Researchers from Arbor Networks' ASERT Threat Intelligence Team recently published a report titled, "Lojack Becomes a Double Agent." It outlines how threat actors are altering legitimate recovery utility software and simulating its command and control servers to gain access to target machines.
Richard Hummel is manager of the ASERT Threat Research Team, and he joins us to describe their work.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Richard Hummel: [00:01:42] Our researchers have a lot of interpersonal relationship with various researchers across the field.
Dave Bittner: [00:01:46] That's Richard Hummel. He's manager of the ASERT Threat Intelligence team at Arbor Networks, the security division of NETSCOUT. The research we're discussing today is titled "LoJack Becomes a Double-Agent."
Richard Hummel: [00:01:59] This particular one came as a tip to one of those researchers. Initially, when we received it, it was, hey, here's a malicious binary, there's something, you know, off about it. We didn't really have a whole lot to go on. So that's kind of what kicked off our research into this particular finding.
Dave Bittner: [00:02:13] Describe to me what's going on with Lojack. I remember, years ago, I think Lojack started out as a brand that would protect your cars from being stolen, and then somewhere over the years that brand pivoted and became known for protecting computers.
Richard Hummel: [00:02:28] Kind of what led us to the whole Lojack research, if you will, back in 2014, was a Black Hat presentation that some researchers did on what was then known as Computrace. Since then, it's been purchased and it's been rebranded to be Lojack, which essentially installs an agent on your system, at the firmware level, that allows you to track your laptop should it ever be stolen. So that's kind of where the software is that we're dealing with.
Richard Hummel: [00:02:53] The actual software itself, to our knowledge, has not been modified as far as functionality. The code remains the same. If you compare a legitimate Lojack sample with one of the ones using a hijacked C2, they're identical. A hundred percent function matching across the board. So the problem isn't stemming from Absolute, or Lojack software itself. Essentially, the attackers are taking that copy of the software, and simply replacing the C2 in it with one of their own.
Dave Bittner: [00:03:22] I see. Well, take us through how Lojack works. How does it maintain its persistence on a machine?
Richard Hummel: [00:03:28] Sure. So, there's an agent. The researchers back in 2014 dubbed this "small agent." But basically what it does is the agent itself embeds itself in a BIOS or UEFI firmware. And from there, whenever the system is rebooted, it embeds code into something called "autochck.exe," and that basically is what's going to maintain it's persistence on the machine itself. So, any time you were to swap a drive out, if you rebooted the system, or even if you reformat it, it's going to persist, because it's actually at the firmware level, rather than a software level.
Richard Hummel: [00:04:02] So, it's a unique method of maintaining persistence, and it's great for Lojack itself, right? Because if somebody grabs your computer and steals it, and they swap out a drive so they can actually use it, you're still able to then locate your laptop. So it's a really cool persistence mechanism, and it's really unfortunate that attackers abused that, and kind of leveraged that for their own purposes.
Dave Bittner: [00:04:24] And so, the legitimate functionality of the Lojack install, what sorts of things does it allow you to do?
Richard Hummel: [00:04:32] So, that's one of the things that makes it appealing to an attacker, right, is Lojack itself allows you to execute arbitrary code. It comes with it natively, and because it's running at the firmware level it also has system permissions. So, essentially, it provides a backdoor into an infected machine, one running a Lojack sample that has this malicious C2, and an attacker can use that access to essentially do what they want. If they have additional malware or payloads that they want to distribute, that's as trivial as sending that command via their C2 back to the agent installed. And then they can then install additional malware, or whatever that may be.
Dave Bittner: [00:05:08] Describe to us, what exactly have the bad guys modified here to have it look at their own command-and-control servers?
Richard Hummel: [00:05:15] There is a configuration within Lojack itself that has the C2 pointing to legitimate Lojack command-and-control servers. All right, this is pretty typical. If you need to find your laptop, you have to have a way to communicate with it, right? So it has to have some sort of callback to Lojack itself so that they can then locate your machine. The attackers have basically swapped out that C2 check-in with one of their own. And it's fairly trivial. It's only encrypted with a single-byte XOR key that is actually hardcoded into the binary itself. And the attackers, when they replace the C2, they also will pad any extra bytes with the XOR key. So, it's relatively simple for us to go in and strip out the C2, but that's literally the only change that they've made, to our knowledge, of the software itself.
Dave Bittner: [00:06:02] So, to the person who has this running, it looks like a perfectly normally-functioning copy of Lojack, doing all the things it's supposed to be doing.
Richard Hummel: [00:06:10] Correct. And from what we've seen, we have one live C2, that was live as of yesterday, when it checks into that malicious C2, it actually responds as if it is a Lojack server. So, the communication protocol looks very similar.
Dave Bittner: [00:06:25] In terms of attribution, who do we think is up to this?
Richard Hummel: [00:06:30] I think we have a moderate confidence on it right now, because all of the attribution that we have stems from infrastructure. There's no code to go on. There's no, like, tick marks or anything like that, where we can say definitively that this has been seen in other malware samples from X group, right? So, what we're looking at is the actual C2s themselves, and some research over the past several months and past year point some of those C2s to Fancy Bear, or APT28. I think they're also known as Pawn Storm. Several of those C2s were actually seen in some phishing campaigns that Jigsaw Security had reported on in the past. So that leads us to believe that the operation might be related to APT28, or Fancy Bear.
Dave Bittner: [00:07:13] The way that they're going at this makes it pretty effective at avoiding antivirus detection.
Richard Hummel: [00:07:18] Correct, yeah. When we first started looking at this, a lot of the different AV scanners had maybe two of fifty-plus identifications for it. And, of those, they listed it as a risk tool or something that, hey, this could potentially cause harm to your system, but it wasn't listed as outright malicious or malware itself. Which is pretty common, right? I mean, you're installing software that's planting something in your firmware. So, sure, it should be risky, but it didn't label it as malware. And that's because, to the antivirus scanner, it looked legitimate, right? It looked just like a Lojack sample.
Richard Hummel: [00:07:52] And the C2s themselves can be swapped out in any given sample. So, it's kind of hard to stay ahead of that game and say, oh, let's go ahead and blacklist all these C2s, because we don't know them until we've analyzed the sample. So, yeah, it's very effective at evading antivirus, because they're basically using legitimate software that just checks in somewhere else.
Dave Bittner: [00:08:11] Now, do you have any sense for how people are getting this altered version of Lojack on their machines?
Richard Hummel: [00:08:18] We don't. We've speculated, we have some theories, but we were just looking at APT28 itself. What are their TTPs and tactics? And, in the past, they've used a lot of phishing to distribute their payloads, so we looked at some of the more recent stuff that Jigsaw Security reported on. They have several documents there with macro droppers, and we ran some of those and we looked to see, do any of those drop Lojack? And we haven't been able to confirm that.
Richard Hummel: [00:08:44] So, right now, we don't know how they're getting on systems, or even if they are. It could be that we found these samples, or we were tipped off to these samples, and the attackers are in testing mode. So, we don't have any confirmation of these actually impacting users in the wild. And we have been working with Absolute, and so they're very aware of this. And so, as things develop, we'll continue to work with them, and share our findings back and forth.
Dave Bittner: [00:09:07] So, in terms of folks protecting themselves against this, what are your recommendations?
Richard Hummel: [00:09:12] So, obviously, the IOCs that we list here in the report are very good. Make sure that your systems are blocking those domains. If you have the hashes that we've shared, clearly those are going to be representative of these malicious samples. Now, it's not going to identify all of them for sure. It's just going to identify the five that we have listed in the blog. But honestly, to our knowledge right now, that's the best way that you can block this, is by making sure those domains are blacklisted and that your systems cannot communicate with those.
Richard Hummel: [00:09:39] We do push all of this stuff to our systems, so we are detecting if and when we see any of this Lojack activity, we can get alerted on those. And then it can enable our research to go further and look at those, and strip out those C2s, and then again feed those back into our process. But that seems to be the best way, at this point, to block the activity.
Dave Bittner: [00:09:58] What's your take on how this contributes to, I suppose, a certain level of uncertainty? You know, it's a, I suppose, a "who watches the watchmen" kind of thing. You know, we install these systems on our computers to help protect us, but along with that comes a certain level of trust that the information they're going to be sending back to their own servers is going to be well protected, encrypted, and so on.
Richard Hummel: [00:10:22] Absolutely. And as far as we know, there's there's nothing wrong with that process itself. From what we can tell, and obviously we're not sitting at the host environment, so we don't know if an attacker is getting in directly and tampering with Lojack samples that are already installed on systems. We don't know that. All we've been able to glean is these samples in the wild that have been tampered with. So, that communication protocol between a host with installed Lojack and actual Lojack servers, as far as we know, that's not been compromised. And I guess I'm probably not the best person to speak to that, that would be something that Absolute and their security engineers would be best postured to do that.
Richard Hummel: [00:11:01] But as far as we can tell, the problem stems from an attacker getting a hold of a sample and cracking it, if you will. Similar to what a lot of these different gamers do, they grab a copy of a game, they crack it, and they fix it so that the key can run without validation or purchase. That's kind of what we see here right? They're taking a legitimate sample, they're reverse engineering it to the point where they can swap out that C2, and then redeploying that. It really doesn't have anything to do with Absolute and Lojack vendor itself. It's more along the lines of the attacker taking advantage of something that's already in existence.
Dave Bittner: [00:11:36] So, I suppose it's fair to say that we can expect some updates coming from the Lojack folks themselves to probably take care of this?
Richard Hummel: [00:11:45] I do know that the last response that we had from them, that they were looking at internally investigating. As far as I know, their posture is that none of their clients have been impacted. So, again, I can't speak to their internal processes. That'd be something we'd want to reach out to them for comment. But yes, any time we find any updates, or if we find additional samples, or additional C2s, we're keeping an open dialogue. We want to make sure that we're transparent with them, and that we're sharing any of our findings that's going to help them and any of their clients.
Dave Bittner: [00:12:13] I'm wondering, just from a larger point of view, you know, we started out today talking about how this came to you all from a tip. I wonder if you could describe to me the sense of community there is among the researchers, those of you who are looking into these sorts of things. How many of these conversations happened in backchannels, in Slack groups, or things like that, you all do keep in touch with each other, yes?
Richard Hummel: [00:12:38] Yes. Just from my perspective, and being around in the field now for the past ten years, there's a lot of people in the field, but it's a very small community, if that makes any sense.
Dave Bittner: [00:12:47] Yeah.
Richard Hummel: [00:12:48] So yes, a lot of us sit in trusted groups. We sit in chat rooms, we have mailing lists, there's a number of ways that we keep in touch. But we do. We share a lot of information back and forth, and often we share those free of charge, because we want to help the entire community. Obviously, there's some things that you have to have close-hold, right? You have to run a business, for instance. But, when we can, we try to share as often as we can.
Richard Hummel: [00:13:14] And with the NETSCOUT Arbor side of the house, we don't monetize our intel like this, right? So, when we can, we try to blog them out publicly, and then get those in front of as many people as we can, to help protect them from the particular threats. And any time we come across threats like this, we're automatically feeding all of those into our system, so that clients, you know, running any of our appliances are going to be protected. That's, like, our first line of business. And then from there we look at, how can we show this back into the community, how can we bring awareness to this and help other people be protected as well?
Dave Bittner: [00:13:45] In your experience, what would your advice be, I'm thinking about the person who's coming up through school or maybe considering a career change, and they think that this sort of research may be something that they're interested in. What are the attributes that you see the successful people who are doing this kind of work have?
Richard Hummel: [00:14:01] Honestly, for me, it boils down to passion and self-starting. I didn't receive any formal training when I got into this; it was more of self-driven thing. Now, granted, I was in the Army for a while, so I did some intel. But when it comes to reverse engineering, when it comes to the security aspect, and looking at threats from a reverse engineering or technical standpoint, for me, that was self-taught, self-driven. And I just had a passion about the field. I thought it was super interesting finding out what the attackers do, how the attacker thinks, what they're going to do with a particular binary, and trying to figure that out, to me was self-satisfaction.
Richard Hummel: [00:14:35] And I know a lot of other people in the field, a lot of the successful people have that same passion. A drive to figure out what's going on, and then feed that back into the community to make sure people are protected. So, I think that's a key aspect that I look for in other security researchers, not only from my team, but those that I work with as well.
Dave Bittner: [00:14:54] And from a hiring point of view, what sort of work would you like to see? I'm thinking, you know, is this a situation where, if someone has done that work on their own, if they're a self-starter, they might not necessarily need all of the certifications and the traditional education, from your point of view?
Richard Hummel: [00:15:10] Sure, and honestly, certifications may play a role in a particular position, but it's not the end-all, be-all, right? A lot of times with, when I'm looking at a particular resume or somebody for hire, I don't necessarily hold certificates in high regard. Instead, I look at who they are as a person, what they've done for the community, do they have their own personal blog? What are they giving back? Are they in any of the trust groups? Do they contribute?
Richard Hummel: [00:15:36] But then, also, I want to evaluate their technical skills, right? So, if they've done this on their own and they have some blogs, that, to me, lends credence to the fact that, yes, they know how to do this, they know how to do it well and effectively. There's also some internal things you could do to test that out, such as giving a particular sample of malware and saying, hey, reverse this, send me back a report, and then evaluate how they did.
Richard Hummel: [00:15:58] So there's a lot of things you can do there. But I like, from my standpoint, is to evaluate what they've done for the community, and what they've given back.
Dave Bittner: [00:16:09] Our thanks to Richard Hummel from Arbor Networks' ASERT team for joining us. The research is titled "Lojack Becomes a Double-Agent," and you can check it out on their website.
Dave Bittner: [00:16:20] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:16:28] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:16:36] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
The Hewlett Foundation makes grants to proactively define, research and manage the burgeoning intersections between people and digital technologies. The Cyber Initiative seeks to cultivate a field that develops thoughtful, multidisciplinary solutions to complex cyber challenges and catalyzes better policy outcomes for the benefit of society. Learn more at hewlett.org/cyber.
Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.