Absolute Security

Absolute Response to Arbor Research

On January 16, 2019, Arbor released an update to prior research that suggested a sophisticated exploit known as LoJax, which takes advantage of a modified 2008 Computrace/LoJack agent, may still be communicating with malicious command and control servers associated with threat groups. No new vulnerabilities or exploits were discovered.

Absolute would like to reassure its customers and partners that the report does not draw any conclusions regarding the security of Absolute’s more recent agents, platform or Persistence technology, each of which we believe is secure. We work tirelessly to ensure the security of our customers’ devices and data. Please refer to the Additional Information and Frequently Asked Questions below to address any concerns you may have or reach out to us at [email protected].

Additional Information

On May 1, 2018, Arbor Networks’ researchers issued a report that discussed a few samples of exploitation of a known vulnerability in an old version of the 2008 Computrace/LoJack agent. We have reviewed Arbor’s claims and can confirm that more recent versions of these agents are not susceptible to this type of attack. We can also confirm that all known malicious samples are modified from the original state of the 2008 agent software, which enables both hash-based detection of malicious binaries and network URL-based detection of modified, malicious command and control infrastructure.

As a result of the report, on May 11, 2018, MITRE published three common vulnerabilities and exposures (CVEs) relating to the 2008 and 2009 versions of Absolute’s software agent. CVE-2009-5150 and CVE-2009-5151 are vulnerabilities that Absolute remediated in 2014. We are investigating whether the 2014 agent update also addressed CVE-2009-5152. That said, CVE-2009-5152 is not a vulnerability that can be exploited remotely, as it requires an escalated local privilege on the affected system. Furthermore, the impact of CVE-2009-5152 is low, because a potential exploit would only change the activation/deactivation status of Persistence®, a separate feature of Absolute’s software agent.

What Can You Do Today?

We are continuing to investigate the claims laid out in Arbor’s research. Out of an abundance of caution, we have some additional suggestions on things you can do to protect yourself and your organization.

  1. Block traffic to known domains attributed to Fancy Bear and other known C2 servers. This includes but is not limited to:
  2. Ensure AV/ATP solutions are updated and blacklist/quarantine files with the following MD5, SHA1, or SHA256 value:

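One way to consume an indicator list published in this form (defanged domains, digests of mixed type with notes such as "(MD5 only)") when checking DNS query names and file contents. This is an added example, not code from Absolute or Arbor; the function names and every sample domain and digest in it are constructed placeholders.

```python
import hashlib
import re

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm

def parse_indicators(text):
    """Split an advisory-style list into refanged domains and digests by algorithm."""
    domains = set()
    digests = {algo: set() for algo in HASH_ALGOS.values()}
    for raw in text.splitlines():
        # Drop list numbering ("12. ") and trailing notes such as "(MD5 only)".
        token = re.sub(r"^\s*\d+\.\s+", "", raw).split("(")[0].strip().lower()
        if re.fullmatch(r"[0-9a-f]+", token) and len(token) in HASH_ALGOS:
            digests[HASH_ALGOS[len(token)]].add(token)
        elif "[.]" in token:
            domains.add(token.replace("[.]", "."))
    return domains, digests

def domain_hit(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare whole labels so "notlisted-name.tld" never matches "name.tld".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def file_hit(data, digests):
    """Return (algorithm, digest) when any digest of data is listed, else None."""
    for algo, known in digests.items():
        digest = hashlib.new(algo, data).hexdigest()
        if known and digest in known:
            return algo, digest
    return None

# Constructed sample input: placeholder domains and digests of made-up bytes.
SAMPLE_BYTES = b"constructed sample, not a real agent binary"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()
SAMPLE_LIST = f"""
    1. c2-placeholder[.]example
    2. stats.placeholder[.]test
    {SAMPLE_MD5} (MD5 only)
    {hashlib.sha256(b"second constructed sample").hexdigest()}
"""

if __name__ == "__main__":
    domains, digests = parse_indicators(SAMPLE_LIST)
    for qname in ("cdn.c2-placeholder.example.", "notc2-placeholder.example"):
        print(qname, "->", domain_hit(qname, domains))
    print(file_hit(SAMPLE_BYTES, digests), file_hit(b"benign", digests))
```

Matching on whole DNS labels catches subdomains of a listed domain without flagging unrelated names that merely end in the same characters.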

Frequently Asked Questions

What did Arbor Networks’ research uncover?

Arbor Networks’ ASERT Team posted claims that recently discovered, illicitly modified 2008 agents contained references to malicious command and control (C2) domains that have previously been linked to Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The latest research, released in January 2019, suggests that those malicious C2 domains may still be active. No new vulnerabilities or exploits were discovered.

Is this a recent version of LoJack that’s being hijacked?

We have confirmed that it is an old agent that’s being used and have verified that all samples are the same version with patched/hacked URLs from 2008.

Was this agent distributed?

Neither Arbor nor Absolute has any evidence to suggest the agent has been distributed, but we can say that the likely delivery mechanism of the modified agent would be spear phishing.

Based on Arbor’s research, has the underlying Persistence technology been compromised?

Neither Arbor nor Absolute has any evidence to suggest the agent has been distributed, but we can say that the likely delivery mechanism of the modified agent would be spear phishing.

What if I want to confirm that I have not been exposed?

Based on our own investigation and a review of the research presented by Arbor, we do not believe that customers or partners have been exposed. However, if you have any concerns, want to talk to a member of our team or want to report a suspicious issue, we recommend that you contact Absolute directly and we will investigate immediately.

We are committed to the integrity of our software and technology, and take any disclosures very seriously. We will continue to investigate the research presented by Arbor Networks, and address any concerns of our customers, partners or stakeholders promptly.

What are the CVEs posted regarding 2009 research?

In 2009, a Core Security research report claimed that an attacker could overwrite the legitimate version of Computrace in the BIOS with a corrupted executable. Upon review of the report and the cited technique, we determined that the code would have needed to be modified and then the BIOS updated. Our OEM partners have processes in place to ensure only approved, signed BIOS updates are allowed to run. We rely on this same process to ensure the integrity of the software in the BIOS. Please refer to our initial FAQ available here.

On May 11, 2018, MITRE published three common vulnerabilities and exposures relating to Absolute software dating back to 2009. CVE-2009-5150 and CVE-2009-5151 are vulnerabilities that Absolute remediated in 2014. We are investigating whether the 2014 agent update also addressed CVE-2009-5152. That said, CVE-2009-5152 is not a vulnerability that can be exploited remotely, as it requires an escalated local privilege on the affected system. Furthermore, the impact of CVE-2009-5152 is low, because a potential exploit would only change the activation/deactivation status of Persistence®, a separate feature of Absolute’s software agent.

What was the issue in 2014?

In 2014, Kaspersky researchers claimed that a legitimate version of our agent could be hijacked and its traffic modified (what is known as a man-in-the-middle, or MITM, attack). We investigated their observations and concluded that this could only be achieved by a threat actor with administrative privileges, which indicated another underlying issue at work (e.g., malware or phishing).

How is it possible to modify the Absolute agent? And why did this issue come up again with Arbor?

The 2008 agent used as the basis for the malicious samples contained a configuration variable that attackers were able to modify to point to their own command and control (C2) server. They then recompiled the agent with multiple file attributes changed so that it would appear very similar to the original. We believe that the Kaspersky research may have further informed attackers on the communication protocol between agent and server. Based on the samples we’ve reviewed, we don’t believe that the actors were using the MITM attack described in the research from 2014.

This new research doesn’t validate the research from Kaspersky, in our view, since Kaspersky claimed that a hacker could hijack and monitor the protocol of a legitimate version of the product. Based on an in-depth investigation of the Kaspersky claims, we found this could only be achieved by an actor with administrative privileges on the network or on the computer.

What have we done to address the claims/mitigate the risk?

We updated the agent to ensure that communication between the agent and the server is encrypted, including the initial persistence call. We also sign our files to verify that an agent has not been modified.

Are we currently undertaking any other efforts to ensure the integrity and security of our software?

We take these claims very seriously. Our internal security team and third-party partner are reviewing issues raised in recent media coverage about previous product releases from 2009 and 2014, as well as how we have worked with third-party security researchers in the past.

How can we ensure that no one is using the old agent in question (2008)?

Our technology is designed to upgrade our customers to the latest version when activated. The recent issues highlight a reverse-engineered agent, which would not be a legitimate version of Absolute’s software. We also follow a number of best practices to ensure the integrity of our technology, including signing our files and working with AV companies to whitelist our current agents.

As part of a continuous security process, Absolute periodically updates our agents. The primary concerns highlighted in the Arbor report relate to the verification of our agent and were addressed in January 2015 with the release of RPCNET agent 944, which is code signed and performs server authentication.

Customers should take steps to ensure that devices are using agent 944 or later, and should apply any firmware updates published by their PC vendor. Customers can view their current agent version in the Asset report under the column ‘Agent Version’.

How do we work with the AV vendors?

Any new versions of our software are submitted for whitelisting with the AV vendors when they are generally released. We have recently worked with many of them to blacklist the malicious samples as necessary.

What happens if someone wants to report a vulnerability?

We have a published page on our website where external users can submit potential vulnerabilities for review, and we have a vetting process to review the issues reported. If they are found to be vulnerabilities, we attribute the discovery to the individual(s) or group(s) that reported it, or work with them to file a vulnerability submission through MITRE, at their request. It’s our job to make sure that we identify, fix and communicate vulnerabilities as quickly as possible when they are discovered.

Disclaimer: prior reports have misidentified the product as LoJack rather than Absolute LoJack for Laptops, also known as Computrace. LoJack for Laptops and Computrace are products of Absolute, not LoJack or CalAmp.

Last Updated: January 16, 2019
