When a cybercrook targets a person, he or she usually relies on tricking the victim into clicking on link bait – such as exploiting the death of Robin Williams – or opening an email attachment, spear phishing so the victim enters sensitive info on a spoofed site, or watering hole attacks that infect a legitimate site the target tends to visit. But if the attacker can get an ISP, or others, to install specific high-speed network hardware based on carrier-grade server technologies, then there is no social engineering needed. Instead, “network injection allows the exploitation of any target that views any clear-text content on the Internet provided that they pass through a network point that the attacker controls.”
It’s “hacking on easy mode,” explained a new report by Citizen Lab; “compromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet.” Network injection “allows for the ‘tasking’ of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream.”
The report looks at CloudShield Technologies’ CS-2000 hardware, a “prototype for targeted surveillance network injection,” which later morphed into “network injection appliances from both the Hacking Team and FinFisher.” Citizen Lab “tracked the use of FinFisher to 25 different countries” and the “Hacking Team is claimed to have been used in up to 60 countries worldwide.”
“An unknown number of computers around the world have been implanted with Trojan horses by government security services that siphon their communications and files.” Additional reporting by the Washington Post revealed that CloudShield’s surveillance prototype hardware could inject 254 Trojans into a target’s PC and would keep trying to infect the target up to 65,000 times. That was five years ago and only a prototype. Three years ago, the Hacking Team advertised, “Go stealth, hit a hundred thousand targets.” It’s chilling to ponder the capabilities of today.
One attack exploited Microsoft’s Live login page, that was served over HTTP, and inserted a backdoor in the target’s PC. Citizen Lab reported that the Hacking Team’s network injection appliance included a rule so that “when a target loads the login.live.com website, the INJECT-HTML-JAVA payload is deployed. This payload alerts the user of an update to java and installs the RCS agent. It is additionally possible to use an exploit for silent installation.”
Another network injection attack used by the Hacking Team to compromise YouTube, “injects malicious code into the video stream when a visitor clicks the play button.” While the user may be viewing a cute cat video, “the malicious code exploits a flaw in Adobe’s Flash video player to take control of the computer.”
Both Google and Microsoft were previously warned about the vulnerabilities, but they blew off such attacks as hypothetical. When warned about a potential YouTube attack via sending unencrypted links to videos, Google claimed that was “expected behavior” that it “won’t fix” and closed the vulnerability report. But now both Google and Microsoft “are racing to close the vulnerability.”
After Citizen Lab warned Google about the devices being used to exploit YouTube users, on July 22nd, 2014, Google said it was “accelerating two changes. All users using an extension like HTTPS Everywhere will now receive the full page and video stream over TLS. Additionally, a roll-out of full-TLS YouTube is being carried out for all users, independent of login state.” In fact, Google now gives websites that use HTTPS encryption a higher search ranking.
Matt Thomlinson, Microsoft’s VP of security, said his company “would have significant concerns if the allegations of an exploit being deployed are true.” Citizen Lab reported the issue to Microsoft on August 6 and the company “pushed out a hotfix to automatically force all users to use https://login.live.com.”
You might expect to see this kind of network injection for surveillance being deployed by the NSA, but this type of attack capability is being sold on the commercial market. FinFisher salespeople indicated the company works with VUPEN, the zero-day exploit vendor. Network injection appliances rely on exploiting clear-text traffic and count on the fact that “popular websites will not encrypt all of their traffic. In order to mitigate these types of attacks, we suggest that providers serve all content over TLS, and provide end-to-end encryption wherever possible. The use of HSTS and certificate pinning is also strongly recommended.”
In closing, Citizen Lab advised using HTTPS Everywhere and perhaps HTTP Nowhere, but that extension might break a site’s functionality…which would illustrate “how much the user experience of web browsing is still dependent on unencrypted data.” Additionally, “it would be wise to avoid downloading programs from sites that do not use HTTPS and be extremely cautious about sites that prompt you to unexpectedly install software.”