Produced by PI Media. Hi, I'm Ran Levi. Welcome to CPRadio. A year ago, this podcast recounted one of the most momentous decisions in cybersecurity history. It concerned one of the most indelible images known to computer users: above a button in Microsoft programs like Word and Excel, a security warning. Our computers would read "Macros have been disabled," and then there was an option for you to click to enable content. The option to enable macros was always a tricky one.
A small sect of power users really loved using macros to streamline and automate the various ways they used Microsoft products. The vast majority of us never used them, though, or probably even knew what macros were. So when we opened files and were presented with the option to enable macros, we often just hit OK because we didn't know better. But there is a problem with defaulting to OK. We've known this for years, and even though Microsoft has fixed
their problem, we're still suffering as a result of this instinct. Today, consider the Foxit PDF Reader. When it comes to PDF viewing software, Adobe Acrobat Reader is clearly top dog. It's probably what you use, but among its competition, Foxit Reader is a significant player. It's got over seven
hundred million users spread across two hundred countries. Among its customers are high-level government entities like the US Air Force, Army, and Navy, and major corporations: Morgan Stanley, Amazon, and Microsoft, to name just a few. The widespread popularity of Foxit Reader makes it extra crucial that no subtle
security flaws end up slipping past notice. That's why Antonis Terefos, a reverse engineer at Check Point Research, recently tested Foxit in XMon, an exploit detection and analytics tool for detecting zero-day exploits.
We got a notification from XMon, which is like a vulnerability kind of sandbox, I would call it, with a triggered, like, malicious behavior on a PDF file. Once we saw that the dynamic analysis of the PDF was triggering, like, a malicious command, I started analyzing it statically. So I used some tools that are for static analysis of PDFs, like PDFs Analyze.
The issue, it turned out, was deeper than just one malicious threat. Say you're using Foxit to open up a PDF file you don't know is malicious. You'll initially get a pop-up: "Some features have been disabled to avoid potential security risks. Only enable these features if you trust this document." Then you get two options: trust this document one time only, or always. So far, so good.
But with the PDF Antonis was looking at, once he made his choice, he got a second message asking largely the same thing, but in more words. It went something like: "The file may contain programs, macros, or viruses that could potentially cause damage to your computer. Only open the file when you are sure it is safe," and so on. Again, here there are two options: Open and Do Not Open.
The problem in this case is that Foxit Reader is creating several pop-up messages that, by default, once you click there, like, the default option provides you a malicious activity.
How many of us are going to read the first pop-up, let alone the second, nearly identical one? Maybe if you're being attentive, but not if you're busy, distracted, or just lazy. You just want to click through, and the options available aren't presented equally for your lazy brain. The Open button is highlighted in blue, as if it's just beckoning you to click
it. So it has all default options, like, even if you don't read all the pop-up messages and you just click on it, you are going to execute the malicious command. And this is what the threat actors were taking advantage of.
Think of this not as a software exploit but a human one: a design flaw that allowed a threat actor to more easily phish their victims by getting them to click the button that would enable their malicious behavior, and all of this without the hacker having to trick the victim in any way or do any work at all. The program is built to get people to click the
button that causes their demise on its own. Though this isn't the end of the world, it only starts to become a problem in the context of broader phishing attacks.
I remembered there was one tactic that was kind of an interesting one that was using a malicious PDF file.
The file didn't contain any kind of exploit that triggered upon clicking OK. Rather, it included a hyperlink that directed victims to a second attachment.
And then it was downloading from Trello, which is a legitimate website.
Hosting malicious activity on legitimate, popular sites like Trello proved useful. It meant that browsers and Internet traffic monitors wouldn't think twice if a victim visited and clicked on the attached file.
A PDF with a Foxit vulnerability, and then it was executing, like, a command line, a PowerShell command.
By the end of this attacker's chain of events from the Foxit PDF, the user downloads Remcos.
RAT. It's like a remote access trojan which can perform all kinds of, like, activities, like get access to the computer of the victim, like view sensitive files, upload sensitive files, further infect the system, steal even credentials as far as I know, and take screenshots of the computer.
This particular threat actor, dating back to March 1, seemed to be exploiting Foxit in Southeast Asian countries like Korea and Vietnam. As Antonis and his colleagues looked into this threat, though, it only became bigger. Operating under the moniker @silentkillertv, an individual claiming to be an ethical hacker with more than twenty-two years of experience had been selling a number of malicious tools on Telegram since 2022. As of April 27,
one of them was a Foxit Reader exploit. The malicious program boasted of, quote, "one hundred percent bypass with antiviruses, plus Gmail, Yahoo, Facebook, and Hotmail file sharing restrictions," which sounds fake, which you'd hope is fake.
Most of the places, like Gmail, Facebook, when you send a file, if it's malicious, they are going to trigger, for example, if it's an executable, it's going to trigger a warning, or it's not even going to allow you to send that file to the contact that you are trying to send it to. But with this vulnerability, everything was bypassed. Gmail was not able to detect, like, Facebook was not able to detect.
Silent Killer TV's exploits really could bypass traditional security checks in major social media and mail platforms, but it wasn't because his malicious code was so amazing and sophisticated.
In the majority of the cases, the vulnerability was never triggered because everyone was using Adobe.
Cybersecurity researchers have a set of tools they typically use to investigate threats, like antivirus and sandboxes. Antonis found that these all used Adobe Reader to open PDFs by default.
If you are trying to exploit a specific software like Foxit, you'll need to have it in your sandbox and execute samples with that software, with Foxit. But if the majority of the sandboxes are using Adobe, we never see the vulnerability.
Exploits happened to slip past analysts' radars because of this simple quirk in their sandboxes. Only XMon, that program we mentioned at the beginning of the show, ran Antonis's PDF files in both the Adobe and Foxit viewers. This might explain why, after some further investigation, Antonis's colleagues found so many other threat actors exploiting Foxit instead of its more popular alternative, Adobe. They found espionage actors like India's DoNot Team, aka APT-C-35, and low-level e-criminals
like Silent Killer TV. They each incorporate Foxit PDF into their own custom-designed attack chains with an end goal to deploy remote access malware like Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, VenomRAT, and XWorm. In light of these threats to Foxit Reader users, earlier this year the Check Point researchers brought their findings to the program's
developers. They came back to me, bringing to my attention that in version 24.3 they are going to fix it. They did that fix even earlier. So the fix that they provided, in my opinion, is not the perfect one, but it is a fix that will solve the problem of the users just clicking OK or clicking Enter without checking what is being asked. So what they actually did was to switch the default option from Open, that it was before, to Don't Open.
So basically everything is the same now as ever, but instead of Open being highlighted in blue, Do Not Open is highlighted instead. It's not nothing. Foxit users will now likely end up not choosing Open quite as often for documents they shouldn't open, but that might not save most of them.
Thirty of the PDF files that I observed, once you were clicking them and opening them, it was a blank page. That's still, for users that are just users of the computers, if they see that, okay, I click Don't Open and I see a white page, maybe they think, if I click Open, they will see the actual content of the PDF file. My opinion, Foxit Reader needs to do in the future a more robust fix which will not let threat actors take advantage of the software against the users.
One more robust type of fix might be to ban, for example, executing files from remote servers, a classic indicator of hacker behavior. More advanced solutions might involve detecting and blocking the kinds of commands hackers use in the course of their attack chains.
In order for this vulnerability to trigger, they need to use some specific PDF keywords that trigger the command line. So this type, I would possibly not allow these keys to execute anything.
In the grand scheme of cybersecurity, the design issue in Foxit PDF Reader is really very minor, but it speaks to a much larger and more impactful phenomenon we'll probably have to deal with for as long as there are computers around: the instinct to default to OK. I'm not even talking about the ignorance that goes into clicking it, or the laziness. I'm talking about the way our brain works, that we default to believing in what we see.
Social engineering experts have preyed on this aspect of our human nature to trick employees of companies into opening emails, giving them sensitive information on the phone, or sending a large amount of money to an unknown bank account. And for years, users of Microsoft products enabled macros simply to get rid of the notification, because it didn't even register
as something to worry about. I'm careful to call this an instinct, an aspect of our nature, rather than an issue or flaw in human psychology, because ultimately it's a good thing. Imagine if we all walked around every day scrutinizing every little thing that comes our way, worried that everything anyone might say could be a lie. Society would break down. We would all be unhappy. In the best-case scenario, we would all just be extremely tired every day,
having to expend so much mental energy. In his book Talking to Strangers, Malcolm Gladwell points out how people who are extremely careful and untrusting of others can sometimes achieve amazing things in the world, but often at the cost of their own well-being, and they have to be the exception, not the norm. So he writes, quote, "We could start by no longer penalizing one another for defaulting to truth. To assume the best about another is
the trait that has created modern society. Those occasions where our trusting nature gets violated are tragic, but the alternative, to abandon trust as a defense against predation and deception, is worse." In cybersecurity, we often tell people: don't trust emails, even if they seem legitimate. Always check the sender before you do X. Make sure you check Y and Z first. And yet cyber attacks keep rising every year, because this
just isn't sustainable. The average person gets around one hundred and twenty emails a day, and a lot of you listening right now will find that number laughably low. You just don't have the energy to double-check every communication you receive, every button you click in every software program you use throughout the day. That's why, to close out today's story, we're going to leave you with a bit of advice that might be a little easier to implement. Just, you know, keep an eye out for stuff.
This can't happen, even though Facebook does not allow malicious files to be sent through chats, but actually it can happen. So be careful. Just read whatever, and whenever you're not sure about something, it's better to not open it.
Don't worry over every email you get, or every message online, or every file attached to them. Just be aware in general that they could be something other than what they seem. Keep the thought in the back of your mind. You'll open a document and click OK once, but then the second time you've got the option, maybe a little voice in your head will tell you: take a second and look at this. It might well help you avoid a potential headache. That's it for this episode. Thank you for listening.
For past episodes of the podcast, visit the Check Point Research blog at research.checkpoint.com, and you can follow Check Point Research on Twitter, or follow me at @ranlevi, that's r a n l e v i. CPRadio is produced by PI Media, written by Nate Nelson, produced by Hila Sheemish, and edited and narrated by me, Ran Levi. See you next episode. Bye-bye.