What with all the news about China looking to snare Western technology (and Westerners snaring Chinese), we are now learning more about efforts to steal intellectual property from design firms.
A reader writes,
I guess you already have seen this, but just in case:
I have been warning about AutoCAD malware since the introduction of VBA routines in DWG, which include the auto-open function. Targeting acad.lsp (and the like) was possible even longer before, but always required social engineering, as it still does today.
- D. R.
Unauthorized access to AutoCAD and the IP it holds should not come as a surprise, neither to Autodesk nor to users. I remember reading (and telling you) about it a decade ago. From 2008, here is how AutoLISP can be used as malware:
The New Attack Vector
In the new vector of attack, a file meant to protect IP is being used to steal IP. The acad.fas file is meant to encrypt AutoLISP routines so that the code cannot be borrowed, lifted, or stolen. (Normally, AutoLISP code is written and run as plain ASCII text, and so is easily inspected, reviewed, and stolen.)
AutoCAD limits its search for support files, such as acad.fas, to specific folders, and outsiders won't necessarily know the names of a firm's project folders. (There are some default folders.) So here is the solution, as Forcepoint describes it:
The easier and more obvious solution is to include the [malware] modules next to project files and let the user do the work by loading them and automatically executing the script along with it.
The social engineering part – i.e. tricking the user into opening the project – uses a set of lure drawings (in this case, apparently real drawings from already-infected victims) which may be selected to reflect the interests of the targeted company.
For example, companies interested in the construction business can be easily targeted with project names pretending to be concrete bases, metal alloy structures, or any element of a complex building design or ongoing tender.
These lures are often part of completely legitimate projects which have been previously acquired and become weaponized.
How It Works
Over the last few months, Forcepoint found 300 packages of drawings containing 100 versions of the acad.fas malware whose file attributes are set to Read-Only and Hidden. The .fas code sets system variable AcadLspAsDoc = 1, which tells AutoCAD to load the common acad.lsp file every time the operator opens another drawing (as documented by Autodesk). The purpose of the acad.lsp file is to load additional programs into AutoCAD.
With every drawing opened by the operator, the malware learns about additional project folders, and then copies itself into them. Using AutoCAD's CDate (current date and time) system variable, the malware attempts to communicate once every 24 hours with its masters: a server running in Chinese, which is as far as Forcepoint got in locating the source.
How AutoCAD Protection Works
If you use AutoCAD 2014 or newer, then Autodesk provides protection in the form of
- System variable TrustedPaths specifies the folders from which files can be opened by AutoCAD; see https://knowledge.autodesk.com/support/autocad/learn-explore/caas/CloudHelp/cloudhelp/2019/ENU/AutoCAD-Core/files/GUID-2FB4611D-F141-48D5-9B6E-460EB59351AF-htm.html?st=TrustedPaths
- System variable SecureLoad allows only code located in TrustedPaths to be loaded into AutoCAD; see https://knowledge.autodesk.com/support/autocad/learn-explore/caas/CloudHelp/cloudhelp/2019/ENU/AutoCAD-Core/files/GUID-541566C6-2738-49DD-87C3-C1490E924A02-htm.html?st=secureload
- Command SecurityOptions sets the security level of AutoCAD; see https://knowledge.autodesk.com/support/autocad/learn-explore/caas/CloudHelp/cloudhelp/2019/ENU/AutoCAD-Core/files/GUID-2199A941-E183-4CAC-914C-E4538468DE64-htm.html?st=securityoptions
- External CAD Manager Control Utility allows CAD managers to turn on these settings for all computers under their control; it is included with the AutoCAD installation.
The malware, however, gets around this security system by presenting itself as a legitimate project, defeating the usefulness of TrustedPaths and SecureLoad.
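To make the loading mechanism and the TrustedPaths/SecureLoad defence concrete, here is an added audit script (example code written for this post, not Forcepoint's or Autodesk's). A CAD manager could run it over a project share: it lists the auto-load files AutoCAD picks up from drawing folders, records whether they carry the Read-Only or Hidden attributes described above, and models what SecureLoad would do with each file under a given TrustedPaths value. The auto-load file names, the "..." suffix that trusts subfolders in TrustedPaths, and the SecureLoad 0/1/2 meanings are assumptions taken from Autodesk's documentation; the project tree it builds is constructed for the demo.

```python
"""Audit drawing folders for AutoLISP auto-load files and model AutoCAD's
TrustedPaths/SecureLoad decision for each one. Added example, not vendor code."""
import os
import stat
import tempfile
from pathlib import Path

# File names AutoCAD loads automatically at startup or when a drawing opens
# (assumption from Autodesk documentation; acad.fas is the one in the report).
AUTOLOAD_NAMES = {
    "acad.lsp", "acaddoc.lsp",   # plain-text AutoLISP startup files
    "acad.fas", "acaddoc.fas",   # compiled ("Fast-load") AutoLISP
    "acad.vlx", "acad.mnl",      # other auto-loaded executable formats
}


def _attributes(path: Path) -> dict:
    """Hidden/read-only flags. Windows exposes the real attribute bits via
    st_file_attributes; on POSIX we approximate with dot-files and mode bits."""
    st = path.stat()
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return {"hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                "readonly": bool(attrs & stat.FILE_ATTRIBUTE_READONLY)}
    return {"hidden": path.name.startswith("."),
            "readonly": not (st.st_mode & stat.S_IWUSR)}


def find_autoload_files(root) -> list:
    """Walk a tree of project folders and list every auto-load file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in AUTOLOAD_NAMES:
                p = Path(dirpath, name)
                entry = {"path": str(p), "name": name.lower()}
                entry.update(_attributes(p))
                findings.append(entry)
    return findings


def _norm(p) -> str:
    # AutoCAD compares folders case-insensitively on Windows; normcase does that there.
    return os.path.normcase(os.path.abspath(str(p)))


def parse_trusted_paths(value: str) -> list:
    """Split a TrustedPaths value ("dir1;dir2\\...") into (folder, recursive)
    pairs. A trailing '...' marks that subfolders are trusted as well."""
    out = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        recursive = item.endswith("...")
        if recursive:
            item = item[:-3].rstrip("\\/")
        out.append((_norm(item), recursive))
    return out


def is_trusted(file_path, trusted) -> bool:
    folder = _norm(Path(file_path).parent)
    for base, recursive in trusted:
        if folder == base or (recursive and folder.startswith(base + os.sep)):
            return True
    return False


def load_decision(file_path, trusted, secureload: int) -> str:
    """Model SECURELOAD: 0 = load anything silently, 1 = prompt the user for
    files outside TrustedPaths (the default), 2 = refuse such files outright."""
    if secureload == 0 or is_trusted(file_path, trusted):
        return "load"
    return "prompt" if secureload == 1 else "block"


def audit(root, trusted_paths_value: str, secureload: int) -> list:
    trusted = parse_trusted_paths(trusted_paths_value)
    report = []
    for f in find_autoload_files(root):
        f["decision"] = load_decision(f["path"], trusted, secureload)
        # Compiled code sitting beside drawings, or carrying the Read-Only /
        # Hidden attributes the report describes, deserves a second look.
        f["suspicious"] = f["hidden"] or f["readonly"] or f["name"].endswith(".fas")
        report.append(f)
    return report


def demo(secureload: int = 1) -> list:
    """Constructed project tree with a planted acad.fas, audited with a
    sample TrustedPaths value that does not include project folders."""
    with tempfile.TemporaryDirectory(prefix="cadaudit_") as tmp:
        proj = Path(tmp, "Tender_ConcreteBase")
        proj.mkdir()
        (proj / "foundation.dwg").write_bytes(b"AC1027")  # constructed stand-in
        fas = proj / "acad.fas"
        fas.write_bytes(b"\xfa\xfa")                       # constructed placeholder
        fas.chmod(0o444)                                   # read-only, as reported
        return audit(tmp, "C:\\Program Files\\Autodesk\\ApplicationPlugins\\...", secureload)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

With the default SecureLoad = 1 the planted file is outside TrustedPaths, so AutoCAD prompts, and a user who believes the project is legitimate clicks Load; that is the gap the lure drawings exploit. Setting SecureLoad = 2 turns the decision into "block", but only as long as project folders are kept out of TrustedPaths.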
Who is Affected?
The malware primarily targets energy and automotive design firms located in China, India, Turkey, and the UAE, but some in the USA are affected as well. Forcepoint thinks the malware is introduced when a CAD operator plugs into his machine a USB drive that he received by courier from an apparently trustworthy source.
The problem is difficult to solve on the software side, as AutoLISP and other third-party code is extensively employed throughout AutoCAD, from simple pull-down menus to running design automation routines.
The solution is on the hardware side. Design firms that take security seriously remove USB ports and DVD drives, allowing their computers to access only the in-house server. The in-house server is not connected to the outside world.