Social engineering
What with all the news about China looking to snare Western technology (and Westerners snaring Chinese), we are now learning more about efforts to steal intellectual property from design firms.
A reader writes,
I guess you already have seen this, but just in case:
https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft
I have been warning about AutoCAD malware since the introduction of VBA routines in DWG, which include the auto-open function. Targeting acad.lsp (and the like) was possible even longer before, but always required social engineering, as it still does today.
- D. R.
Unauthorized access to AutoCAD and the IP it holds should not come as a surprise to either Autodesk or its users. I remember reading (and telling you) about it a decade ago. From 2008, here is how AutoLISP can be used as malware:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:ALisp/Bursted.A
The New Attack Vector
In the new vector of attack, a file meant to protect IP is being used to steal IP. The acad.fas file is meant to encrypt AutoLISP routines so that the code cannot be borrowed, lifted, or stolen. (Normally, AutoLISP code is written and run as plain ASCII text, and so is easily inspected, reviewed, and stolen.)
AutoCAD limits its searches for support files, such as acad.fas, to specific folders. Outsiders won't necessarily know the names of project folders, although there are some default folders. So here is the solution, as Forcepoint describes it:
The easier and more obvious solution is to include the [malware] modules next to project files and let the user do the work by loading them and automatically executing the script along with it.
The social engineering part – i.e. tricking the user into opening the project – uses a set of lure drawings (in this case, apparently real drawings from already-infected victims) which may be selected to reflect the interests of the targeted company.
For example, companies interested in the construction business can be easily targeted with project names pretending to be concrete bases, metal alloy structures, or any element of a complex building design or ongoing tender.
These lures are often part of completely legitimate projects which have been previously acquired and become weaponized.
How It Works
Over the last few months, Forcepoint found 300 packages of drawings containing 100 versions of the acad.fas malware, whose file attributes are set to Read-Only and Hidden. The .fas code sets the system variable AcadLspAsDoc = 1, which tells AutoCAD to load the common acad.lsp file every time the operator opens another drawing (as documented by Autodesk). The purpose of the acad.lsp file is to load additional programs into AutoCAD.
With every drawing opened by the operator, the malware learns about additional project folders, and then copies itself into them. Using AutoCAD's CDate (current date and time) system variable, the malware attempts to communicate once every 24 hours with its masters, a server running in Chinese; that is as far as Forcepoint got in locating the source.
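The behaviour above suggests a simple defensive check a CAD manager can run over a project package before anyone opens a drawing from it: walk the folder tree and flag any file AutoCAD would auto-load from a drawing's folder, reporting the Read-Only and Hidden attributes the write-up says the malicious acad.fas carries. The following is an added example, not code from the original post or from Forcepoint; it assumes nothing beyond the standard library, and the sample project it builds (two drawing folders, one with a read-only acad.fas) is constructed for the demonstration. It goes slightly beyond the page by also matching the other startup names AutoCAD's legacy per-folder search covers (acad.vlx and the acaddoc.* family), not only acad.lsp and acad.fas.

```python
"""Pre-flight scan of a received CAD project package for auto-loading LISP files."""
import os
import stat
import tempfile
from pathlib import Path

# acad.lsp and acad.fas are the names in the Forcepoint write-up; the others are
# the remaining startup file names AutoCAD's legacy per-folder search also loads.
AUTOLOAD_NAMES = {
    "acad.lsp", "acad.fas", "acad.vlx",
    "acaddoc.lsp", "acaddoc.fas", "acaddoc.vlx",
}


def _win_attrs(p: Path) -> int:
    """NTFS attribute bits; 0 on platforms where st_file_attributes does not exist."""
    return getattr(p.stat(), "st_file_attributes", 0)


def is_hidden(p: Path) -> bool:
    """Windows Hidden attribute. POSIX has no equivalent, so this is False there."""
    return bool(_win_attrs(p) & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def is_read_only(p: Path) -> bool:
    """Read-Only attribute on Windows, or a missing owner write bit elsewhere."""
    if _win_attrs(p) & getattr(stat, "FILE_ATTRIBUTE_READONLY", 0):
        return True
    return not (p.stat().st_mode & stat.S_IWUSR)


def scan_project(root) -> list:
    """Return one finding per auto-loadable file found anywhere under root."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.name.lower() not in AUTOLOAD_NAMES:
            continue
        reasons = ["autoload-name"]
        if is_hidden(p):
            reasons.append("hidden")
        if is_read_only(p):
            reasons.append("read-only")
        findings.append({
            "path": p.relative_to(root).as_posix(),
            "reasons": reasons,
        })
    return findings


def build_sample_project(base) -> Path:
    """Constructed sample: two drawing folders, one carrying a read-only acad.fas."""
    base = Path(base)
    (base / "Site plan").mkdir()
    (base / "Site plan" / "site.dwg").write_bytes(b"constructed placeholder, not a real DWG")
    tower = base / "Tower B"
    tower.mkdir()
    (tower / "tower-b.dwg").write_bytes(b"constructed placeholder, not a real DWG")
    bad = tower / "acad.fas"
    bad.write_bytes(b"constructed placeholder, not real compiled LISP")
    # Mirror the attribute from the write-up: clearing the write bit makes the
    # file read-only on POSIX and sets the Read-Only attribute on Windows.
    os.chmod(bad, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return base


def demo() -> list:
    """Build the sample in a temporary folder, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_project(build_sample_project(tmp))
        # Restore write permission so the temporary folder can be removed cleanly.
        for p in Path(tmp).rglob("*"):
            if p.is_file():
                os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {', '.join(f['reasons'])}")
```

A hit on the autoload name alone is worth a look, since a legitimate project rarely needs its own acad.fas; a hit that is also hidden or read-only matches the pattern described above and should be quarantined before the package goes anywhere near a workstation.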
How AutoCAD Protection Works
If you use AutoCAD 2014 or newer, then Autodesk provides protection in the form of
- System variable TrustedPaths specifies the folders from which files can be opened by AutoCAD; see https://knowledge.autodesk.com/support/autocad/learn-explore/caas/CloudHelp/cloudhelp/2019/ENU/AutoCAD-Core/files/GUID-2FB4611D-F141-48D5-9B6E-460EB59351AF-htm.html?st=TrustedPaths
- System variable SecureLoad allows only code located in TrustedPaths to be loaded into AutoCAD; see https://knowledge.autodesk.com/support/autocad/learn-explore/caas/CloudHelp/cloudhelp/2019/ENU/AutoCAD-Core/files/GUID-541566C6-2738-49DD-87C3-C1490E924A02-htm.html?st=secureload
- Command SecurityOptions sets the security level of AutoCAD; see https://knowledge.autodesk.com/support/autocad/learn-explore/caas/CloudHelp/cloudhelp/2019/ENU/AutoCAD-Core/files/GUID-2199A941-E183-4CAC-914C-E4538468DE64-htm.html?st=securityoptions
- External CAD Manager Control Utility allows CAD managers to turn on these settings for all computers under their control; it is included with the AutoCAD installation.
The malware, however, gets around this security system by presenting itself as a legitimate project, defeating the usefulness of TrustedPaths and SecureLoad.
Who is Affected?
The malware primarily targets energy and automotive design firms located in China, India, Turkey, and the UAE, but some in the USA are affected as well. Forcepoint thinks that the malware is introduced when a CAD operator plugs a USB drive into his machine, which he received by courier from an apparently trustworthy source.
The problem is difficult to solve on the software side, as AutoLISP and other third-party code is extensively employed throughout AutoCAD, from simple pull-down menus to running design automation routines.
The solution is on the hardware side. Design firms that take security seriously remove USB ports and DVD drives, allowing their computers to access only the in-house server. The in-house server is not connected to the outside world.
I disagree. The problem is extremely simple to solve on the software side, and has in fact been solved since AutoCAD 2016 with the LEGACYCODESEARCH system variable (one of the things available in SecurityOptions). It's rare that there would be any need to have any code (e.g. acad.fas) automatically loaded just because it's in the Start In or drawing folders, and this system variable lets you turn that feature off. I know of one person who uses this facility to do project-specific startup stuff, but it's rare and there are alternative mechanisms available.
Upshot: set LEGACYCODESEARCH=0 and the problem goes away. As a CAD Manager, set the equivalent when creating your installation deployment and you can also specify that the user can't override it.
I suggested such a simple solution to Autodesk, many years before it was implemented. It was very frustrating to see that when some attention was finally paid to this issue, a lot of effort initially went into far more complex, troublesome, and less than fully effective security measures instead. A proper solution arrived eventually, but millions of users were exposed to unnecessary risk for years on end.
Fortunately in BricsCAD, acad.fas just gets ignored so these viruses will do nothing. It would be possible to write a BricsCAD equivalent but nobody has - yet - so for now we can get by without LEGACYCODESEARCH.
Posted by: Steve Johnson | Dec 17, 2018 at 04:33 AM
D.R. replies:
I think the main idea behind this kind of attack is the use of AutoCAD PROJECTS. You don't send a DWG (which cannot be infected this way), but you send a complete project (by USB, CD or mail).
The project consists of multiple DWGs (xrefs), maybe some support files (shapes/fonts) and a hidden acad.lsp/fas. As AutoCAD automatically runs an acad.lsp from within the project folder (which I think it does), using the project infects the system.
Posted by: Ralph Grabowski | Dec 17, 2018 at 07:05 AM
That's the point of what I wrote in my comment: you can (and should!) turn off that auto-loading in 2016 and later. It's off by default, which is as it should be. Please see the docs on LEGACYCODESEARCH.
Posted by: Steve Johnson | Dec 17, 2018 at 05:28 PM