Numando: Count once, code twice

The (probably) penultimate post in our occasional series demystifying Latin American banking trojans.

Before concluding our series, there is one more LATAM banking trojan that deserves a closer look – Numando. The threat actor behind this malware family has been active since at least 2018. Even though it is not nearly as lively as Mekotio or Grandoreiro, it has been consistently used since we started tracking it, bringing interesting new techniques to the pool of Latin American banking trojans’ tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images. Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain.

As with all the other Latin American banking trojans described in this series, Numando is written in Delphi and utilizes fake overlay windows to lure sensitive information out of its victims. Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage.

Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots and kill browser processes. Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings (see Figure 1), which inspired our naming of this malware family.

Figure 1. Numando command processing – part of command 9321795 processing (red)

Strings are encrypted by the most common algorithm among Latin American banking trojans (shown in Figure 5 of our Casbaneiro write-up) and are not organized into a string table. Numando collects the victimized machine’s Windows version and bitness.

Unlike most of the other Latin American banking trojans covered in this series, Numando does not show signs of continuous development. There are some minor changes from time to time, but overall the binaries do not tend to change much.

Numando is distributed almost exclusively by spam. Based on our telemetry, its campaigns affect several hundred victims at most, making it considerably less successful than the most prevalent LATAM banking trojans such as Mekotio and Grandoreiro. Recent campaigns simply add a ZIP attachment containing an MSI installer to each spammed message. This installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. If the potential victim executes the MSI, it eventually runs the legitimate application as well, and that side-loads the injector. The injector locates the payload and then decrypts it using a simple XOR algorithm with a multi-byte key. An overview of this process is illustrated in Figure 2.

Figure 2. Numando MSI and its contents distributed in the latest campaigns

For Numando, the payload and injector are usually named identically – the injector with the .dll extension and the payload with no extension (see Figure 3) – making it easy for the injector to locate the encrypted payload. Surprisingly, the injector is not written in Delphi – something very rare among Latin American banking trojans. The IoCs at the end of this blogpost contain a list of legitimate applications we have observed Numando abuse.

Figure 3. Files used for executing Numando. Legitimate application (Cooperativa.exe), injector (Oleacc.dll), encrypted payload (Oleacc) and legitimate DLLs.

Decoy ZIP and BMP overlay

There is one interesting distribution chain from the recent past worth mentioning. This chain starts with a Delphi downloader downloading a decoy ZIP archive (see Figure 4). The downloader ignores the archive’s contents and extracts a hex-encoded encrypted string from the ZIP file comment, an optional ZIP file component stored at the end of the file. The downloader does not parse the ZIP structure, but rather looks for the last { character (used as a marker) in the whole file. Decrypting the string results in a different URL that leads to the actual payload archive.

Figure 4. The decoy is a valid ZIP file (ZIP structures highlighted in green) with an encrypted URL included in a ZIP file comment at the end of the archive (red)
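A triage check for the decoy-ZIP pattern described above, added here as an example and not taken from ESET's tooling or from the malware: it parses the End Of Central Directory record to recover the archive comment, then flags archives whose last { in the file lies inside that comment and is followed by a long hex run. The function names, the 16-character threshold and the sample archives are assumptions constructed for the example.

```python
import io
import re
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory signature
EOCD_FIXED = 22            # EOCD size without the trailing comment
MAX_COMMENT = 0xFFFF       # the comment length is a 16-bit field
# Assumption: a '{' followed by at least 16 hex digits is worth flagging.
HEX_AFTER_MARKER = re.compile(rb"\{([0-9A-Fa-f]{16,})")


def zip_comment(data: bytes):
    """Return the archive comment from a consistent EOCD record, else None."""
    start = max(0, len(data) - EOCD_FIXED - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_FIXED <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            # A genuine EOCD is the last structure: its comment ends the file.
            if pos + EOCD_FIXED + comment_len == len(data):
                return data[pos + EOCD_FIXED:]
        pos = data.rfind(EOCD_SIG, start, pos)
    return None


def triage_zip(data: bytes) -> dict:
    """Report whether the ZIP comment carries a '{'-marked hex blob."""
    comment = zip_comment(data)
    report = {"valid_zip": comment is not None, "comment_len": 0,
              "hex_blob": None, "suspicious": False}
    if comment is None:
        return report
    report["comment_len"] = len(comment)
    comment_start = len(data) - len(comment)
    # The downloader anchors on the last '{' in the whole file, so the
    # check uses the same anchor and requires it to sit in the comment.
    marker = data.rfind(b"{")
    if marker >= comment_start:
        match = HEX_AFTER_MARKER.match(data, marker)
        if match:
            report["hex_blob"] = match.group(1).decode("ascii")
            report["suspicious"] = True
    return report


def build_sample(comment: bytes) -> bytes:
    """Constructed test archive: one harmless member plus the given comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("readme.txt", date_time=(2021, 9, 1, 12, 0, 0))
        zf.writestr(info, b"constructed decoy content")
        zf.comment = comment
    return buf.getvalue()


if __name__ == "__main__":
    constructed_blob = b"{" + b"4A6F" * 12   # constructed, not a real IoC
    print(triage_zip(build_sample(constructed_blob)))
    print(triage_zip(build_sample(b"nightly backup")))
```

The recovered hex blob stays encrypted without the key from the matching binary, so the check identifies the carrier archive rather than the next-stage URL.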

The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it. The process is illustrated in Figure 5.

Figure 5. Numando distribution chain using a decoy ZIP archive

This BMP file is a valid image and can be opened in a majority of image viewers and editors without issue, as the overlay is simply ignored. Figure 6 shows some of the decoy images the Numando threat actor uses.

Figure 6. Some BMP images Numando uses as decoys to carry its payload
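Image viewers ignore the overlay because they stop reading where the headers say the pixel data ends. The following added example (not ESET's or the malware's code) computes that end from the BMP headers and reports any bytes that follow it; the function names and the tiny sample image are constructed for the example, and only the common BITMAPINFOHEADER layout is assumed.

```python
import struct

BI_RGB = 0  # uncompressed pixel data


def bmp_overlay(data: bytes) -> dict:
    """Locate the end of the image data and report appended bytes."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file with a BITMAPINFOHEADER")
    # BITMAPFILEHEADER: declared file size and offset of the pixel array.
    bf_size, _res1, _res2, bf_off_bits = struct.unpack_from("<IHHI", data, 2)
    # First fields of BITMAPINFOHEADER.
    (bi_size, width, height, _planes, bpp,
     compression, size_image) = struct.unpack_from("<IiiHHII", data, 14)
    if bi_size < 40:
        raise ValueError("unsupported DIB header")
    if compression == BI_RGB:
        # Rows are padded to a multiple of 4 bytes; height may be negative.
        stride = ((width * bpp + 31) // 32) * 4
        image_end = bf_off_bits + stride * abs(height)
    else:
        image_end = (bf_off_bits + size_image) if size_image else bf_size
    overlay = data[image_end:]
    return {
        "declared_size": bf_size,     # what the file header claims
        "image_end": image_end,       # where the pixel data really ends
        "overlay_size": max(0, len(data) - image_end),
        "overlay_head": overlay[:16], # first bytes, for a quick look
    }


def build_bmp(width: int = 4, height: int = 2, bpp: int = 24) -> bytes:
    """Constructed minimal BMP used as sample input."""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = bytes(stride * height)
    off_bits = 14 + 40
    file_hdr = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                           BI_RGB, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


if __name__ == "__main__":
    clean = build_bmp()
    carrier = clean + b"CONSTRUCTED-OVERLAY" * 10   # constructed overlay
    print(bmp_overlay(clean))
    print(bmp_overlay(carrier))
```

The image end is derived from the dimensions rather than trusted from the declared file size, since that field can be set to cover the appended data.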

Like many other Latin American banking trojans, Numando abuses public services to store its remote configuration – YouTube and Pastebin in this case. Figure 7 shows an example of the configuration stored on YouTube – a technique similar to Casbaneiro, though much less sneaky. Google took the videos down promptly based on ESET’s notification.

Figure 7. Numando remote configuration on YouTube

The format is simple – three entries delimited by “:” between the DATA:{ and } markers. Each entry is encrypted separately the same way as other strings in Numando – with the key hardcoded in the binary. This makes it difficult to decrypt the configuration without having the corresponding binary; however, Numando does not change its decryption key very often, making decryption possible.

Numando is a Latin American banking trojan written in Delphi. It targets mainly Brazil with rare campaigns in Mexico and Spain. It is similar to the other families described in our series – it uses fake overlay windows, contains backdoor functionality and utilizes MSI.

We have covered its most typical features, distribution methods and remote configuration. It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector, and its remote configuration format is unique, giving two reliable factors for identifying this malware family.

For any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.

Hashes

SHA-1 Description ESET detection name
E69E69FBF438F898729E0D99EF772814F7571728 MSI downloader for “decoy ZIP” Win32/TrojanDownloader.Delf.CQR
4A1C48064167FC4AD5D943A54A34785B3682DA92 MSI installer Win32/Spy.Numando.BA
BB2BBCA6CA318AC0ABBA3CD53D097FA13DB85ED0 Numando banking trojan Win32/Spy.Numando.E
BFDA3EAAB63E23802EA226C6A8A50359FE379E75 Numando banking trojan Win32/Spy.Numando.AL
9A7A192B67895F63F1AFDF5ADF7BA2D195A17D80 Numando banking trojan Win32/Spy.Numando.AO
7789C57DCC3520D714EC7CA03D00FFE92A06001A DLL with overlay window images Win32/Spy.Numando.P

Abused legitimate applications

Example SHA-1 EXE name DLL name
A852A99E2982DF75842CCFC274EA3F9C54D22859 nvsmartmaxapp.exe nvsmartmax.dll
F804DB94139B2E1D1D6A3CD27A9E78634540F87C VBoxTray.exe mpr.dll
65684B3D962FB3483766F9E4A9C047C0E27F055E Dumpsender.exe Oleacc.dll

C&C servers

  • 138.91.168[.]205:733
  • 20.195.196[.]231:733
  • 20.197.228[.]40:779


Note: This table was built using version 9 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Numando operators register domains to be used as C&C servers. |
| | T1587.001 | Develop Capabilities: Malware | Numando is likely developed by its operator. |
| Initial Access | T1566 | Phishing: Spearphishing Attachment | Numando is distributed as a malicious email attachment. |
| Execution | T1204.002 | User Execution: Malicious File | Numando relies on the victim to execute the distributed MSI file. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Numando encrypts its payload or hides it inside a BMP image file, and some variants encrypt and hex encode their main payload URLs in a comment in decoy ZIP files. |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Numando is often executed by DLL side-loading. |
| | T1027.002 | Obfuscated Files or Information: Software Packing | Some Numando binaries are packed with VMProtect or Themida. |
| | T1218.007 | Signed Binary Proxy Execution: Msiexec | Numando uses the MSI format for execution. |
| Discovery | T1010 | Application Window Discovery | Numando monitors the foreground windows. |
| | T1082 | System Information Discovery | Numando collects the Windows version and bitness. |
| Collection | T1113 | Screen Capture | Numando can take screenshots. |
| Command and Control | T1132.002 | Data Encoding: Non-Standard Encoding | Numando uses custom encryption. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Numando exfiltrates data via a C&C server. |

Biden Administration Responds to Geopolitical Cyber Threats

In response to growing concerns regarding the recent uptick in large-scale, nation-state-backed ransomware attacks on critical infrastructure, the Biden administration is taking new action to tackle the evolving challenges posed by ransomware attacks.

When considering the cybersecurity CIA triad of confidentiality, integrity, and availability, each component is essential to the secure operation of every organization. 

However, when the consistent and reliable availability of necessary data is lost as a result of a ransomware incident, it is perhaps the most crippling of the three. Denial of access to data can cripple operations and bring everything to a grinding halt. To add insult to injury, the absolute urgency and panic that system denial creates in victims only exacerbates the challenge of responding to a ransomware attack.

Adversaries now commonly use ransomware to quickly and efficiently steal victims’ access to valuable data. The ransomware “industry” has matured in several ways: through the anonymity granted by the Internet and digital currency, combined with the low-risk/high-reward mechanics involved with ransoming a victim’s files, plus the evolution and increasing monetization of ransomware-as-a-service (RaaS). All “flavors” of customizable ransomware toolkits can be found for sale on the Dark Web. While already a troubling concept to consider, such offerings have facilitated the fast and massive global proliferation of ransomware toolkits.

Task Force Takes All-Hands-on-Deck Approach
As a result of the growth and development of sophisticated, technically knowledgeable, well-funded, and often nation-state-backed ransomware gangs, developing and deploying any lasting and comprehensive countermeasures will require a herculean effort. 

Given the increased frequency of the attacks, combined with the severity of consequences that stem from a successful strike, no single entity can possibly hope to coordinate such a large-scale disruption of these ransomware campaigns alone. A truly extensive response requirement will demand international cooperation from government organizations, private entities, and defense agencies worldwide.

In light of the significant national security implications surrounding repeated ransomware strikes against critical infrastructure, the Biden administration recently announced plans for the deployment of a cross-government ransomware task force. This task force, composed of an interagency group of senior security officials, will help to further facilitate defensive capabilities to protect against attacks by promoting data security resilience among critical infrastructure entities. 

The task force will seek to coordinate with US allies to direct any offensive responses against evolving attack campaigns, while simultaneously working to disrupt ransom payments proffered on various cryptocurrency platforms.

Additionally, the US Department of Justice announced plans to elevate ransomware investigations to the same level of priority as terrorist attacks, granting greater access to government resources to assist in mitigation efforts.

Administration officials are increasingly concerned now that ransomware attacks frequently exploit various supply chain vulnerabilities as a preferred method of compromise. Attacks such as these target popular software solutions to reach a larger pool of potential victims. Challenges surrounding these supply chain attacks plague government agencies and private sector companies alike. While many organizations are still recovering from the SolarWinds breach that occurred at the end of 2020, the recent ransomware strike against popular vendor Kaseya shows that such threats are likely to continue in the absence of a coordinated response.

Security Concerns Spark Geopolitical Tensions
Many recent ransomware attacks are believed to have originated in countries that are adversarial to the US. This poses additional challenges. The very clandestine nature of the attacks, in addition to the anonymity surrounding payment, makes any kind of accountability difficult to impose. For example, the FBI claimed that the culprits of the Colonial Pipeline attack, a ransomware network known as DarkSide, are based in Russia and are operating with Russian President Vladimir Putin’s full knowledge. As expected, Putin has dismissed accusations against Moscow as unfounded. However, several US government officials have commented that even as Putin is more than likely completely aware of the criminal activity stemming from within his country’s borders, these gangs are so autonomous that Putin himself may be powerless to truly disrupt them.

Furthermore, the Biden administration has also accused the Chinese government of helping to facilitate various cyberattacks including ransomware, extortion, theft, and even crypto-jacking. The administration alleges that China’s Ministry of State Security (MSS) was also responsible for an attack on Microsoft’s Exchange email server earlier this year that compromised more than 30,000 organizations that rely on this service to facilitate daily operations. The Department of Justice has gone one step further with China, and has officially charged four Chinese nationals with illicit computer network exploitation activities, as part of a Chinese advanced persistent threat (APT) group known as APT40.

However, there are growing concerns regarding any kind of official US retaliation against either Russia or China. Officials have expressed considerable concern regarding any form of cyber standoff that may manifest between the US and an adversarial leader or nation. There are considerable fears that any kind of retaliatory action from the US could further escalate into even more orchestrated attacks against the US, its interests, and its allies.

Only time will tell if the geopolitical posturing between these superpowers will result in a digital détente.

Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at Omdia. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data connectivity …

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2021-40669
PUBLISHED: 2021-09-16

SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.

CVE-2021-40670
PUBLISHED: 2021-09-16

SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the /coreframe/app/order/admin/card.php file.

CVE-2021-29763
PUBLISHED: 2021-09-16

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory and cause a denial of service. IBM X-Force ID: 202267.

CVE-2021-29825
PUBLISHED: 2021-09-16

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. IBM X-Force ID: 204470.

CVE-2021-29842
PUBLISHED: 2021-09-16

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.

HTTP/2 Implementation Errors Exposing Websites to Serious Risks

Organizations that don’t implement end-to-end HTTP/2 are vulnerable to attacks that redirect users to malicious sites and other threats, security researcher reveals at Black Hat USA.

BLACK HAT USA 2021 – Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, a security researcher warned in a presentation at Black Hat USA Thursday.

James Kettle, director of research at PortSwigger, who at Black Hat two years ago demonstrated so-called Desync attacks against websites using the HTTP protocol, this week showed how similar attacks could be carried out with potentially severe consequences against websites using the HTTP/2 standard.

As proof-of-concept, Kettle described attacks he was able to execute using his techniques against websites belonging to organizations such as Netflix, those powered by Amazon’s application load balancer, and websites using Imperva’s cloud Web application firewall. In many instances he was able to redirect requests from Web-facing servers at these sites to his own server.

Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1. As Google describes it, “all the core concepts, such as HTTP methods, status codes, URIs, and header fields, remain in place,” with the new protocol. “Instead, HTTP/2 modifies how the data is formatted (framed) and transported between the client and server, both of which manage the entire process, and hides all the complexity from our applications within the new framing layer.”

According to Kettle, a whole slew of security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients back to HTTP/1.1 before forwarding them to a back-end server. 

“A vast majority of the servers that speak HTTP/2 actually speak HTTP/1 to the back-end,” he said during his Black Hat talk. They speak H2 to the client and H1 with the back-end, Kettle said.

“This set up is ridiculously common,” he noted. Kettle pointed to Amazon’s Application Load Balancer, for example, where this communication cannot be disabled. Such HTTP/2 downgrades and protocol translations give attackers a way to carry out Desync attacks, Kettle said.

HTTP Desync attacks basically abuse weaknesses in how back-end servers interpret and respond to consecutive requests from a front-end server, load-balancer, or proxy server. For example, front-end servers speaking HTTP/2 follow a specific format for conveying message length to the back-end server. But a back-end server that only speaks HTTP/1.1 will not recognize the data because it derives information about the length of a request via other methods. 

Attackers can take advantage of disagreements over message length between the front-end server and back-end server to essentially interfere with the way an application might handle requests.
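The length disagreement described above can be closed on the front end by refusing to downgrade requests whose headers would give an HTTP/1.1 back end a different idea of the message length than the HTTP/2 framing does. The following is an added example, not code from Kettle's talk or from any vendor named in the article: the rules are the malformed-request conditions in RFC 7540 (sections 8.1.2, 8.1.2.2, 8.1.2.6 and 10.3), while the function name, rule labels and sample header lists are constructed.

```python
# Header fields that only make sense per connection in HTTP/1.1.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}
FORBIDDEN_CHARS = ("\r", "\n", "\x00")


def h2_downgrade_violations(headers, data_frame_lengths):
    """Return (rule, detail) pairs; an empty list means safe to translate.

    headers            -- list of (name, value) pairs as decoded from HPACK
    data_frame_lengths -- payload length of each DATA frame of the request
    """
    problems = []
    body_len = sum(data_frame_lengths)
    content_lengths = []
    for name, value in headers:
        lname = name.lower()
        if name != lname:
            # RFC 7540 8.1.2: field names must be lowercase in HTTP/2.
            problems.append(("uppercase-name", name))
        if any(ch in name or ch in value for ch in FORBIDDEN_CHARS):
            # RFC 7540 10.3: CR, LF and NUL would split an HTTP/1.1 header.
            problems.append(("forbidden-character", lname))
        if ":" in name[1:]:
            # Only pseudo-headers may contain ':' and only as first character.
            problems.append(("colon-in-name", lname))
        if lname in CONNECTION_SPECIFIC:
            # RFC 7540 8.1.2.2: such a request is malformed.
            problems.append(("connection-specific-header", lname))
        if lname == "te" and value.strip().lower() != "trailers":
            problems.append(("connection-specific-header", lname))
        if lname == "content-length":
            content_lengths.append(value.strip())
    distinct = sorted(set(content_lengths))
    if len(distinct) > 1:
        problems.append(("conflicting-content-length", ",".join(distinct)))
    for cl in distinct:
        # RFC 7540 8.1.2.6: content-length must equal the DATA payload total.
        if not (cl.isascii() and cl.isdigit()) or int(cl) != body_len:
            problems.append(("content-length-mismatch",
                             f"header={cl!r} frames={body_len}"))
    return problems


if __name__ == "__main__":
    # Constructed requests: header lists plus DATA frame sizes only.
    base = [(":method", "POST"), (":path", "/submit"),
            ("content-type", "application/json")]
    samples = {
        "consistent": (base + [("content-length", "11")], [5, 6]),
        "length disagrees": (base + [("content-length", "0")], [11]),
        "h1 framing header": (base + [("transfer-encoding", "chunked")], [11]),
    }
    for label, (hdrs, frames) in samples.items():
        print(label, h2_downgrade_violations(hdrs, frames))
```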

High-Profile Targets
To show how such an attack would work, Kettle pointed to an exploit he executed against Netflix where front-end servers performed HTTP downgrading without verifying request lengths. The vulnerability allowed Kettle to develop an exploit that triggered Netflix’s back-end to redirect requests from Netflix’s front-end to his own server. That allowed Kettle to potentially execute malicious code to compromise Netflix accounts, steal user passwords, credit card information, and other data. Netflix patched the vulnerability and awarded Kettle its maximum bounty of $20,000 for reporting it to the company.

In another instance, Kettle discovered that Amazon’s Application Load Balancer had failed to implement an HTTP/2 specification regarding certain message-header information that HTTP/1.1 uses to derive request lengths. With this vulnerability, Kettle was able to show how an attacker could exploit it to redirect requests from front-end servers to an attacker-controlled server.  He found a vulnerable law-enforcement access portal while using the Amazon load balancer.

Almost every website using the Amazon load balancer was vulnerable to exploit, Kettle said. So, too, was a CMS powering multiple news sites such as Huffington Post – and every website using an Imperva WAF, he added.

During his presentation, Kettle highlighted several other exploits he had developed to take advantage of vulnerabilities that arise when organizations downgrade HTTP/2 to HTTP. He also released an updated version of HTTP Request Smuggler, a tool that organizations can use to detect HTTP/2 specific vulnerabilities on their network. Burp Suite vulnerability scanner has also been updated to detect these vulnerabilities, Kettle said.

“Please just avoid HTTP/2 downgrading,” he advised. “Just speak HTTP/2 end-to-end. If you do that, about 80% of the attacks from this presentation simply won’t work.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Recommended Reading:

More Insights

HTTP/2 Implementation Errors Exposing Websites to Serious Risks

Organizations that don’t implement end-to-end HTTP/2 are vulnerable to attacks that redirect users to malicious sites and other threats, security researcher reveals at Black Hat USA.

BLACK HAT USA 2021 – Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, a security researcher warned in a presentation at Black Hat USA Thursday.

James Kettle — director of research at PortSwigger who at Black Hat two years demonstrated so-called Desync attacks against websites using the HTTP protocol — this week showed how similar attacks could be carried out with potentially severe consequences against websites using the HTTP/2 standard.

As proof-of-concept, Kettle described attacks he was able to execute using his techniques against websites belonging to organizations such as Netflix, those powered by Amazon’s application load balancer, and websites using Imperva’s cloud Web application firewall. In many instances he was able to redirect requests from Web-facing servers at these sites to his own server.

Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1. As Google describes it, “all the core concepts, such as HTTP methods, status codes, URIs, and header fields, remain in place,” with the new protocol. “Instead, HTTP/2 modifies how the data is formatted (framed) and transported between the client and server, both of which manage the entire process, and hides all the complexity from our applications within the new framing layer.”

According to Kettle, a whole slew of security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients back to HTTP/1.1 before forwarding them to a back-end server. 

“A vast majority of the servers that speak HTTP/2 actually speak HTTP/1 to the back-end,” he said during his Black Hat talk. They speak H2 to the client and H1 with the back-end, Kettle said.

“This setup is ridiculously common,” he noted. Kettle pointed to Amazon’s Application Load Balancer, for example, where this communication cannot be disabled. Such HTTP/2 downgrades and protocol translations give attackers a way to carry out Desync attacks, Kettle said.

HTTP Desync attacks basically abuse weaknesses in how back-end servers interpret and respond to consecutive requests from a front-end server, load-balancer, or proxy server. For example, front-end servers speaking HTTP/2 follow a specific format for conveying message length to the back-end server. But a back-end server that only speaks HTTP/1.1 will not recognize the data because it derives information about the length of a request via other methods. 

Attackers can take advantage of disagreements over message length between the front-end server and back-end server to essentially interfere with the way an application might handle requests.
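The checks a downgrading front end can apply before rewriting a request, following the HTTP/2 rules that a declared content-length must match the DATA frames and that connection-specific fields such as transfer-encoding are malformed, can be sketched as below. This is an added example, not code from the talk or from any vendor; the function names and sample requests are constructed, and the header list is assumed to arrive already HPACK-decoded.

```python
# Added example (not from the talk): pre-downgrade checks for an HTTP/2 request.
# Connection-specific fields that RFC 7540 section 8.1.2.2 bans from HTTP/2;
# an HTTP/1.1 back end would use transfer-encoding to frame the body.
FORBIDDEN = {"connection", "keep-alive", "proxy-connection",
             "transfer-encoding", "upgrade"}
REQUIRED = (":method", ":path", ":authority")


def downgrade_problems(headers, body):
    """List reasons this HTTP/2 request must not be rewritten as HTTP/1.1.

    headers: (name, value) pairs after HPACK decoding; body: DATA frame bytes.
    """
    problems = []
    names = [n for n, _ in headers]
    problems += [f"missing {p}" for p in REQUIRED if p not in names]
    for name, value in headers:
        if any(c in name + value for c in "\r\n\0"):
            problems.append(f"control character in {name!r}")
        if name in (":method", ":path") and " " in value:
            problems.append(f"space in {name}")
        if name.lower() in FORBIDDEN:
            problems.append(f"connection-specific field {name!r}")
        # A declared length must equal what the DATA frames delivered.
        if name.lower() == "content-length" and value != str(len(body)):
            problems.append(f"content-length {value!r} != {len(body)} bytes")
    return problems


def downgrade(headers, body):
    """Serialize as HTTP/1.1, or raise ValueError when the request is ambiguous."""
    problems = downgrade_problems(headers, body)
    if problems:
        raise ValueError("; ".join(problems))
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"host: {pseudo[':authority']}"]
    lines += [f"{n}: {v}" for n, v in headers
              if not n.startswith(":") and n.lower() not in ("content-length", "host")]
    # Frame the body from the bytes received, never from a client-supplied value.
    lines.append(f"content-length: {len(body)}")
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


# Constructed sample requests.
BODY = b"a=1&b=2"
BASE = [(":method", "POST"), (":path", "/login"), (":authority", "example.test")]
OK = BASE + [("content-length", "7")]
BAD_LENGTH = BASE + [("content-length", "0")]
BAD_FRAMING = BASE + [("transfer-encoding", "chunked")]
```

Rejecting the request outright, rather than silently repairing it, also gives the front end a log event to alert on.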

High-Profile Targets
To show how such an attack would work, Kettle pointed to an exploit he executed against Netflix where front-end servers performed HTTP downgrading without verifying request lengths. The vulnerability allowed Kettle to develop an exploit that triggered Netflix’s back-end to redirect requests from Netflix’s front-end to his own server. That allowed Kettle to potentially execute malicious code to compromise Netflix accounts, steal user passwords, credit card information, and other data. Netflix patched the vulnerability and awarded Kettle its maximum bounty of $20,000 for reporting it to the company.

In another instance, Kettle discovered that Amazon’s Application Load Balancer had failed to implement an HTTP/2 specification regarding certain message-header information that HTTP/1.1 uses to derive request lengths. With this vulnerability, Kettle was able to show how an attacker could exploit it to redirect requests from front-end servers to an attacker-controlled server. He found a vulnerable law-enforcement access portal while using the Amazon load balancer.

Almost every website using the Amazon load balancer was vulnerable to exploit, Kettle said. So, too, was a CMS powering multiple news sites such as Huffington Post – and every website using an Imperva WAF, he added.

During his presentation, Kettle highlighted several other exploits he had developed to take advantage of vulnerabilities that arise when organizations downgrade HTTP/2 to HTTP/1.1. He also released an updated version of HTTP Request Smuggler, a tool that organizations can use to detect HTTP/2-specific vulnerabilities on their network. The Burp Suite vulnerability scanner has also been updated to detect these vulnerabilities, Kettle said.

“Please just avoid HTTP/2 downgrading,” he advised. “Just speak HTTP/2 end-to-end. If you do that, about 80% of the attacks from this presentation simply won’t work.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

FragAttacks Foil 2 Decades of Wireless Security

Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.

The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s — Wired Equivalent Privacy (WEP) — had significant security problems, and the first two versions of Wireless Protected Access, WPA and WPA2, have both been found to be vulnerable to a variety of other security issues.

The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse aggregation and fragmentation to allow machine-in-the-middle attacks. Details of the vulnerabilities, which have been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5.

The issues occur in the way that small network packets are combined for transport, known as aggregation, or the way that large network packets are split up to improve reliability, known as fragmentation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.

“The fragmentation and aggregation functionality of Wi-Fi were never considered security-essential, so no one really looked at them,” he said, adding: “This really shows that all implementations are vulnerable — even, surprisingly, those that don’t support fragmentation and those that don’t support aggregation.”

The vulnerabilities — which Vanhoef described as design flaws in the IEEE 802.11 standard, more commonly known as Wi-Fi — were described in a paper released in June. The issues allow a local attacker who has fooled a victim into connecting to an attacker-controlled server to then insert themselves into the Wi-Fi network as a machine in the middle.

Vanhoef characterized these as design flaws because the specific mitigations are optional and not required, a lesson for future implementers of the standard.

“We should adopt defenses early, even if the concerns are theoretic, because that, for example, would have prevented the aggregation design flaw,” he said. In addition, testing the software should be part of the credentialing process for vendors’ devices, he added. “We should keep fuzzing devices; … the Wi-Fi Alliance could fuzz devices while they are being certified.”

Vanhoef discovered three design flaws in the current Wi-Fi standard. The first, CVE-2020-24588, allows an attacker to abuse the way that Wi-Fi aggregates smaller data packets into larger frames to optimize wireless data rates. The researcher used the attack to send victims on the local Wi-Fi network to an attacker-controlled domain name service (DNS) server, and then on to a malicious website.

A second flaw, CVE-2020-24587, takes advantage of the specification’s failure to verify that each fragment of a packet is using the same encryption key. Using a specially constructed packet, an attacker can append code onto a legitimate fragment of the victim’s original packet.

“While this actually seems secure, the problems begin when fragmentation is combined with session-key renewal,” Vanhoef said. “When the key is renewed, the packet numbers will be reset to 0. … The problem is that the receiver will reassemble the packets even if the sender used different encryption keys.”

The final flaw, CVE-2020-24586, takes advantage of the lack of deletion of packet fragments from legitimate users on a Wi-Fi network. A malicious user can cache packets on the Wi-Fi network, which, under certain circumstances, will be inserted into other users’ packets.
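A simplified model of a receiver's fragment cache shows the two checks whose absence the second and third flaws rely on: rejecting fragments decrypted under different keys, and clearing cached fragments when a station reconnects. This is an added example, not Vanhoef's test tool or real 802.11 code; the `Fragment` fields, the `key_id` tag and the sample values are assumptions made for illustration.

```python
# Added example: simplified model of fragment reassembly, not 802.11 code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    sender: str    # transmitter address
    seq: int       # sequence number shared by the fragments of one frame
    frag: int      # fragment index, starting at 0
    more: bool     # True when further fragments follow
    key_id: int    # assumed field: which session key decrypted this fragment
    pn: int        # packet number used when encrypting
    data: bytes


class Reassembler:
    def __init__(self, hardened):
        self.hardened = hardened
        self.cache = {}    # (sender, seq) -> fragments received so far

    def on_reconnect(self, sender):
        """Hardened receivers drop a station's pending fragments on (re)connect."""
        if self.hardened:
            self.cache = {k: v for k, v in self.cache.items() if k[0] != sender}

    def receive(self, f):
        """Return the reassembled payload, or None if incomplete or rejected."""
        slot = (f.sender, f.seq)
        parts = self.cache.pop(slot, [])
        if f.frag != len(parts):
            return None                      # out of order: discard the frame
        if parts and f.pn != parts[-1].pn + 1:
            return None                      # packet numbers must be consecutive
        if parts and self.hardened and f.key_id != parts[-1].key_id:
            return None                      # fragments from different keys
        parts.append(f)
        if f.more:
            self.cache[slot] = parts
            return None
        return b"".join(p.data for p in parts)


def mixed_key_result(hardened):
    """Constructed case: the session key is renewed between two fragments."""
    r = Reassembler(hardened)
    r.receive(Fragment("sta", 5, 0, True, key_id=1, pn=10, data=b"AAAA"))
    return r.receive(Fragment("sta", 5, 1, False, key_id=2, pn=11, data=b"BBBB"))
```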

To allow vendors and researchers to verify the issues, Vanhoef published a testing tool to GitHub. The software requires the credentials of the Wi-Fi network, so it is not considered an attack tool.

Many device makers still do not handle vulnerability disclosure well. Vanhoef worked with the Wi-Fi Alliance to disclose the issues to vendors, and most issued patches. Vanhoef modified the test tool for specific vendors and continues to work with the group to support vendors.

“To my surprise, some companies were not happy, even if they managed to write patches for most devices,” he said. “I was actually happy that most devices got patches, because usually that is not the case for Wi-Fi.”

At the end of 2020, two new security measures became standard for WPA3 — operating channel validation and beacon protection — and while they make the fragmentation attacks harder, they are still possible.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …
