posted by hubie on Wednesday May 07, @12:22PM   Printer-friendly
from the if-it-keeps-Recall-from-being-installed-I'd-consider-it-a-push dept.

https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/

A China-aligned APT threat actor named "TheWizards" abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.

According to ESET, the group has been active since at least 2022, targeting entities in the Philippines, Cambodia, the United Arab Emirates, China, and Hong Kong. Victims include individuals, gambling companies, and other organizations.

The attacks use a custom tool dubbed "Spellbinder" by ESET that abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to conduct SLAAC attacks.

SLAAC is a feature of the IPv6 networking protocol that allows devices to automatically configure their own IP addresses and default gateway without needing a DHCP server. Instead, it relies on Router Advertisement (RA) messages from IPv6-capable routers to obtain that address information.

The hackers' Spellbinder tool abuses this feature by sending spoofed RA messages over the network, causing nearby systems to automatically receive a new IPv6 address, new DNS servers, and a new, preferred IPv6 gateway.

This default gateway, though, is the IP address of the Spellbinder tool, which allows it to intercept communications and reroute traffic through attacker-controlled servers.

"Spellbinder sends a multicast RA packet every 200 ms to ff02::1 ("all nodes"); Windows machines in the network with IPv6 enabled will autoconfigure via stateless address autoconfiguration (SLAAC) using information provided in the RA message, and begin sending IPv6 traffic to the machine running Spellbinder, where packets will be intercepted, analyzed, and replied to where applicable," explains ESET.

ESET said attacks deploy Spellbinder using an archive named AVGApplicationFrameHostS.zip, which extracts into a directory mimicking legitimate software: "%PROGRAMFILES%\AVG Technologies."

Within this directory are AVGApplicationFrameHost.exe, wsc.dll, log.dat, and a legitimate copy of winpcap.exe. The WinPcap executable is used to side-load the malicious wsc.dll, which loads Spellbinder into memory.

Once a device is infected, Spellbinder begins capturing and analyzing network traffic attempting to connect specific domains, such as those related to Chinese software update servers.

[...] To protect against these types of attacks, organizations can monitor IPv6 traffic or turn off the protocol if it is not required in their environment.
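The monitoring advice above can be put into practice with a small software "RA Guard". The following is an added example, not ESET's tooling or code from the article: it parses raw IPv6 + ICMPv6 Router Advertisements, flags any RA whose source is not an allow-listed router (including one that pushes DNS servers via RDNSS), and flags a source sending RAs far faster than RFC 4861's 3-second minimum unsolicited interval, which is what a 200 ms flood to ff02::1 looks like. The packets are constructed inline as sample data; the allow-list address fe80::1 is an assumption.

```python
"""Added example (not ESET's tool or code from the article): a software RA Guard.
Parses raw IPv6 + ICMPv6 Router Advertisements, flags RAs from routers not on an
allow-list and RAs arriving faster than RFC 4861's 3 s minimum unsolicited
interval (a 200 ms flood to ff02::1). Sample packets are constructed inline."""
import ipaddress
import struct
from collections import defaultdict
from typing import Optional

ICMPV6, ROUTER_ADVERTISEMENT = 58, 134   # next-header value, ICMPv6 type
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25       # RFC 4861 / RFC 8106 option types


def build_ra(src: str, prefix: str, dns: Optional[str] = None) -> bytes:
    """Construct a minimal IPv6 header + ICMPv6 RA (sample data, checksum zero)."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option with L+A flags set, so hosts autoconfigure (SLAAC)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    if dns:  # RDNSS option: the "new DNS servers" the article mentions
        icmp += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


def parse_ra(packet: bytes) -> Optional[dict]:
    """Return the RA's source, advertised prefix and RDNSS servers, else None."""
    if len(packet) < 56 or packet[6] != ICMPV6 or packet[40] != ROUTER_ADVERTISEMENT:
        return None
    ra = {"src": str(ipaddress.IPv6Address(packet[8:24]))}
    icmp, pos = packet[40:], 16          # options start after the 16-byte RA body
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0:
            break                        # malformed option; never loop forever
        body = icmp[pos + 2:pos + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) >= 30:
            ra["prefix"] = f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}"
        elif otype == OPT_RDNSS and len(body) >= 22:
            addrs = body[6:]             # after reserved(2) + lifetime(4)
            ra["dns"] = [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                         for i in range(0, len(addrs) - len(addrs) % 16, 16)]
        pos += olen * 8
    return ra


class RAMonitor:
    """Allow-listed routers plus a per-source rate check on RAs."""
    def __init__(self, known_routers, window=1.0, max_per_window=2):
        self.known, self.window, self.limit = set(known_routers), window, max_per_window
        self.seen = defaultdict(list)    # source address -> recent RA timestamps

    def check(self, packet: bytes, ts: float) -> Optional[list]:
        ra = parse_ra(packet)
        if ra is None:
            return None                  # not an RA: nothing to judge
        alerts = []
        if ra["src"] not in self.known:
            alerts.append(f"RA from unknown router {ra['src']} for {ra.get('prefix')}")
            if "dns" in ra:
                alerts.append(f"unknown router pushes DNS servers {ra['dns']}")
        hist = self.seen[ra["src"]]
        hist[:] = [t for t in hist if ts - t <= self.window] + [ts]
        if len(hist) > self.limit:
            alerts.append(f"{len(hist)} RAs from {ra['src']} within {self.window}s")
        return alerts
```

Feed `check()` with the IPv6 payload of each frame captured on a segment (for example via a raw socket or pcap reader) and the capture timestamp; on a managed switch the same policy is what the RA Guard feature enforces in hardware.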



  • (Score: 3, Troll) by Dr Spin on Wednesday May 07, @12:34PM (8 children)

    by Dr Spin (5239) on Wednesday May 07, @12:34PM (#1402969)

    Does that mean Linux/Unix is home and dry?

    (Asking for a friend)

    --
    Warning: Opening your mouth may invalidate your brain!
    • (Score: 4, Insightful) by higuita on Wednesday May 07, @12:52PM (7 children)

      by higuita (2465) on Wednesday May 07, @12:52PM (#1402970)

      This affects every OS that has ipv6 and is no different from a rogue dhcp server in ipv4.

      This is not an ipv6 problem at all; any system can have its network hijacked in many ways, and that is why everything should use HTTPS/TLS connections with certificate validation, as that breaks any attempt to create a MitM or fake sites.

      Now the real problem is how they could inject a package into windows. Are they abusing windows update? AVG antivirus updates via http, maybe, based on the name of the package?
      On linux, any repository that does not use https or does not sign its packages may also be at risk.

      But anyway, either ESET is pointing its finger at ipv6 when it should point at the insecure use of http to download updates, or the journalist thinks ipv6 is a much better target than http updates, or doesn't know how to read the ESET report and selected the wrong target.

      So a better title should be:

      "insecure http update is being abused by hijacked networks via rogue ipv4 dhcp and ipv6 SLAAC"

      • (Score: 2) by DadaDoofy on Wednesday May 07, @02:20PM (6 children)

        by DadaDoofy (23827) on Wednesday May 07, @02:20PM (#1402976)

        > So a better title should be:
        > "insecure http update is being abused by hijacked networks via rogue ipv4 dhcp and ipv6 SLAAC"

        Why? Was there evidence TheWizards were attacking with "rogue ipv4 dhcp"? It didn't say so in the article.

        • (Score: 2) by Unixnut on Wednesday May 07, @04:19PM (5 children)

          by Unixnut (5779) on Wednesday May 07, @04:19PM (#1402980)

          I think it would have been easier to detect if they had tried to hijack DHCP. I know that if you have two or more DHCP servers, only one can be authoritative (usually the one you configured). If someone puts a rogue DHCP server on the network, either (a) it gets ignored as it is not authoritative, or (b) it tries to be authoritative, causing a clash with the authoritative DHCP server.

          Whether (a) or (b) applies, the official DHCP server will notice the event and log it, so it's easy to tell if someone is trying to hijack DHCP addresses. Proper network monitoring and IDS will discover this even quicker, along with other more sophisticated methods of DHCP hijacking.

          As IPv4 has no auto-configuration ability, it relies on either DHCP or another zeroconf-type protocol to do the auto-configuration for it. Those other protocols may have weaknesses similar to the one exploited here with IPv6, but the difference is that you would have had to specifically enable them to be at risk, while this vulnerability seems to apply to all ipv6 by default (you have to disable it explicitly).

          Not the end of the world; it just may become best practice, security-wise, to disable IPv6 auto-configuration by default, but that does remove one of the main benefits that were championed for moving to IPv6 in the first place.

          • (Score: 4, Insightful) by VLM on Wednesday May 07, @06:03PM (3 children)

            by VLM (445) Subscriber Badge on Wednesday May 07, @06:03PM (#1402985)

            Modern enterprise-grade hardware (like 1 or 2 human generations ago) will have DHCP snooping / blocking type options on the ports, usually engaged by default.

            It's a traditional PITA to install a new DHCP (ipv4) server and WTF the GD thing doesn't work, then you forget you forgot about DHCP port blocking or similar marketing name.

            It's kind of a rite of passage in "real world" IT.

            Again, a generation or two ago Cisco was shipping "RA Guard" which is the same thing for SLAAC. Your enterprise-grade Cisco ethernet switch, since the very late 00s or so, will absolutely refuse to forward SLAAC packets unless you permit it. I "think" OpenStack virtualization by default does the same thing. I "know" that VMware virtualized networking did not give a flying f and lets it right thru. I know for a fact that proxmox does not filter by default, although it's a stereotype of how to tell if someone's NOT A proxmox noob if they create something like "DHCP Snoop(tm)(r)(c)" or "RA GUARD (tm)(r)(c)" using about two, maybe four lines of code in the built-in internal firewall.

            I may be slightly off above, but only slightly at most AFAIK.

            The problem is the world's moving toward much cruder non-enterprise-grade HW. Buy your ethernet switch from Target and plug it into your cablemodem and attach all your unpatched IoT and AV gear and unpatched phones and hope nobody takes your network over. And this isn't just home users, this is retail, small business, etc.

            As an example of something I'm not sure of, "RA GUARD (tm)(c)(r)" is protected by Cisco legal, I think, but the idea is unimaginably simple and obvious and they are/were/did ram thru an RFC in the 6000 range to make it a real standard. And I haven't been keeping up with ipv6 trivia to know. I have been playing with IPv7 more than a quarter century and still have a Hurricane Electric "IPV6 Sage" Tee Shirt proving I am a real expert on IPV6 (at least as of around the turn of the century LOL).

            At home I've only owned a cablemodem capable of docsis 3 aka supports ipv6 for about two years now. So far so good. Until 2023 I had to tunnel (aside from times that tunnel providers closed or shut down). I have known a lot about IPv6 for a long time and I know it sucks. But all IT technology sucks and IPv6 sucks slightly less than the alternatives so all good.

            • (Score: 2) by VLM on Wednesday May 07, @06:12PM

              by VLM (445) Subscriber Badge on Wednesday May 07, @06:12PM (#1402989)

              I "know" that VMware virtualized networking did not give a flying f and lets it right thru.

              I should amend my grouchy statement that at least as of three years ago traditional vmware virtual switches (both the standard and expensive distributed ones) DGAF. May have changed since. Also NSX was (is?) enough of a moving target that NSX in general is a mystery (not just DHCP blocking being uncertain, but all of it was always obscured by confuseopoly vapours)

            • (Score: 2) by VLM on Wednesday May 07, @06:21PM (1 child)

              by VLM (445) Subscriber Badge on Wednesday May 07, @06:21PM (#1402991)

              Proxmox: And I was motivated enough to log in and F around on a live development (not production) proxmox cluster and it's about 5 minutes of mouse clicking in "Firewall" "add" then the obvious, or if you live dangerously and CLI it on proxmox it's a one-liner using ebtables IIRC.

              Technically you only have to do this once if you run proxmox intelligently and template all your VMs, they should all get a copy of the templates FW. I think.

              This is not enough of an experimental cluster that I feel comfy setting up a software defined network that blocks DHCP. I think you'd create a VNet firewall. This is a nifty enough idea that it MIGHT justify the complexity of running everything on SDN instead of simple bridging like most people do. In my infinite spare time I will experiment with this architecture (aka I'm never going to get around to it, but I think it would work?)

              • (Score: 2) by VLM on Wednesday May 07, @06:28PM

                by VLM (445) Subscriber Badge on Wednesday May 07, @06:28PM (#1402992)

                I'm enough of a cowboy that I did it (admittedly on a dev cluster), it seems to work, on ipv4 for DHCP and ipv6 for SLAAC with some F-ing around. You set up the fw at the data center level and the VMs underneath will inherit; I think.

                vnet fw on proxmox is similar enough to the built in fw on openstack that you can get yourself into all kinds of trouble over the small differences LOL.

                Aside from firewalling, Proxmox software defined networking is fun!

          • (Score: 2) by higuita on Sunday May 11, @11:07PM

            by higuita (2465) on Sunday May 11, @11:07PM (#1403462)

            True, but a proper ipv6 network can also monitor RA and SLAAC, just like an ipv4 setup can detect a rogue dhcp server.

  • (Score: 4, Insightful) by higuita on Wednesday May 07, @12:55PM (3 children)

    by higuita (2465) on Wednesday May 07, @12:55PM (#1402971)

    Read my post above; this is not an ipv6 problem, but an insecure http update download. This can happen in exactly the same way with ipv4 dhcp.

    • (Score: 2) by ElizabethGreene on Wednesday May 07, @06:04PM (2 children)

      by ElizabethGreene (6748) on Wednesday May 07, @06:04PM (#1402986) Journal

      +1 agree. That's the real exploit here and I'd like to know how they're doing that; Windows update is hardened against this sort of thing; I've even seen AV ssl inspection break it because the (trusted) certificate didn't chain back to the Microsoft root CA.

      • (Score: 2) by ElizabethGreene on Wednesday May 07, @06:11PM (1 child)

        by ElizabethGreene (6748) on Wednesday May 07, @06:11PM (#1402988) Journal

        I read TFA and it's not an attack against Windows update. It intercepts and injects malicious code into downloads from "Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Quihoo 360, and Baofeng". The infection occurs when the user runs those downloads.

        • (Score: 2) by higuita on Sunday May 11, @11:05PM

          by higuita (2465) on Sunday May 11, @11:05PM (#1403461)

          So basically, Chinese software isn't using TLS and so is open to this kind of attack.

  • (Score: 1, Funny) by Username on Wednesday May 07, @02:03PM (1 child)

    by Username (4557) on Wednesday May 07, @02:03PM (#1402973)

    >China-aligned APT threat actor named "TheWizards"
    Who named them? I would think Chinese would have squiggly Chinese characters.

    • (Score: 3, Informative) by ElizabethGreene on Wednesday May 07, @06:07PM

      by ElizabethGreene (6748) on Wednesday May 07, @06:07PM (#1402987) Journal

      APTs are usually named by the threat detection companies that encounter them. The attribution process is fuzzy heuristics too; it would never stand up to serious scrutiny.

  • (Score: 3, Funny) by pTamok on Wednesday May 07, @02:20PM (3 children)

    by pTamok (3042) on Wednesday May 07, @02:20PM (#1402975)

    If you want to avoid the phrase 'Man in the Middle', try using 'Malefactor in the Middle' as a retcon for the now unacceptable wording.

    • (Score: 1) by pTamok on Wednesday May 07, @06:47PM (2 children)

      by pTamok (3042) on Wednesday May 07, @06:47PM (#1402993)

      Not intended as 'Flamebait'.

      The thing is, using sex- or gender- related terms where sex- and/or gender- relation is not necessary is unacceptable to a large segment of society. That's current reality. On the other hand, there is a large body of work that used the acronym/initialism MitM which is an acronym or initialism for Man-in-the-Middle. This means that if you are searching for texts on the topic, you are going to need to search for MitM, come what may, and it makes sense not to introduce a new initialism if possible, I don't want to have to search for 'Mitm OR AitM' all the time. It is simpler to find an acceptable word that fits the initialism, hence Malefactor [wiktionary.org]. If you think 'malefactor' has anything to do with 'male', then your education is sadly lacking.

      Of course, using the word 'malefactor' implies the entity doing the interception has only bad intent, which the previous term did not. Companies, for example, interpose themselves in supposedly secure connections to ensure employees are not breaking external communication rules - to prevent malfeasances. Substitute terms are not necessarily going to be perfect replacements.

      Any suggestion for a better word beginning with 'M'?

      • (Score: 2) by bzipitidoo on Wednesday May 07, @11:35PM (1 child)

        by bzipitidoo (4388) on Wednesday May 07, @11:35PM (#1403015) Journal

        > If you think 'malefactor' has anything to do with 'male', then your education is sadly lacking.

        But they begin with the same 4 letters! Not 1 or 2, but 4! That can't be a coincidence. It means that men are bad! It's the Male Factor!

        How about changing the acronym? To, uh, "MFitM". Male/Female in the Middle, yeah that's it.

        • (Score: 0) by Anonymous Coward on Thursday May 08, @04:37AM

          by Anonymous Coward on Thursday May 08, @04:37AM (#1403034)

          Haven't you heard - men are great now. It's trans who are the vile sex molesters lurking in our women's bathrooms.

  • (Score: 1, Offtopic) by RedGreen on Wednesday May 07, @05:08PM

    by RedGreen (888) on Wednesday May 07, @05:08PM (#1402983)

    It just never ends forty years of proudly serving up garbage with no end in sight.

    --
    Those people are not attacking Tesla dealerships. They are tourists showing love. I learned that on Jan. 6, 2021.
  • (Score: 2) by fraxinus-tree on Thursday May 08, @09:08AM (1 child)

    by fraxinus-tree (5590) on Thursday May 08, @09:08AM (#1403041)

    Is this already a thing?

    Last time I checked, no major ISP in my country offers this. Half of the hosting providers around the world don't offer it either. When I ever encounter IPv6 enabled on anything, I consider this an omission without thinking twice and I fix it for good.

    The more I try to learn about IPv6, the more it looks like a perverted, pushed to the limits example of strictly academic value. It solves a single maybe-a-problem (IPv4 address space) while adding a great deal of complexity, pretending to solve a bunch of other not-really-a-problems (I am looking at you, IPSEC).

    • (Score: 2) by higuita on Sunday May 11, @11:34PM

      by higuita (2465) on Sunday May 11, @11:34PM (#1403464)

      Depends on the country... many have a full ipv6 setup, others none...
      In mine, Portugal, the 3+1 major ISPs have it, but one of them only rarely enables it (you can request it; some people get lucky), even though they have had everything ready for years.

      Big USA ISPs are known to be lagging in this matter, while smaller ones have already enabled ipv6.

      Try requesting ipv6 from your ISP, if needed, tell them that you can be a beta tester.

      Why should you get ipv6? Well, even Apple is requesting app devs to use ipv6; they report up to a 1.4 increase in speed and latency. ipv6 has more advanced traffic control and in certain conditions that can make big differences. If everything is perfect, ipv4 and ipv6 aren't much different, so it also doesn't hurt to have it too.

  • (Score: 2) by gnuman on Thursday May 08, @04:18PM

    by gnuman (5013) on Thursday May 08, @04:18PM (#1403077)

    To protect against these types of attacks, organizations can monitor IPv6 traffic or turn off the protocol if it is not required in their environment.

    Or is Microsoft not signing its updates? Or is HTTPS not used? You know... this is really not a protocol issue here at all.

  • (Score: 0) by Anonymous Coward on Friday May 09, @01:42AM (1 child)

    by Anonymous Coward on Friday May 09, @01:42AM (#1403132)

    Yep, the state of IPv6 is still not good enough by my standards. I currently keep IPv6 disabled on much of my stuff.

    Your standards may be lower/different.

    I'll wait for y'all to experience all the bleeding in the bleeding edges first.

    FWIW NAT is not a bug, it often can be a very useful feature. But lots of IPv6 proponents and standards makers are _religiously_ anti-NAT.

    It's almost like someone wants yet another way to track you and your devices[1]...

    IPv6 Fanboy: "But OMG having NAT breaks the end to end nature of the Internet".

    Uh that's exactly what I want in many cases.

    IPv6 Fanboy: "BUT BUT if the firewall ever gets bypassed it would be more difficult for other devices on the Internet to talk to your server... "

    Yeah what a huge disaster that would be... 🤣

    [1] https://www.theregister.com/2022/03/22/legacy_ipv6_addressing_standard_enables/ [theregister.com]
    yes that's legacy stuff, but just wait a while, given all the added IPv6 complexity etc I'm sure someone will find more privacy and security issues.

    • (Score: 2) by higuita on Monday May 12, @12:36AM

      by higuita (2465) on Monday May 12, @12:36AM (#1403468)

      >I'll wait for y'all to experience all the bleeding in the bleeding edges first.

      Well, this has not been bleeding edge for around 10 years already. Most people that have ipv6 don't even know they have it.
      Notice that most people do have ipv4+ipv6, but usually ipv6 is preferred if both exist.

      >FWIW NAT is not a bug, it often can be a very useful feature.
      IPv6 also has NAT... but most people that cry "NAT!!" don't even need it! What they want is a firewall (that drops incoming ipv6 connections), which their router should already have, enabled by default.
      The ipv6 NAT is usually for some corner cases, not for the same usage as ipv4 NAT, but the support exists!

      Read the full post:
      https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no-nat-for-ipv6-but-nat-still-exists/ [infoblox.com]

      Or look here for TLDR:
      https://forums.raspberrypi.com/viewtopic.php?t=298878 [raspberrypi.com]

      >But lots of IPv6 proponents and standards makers are _religiously_ anti-NAT.
      Lots of FUD on ipv6, most of it baseless.

      Many ipv4 people confuse NAT with a firewall. IPv6 *DOES* have NAT, but with a full public ipv6 range in the internal network, the need for NAT is just a few corner cases.
      Ooohh, you want some service for the internal network and don't want to mess with firewall rules to protect it? Bind the service to the link-local ipv6 range fe80::/64 (similar to localhost, 127.0.0.0/8, or ::1/8 in ipv6, but it is only internal; routers MUST drop any package for/to that network range)... but hey, if you really want, you can NAT that range to the internet. It is easier to publish to the public ipv6 address, but nobody stops you from doing useless things :)

      >It's almost like someone wants yet another way to track you and your devices[1]...
      You have privacy extensions, which you can enable (some distros already use this as default, but others just use a random ipv6 address instead of the MAC address on each boot).

      https://mirrors.deepspace6.net/Linux+IPv6-HOWTO/x1089.html [deepspace6.net]

      Enable it and for each site it will generate a new ipv6 address in your range to create the connection... so 2 different sites will use different ipv6 addresses. Yes, the network part is the same, but that is no different from ipv4, where your ipv4 address is always the same for all connections, even with NAT.
      I have had this enabled for around 15 years maybe; right now ifconfig shows around 7 ipv6 addresses.

      IPv6 has more features than ipv4, while removing stupid, dangerous and/or useless things from ipv4; nothing stops you from using all ipv6 features... but at the very least read "Resisting the Urge to NAT IPv6" from https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no-nat-for-ipv6-but-nat-still-exists/ [infoblox.com]

      This is exactly like the "19th Century Big Wheel Bicycle" vs the modern bicycle... you can put a big wheel on modern bikes too, but you get all the disadvantages of it and no advantage at all, as modern bikes already directly solved what the big wheel was trying to solve on the first bicycles... it worked (just like NAT), but had several problems (just like NAT), and it was made an obsolete solution by modern bikes (just like ipv6).
