CyberWire Daily - Threat actors hijack Lojack. [Research Saturday]
Episode Date: May 19, 2018
Researchers from Arbor Networks' ASERT Threat Intelligence Team recently published a report titled, "Lojack Becomes a Double Agent." It outlines how threat actors are altering legitimate recovery utility software and simulating its command and control servers to gain access to target machines. Richard Hummel is manager of the ASERT Threat Research Team, and he joins us to describe their work.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Our researchers have a lot of interpersonal relationships with various researchers across the field.
That's Richard Hummel. He's manager of the ASERT threat intelligence team at Arbor Networks, the security division of NETSCOUT.
The research we're discussing today is titled, LoJack Becomes a Double Agent.
This particular one came as a tip to one of those researchers.
Initially, when we received it, it was, hey, here's a malicious binary. There's something
off about it. We didn't really have a whole lot to go on. So that's kind of what kicked off our
research into this particular finding.
Describe to me what's going on with LoJack. I mean,
I remember years ago, I think LoJack started out as a brand that would protect your cars from being stolen.
And then somewhere over the years, that brand pivoted and became known for protecting computers.
Kind of what led us to the whole LoJack research, if you will, back in 2014,
was a Black Hat presentation that some researchers did on what was then known as CompuTrace.
Since then, it's been purchased and it's been rebranded to be LoJack,
which essentially installs an agent on your system at the firmware level
that allows you to track your laptop should it ever be stolen.
So that's kind of where the software is that we're dealing with.
The actual software itself, to our knowledge, has not been modified as far as functionality.
The code remains the same.
If you compare a legitimate LoJack sample with one of the ones using a hijacked C2, they're identical, 100% function
matching across the board. So the problem isn't stemming from Absolute or the LoJack software itself.
Essentially, the attackers are taking that copy of the software and simply replacing the C2 in it
with one of their own.
I see. Well, take us through how LoJack works. How does it maintain its persistence on a machine?
Sure. So there's an agent. The researchers back in 2014 dubbed this the small agent. But basically what it does is the agent itself
embeds itself in a BIOS or UEFI firmware.
And from there, whenever the system is rebooted,
it embeds code into something called autocheck.exe.
And that basically is what's going to maintain persistence on the machine itself.
So anytime you were to swap a drive out,
if you rebooted the system,
or even if you reformatted,
it's going to persist because it's actually
at the firmware level rather than a software level.
So it's a unique method of maintaining persistence. And it's great for LoJack itself,
right? Because if somebody grabs your computer and steals it, and they swap out a drive so they
can actually use it, you're still able to then locate your laptop. So it's a really, it's a cool
persistence mechanism. And it's really unfortunate that attackers have used that and kind of leveraged that for their own purposes.
And so the legitimate functionality of a LoJack install, what sorts of things does it allow you to do?
So that's one of the things that makes it appealing to an attacker, right?
Is LoJack itself allows you to execute arbitrary code.
It comes with it natively.
And because it's running at the firmware level,
it also has system permissions. So essentially, it provides a backdoor into an affected machine,
one running a LoJack sample that has this malicious C2. And an attacker can use that
access to essentially do what they want. If they have additional malware or payloads that
they want to distribute, it's as trivial as sending that command via their C2 back to the
agent installed. And then they can then install additional malware, whatever that may be.
Describe to us what exactly have the bad guys modified here to have it look at their own
command and control servers.
There is a configuration within LoJack itself that has
the C2 pointing to legitimate LoJack command and control servers, right?
This is pretty typical. If you need to find your laptop, you have to have a way to communicate with it, right?
So it has to have some sort of callback to LoJack itself so that they can then locate your machine.
The attackers have basically swapped out that C2 check-in with one of their own.
And it's fairly trivial. It's only encrypted with a single byte XOR key that is actually hard-coded into the binary itself. And the attackers, when they
replace the C2, they also will pad any extra bytes with that XOR key. So it's relatively simple for
us to go in and strip out those C2s, but that's literally the only change that they've made
to our knowledge of the software itself.
So to the person who has this running, it looks like a perfectly normally functioning copy of LoJack doing all the things it's supposed to be doing.
Correct. And from what we've seen, we have one live C2 that was live yesterday.
When it checks into that malicious C2, it actually responds as if it is a LoJack server.
So the communication protocol looks very similar.
In terms of attribution, who do we think is up to this?
I think we have a moderate confidence on it right now because all of the attribution that we have stems from infrastructure.
There's no code to go on.
There's no tick marks or anything like that where we can say definitively that this has been seen in other malware samples from X group, right? So what we're looking at is the actual C2s
themselves. And some research over the past several months and past year points some of those C2s to
Fancy Bear or APT28. I think they're also known as Pawn Storm. Several of those C2s were actually seen in some phishing campaigns that Jigsaw Security had reported on in the past.
So that leads us to believe that the operation might be related to APT28 or Fancy Bear.
The way that they're going at this makes it pretty effective at avoiding antivirus detection.
Correct. Yeah.
When we first started looking at this, a lot of the different
AV scanners had maybe two of 50 plus identifications for it. And of those, they listed it as a risk
tool or something that, hey, this could potentially cause harm to your system, but it wasn't listed as
outright malicious or malware itself, which is pretty common, right? I mean, you're installing
software that's just planting something in your firmware. So sure, it should be risky. But it didn't label it as malware. And that's because to the antivirus scanner, it looked legitimate, right? It looked just like a LoJack sample.
to stay ahead of that game and say, oh, let's go ahead and blacklist all of these C2 because we don't know them until we've analyzed the sample. So yeah, so it's very effective at evading
antivirus because they're basically using legitimate software that just checks in somewhere
else.
Now, do you have any sense for how people are getting this altered version of LoJack on
their machines?
We don't. We've speculated. We have some theories. But we were just looking at APT28 itself.
What are their TTPs and tactics?
And in the past,
they've used a lot of phishing
to distribute their payloads.
So we looked at some of the more recent stuff
that Jigsaw Security reported on.
They have several documents there
with macro droppers.
And we ran some of those.
We looked to see,
do any of those drop LoJack?
And we haven't been able to confirm that.
So right now, we don't know how they're getting on systems,
or even if they are.
It could be that we found these samples,
or we were tipped off to these samples,
and the attackers are in testing mode.
So we don't have any confirmation
of these actually impacting users in the wild.
And we have been working with Absolute,
and so they're very aware of this.
And so as things develop, we'll continue to work with them and share our findings back and forth.
So in terms of folks protecting themselves against this, what are your recommendations?
So obviously, the IOCs that we list here in the report are very good. Make sure that your systems
are blocking those domains. If you have the hashes that we've shared, clearly those are gonna be representative
of these malicious samples.
Now it's not gonna identify all of them for sure.
It's just gonna identify the five
that we have listed in the blog.
But honestly, to our knowledge right now,
that's the best way that you can block this
is by making sure those domains are blacklisted
and that your systems cannot communicate with those.
We do push all of this stuff to our systems.
So we are detecting if and when we see any of this LoJack activity, we can get alerted on those,
and then it can enable our research to go further and look at those and strip out those C2s and then again, feed those back into our process. But that seems to be the best way at this point
to block the activity.
What's your take on how this contributes to, I suppose, a certain level of
uncertainty? You know, it's, I suppose, a who watches the watchman kind of thing. You know,
we install these systems on our computers to help protect us, but along with that comes a certain
level of trust that the information they're going to be sending back to their own servers is going
to be well protected, encrypted, and so on.
Absolutely. And as far as we know, there's nothing wrong with that process itself.
From what we can tell, and obviously we're not sitting at the host environment, so we don't know if an attacker is getting in directly and tampering with LoJack samples that are already
installed on systems. We don't know that. All we've been able to glean is these samples in the wild that have been tampered with. So that communication protocol between a host with installed LoJack and
actual LoJack servers, as far as we know, that's not been compromised. And I guess I'm probably not
the best person to speak to that. That'd be something that Absolute and their security
engineers would be best postured to do that. But as far as we can tell, the problem stems from an attacker getting a hold of a sample
and cracking it, if you will, similar to what a lot of these different gamers do.
They grab a copy of a game, they crack it, and they fix it
so that the key can run without validation or purchase.
That's kind of what we see here, right?
They're taking a legitimate sample, they're reverse engineering it to the point where they can swap out that C2,
and then redeploying that. It really doesn't have anything to do with Absolute and LoJack
vendor itself. It's more along the lines of the attacker taking advantage of something
that's already in existence. So I suppose it's fair to say that we can expect some updates
coming from the LoJack folks themselves to probably take care of this.
I do know that last response that we had from them, that they were looking at internally investigating.
As far as I know, their posture is that none of their clients have been impacted.
So, again, I can't speak to their internal processes.
That would be something we'd want to reach out to them for comment.
But, yes, anytime we find any updates or if we find additional samples or additional C2s, we're keeping an open dialogue. We want to
make sure that we're transparent with them and that we're sharing any of our findings that's
going to help them and any of their clients. Yeah, I'm wondering, just from a larger point
of view, you know, we started out today talking about how this came to you all from a tip. I
wonder if you could describe to me the sense of community there is among the researchers,
those of you who are looking into these sorts of things,
or how many of these conversations happen in back channels, in Slack groups, or things like that.
You all do keep in touch with each other, yes?
Yes. Just from my perspective and being around in the field now for the past 10 years,
there's a lot of people in the field, but it's a very small community, if that makes any sense.
Yeah. So yes, a lot of us sit in trusted groups. We sit in chat rooms. We have mailing lists.
There's a number of ways that we keep in touch, but we do. We share a lot of information back
and forth. And often we share those free of, because we want to help the entire community.
Obviously there's some things that you have to have close hold, right?
You have to run a business for instance, but when we can, we try to share as often as we
can.
And with the Netscout Arbor side of the house, we don't monetize our intel like this, right?
So when we can, we try to blog them out publicly and then
get those in front of as many people as we can to help protect them from the particular threat.
And anytime we come across threats like this, we're automatically feeding all those into our
systems so that clients, you know, running any of our appliances are going to be protected. That's
like our first line of business. And then from there, we look at how can we share this back
into the community? How can we
bring awareness to this and help other people be protected as well? In your experience, what would
your advice be? I'm thinking about the person who's coming up through school or maybe considering a
career change, and they think that this sort of research may be something that they're interested
in. What are the attributes that you see the successful people who are doing this kind of
work have? Honestly, for me, it boils down to passion and self-starting. I didn't receive any formal
training when I got into this. It was more of a self-driven thing. Now, granted, I was in the
army for a while, so I did some intel. But when it comes to reverse engineering, when it comes to
the security aspect and looking at threats from a reverse engineering or technical standpoint,
for me, that was self-taught, self-driven.
And I just had a passion about the field.
I thought it was super interesting finding out what the attackers do,
how that attacker thinks,
what they're going to do with a particular binary
and trying to figure that out.
To me, it was self-satisfaction, right?
And I know a lot of other people in the field,
a lot of the successful people have that same passion,
a drive to figure out what's
going on and then feed that back into the community to make sure people are protected.
So I think that's a key aspect that I look for in other security researchers,
not only from my team, but those that I work with as well.
And from a hiring point of view, what sort of work would you like to see? I'm thinking,
is this a situation where if someone has done that work on their own,
if they're a self-starter, they might not necessarily need all of the certifications
and the traditional education from your point of view? Sure. And honestly, certifications
may play a role in a particular position, but it's not the end-all be-all, right? A lot of times
when I'm looking at a particular resume or somebody for hire, I don't necessarily
hold certificates in high regard.
Instead, I look at who they are as a person, what they've done for the community.
Do they have their own personal blog?
What are they giving back?
Are they in any of the trust groups?
Do they contribute?
But then also, I want to evaluate their technical skills, right?
So if they've done this on their own and they have some blogs, that lends credence to the fact that yes, they know how to do this,
they know how to do it well and effectively. There's also some internal things you could do
to test that out, such as giving them a particular sample of malware and saying,
hey, reverse this, send me back a report, and then evaluate how they did. So there's a lot
of things you can do there. But what I like, from my standpoint, is to evaluate what they've done for the community and what they've given back.
Our thanks to Richard Hummel from Arbor Networks' ASERT team for joining us.
The research is titled, LoJack Becomes a Double Agent, and you can check it out on their website.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. Thank you.