach out and contact them.
LEO: Oh, yeah. Don't delay. Call today.
STEVE: Call today. That's right. So anyway, that's the background on that attack. And we're going to talk about Microsoft renaming Windows Defender. Microsoft has renamed Windows Defender Advanced Threat Protection, you know, APT, to the more generic Microsoft Defender Advanced Threat Protection. Why? Because they're offering it for the Mac. It was a post last Thursday on…
LEO: Oh, that's so interesting. Wow.
STEVE: Yeah, it really is. A Microsoft blog posting was titled: “Announcing Microsoft Defender ATP for Mac.” They said: “Today we're announcing our advances in cross-platform, next-generation protection and endpoint detection” - oh, and I should mention that Linux is coming - “endpoint detection and response coverage with a new Microsoft solution for Mac. Core components of our unified endpoint security platform, including the new Threat & Vulnerability Management also announced today, will now be available for Mac devices.
“We've been working closely with industry partners to enable Windows Defender Advanced Threat Protection customers to protect their non-Windows devices while keeping a centralized [they called it] 'single pane of glass,'” meaning everything monitored in a single location. “Now we're going a step further by adding our own solution to the options, starting with a limited preview today. As we bring our unified security solution to other platforms, we're also updating our name to reflect the breadth of this expanded coverage: Microsoft Defender ATP.
“There are two key parts for cross-platform support for Microsoft Defender ATP on Mac.” They said: “A new user interface on Mac clients called Microsoft Defender ATP. The user interface brings a similar experience” - meaning like look and feel - “to what customers have today on Windows 10 devices.” And then: “Reporting for Mac devices on Microsoft Defender ATP portal.” And then they said: “Microsoft Defender ATP can be installed on devices running macOS Mojave, High Sierra, or Sierra which you want to manage and protect.”
And then they said: “In a limited preview, this app provides next-generation antimalware protection and allows end users to review and perform configuration of their protection, including,” you know, and then they had a list of all the standard AV things - quick scan, full scan, deep scan, quarantining, blah blah blah.
And then they said: “Users will also be able to configure advanced settings: Disabling or enabling real-time protection, cloud-delivered protection, and automatic sample submission; adding exclusions for files and paths; managing notifications when threats are found; manually checking for security intelligence updates.” And they said: “Microsoft AutoUpdate service is also installed, which ensures that the app is kept up to date and properly connected to the cloud.”
So Leo, I am completely out of the loop on Mac AV. Are there multiple vendors offering Mac AV?
LEO: Oh, yeah. It's just [crosstalk] the same.
STEVE: So it's the same as on the PC?
LEO: Yeah, I mean, you know, I think you probably agree with me, I'm not a recommender of AV in general.
STEVE: You know I agree that, I mean, I've got my little fort with the flag on it looking at me from the tray. So I've got Microsoft's integrated Defender in my system where it's not bothering me.
LEO: Well, and it comes with Windows 10. It's kind of, because it's operating that way, you're not…
LEO: But that's now installing a third-party standalone AV on Mac, which I wouldn't - I don't think I would recommend. Apple does have, not an antivirus, but has some pretty sophisticated security stuff on there, including malware scanning and Gatekeeper. So I don't think you need it.
STEVE: Yeah, I mean, and I agree. And I wonder if - do you know if Microsoft's portal stuff integrates with Apple's so that you could stay native and still get this single pane of glass thing? Or do you think they're just, like, separate? I don't know.
LEO: I have no idea what the implementation specifics are. But this isn't surprising. Remember Microsoft put out that Chrome and Firefox plug-in. You talked about it last week.
LEO: So basically there's an Edge sandbox inside Chrome and Firefox.
STEVE: An Edge takeaway. Oh, you're about to go on the Internet. Let's switch you over to Edge.
LEO: But in their defense, their sandbox technology's on Edge, it's based on Edge, so that's why they do that. But I think this is the new Microsoft. They don't care that much about Windows. Windows is not the crown jewels by any means of the company anymore. And so why not put a Microsoft everywhere? It is bizarre. I would never have thought that we'd be looking at antiviruses for Macintosh from Microsoft.
STEVE: No, it is. And I wonder, I mean, homegrown? Or maybe I wonder if they acquired somebody that was already there?
LEO: Oh, that's a good question. I mean, Defender's based on Giant antivirus, remember that, way back when they bought it. But by now it's so different than Giant originally was that it's a unique product.
STEVE: But that's generally how Microsoft acquires a big new technology, you know, something that's really alien to what they already have is they just, you know, they acquire it because money is not a problem at Microsoft.
LEO: Right. So, yeah, I'd love to know more about this. And for now, I don't know about you, but I wouldn't recommend it.
STEVE: No. I just wanted to let our listeners know. And maybe there's an enterprise need for…
LEO: That's probably it; right?
STEVE: Yeah, because that is where, you know, the Azure Cloud rigmarole. Okay. So for our listeners who may be responsible for a website based on PHP, which generates PDFs on the fly, a severe security bug was found six months ago in the most popular PHP library for creating PDF files. The three most popular libraries used by web servers to create PDF files for like invoicing, purchase receipts or whatever on the fly are TCPDF - which I think is a clever name - TCPDF, MPDF, and FPDF. And as we know, well, I'm sorry. And now we know, after the very responsible disclosure by a security researcher who waited, not six hours, not six days, not six weeks, but six months after the flaw was disclosed privately so that it could be fixed, that now today we know that a serious remote code execution flaw exists in the one of those three which is the most popular, which is TCPDF.
The vulnerability is a variation of another researcher's discovery which was first found by a guy named Sam Thomas, a researcher at Secarma who in a series of experiences last summer showcased a deserialization bug - and we've talked about this, and I'll remind our listeners about that in a second - affecting PHP apps over the summer of 2018. He released a research paper detailing PHP serialization attacks against WordPress and TYPO3 CMS [Content Management System] platforms, but also the TCPDF library, which is embedded in the Contao CMS.
Then in a blog post just this past weekend, an Italian researcher who goes by the online handle Polict, P-O-L-I-C-T, revealed a new PHP serialization flaw impacting TCPDF, like in the same way as the one discovered by Thomas last summer. Polict says the vulnerability he found can be exploited two ways. The first is on websites that allow user input to be part of the PDF generation process, such as for example when adding a name or an email address or other details which would then be bound into the resulting PDF.