The Connection Between GoldenSpy and MEDoc: Reducing the Security Risk of Doing Business

By Oleg Zlotnik. January 7, 2021

Employees are often required to use various desktop applications to do business. In the work-from-home era, it’s very common to find remote collaboration and video conferencing apps, such as Zoom, Teams, Webex, being used on corporate devices.

In today’s COVID-19 world, these applications are almost mandatory for efficient collaboration and productivity.
But even before COVID-19, certain applications had to be installed due to various regulation demands. For example, a finance department may need to use various global tools to report financial transactions, handle taxes, etc.

IT and security administrators are often obligated to allow these applications to be installed on corporate desktops so that employees can do their work. But can these applications be trusted, or do security compromises have to be made?

The Security Risk of Being Popular

Almost everyone uses video conferencing applications today, with Zoom and Microsoft Teams being the most popular. Some assume that popular applications must be secure. They wouldn’t be so popular if their security couldn’t be trusted, right?
Zoom, Microsoft, and others invest heavily in securing these applications. Sometimes they even buy an entire company to help to secure their own product. But is it always enough?

Only recently, a researcher named Oskars Vegeris found a vulnerability in Microsoft Teams. This vulnerability allowed attackers to execute code remotely on victim devices, simply by sending them a specially crafted message.

It took Microsoft some time to acknowledge and fix this vulnerability, with a fix being available only a few months after the discovery.

Exploiting vulnerabilities by simply sending an innocent-seeming message is not rare. Zoom had a similar vulnerability, where attackers could write malicious files to the disk by simply sending a chat message.

Unfortunately, in the security world being popular also means being highly targeted. It’s probably only a matter of time until the next vulnerability is discovered in one of the popular video conferencing applications. And with employees often using more than one such application, the risk keeps growing.

The Security Risk of Following Regulations

Multinational companies sometimes face another type of challenge. In some countries, it is required to use proprietary software to report financial information.

In early 2020, when a U.K.-based company started doing business in China, it was asked by a state-owned bank in China to download endpoint software called Intelligent Tax, to facilitate the filing of local taxes. It was later discovered that this software installed a hidden backdoor that allowed attackers to execute code remotely on the company’s network. Trustwave, a US-based cybersecurity company, published a detailed report following the discovery, naming the malware GoldenSpy and linking it to the Chinese Aisino corporation. Later, Trustwave published another report following the discovery of another malware family, GoldenHelper – also embedded in Chinese tax software and also linked to the same Aisino corporation.

A similar scenario was reported in 2017, where Ukrainian tax-filing software, MEDoc, issued malicious self-updates. These self-updates spread malware, such as the Petya and NotPetya ransomware, causing damage of over US$10 billion, according to the White House. Microsoft later published a detailed analysis of the malware and the attack chain.

The Security Risk of Using Legacy Software

Third-party vendor applications are not the only ones that may pose a security threat. Many organizations are still using legacy applications, written before modern security standards and practices existed.

Some of these legacy applications require elevated privileges to operate. This makes privilege escalation easy if attackers are able to execute code in the context of the elevated application. It also pushes some organizations to disable Windows User Account Control (UAC) to reduce the number of user prompts. Disabling UAC is usually a bad idea, as it lowers the security level of the device.

Another major problem with legacy software is the lack of patches and security updates. Some of these legacy applications depend on known-to-be-vulnerable components, leaving IT administrators with no means of mitigation. This leaves organizations vulnerable, just waiting for a breach to happen. A good example of this is SMB v1, which is still required today by certain legacy applications. EternalBlue, an exploit for an SMB v1 vulnerability developed by the NSA, was leaked by the Shadow Brokers hacker group in April 2017, one month after Microsoft released patches to fix the vulnerability. EternalBlue was used extensively during the WannaCry and NotPetya ransomware cyberattacks, targeting many unpatched Windows devices.
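The two legacy-software weaknesses described above, UAC switched off to keep an old application quiet and SMB v1 left enabled because something still depends on it, are both visible from the endpoint itself. The following audit script is an added example, not code from the original post or from Hysolate; it reads the UAC policy values from the registry and queries the SMB server configuration and the Windows optional-feature state. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the `Get-SmbServerConfiguration` cmdlet exists), and `SMB1Protocol` is the Windows 10 client feature name; on server SKUs the optional-feature lookup may simply report the feature as not present.

```powershell
# Added example (not from the original post): audit a Windows endpoint for the two
# legacy-software exposures discussed in the text, disabled UAC and SMBv1 still enabled.
# Run from an elevated PowerShell session; the SMB cmdlets require administrator rights.

function Get-UacStatus {
    # UAC policy lives under this key; missing values mean "default" (UAC on, prompt on).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 0 = UAC disabled entirely
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate silently, no prompt
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 0 = prompt can be spoofed/overlaid
    }
}

function Get-Smb1Status {
    # Server-side switch (what remote clients can negotiate) and the installed feature.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnableSMB1Protocol = $server
        OptionalFeatureState     = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    }
}

function Test-LegacyExposure {
    $uac = Get-UacStatus
    $smb = Get-Smb1Status
    $findings = @()

    if ($uac.EnableLUA -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): every process of an admin user runs fully elevated.'
    }
    elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC elevates administrators silently (ConsentPromptBehaviorAdmin=0).'
    }
    if ($uac.PromptOnSecureDesktop -eq 0) {
        $findings += 'UAC prompts are not shown on the secure desktop (PromptOnSecureDesktop=0).'
    }
    if ($smb.ServerEnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled: the EternalBlue-era attack surface is reachable.'
    }
    if ($smb.OptionalFeatureState -eq 'Enabled') {
        $findings += 'SMB1Protocol optional feature is installed.'
    }

    if ($findings.Count -eq 0) { 'No UAC or SMBv1 exposure found.' } else { $findings }
}

function Disable-Smb1 {
    # Remediation, not run by default: turn the server-side protocol off and remove the feature.
    # Only do this after confirming no legacy application still needs SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Test-LegacyExposure
```

The script only reports; `Disable-Smb1` is defined but not called, because the page's own point is that some legacy application may still depend on SMB v1, and turning it off without an inventory is how a remediation becomes an outage. Feeding the `Test-LegacyExposure` output into an endpoint management tool across the fleet gives a quick picture of how many devices carry these two settings.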

Eliminate the Risk and Do Business Safely

Managing a single environment with mixed types of applications – trusted and untrusted, modern and legacy, risky and non-risky – well is hard. When these types of applications are mixed, attackers can exploit vulnerabilities in the applications that are harder to fortify and thereby gain access to other sensitive corporate applications or data. While following common practices and basic hygiene – such as using Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) products – is usually recommended, it’s not always enough. Zero-day vulnerabilities and sophisticated attacks that can trick security products will always exist, and in this cat-and-mouse game between attackers and defenders, a single win for the attackers is enough.

One of the reasons we built Isolated Workspace-as-a-Service (IWaaS) is so that “trusted” and “risky” applications don’t have to be installed in the same environment. With Hysolate Workspace, organizations can easily provision, deploy, and manage Isolated Workspace-as-a-Service (IWaaS) from the cloud. IWaaS enables organizations to do business safely by running risky or untrusted applications inside a hypervisor-grade isolated container, keeping threats away from the corporate host OS and corporate data. A hypervisor provides strong boundaries between the corporate host OS and the potentially compromised guest VM, keeping what matters safe.

About the Author

Oleg is a Software Engineer and Cyber Security veteran, with over 15 years of experience. At Hysolate, Oleg led an engineering team for several years, after which he joined as an architect to the CTO's office and has pioneered the next-gen products. Prior to Hysolate, Oleg worked at companies such as Google and Cellebrite, where he did both software engineering and security research. He began his career in the intelligence unit 8200 of the IDF and holds a B.Sc in Computer Science, Cum Laude, from the Technion.
