#SauronsEye: researching & defending against modern Corruptor-Injector Network (CIN) attack systems
For the past several months, cryptostorm has been investigating and documenting a series of seemingly-disconnected, network-level anomalies reported to us by network members as well as members of our own team. By mid-March, one of our staffers ("pj") had evidence that his local network and computing resources had been corrupted by malicious modifications somewhere in his infrastructure. He "air-gapped" the network, and as a preventative measure also offlined the computers used by our core team on a day-to-day basis, until they could be verified as uninfected. He wrote up that process in several earlier posts ('#SVGbola' & 'it mostly comes out at night')
Since then, we have continued to deepen our understanding of what we initially dubbed #SauronsEye, an assumed malware variant. Our findings have lead to a conclusion that is, in hindsight, both obvious and alarming in its implications: we have not been studying a newly-discovered, standalone example of malware but rather a globally-deployed interlocking system of network-based malware injection, traffic hijacking, route corrupting and rootkit implantation technologies initially exposed to public view by Edward Snowden, in 2013.
We refer to this class of network attach technologies as Corruptor-Injector Networks, or CINs, in order to separate them from conventional malware models because of the qualitative differences between these two classes. CINs are distributed, multi-layered, network-based assemblies of many interconnected technologies whose publicly-visible traces are extremely difficult to capture and forensically analyse as compared to conventional malware. Further, the capabilities of CINs as a class vastly overshadow even the most aggressive of modern malware examples.
We also document trace evidence that the #SauronsEye CIN itself is making use of 'session prions,' extremely compact injections of custom-generated malformed code syntax and/or exotic characters into web sessions. Like biological prions, these tiny insertions appear capable of initiating systems-level collapses of host immune functionality in surprising and powerful ways.
In this paper, we take a high-level approach to the topic and focus primarily on the impact of CINs on internet activity and, most importantly, newly-designed defensive tactics, tools, and methodologies we at cryptostorm are deploying to protect our members and the larger community from the risk of CINful fall from online grace.
☂ ☂ Process and Contents
The primary author of this paper (pj), has struggled to find a format best suited to sharing these findings with the community, encouraging further contributions, and providing actionable advice to non-technical audiences who are concerned with the risk of CIN infections. Our chosen model is composed of this initial essay, which stays largely nontechnical and high-level, using it as an outline into which additional detail and findings can be added on a continuous basis. Indeed, we plan to echo this thread to a wiki-based platform best-suited for this project.
For now, we publish this to set forth the documentary framework and research findings we have accrued this far.
The contents of this essay are as follows:
- »» defining the category: Corruptor-Injector Networks
»» the coming of the CINs into the world of internet communications, and what this means for the future of network security and online resources overall.
» defending against the temptations and risks of CIN, novel systems-level proposals and services cryptostorm is currently deploying to provide protection against these new threat models.
» a first-person summary of life under the "quantumcurse" of CIN targeting, and the challenges involved in overcoming these dystopic weapons in today's online environment.
» session prions: forensic traces and theoretical explorations of post-scripting, web-based infection vectors that confound our conventional assumptions regarding malware, browser security, and online privacy.
» links to resources - including the Snowden documents - that offer hard proof of the existence and widespread deployment of CIN attack systems, and provide useful guidance for future research and defensive projects.
We strongly encourage feedback and contributions to this work, which itself remains in-progress and is likely to do so for a considerable period of time.
☂ ☂ An observational definition of Corruptor-Injector Networks
As a category, CINs such as #SauronsEye exhibit a small set of observable attributes that reflect the manner in which they operate as large-scale network systems. This ground-level view of their operation is helpful in making sense of the way they operate in the real world.
Prior to any direct interaction with an active CIN, targeted individuals are chosen ("selected") by a CIN operator or analyst. This selection can then be implemented by tasking the listening posts of the CIN across the internet to make immediate notice of any network sessions meeting a fingerprint definition intended to include the target (and likely many other individuals, if necessary). When a live network session meeting the selector criteria is observed by the network, a separate 'shooter' system injects a corrupted additional data fragment into the target's ongoing network session.
If the sessions targeted are https/tls encrypted, automated systems making use of the extensive security failures of existing "certification authority" pre-encryption session validation are exploited to enable Man-in-the-Middle status, and payload injection. Often, these attacks require temporary hijacking of IP routing settings on the pathway from the target to the server she may be visiting at the time. Such hijacks range from DNS cache poisoning methods to ARP -based exploits, rooting of ISP-level routers, and as-yet-unknown techniques the NSA claims to have which enable it to transparently spoof any IP address (4 or 6) worldwide. These targeted network sessions need not be to a particular, special website - the goal is simply to add the payload to an existing network session so it can be delivered to the target computer.
That data will reach the target's computer and, when it arrives, open a door for further communications with the CIN. In a multi-step process, that initial foothold on the client computer expands into full administrative control ("root"). This accomplished, the CIN rootkit is able to hide itself from most external view by the computer's owner, and to put in place multiple recovery mechanisms in the event some or all of its original form is lost through deletion or routine system updates. This involves modular components that are delivered surreptitiously to the infected computer via an 'expert system' that takes into account operating system, network connection characteristics, and other variables. #SauronsEye, a NSA-operated CIN, has written internally that its initial infection procedures require little or no human interaction after initial selection is made.
Once installed, the CIN rootkit begins amassing data from the local computer, as defined by the original selection. This will likely include web browsing history, web cache, documents, and full logs of operating system activity. Further, it will capture for later upload pre-encrypted instant message chats, emails, and web sessions which are stored as seemingly-innocuous cache locally and trickle-exfiltrated via available physical network interfaces. In the case of #SauronsEye, the NSA notes that they have taken extreme measures to ensure that any client-installed software code is not discovered and captured for analysis; they reference self-destructive abilities in such software, in the event triggers suggest it is at risk of being exposed.
Firsthand reports and internal documents regarding #SauronsEye confirm that modifications to hard-drive/sector-level software are made by the CIN's infection agents, to ensure it remains active even after full hard drive deletions. The exact details of these functions are not yet publicly known, nor is their technical profile well-understood. However, it is clear that hard drives once infected with CIN-based software will likely need to be physically destroyed, as their integrity is permanently compromised.
The infected machine will be silently shifted over to a proxy-based network connection with the larger internet, allowing for full transparent control of local routing decisions and DNS lookups. In some cases, the local operating system is shifted over to a virtualised/paravirtualised/containerized model in order to enable full transparent network proxy control, as well as full OS kernel control. The target now uses her computer only from within the confines of an "evil hypervisor" - ring0 - and has no direct access to the kernel of her own operating system. Efforts to update operating system or applications in a way that would risk undermining the CIN's control or functions are redirected to modified installation files that are designed to remove that risk. In at least one instance, #SauronsEye was observed to have mounted the entire local hard drive partition table as a remotely-accessible resource, allowing it to be remote-loaded realtime, in full, by CIN operators.
Little is known of the procedures involved in de-selecting targets of existing CINs, or if such a process even exists. Once selected, targets will find themselves re-infected irrespective of the computer they use to connect to the internet, or the local internet connection in place. There is no reference to overt destruction of local computer hardware or stored data by the CINs documented thus far, but this ability is both inherent in their total OS control and strongly to the benefit of the CIN if there is a risk of their local installation being exposed by an end user.
All of the data exfiltrated to the CIN during the infection's span - which could cover years of time - is stored in repositories by the CIN which are then available for full wildcard query access via analysts there. Some or most may never be reviewed by a human being, and will sit idle in data stores indefinitely; however, all is available and indexed if and when needed.
In documents leaked by Snowden in 2013, the NSA's CIN architects admit they are able to infect millions of simultaneous targets and manage those infections concurrently. These admissions come in documented dated in the 2009-2012 timespan, so by now these numbers have inevitably grown larger. Further admissions are made that class-based selection of targets is already underway; for example, system administrators are targeted for infection in order to gain access to their administration credentials, and thus enable privileged access to other targets on the networks they administer. Thus, targets of CIN infection may not only have no idea why they are targeted, they may merely be indirect targets caught in the CIN's crossfire.
Finally we note that data captured and loaded to databases by the NSA under the pretext of "national security" are being widely shared with standard law enforcement entities, as well as other U.S. government agencies such as the IRS. This includes so-called "incidental capture" data from unintended targets of surveillance, whose information nevertheless is likely to ends up in the hands of local law-enforcement via remotely-available query tools the NSA has created to expand law enforcement access to their massive surveillance databases. When such data is used in domestic prosecutions, its origin in the NSA is hidden from the courts in a process called "parallel construction," so that legal problems associated with these mass surveillance systems are avoided.
No NSA employee, ex-employee, officer, or executive has ever been prosecuted for their role in overly-aggressive surveillance tactics, despite widespread agreement that such programs have routinely broken criminal statutes both in the US and in the rest of the world. However, NSA ex-employees who have reported these illegal abuses to the public have been aggressively prosecuted, jailed, and subjected to extreme forms of extra-legal pressure.
Of all the legally-dubious programs of mass surveillance undertaken by the NSA, it is quite possible that their first-of-its-kind CIN - #SauronsEye - is the most flagrantly, broadly, and deeply illegal under basically any statutory regime worldwide. With no oversight by courts or the public, millions of private computers are infected with the most tenacious, aggressive, and privacy-destructive software tools known to exist today. In some cases, hardware will become inoperable entirely - due to CIN malfunction, attempts to remove the CIN infection that trigger "suicide daemons" and brick hardware, and so on. Further, the economic and personal costs of these persistent, all-encompassing, seemingly inescapable infections have not yet been estimated by likely run to large numbers which grow larger each year.
☂ ☂ One: Corruptor-Injector Networks, and the coming of CIN to life online
In general, our understanding of new threats in digital technology lag considerably behind the pace of development of these threats themselves. Rarely do we see examples of theoretical descriptions of threats preceding their appearance in the wild, but rather it is routinely the case that first we have sightings of previously-undocumented attacks that later are studied and described in the civilian literature. In short, there was no category called "computer viruses" before the first virii were already out in the wild - the category followed behind the tangible example, by a considerable degree.
This dynamic is once again to be found in the case of CINs - lacking a category name for these entities, we are left attempting to shoe-horn them into previous categorical descriptions that fit poorly. As we have documented #SauronsEye, this stumbling block has been painfully impossible to ignore: without a category into which we could place these findings, they tended to fall through the cracks in terms of specialised researchers, analytic tools, and publication venues. There is little sense in proposing a new category for every new thing, of course, but we feel it is more than justified in this case - CINs are qualitatively different from other types of attack technology, and our ability to study and understand them is badly handicapped if we cannot group them into a class of similar entities.
We propose the name CIN because it brings together three of the core characteristics of these systems:
- One, the capability that distinguishes a CIN from any other distributed ("cloud") online resource is its reliance on subverting other, existing systems in order to spread and remain extant over time. In one sense, the metaphor of a parasite could be used - the infection of a host, and symbiotic interaction over time between the two. However, that fails to account for the changing of the host by the infection agent - which is more like a virus capturing the DNA replication components of its "host" cell entirely, in order to create more copies of itself. CINs represent a syncretic combination of these models, which relies fundamentally on corrupting executable code and component functionality at many layers of network technology, on an ongoing basis. Additionally, they sow large-scale corruption of network routing and DNS resolution systems, as part of their core operating model - another corruption of otherwise-healthy, globally important resources. Thus, in a biblical sense, we observe that they act as corruptors.
Two, we have observed that CINs make use of injection-based attacks both for initial infection of targeted individuals, and in order to remain installed and functional on these target systems over time. The injections that we have observed largely take the form of changed payload in network traffic - with a particular emphasis on small modifications of binary packages pulled from operating system 'repositories' online, as well as http-based css and font files sent from webservers to browsers. In both cases, the data received by targets is not the same as what was sent by the original provider (or the original provider was entirely elbowed aside in the process), and an injected addition to the data channel has been interposed into the session. This is a qualitatively different attack model than the conventional one of 'rooting' servers and pushing out infection materials from there; it is also transient, difficult to document, and as such far less likely to be noticed and defended against in general. These systems are therefore injectors at core.
Three, the interconnected and distributed nature of these systems confirms that they exist as network-based entities, or they cannot exist at all. Like taking one leaf from a stand of aspen trees, capturing one session prion or other fragment of a CIN is not capturing the CIN itself, for it exists as a collection of inter-connected systems: a network. There are not prior examples of network-category malware - "#malnet" - that we know of in any scale or degree of widespread deployment, and as such we emphasise that CINs are natively-born creatures of the network.
Finally, CINs make the challenge of reliable attribution considerably more difficult than it already was with other types of attack technology... which was already quite high. Often, even if a client-level fragment of CIN technology is captured - a session prion, or corrupted repository package for example - it has no overt connection to anything whatsoever. Most likely, it's "call-out" ability is not self-contained, but relies on interactions with other subtly-corrupted components of the target computing environment... and those will reach out across the network via encrypted channels that traverse standard commercial CDNs and are nearly impossible to fully map as a result. While we believe that CINs will be individually fingerprinted as researchers become more familiar with their characteristics, we also expect that such fingerprinting will be essentially behavioral rather than dissective as in conventional approaches. And of course, given the resources required to build, deploy, and administer functional CINs, it is highly unlikely their handlers will be so sloppy as to leave overt, discoverable fingerprints on target-deployed components. This requires, therefore, new approaches and creativity in the field of forensic exploration and attribution assignment - another characteristic common to all CINs.
Let us be clear: Corruptor-Injector Networks are not a theoretical future possibility. The exist today, at large scale, and inevitably will both expand in individual reach and be joined by newly-developed CINs as time goes by. The NSA alone, as Snowden's whistleblowing documented, was already capable of spreading CIN-based infections to millions of targets, years ago... and was aggressively expanding that program given that it was so effective against their targets. Needless to say, #SauronsEye is not the only CIN in existence - we assume, and literature support us, that there are a handful of global CINs already in full production, with smaller regional examples perhaps totally in a dozen or two more.
Inevitably, the massive scope and expense of #SauronsEye - the original CIN, as it were - follows an accelerating downward cost curve and private CINs are not only feasible but all but mandatory for powerful transnational entities seeking leverage online. "Attacks always get better, not worse" goes a much-repeated aphorism from mathematical cryptography. In the same way, CIN capabilities will increase, their costs will decrease, and we find ourselves all but wallowing in CIN online (sorry, had to do it). The time to study, and protect against, these threats is now - not when they are so widespread as to be all but crippling for unprotected network usage.
☂ ☂ Safety & security in a corrupted, unstable, virulent network environment
Lasciate ogni speranza, voi ch'entrate
("abandon all hope, ye who enter here")
...so reads the inscription under which all entrants to the Inferno must pass. Are CINs so menacing, all-seeing, and expansive that we must preemptively abandon any hope of successfully defending against them online? This is apparently a tempting pre-clusion for many people when first informed of the nature of CIN: new, complex, fluid, and shadowy (one colleague immediately labelled it "DarkBEAST" when she understood its nature), this class of threats can seem at first blush to be all but impossible to defend oneself from. Further, some colleagues have felt tempted to take a "act like it's not happening" stance in the face of this new attack, rather than face what seems an impossible task fo defending against it.
Fortunately, there is no need to surrender in advance in this struggle to retain the integrity, security, and reliability of online communications in the face of massive surveillance weaponry. Already, cryptostorm is implementing a number of defensive mechanisms - based on our findings in this CIN research in recent months - and we are happy to share our designs, concepts, and full source code with the larger community in hopes others can echo these defenses into their own networks, as well as expand on them in new ways.
Yes, it is possible to remain free from the wages of CIN... but it requires a new way of considering attack modelling, forensic investigation, and defensive-toolkit development & deployment in production. In short this vast, globally-installed surveillance machine - #SauronsEye - is nevertheless vulnerable to agile, creative, community-based counter-strategies. This escalating "arms race" of surveillance munitions - a race where only one side is armed - continues to offer forward-thinking citizens the ability to remain safe, secure, and private online... but only if they step sideways from expired models of security and move fluidly into new, effective defensive models.
...we've decided to do an early publication of the first portion of this essay, so it's available for review and feedback even as the team finished editing the final components - further, we're splitting forensic and technical materials and discussion into (soon-to-be-created) separate threads in this new subforum...
☂ ☂ ðëëþ.be ☂ ☂