1
00:00:01,679 --> 00:00:10,759
Speaker 1: Produced by PI Media. Hi, I'm Ran Levi. Welcome to CPRadio.

2
00:00:14,599 --> 00:00:17,559
A year ago, this podcast recounted one of the

3
00:00:17,559 --> 00:00:22,280
most momentous decisions in cybersecurity history. It concerned one of

4
00:00:22,320 --> 00:00:26,920
those most indelible images known to computer users: a

5
00:00:26,960 --> 00:00:32,039
security warning from Microsoft programs like Word and Excel.

6
00:00:32,280 --> 00:00:36,719
Our computers would read, macros have been disabled, and then

7
00:00:36,960 --> 00:00:40,520
there was an option for you to click to enable content.

8
00:00:41,200 --> 00:00:44,880
The option to enable macros was always a tricky one.

9
00:00:44,960 --> 00:00:48,640
A small sect of power users really loved using macros

10
00:00:48,679 --> 00:00:53,560
to streamline and automate the various ways they used Microsoft products.

11
00:00:54,320 --> 00:00:57,799
The vast majority of us never used them though, or

12
00:00:57,880 --> 00:01:02,159
probably even knew what macros were. So when we opened

13
00:01:02,200 --> 00:01:05,680
files and were presented with the option to enable macros,

14
00:01:05,959 --> 00:01:09,879
we often just hit okay because we didn't know better.

15
00:01:10,599 --> 00:01:14,040
But there is a problem with defaulting to okay. We've

16
00:01:14,079 --> 00:01:17,480
known this for years, and even though Microsoft has fixed

17
00:01:17,519 --> 00:01:22,079
their problem, we're still suffering as a result of this instinct. Today,

18
00:01:22,719 --> 00:01:27,040
consider the Foxit PDF reader. When it comes to

19
00:01:27,239 --> 00:01:32,359
PDF viewing software, Adobe Acrobat Reader is clearly top dog.

20
00:01:32,599 --> 00:01:36,680
It's probably what you use, but among its competition, Foxit

21
00:01:36,680 --> 00:01:40,480
Reader is a significant player. It's got over seven

22
00:01:40,519 --> 00:01:45,000
hundred million users spread across two hundred countries. Among its

23
00:01:45,040 --> 00:01:49,879
customers are high level government entities like the US Air Force, Army,

24
00:01:49,959 --> 00:01:55,079
and Navy, and major corporations Morgan Stanley, Amazon, and Microsoft,

25
00:01:55,159 --> 00:01:58,879
to name just a few. The widespread popularity of Foxit

26
00:01:58,920 --> 00:02:02,480
Reader makes it extra crucial that no subtle

27
00:02:02,599 --> 00:02:07,760
security flaws end up slipping past notice. That's why Antonis

28
00:02:07,799 --> 00:02:13,080
Terefos, reverse engineer at Check Point Research, recently tested Foxit

29
00:02:13,240 --> 00:02:17,439
in XMon, an Exploit Detection and Analytics tool for

30
00:02:17,599 --> 00:02:20,080
detecting zero day exploits.

31
00:02:20,759 --> 00:02:24,000
Speaker 2: We got a notification from XMon, which is like

32
00:02:24,159 --> 00:02:28,919
a vulnerability kind of sandbox, I would call it, with

33
00:02:29,319 --> 00:02:33,319
a trigger, like a malicious behavior on a PDF file.

34
00:02:34,000 --> 00:02:37,280
Once we saw that the dynamic analysis of the PDF

35
00:02:37,879 --> 00:02:43,400
was triggering like a malicious command, I started analyzing it statically.

36
00:02:44,039 --> 00:02:48,039
So I used some tools that are for static analysis

37
00:02:48,080 --> 00:02:51,879
of the PDFs, like PDFs Analyze.

38
00:02:52,879 --> 00:02:56,199
Speaker 1: The issue, it turned out, was deeper than just one

39
00:02:56,360 --> 00:03:02,000
malicious threat. Say you're using Foxit to open up

40
00:03:02,039 --> 00:03:06,400
a PDF file you don't know is malicious. You'll initially

41
00:03:06,599 --> 00:03:09,560
get a pop up: Some features have been disabled to

42
00:03:09,719 --> 00:03:13,639
avoid potential security risks. Only enable these features if you

43
00:03:13,759 --> 00:03:17,840
trust this document. Then you get two options: Trust this

44
00:03:17,960 --> 00:03:22,599
document one time only, or always. So far, so good.

45
00:03:23,080 --> 00:03:26,439
But with the PDF Antonis was looking at, once

46
00:03:26,479 --> 00:03:29,840
he made his choice, he got a second message asking

47
00:03:29,960 --> 00:03:33,199
largely the same thing, but in more words, it went

48
00:03:33,280 --> 00:03:37,439
something like, the file may contain programs, macros or viruses

49
00:03:37,680 --> 00:03:41,319
that could potentially cause damage to your computer. Only open

50
00:03:41,360 --> 00:03:44,319
the file when you are sure it is safe, and

51
00:03:44,400 --> 00:03:48,360
so on. Again, here there are two options: open and

52
00:03:48,639 --> 00:03:49,439
do not open.

53
00:03:52,039 --> 00:03:55,400
Speaker 2: The problem in this case is that Foxit Reader is

54
00:03:55,439 --> 00:04:00,280
creating several pop up messages that by

55
00:04:00,360 --> 00:04:04,159
default, once you click there, like the default option provides

56
00:04:04,199 --> 00:04:05,719
you a malicious activity.

57
00:04:07,000 --> 00:04:10,319
Speaker 1: How many of us are going to read the first

58
00:04:10,400 --> 00:04:15,199
pop up, let alone the second, nearly identical one? Maybe

59
00:04:15,199 --> 00:04:19,519
if you're being attentive, but not if you're busy, distracted,

60
00:04:19,720 --> 00:04:23,279
or just lazy. You just want to click through, and

61
00:04:23,319 --> 00:04:27,600
the options available aren't presented equally for your lazy brain.

62
00:04:28,079 --> 00:04:31,639
The open button is highlighted in blue as if it's

63
00:04:31,720 --> 00:04:33,879
just beckoning you to click.

64
00:04:33,639 --> 00:04:37,519
Speaker 2: So it has all default options, like even

65
00:04:37,639 --> 00:04:39,399
if you don't read all the pop up messages

66
00:04:39,399 --> 00:04:41,759
and you just click on it, you are going to

67
00:04:41,759 --> 00:04:45,800
execute the malicious command. And this is what the threat

68
00:04:45,839 --> 00:04:47,560
actors were taking advantage of.

69
00:04:48,959 --> 00:04:52,759
Speaker 1: Think of this not as a software exploit, but a

70
00:04:52,839 --> 00:04:56,199
human one. A design flaw that allowed a threat actor

71
00:04:56,279 --> 00:04:59,519
to more easily phish their victims by getting them to

72
00:04:59,639 --> 00:05:03,439
click the button that would enable their malicious behavior, and

73
00:05:03,600 --> 00:05:06,480
all of this without the hacker having to trick the

74
00:05:06,560 --> 00:05:09,319
victim in any way or do any work at all.

75
00:05:09,600 --> 00:05:12,439
The program is built to get people to click the

76
00:05:12,480 --> 00:05:16,279
button that causes their demise on its own. Though this

77
00:05:16,639 --> 00:05:19,199
isn't the end of the world, it only starts to

78
00:05:19,279 --> 00:05:23,319
become a problem in the context of broader phishing attacks.

79
00:05:23,839 --> 00:05:26,639
Speaker 2: I remembered there was one threat actor that was kind of

80
00:05:26,959 --> 00:05:31,120
an interesting one that was using a malicious PDF file.

81
00:05:32,240 --> 00:05:35,920
Speaker 1: The file didn't contain any kind of exploit that triggered

82
00:05:36,040 --> 00:05:40,800
upon clicking okay. Rather, it included a hyperlink that directed

83
00:05:40,879 --> 00:05:43,040
victims to a second attachment.

84
00:05:44,120 --> 00:05:48,199
Speaker 2: And then it was downloading from Trello, which is a legitimate

85
00:05:48,279 --> 00:05:49,360
website.

86
00:05:49,879 --> 00:05:54,759
Speaker 1: Hosting malicious activity on legitimate, popular sites like Trello proved

87
00:05:55,040 --> 00:05:59,279
useful: it meant that browsers and Internet traffic monitors wouldn't

88
00:05:59,319 --> 00:06:02,720
think twice if a victim visited and clicked on the

89
00:06:02,759 --> 00:06:03,879
attached file.

90
00:06:04,480 --> 00:06:08,279
Speaker 2: A PDF with a Foxit vulnerability, and then it

91
00:06:08,399 --> 00:06:12,000
was executing like a command line, a PowerShell command.

92
00:06:12,639 --> 00:06:15,560
Speaker 1: By the end of this attacker's chain of events from

93
00:06:15,600 --> 00:06:19,439
the Foxit PDF, the user downloads Remcos.

94
00:06:19,120 --> 00:06:24,160
Speaker 2: Remcos. It's like a remote access Trojan which can perform

95
00:06:24,279 --> 00:06:28,959
all kind of like activities, like get access to the

96
00:06:29,000 --> 00:06:33,680
computer of the victim, like view sensitive files, upload

97
00:06:33,759 --> 00:06:39,279
sensitive files, further infect the system, steal even credentials as

98
00:06:39,319 --> 00:06:42,879
far as I know, and take screenshots of the computer.

99
00:06:43,839 --> 00:06:47,759
Speaker 1: This particular threat actor, dating back to March first, seemed

100
00:06:47,759 --> 00:06:51,120
to be exploiting Foxit in Southeast Asian countries like

101
00:06:51,279 --> 00:06:54,920
Korea and Vietnam. As Antonis and his colleagues looked into

102
00:06:54,959 --> 00:06:58,720
this threat though, it only became bigger. Operating under the

103
00:06:58,720 --> 00:07:02,920
moniker @silentkillertv, an individual claiming to

104
00:07:02,959 --> 00:07:05,560
be an ethical hacker with more than twenty two years

105
00:07:05,560 --> 00:07:09,040
of experience, had been selling a number of malicious tools

106
00:07:09,079 --> 00:07:13,399
on Telegram since twenty twenty two. As of April twenty seventh,

107
00:07:13,639 --> 00:07:17,399
one of them was a Foxit Reader exploit. The malicious

108
00:07:17,439 --> 00:07:21,800
program boasted of quote one hundred percent bypass with anti viruses,

109
00:07:22,120 --> 00:07:27,519
plus Gmail, Yahoo, Facebook, and Hotmail file sharing restrictions, which

110
00:07:27,680 --> 00:07:31,079
sounds fake, which you'd hope is fake.

111
00:07:32,639 --> 00:07:37,600
Speaker 2: Most of the places, like the Gmail Facebook, when you

112
00:07:37,639 --> 00:07:40,600
send a file, if it's malicious, they are going to

113
00:07:40,639 --> 00:07:43,439
trigger, for example, if it's an executable, it's going to trigger

114
00:07:43,439 --> 00:07:45,319
a warning or is not even going to allow you

115
00:07:45,519 --> 00:07:48,120
to send that file to the contact that you are

116
00:07:48,120 --> 00:07:52,160
trying to send it. But with this vulnerability, everything

117
00:07:52,439 --> 00:07:55,720
was bypassed. Gmail was not able to detect, like

118
00:07:55,839 --> 00:07:58,800
Facebook was not able to detect it.

119
00:07:58,879 --> 00:08:03,720
Speaker 1: Silent Killer TV's exploits really could bypass traditional security checks in major

120
00:08:03,759 --> 00:08:07,959
social media and mail platforms, but it wasn't because his

121
00:08:08,319 --> 00:08:12,079
malicious code was so amazing and sophisticated.

122
00:08:13,240 --> 00:08:17,079
Speaker 2: In the majority of the cases, the vulnerability was never triggered

123
00:08:17,120 --> 00:08:19,000
because everyone was using Adobe.

124
00:08:19,680 --> 00:08:23,680
Speaker 1: Cybersecurity researchers have a set of tools they typically use

125
00:08:23,720 --> 00:08:28,839
to investigate threats, like anti virus and sandboxes. Antonis found

126
00:08:29,000 --> 00:08:33,519
that they all used Adobe Reader to open PDFs by default.

127
00:08:34,440 --> 00:08:38,559
Speaker 2: If you are trying to exploit a specific software like

128
00:08:38,639 --> 00:08:41,679
Foxit, you'll need to have it in your sandbox

129
00:08:41,759 --> 00:08:47,960
and execute samples with that software, with Foxit. But if

130
00:08:48,000 --> 00:08:53,279
the majority of the sandboxes are using Adobe, we never see the vulnerability.

131
00:08:53,879 --> 00:08:57,919
Speaker 1: Exploits happened to skirt past analysts' radars because of this

132
00:08:58,200 --> 00:09:02,759
simple quirk in their sandboxes. Only XMon, that program

133
00:09:02,840 --> 00:09:06,279
we mentioned at the beginning of the show, ran Antonis's PDF

134
00:09:06,279 --> 00:09:10,679
files in both the Adobe and Foxit viewers. This might

135
00:09:10,799 --> 00:09:15,759
explain why, after some further investigation, Antonis and his colleagues found so

136
00:09:16,000 --> 00:09:19,840
many other threat actors exploiting Foxit instead of its

137
00:09:19,960 --> 00:09:24,960
more popular alternative, Adobe. They found espionage actors like India's

138
00:09:25,039 --> 00:09:30,919
DoNot Team, AKA APT-C-35, and low level e-criminals

139
00:09:31,000 --> 00:09:35,080
like Silent Killer TV. They each incorporate Foxit PDF into

140
00:09:35,200 --> 00:09:38,559
their own custom design attack chains with an end goal

141
00:09:38,720 --> 00:09:45,480
to deploy remote access malware like Agent Tesla, AsyncRAT, DCRat, NanoCore RAT,

142
00:09:45,720 --> 00:09:49,480
njRAT, Pony, VenomRAT, and XWorm. In

143
00:09:49,600 --> 00:09:52,879
light of these threats to Foxit readers earlier this year,

144
00:09:53,159 --> 00:09:57,440
the Check Point researchers brought their findings to the program's developers.

145
00:09:56,919 --> 00:10:04,360
Speaker 2: They came back to me, bringing to my attention that as

146
00:10:04,360 --> 00:10:08,440
of version twenty four three they

147
00:10:08,440 --> 00:10:11,919
are going to fix it. They did that fix even earlier.

148
00:10:12,679 --> 00:10:16,279
So the fix that they provided, in my opinion, is

149
00:10:16,320 --> 00:10:19,879
not the perfect one, but it is a fix that

150
00:10:20,080 --> 00:10:24,559
will solve the problem of the users just clicking okay

151
00:10:25,200 --> 00:10:29,080
or the clicking enter without checking what is being asked.

152
00:10:29,720 --> 00:10:33,639
So what they actually did was to switch the default

153
00:10:33,639 --> 00:10:37,399
option from open, that it was before, to don't open.

154
00:10:38,159 --> 00:10:42,080
Speaker 1: So basically everything is the same now as ever, but

155
00:10:42,200 --> 00:10:45,720
instead of open being highlighted in blue, do not open

156
00:10:45,960 --> 00:10:50,639
is highlighted instead. It's not nothing. Foxit users will now

157
00:10:50,799 --> 00:10:54,039
likely end up not choosing open quite as often for

158
00:10:54,200 --> 00:10:58,440
documents they shouldn't open, but that might not save most

159
00:10:58,440 --> 00:10:59,399
of them.

160
00:11:00,080 --> 00:11:03,759
Speaker 2: Thirty of the PDF files that I observed, once you were

161
00:11:04,399 --> 00:11:07,360
clicking them and opening them, it was a blank page.

162
00:11:08,240 --> 00:11:14,480
That's still, for users that are just users of the computers,

163
00:11:15,159 --> 00:11:18,480
if they see that, okay, I click don't open and

164
00:11:18,519 --> 00:11:21,320
I see a white page, maybe they think if I

165
00:11:21,360 --> 00:11:25,159
click open, they will see the actual content of the

166
00:11:25,399 --> 00:11:29,200
PDF file. In my opinion, Foxit Reader needs to do in

167
00:11:29,240 --> 00:11:34,240
the future a more robust fix which will not let

168
00:11:34,360 --> 00:11:38,679
threat actors take advantage of the software against the users.

169
00:11:39,519 --> 00:11:42,720
Speaker 1: One more robust type of fix might be to ban,

170
00:11:42,799 --> 00:11:47,320
for example, executing files from remote servers, a classic indicator

171
00:11:47,480 --> 00:11:52,360
of hacker behavior. More advanced solutions might involve detecting and

172
00:11:52,399 --> 00:11:55,639
blocking the kinds of commands hackers use in the course

173
00:11:55,679 --> 00:11:57,200
of their attack chains.

174
00:11:57,799 --> 00:12:01,440
Speaker 2: In order for this vulnerability to trigger, they need to

175
00:12:01,519 --> 00:12:08,440
use some specific PDF keywords that trigger the command line.

176
00:12:08,759 --> 00:12:13,720
So these types of keys, I would possibly not allow

177
00:12:13,879 --> 00:12:15,600
to execute anything.

178
00:12:18,919 --> 00:12:22,600
Speaker 1: In the grand scheme of cybersecurity, the design issue in

179
00:12:22,720 --> 00:12:27,000
Foxit PDF reader is really very minor, but it speaks

180
00:12:27,039 --> 00:12:31,080
to a much larger and more impactful phenomenon we'll probably

181
00:12:31,159 --> 00:12:33,480
have to deal with for as long as there are

182
00:12:33,519 --> 00:12:38,039
computers around: the instinct to default to okay. I'm not

183
00:12:38,120 --> 00:12:41,360
even talking about the ignorance that goes into clicking it

184
00:12:41,720 --> 00:12:44,799
or the laziness. I'm talking about the way our brain

185
00:12:44,879 --> 00:12:48,919
works that we default to believing in what we see.

186
00:12:50,360 --> 00:12:53,840
Social engineering experts have preyed on this aspect of our

187
00:12:53,919 --> 00:12:58,320
human nature to trick employees of companies into opening emails,

188
00:12:58,519 --> 00:13:01,720
giving them sensitive information on the phone, or sending a

189
00:13:01,799 --> 00:13:05,320
large amount of money to an unknown bank account, and

190
00:13:05,440 --> 00:13:09,879
for years, users of Microsoft products enabled macros simply to

191
00:13:09,919 --> 00:13:13,679
get rid of the notification because it didn't even register

192
00:13:13,960 --> 00:13:17,480
as something to worry about. I'm careful to call this

193
00:13:17,799 --> 00:13:21,799
an instinct and aspect of our nature rather than an

194
00:13:21,919 --> 00:13:26,759
issue or flaw in human psychology, because ultimately it's a

195
00:13:26,799 --> 00:13:30,480
good thing. Imagine if we all walked around every day

196
00:13:30,799 --> 00:13:35,080
scrutinizing every little thing that comes our way, worried that

197
00:13:35,279 --> 00:13:39,960
everything anyone might say could be a lie. Society would

198
00:13:39,960 --> 00:13:43,039
break down. We would all be unhappy. In the best

199
00:13:43,080 --> 00:13:47,240
case scenario, we would all just be extremely tired every day,

200
00:13:47,519 --> 00:13:52,200
having to expend so much mental energy. In his book

201
00:13:52,360 --> 00:13:56,039
Talking to Strangers, Malcolm Gladwell points out how people who

202
00:13:56,080 --> 00:14:00,279
are extremely careful and untrusting of others can sometimes

203
00:14:00,279 --> 00:14:03,720
achieve amazing things in the world, but often at the

204
00:14:03,799 --> 00:14:07,000
cost of their own well being, and they have to

205
00:14:07,039 --> 00:14:10,000
be the exception, not the norm. So he writes, quote,

206
00:14:10,320 --> 00:14:13,440
we could start by no longer penalizing one another for

207
00:14:13,679 --> 00:14:17,600
defaulting to truth. To assume the best about another is

208
00:14:17,639 --> 00:14:21,840
the trait that has created modern society. Those occasions where

209
00:14:21,840 --> 00:14:26,440
our trusting nature gets violated are tragic, but the alternative

210
00:14:26,639 --> 00:14:30,639
to abandon trust as a defense against predation and deception

211
00:14:31,279 --> 00:14:38,200
is worse. In cybersecurity, we often tell people, don't trust emails,

212
00:14:38,279 --> 00:14:42,360
even if it seems legitimate. Always check the sender before

213
00:14:42,399 --> 00:14:45,879
you do X, make sure you check Y and Z first.

214
00:14:46,440 --> 00:14:51,080
And yet cyber attacks keep rising every year because this

215
00:14:51,480 --> 00:14:55,399
just isn't sustainable. The average person gets around one hundred

216
00:14:55,440 --> 00:14:58,240
and twenty emails a day, and a lot of you

217
00:14:58,320 --> 00:15:02,440
listening right now will find that number laughingly low. You

218
00:15:02,720 --> 00:15:06,200
just don't have the energy to double check every communication

219
00:15:06,360 --> 00:15:10,399
you receive, every button you click in every software program

220
00:15:10,639 --> 00:15:14,440
you use throughout the day. That's why, to close out

221
00:15:14,519 --> 00:15:17,320
today's story, we're going to leave you with a bit

222
00:15:17,399 --> 00:15:20,879
of advice that might be a little easier to implement.

223
00:15:21,879 --> 00:15:24,759
Just you know, keep an eye out for stuff.

224
00:15:26,279 --> 00:15:31,840
Speaker 2: This can't happen, even though Facebook does not allow malicious

225
00:15:31,840 --> 00:15:35,559
files to be sent through chats, but actually it can happen.

226
00:15:36,039 --> 00:15:41,240
So be careful. Just read whatever, and whenever you're not

227
00:15:42,200 --> 00:15:45,360
sure about something, it's better to not open it.

228
00:15:47,519 --> 00:15:51,639
Speaker 1: Don't worry over every email you get, or every message

229
00:15:51,679 --> 00:15:55,879
online or every file attached to them. Just be aware

230
00:15:56,000 --> 00:15:59,279
in general that they could be something other than what

231
00:15:59,440 --> 00:16:02,399
they seem. Keep the thought in the back of your mind.

232
00:16:02,720 --> 00:16:06,399
You'll open a document, click okay once, but then the

233
00:16:06,679 --> 00:16:10,240
second time you've got the option, maybe a little voice

234
00:16:10,279 --> 00:16:13,000
in your head will tell you take a second and

235
00:16:13,279 --> 00:16:16,519
look at this. It might well help you avoid a

236
00:16:16,559 --> 00:16:31,399
potential headache. That's it for this episode. Thank you for listening.

237
00:16:31,600 --> 00:16:35,039
For past episodes of the podcast, visit the Check Point Research blog

238
00:16:35,120 --> 00:16:37,840
at research dot checkpoint dot com, and you can follow

239
00:16:37,919 --> 00:16:41,559
Check Point Research on Twitter, or follow me at @ranlevi,

240
00:16:41,679 --> 00:16:45,080
that's r a n l e v i. CPRadio

241
00:16:45,159 --> 00:16:48,879
is produced by PI Media, written by Nate Nelson,

242
00:16:49,159 --> 00:16:52,600
produced by Hila Sheemish, and edited and narrated by me

243
00:16:52,879 --> 00:16:58,399
Ran Levi. See you next episode. Bye bye.

244
00:17:00,639 --> 00:17:02,120
Speaker 2: What did you want to do?

