Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The attack relies in part on the LoJack small implant loader being trusted by antivirus software, as the software has legitimate purposes.
- There is no indication that LoJack’s infrastructure itself has been compromised.
The popular device security software LoJack—previously known as Computrace—has been used in attacks by the Russian state-sponsored cyber espionage group "Fancy Bear."
LoJack, which under normal circumstances allows subscribers to remotely lock and delete files from their own computer in the event of loss or theft, relies partially on a dropper embedded in the BIOS of computers, which is inserted from the factory with the cooperation of participating OEMs. These include Apple, Acer, ASUS, HP, Lenovo, Dell, Toshiba, and Samsung, according to the Absolute Software website.
The attack, as described in a report by the ASERT security research division of Arbor Networks, relies on a modified version of the "small agent" rpcnetp.exe program, which is registered as a system service and downloads the full theft recovery agent. That file stores the download URL "using a single byte XOR key," the report said, with that data being "blindly trusted," making it relatively trivial to replace that URL with a malicious one.
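As an added illustration of the weakness the report describes (this is not code from the ASERT report or from LoJack), the script below shows why a single-byte XOR wrapper offers no integrity protection: an analyst can recover the stored agent URL by trying all 256 keys and then check the host against a list of expected servers. The key, the URLs and the host allowlist are constructed placeholders, not values from the page.

```python
"""Recover a single-byte-XOR-obfuscated agent URL and check its host.
Added example; key 0x5A, the URLs and EXPECTED_HOSTS are constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts a legitimate loader should contact.
EXPECTED_HOSTS = {"recovery.example.com"}

# A printable http(s) URL; the path stops at the first non-printable byte.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both obfuscates and recovers."""
    return bytes(b ^ key for b in data)


def recover_url(blob: bytes):
    """Brute-force every key. A one-byte key leaves only 256 candidates,
    so a readable URL falls out immediately. Returns (key, url) or None."""
    for key in range(256):
        m = URL_RE.search(xor_bytes(blob, key))
        if m:
            return key, m.group(0).decode("ascii")
    return None


def classify(blob: bytes) -> str:
    """Label a config blob by whether its recovered URL points at an
    expected host. Without a signature on the data, a host mismatch is
    the only signal a defender can extract from the blob itself."""
    found = recover_url(blob)
    if found is None:
        return "no-url"
    _, url = found
    host = urlparse(url).hostname or ""
    return "expected" if host in EXPECTED_HOSTS else "unexpected-host"


# Constructed sample blobs: a URL plus a NUL terminator, XORed with 0x5A.
SAMPLE_EXPECTED = xor_bytes(b"http://recovery.example.com/agent\x00", 0x5A)
SAMPLE_UNEXPECTED = xor_bytes(b"http://relay.example.net/agent\x00", 0x5A)

if __name__ == "__main__":
    for name, blob in [("expected", SAMPLE_EXPECTED),
                       ("unexpected", SAMPLE_UNEXPECTED)]:
        print(name, recover_url(blob), classify(blob))
```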
Accordingly, the researchers indicate that the legitimate nature of LoJack as an anti-theft utility has prompted antivirus programs to ignore the rpcnetp.exe loader, or categorize it as a "risk tool," making LoJack an attractive option for hackers to go undetected.
The actual delivery mechanism for this attack is as yet unknown, though Fancy Bear has been known to engage in phishing in past attacks.
The modified rpcnetp loader, which communicates with a server that simulates the same protocol that LoJack's legitimate server uses, grants attackers essentially unlimited control over a given device. Additionally, because the LoJack design relies on a BIOS-embedded dropper, the software can persist across OS reinstallation or hard drive replacement, the report said, though it has not been demonstrated that the compromised file has been flashed to a device BIOS, which is what would give the attack that persistence.
The researchers note that the attack requires a modified loader to communicate with servers controlled by the hackers, so there is no reason to believe that the authentic LoJack servers have been compromised.
Fancy Bear, otherwise known as APT28, Pawn Storm, Sofacy Group, Sednit, or Strontium, has been identified by multiple independent security research firms as the originator of a number of attacks since 2014. The group has been named as the responsible party for attacks against the 2017 German Federal election, the International Association of Athletics Federations (IAAF), and the United States Democratic National Committee, under the moniker "Guccifer 2.0."