VirusTotal Accidental Disclosure: Breaking OpSec or Sophisticated Attacker?
During May’s Patch Tuesday (May 8, 2018), Microsoft quietly patched two zero-day vulnerabilities (CVE-2018-4990 and CVE-2018-8120) that were discovered in Adobe Acrobat Reader and Windows 7 and Server 2008/R2. When combined, these two zero-days could form an extremely powerful cyber-weapon. The first vulnerability (4990) would allow shell code to be run in Adobe Acrobat, while the second vulnerability (8120) would allow the code to escape the Adobe Acrobat sandbox, effectively giving a remote attacker full code execution on the host. The patches followed the discovery of both zero-days by security firm ESET, which found them while analyzing a PDF file that had been uploaded to the Google-owned VirusTotal service.
What exactly is VirusTotal? VirusTotal is an online security platform used by developers and security researchers to upload code, URLs, or files they wish to be analyzed. The data is uploaded to VirusTotal for analysis and run through over 70 different anti-virus engines and blacklisting services from most of the major security vendors. It is a completely free service and legitimate users would normally upload a file to check if it is malicious or to find out if code they are writing would be incorrectly flagged (false positive) as malicious by any AV engines or blacklisting services. The results of the analysis are freely shared publicly and with the participating security vendors in order to improve their catch rate (win-win-win).
When malware authors upload their work to VirusTotal, it acts as a double-edged sword. The authors can easily determine whether their code has been discovered or blocked by most major security vendors, but in doing so they also increase the chance of being discovered. Files and URLs submitted to VirusTotal are permanently stored and become available to anyone who wishes to examine or analyze them.
When the story first broke that someone had uploaded a PDF file with two zero-day exploits, most media outlets pointed to poor Operational Security (OpSec) on the part of the malware authors. There was one major peculiarity with the PDF file that was analyzed by ESET: the PDF file that contained the zero-days carried no malicious payload. That meant a lot of work and effort went into developing the attack code, but without any type of payoff. Security researchers developing proof-of-concept attacks often run the built-in Windows calculator program (calc.exe) as proof of their ability to remotely run arbitrary code (remote code execution). The thought is that if an attacker can run calc.exe (a benign process), they could potentially run any code they wish. The malicious PDF in question dropped an empty Visual Basic (VBS) script into the startup folder of the target machine. The lack of a malicious payload led some to believe that the file was in early development and that uploading it to VirusTotal destroyed any chance of it becoming a mature attack vehicle. Accidentally breaking OpSec would not be new to the world of state-sponsored APT crews: the GRU (Russia’s Military Intelligence Directorate) was unmasked as Guccifer 2.0 because someone forgot to turn on their VPN.
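The persistence artifact described above, a script file (here an empty VBS) written into a Startup folder, is something a defender can look for directly. The following is an added example, not code from the original post or from ESET or VirusTotal: it scans a Startup folder for shell-executable script files, flags empty and recently modified ones, and attaches a SHA-256 to each finding so an analyst can check the hash against VirusTotal or internal intel without uploading the file itself (a hash lookup does not disclose the document). The Startup folder paths, the extension list and the `build_sample_startup_folder` helper, which constructs a throwaway directory with sample files, are this example's own assumptions.

```python
"""Scan Windows Startup folders for dropped script files (added example)."""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions the Windows shell will execute from a Startup folder (assumed list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}


def windows_startup_folders():
    """Per-user and all-users Startup folders on Windows.

    Assumes the standard APPDATA / PROGRAMDATA variables; returns an empty
    list on other platforms or when the folders do not exist.
    """
    folders = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        folders.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return [f for f in folders if f.is_dir()]


def sha256_of_file(path):
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_startup_folder(folder, max_age_hours=24, now=None):
    """Return findings (dicts) for every script file in `folder`.

    Every script file is reported; empty files and files modified within
    `max_age_hours` get extra reasons so they sort to the top of a triage list.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        st = entry.stat()
        modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        reasons = ["script in Startup folder"]
        if st.st_size == 0:
            reasons.append("empty file (placeholder or staging artifact)")
        if now - modified <= timedelta(hours=max_age_hours):
            reasons.append("modified within %d hours" % max_age_hours)
        findings.append({
            "path": str(entry),
            "size": st.st_size,
            "sha256": sha256_of_file(entry),
            "reasons": reasons,
        })
    return findings


def build_sample_startup_folder():
    """Constructed sample data: a temp dir with an empty VBS dropped just now,
    a harmless text file, and a ten-day-old batch file."""
    folder = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    (folder / "update.vbs").write_bytes(b"")
    (folder / "readme.txt").write_bytes(b"not a script")
    legacy = folder / "legacy.bat"
    legacy.write_bytes(b"@echo off\r\n")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(legacy, (ten_days_ago, ten_days_ago))
    return str(folder)


if __name__ == "__main__":
    targets = windows_startup_folders() or [build_sample_startup_folder()]
    for folder in targets:
        for finding in scan_startup_folder(folder):
            print(finding["sha256"], finding["size"], finding["path"],
                  "; ".join(finding["reasons"]))
```

On a non-Windows host the script falls back to the constructed sample folder so the logic can be exercised; on Windows it walks the real Startup folders. The hash in each finding is the value to query, not the file to submit, which is the practical lesson of the VirusTotal discussion above.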
An alternative (and in my opinion, more likely) theory is that the attackers were extremely sophisticated, likely state-sponsored, and that uploading the file to VirusTotal was a planned stage of the attack. Microsoft tipped its hat to the authors, stating that while there was no malicious payload attached to the PDF, the file and its authors demonstrated high levels of both vulnerability discovery and exploit writing. If the authors possessed such a high level of sophistication, they would be highly unlikely to make such a rookie mistake. It is much more likely that the attackers took a calculated risk by uploading the code to VirusTotal. It’s absolutely possible that the attackers had two versions of the PDF: one version with the exploits but no malicious payload, to upload to VirusTotal, and a second version with the same exploits but containing the malicious payload. The attackers likely knew, through reconnaissance or the nature of their target, that the target would be running anti-virus software made by one of the 70 vendors that are partnered with VirusTotal, so it would be highly beneficial to know whether they would be caught or go undetected. The attackers would have believed that the risk of early detection by one of the VirusTotal partners was outweighed by the benefit of a successful attack (likely a spear-phishing campaign). The gamble paid off because not a single one of VirusTotal’s partners detected the PDF file as malicious at the time of upload.
If this narrative were true, this would not be the first time attackers used VirusTotal to figure out whether they had been discovered. In 2007, an early version of Stuxnet (version 0.5) was uploaded to VirusTotal, but it remained undetected until later versions were discovered and researchers went back through old files looking for similar code. Since VirusTotal and its partners follow standard responsible disclosure procedures, notifying affected vendors and giving them 90 days to fix the vulnerability before publicly disclosing it, the attackers would have had a 90-day window in which to perform their attack. For sophisticated attackers with a specific target in mind, that would have been more than enough time. Burning two zero-day exploits would come at a very high cost (development, opportunity cost, the option of selling them to other attackers), which provides more evidence that the attackers were likely state-sponsored. Recent research suggests that true zero-days are becoming rarer and more valuable than ever.
With the way recently discovered zero-day vulnerabilities are being used, it is more important than ever to have a defense-in-depth strategy to protect users and assets from being exploited. If state-sponsored groups with seemingly unlimited resources are going after you, they will eventually succeed. It is only a matter of how much effort they will have to go through and the level of exposure when a breach occurs. Many security tools and training will help with this, but in the end fighting a state will seem like trying to guard a screen door.