Arbor Networks’ ASERT Team posted claims that recently discovered illicitly modified 2008 agents contained references to malicious command and control (C2) domains that have previously been linked to Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The latest research released in January 2019 suggests that those malicious C2 domains may still be active. No new vulnerabilities or exploits were discovered.

We have confirmed that it is an old agent that’s being used and have verified that all samples are the same version with patched/hacked URLs from 2008.

Neither Arbor nor Absolute have any evidence to suggest the agent has been distributed but we can say that the likely delivery mechanism of the modified agent would be through spear phishing.

Neither Arbor nor Absolute have any evidence to suggest the agent has been distributed but we can say that the likely delivery mechanism of the modified agent would be through spear phishing.

Based on our own investigation and a review of the research presented by Arbor, we do not believe that customers or partners have been exposed. However, if you have any concerns, want to talk to a member of our team or want to report a suspicious issue, we recommend that you report issues directly to Absolute and we will investigate immediately. If you have questions or concerns, please reach out directly to Absolute.

We are committed to the integrity of our software and technology, and take any disclosures very seriously. We will continue to investigate the research presented by Arbor Networks, and address any of our customers, partners or stakeholders promptly.

In 2009, Core Security research report claimed that an attacker could overwrite the legitimate version of Computrace in the BIOS with a corrupted executable. Upon review of the report and cited technique, we determined that the code would have needed to be modified and then the BIOS updated. Our OEM partners have processes in place to ensure only approved, signed BIOS updates are allowed to run. We rely on this same process to ensure the integrity of the software in the BIOS. Please refer to our initial FAQ available here.

On May 11 2018, MITRE published three common vulnerabilities and exposures relating to Absolute software dating back to 2009. CVE-2009-5150 and CVE-2009-5151 are vulnerabilities which Absolute remediated in 2014. We are investigating if the 2014 agent update also addressed CVE-2009-5152. That said, CVE-2009-5152 is not a vulnerability that can be exploited remotely as it requires an escalated local privilege on the affected system. Furthermore, the impact of CVE-2009-5152 is low, because a potential exploit would only change the activation/deactivation status of Persistence^®, a separate feature of Absolute’s software agent.

In 2014, Kaspersky researchers claimed that a legitimate version of our agent could be hijacked and the traffic could be modified (or what’s known as a Man in the Middle, MITM attack). We investigated their observations and concluded that this could only be achieved by the threat actor having administrative privileges which indicated another underlying issue at work (i.e. malware, phishing, etc).

The 2008 agent used as the basis for the malicious samples contained a configuration variable that attackers were able to modify to point to their own command and control (C2) server and recompiled the agent with multiple file attributes changed in order to appear very similar to the original. We believe that the Kaspersky research may have further informed attackers on the communication protocol between agent and server. Based on the samples we’ve reviewed, we don’t believe that the actors were using the MITM attack described in the research from 2014.

This new research doesn’t validate the research from Kaspersky, in our view, since Kaspersky claimed that a hacker could hijack and monitor the protocol of a legitimate version of the product. Based on in depth investigation of the Kaspersky claims, we found this could only be achieved by the actor having administrative privileges on the network or on the computer.

We updated the agent to ensure that communication between the agent and the server is encrypted, including the initial persistence call. We also sign our files to verify that an agent has not been modified.

We take these claims very seriously. Our internal security team and third-party partner are reviewing issues raised in recent media coverage about previous product releases from 2009 and 2014 as well as how we have worked with third party security researchers in the past.

Our technology is designed to upgrade our customers to the latest version when activated. The recent issues highlight a reverse engineered agent, which would not be a legitimate version of Absolute’s software. We also follow a number of best practices to ensure the integrity of our technology, including signing our files and working with AV companies to whitelist our current agents.

As part of a continuous security process, Absolute periodically updates our agents. The primary concerns highlighted in the Arbor report relate to the verification of our agent and was addressed in January 2015 with the release of RPCNET agent 944, which is code signed and performs a server authentication.

Customers should take steps to ensure that devices are using agent 944 or later, as well as implementing any firmware updates if published from their PC vendor. Customers can view their current agent version in the Asset report under the column ‘Agent Version’.

Any new versions of our software are submitted for whitelisting with the AV vendors when they are generally released. We have recently worked with many of them to blacklist the malicious samples as necessary.

We have a published page on our website where external users can submit potential vulnerabilities for review and we have a vetting process to review those issues reported. If discovered to be vulnerabilities, we attribute the discovery to the individual(s) or group(s) that reported it, or work with them to submit a vulnerability submission through MITRE, at their request. It’s our job to make sure that we identify, fix and communicate vulnerabilities as quickly as possible when they are discovered.

Disclaimer: prior reports have misidentified LoJack instead of Absolute LoJack for Laptops, also known as Computrace. LoJack for Laptops and Computrace are products of Absolute, not LoJack or CalAmp.