What if the very tools designed to safeguard IT systems can become “traitorware”, a gateway for malicious actors?
Adam Rice, a seasoned Security Engineer at Huntress, came across such a potential danger lurking within one such tool—Splunk.
Widely recognized as a leading log ingestion tool, Splunk possesses immense power to collect and analyze vast amounts of data.
However, Rice’s exploration exposed a flaw that transforms this trusted software into what he aptly terms “traitorware.”
Rice uncovered how Splunk’s core features could be weaponized, presenting a harrowing threat to sensitive data and system security.
This insidious phenomenon occurs when seemingly benign tools betray the trust placed in them to perform malicious actions, leaving organizations vulnerable to nefarious exploits.
While malware regularly pops up in cybersecurity news, the very real possibility of anyone creating ‘traitorware’ in trusted IT systems is rarely discussed.
Spotting traitorware
The heart of Rice’s investigation revolved around the Splunk Universal Forwarder (UF), a component known for its remote code execution (RCE) feature.
Remarkably, Rice accomplished his proof of concept without resorting to RCE, instead focusing on custom Splunk configurations to establish a malevolent infrastructure.
By ingeniously manipulating cascading configuration files within Splunk, Rice created a deceptive output for logs—a malicious rsyslog server under his control.
Through meticulous experimentation, he demonstrated the chilling capabilities of using Splunk as a “living off the land” command and control (C2) server—a technique employed by cybercriminals to exploit legitimate software and functions for their malicious actions.
This exploit’s success hinged on the ability to add configurations to the outputs.conf file loaded into memory, strategically avoiding overwriting existing configurations that might raise suspicions.
By deploying a new Splunk app comprising specifically crafted configurations, Rice achieved a significant breakthrough.
His setup enabled the exfiltration of data from compromised systems while remaining inconspicuous amidst the legitimate log streams, effectively exploiting Splunk’s intended functionality.
“What I found is not only is it possible, but it’s scary in terms of capabilities. I want to inform the wider community since these are issues that can be fixed with easy architectural changes,” Rice wrote in his first report on traitorware.
Splunk is a powerful log collection tool widely used in enterprise environments. It offers various features and functionalities that can be enhanced through technical apps (TAs) and add-ons.
These apps range from simple configuration files for monitoring specific directories to complex user interfaces with executable code capabilities.
One notable example is the Splunk Add-on for Windows, which extends Splunk’s capabilities for gathering information from Windows hosts.
This add-on is highly popular, boasting over 415,000 downloads (as of the time of writing). It enables the Splunk Universal Forwarder (UF) to collect additional log data from the system by leveraging PowerShell scripts and custom inputs.
Taking his enquiry further, Rice created a scenario where the Splunk UF is utilized as a Remote Access Trojan (RAT) on the system, allowing it to receive arbitrary PowerShell commands from a remote server.
To accomplish this, he used a custom Splunk app, leveraging the PowerShell input functionality provided by Splunk.
Rice clarified that his findings are not to be misconstrued as vulnerabilities or bugs within Splunk. The potential for abuse happens through configuration settings supported by the tool.
“I chose Splunk for this demonstration because it’s one of my favorite tools, and I felt it provided a good illustration of just how simple these attacks can be,” Adam Rice told The Cyber Express.
“Any tool or piece of software with a wide range of access to your network & infrastructure, IAM, or sensitive data has the potential to be exploited as traitorware. One of the most common types of software we see abused in this way are RMM tools, such as ConnectWise Control, Anydesk, and Pulseway, among others.”
This brings us to an important question: can any security system become traitorware? How do we differentiate them from malware?
What exactly is traitorware?
“In the context of cybersecurity, traitorware can refer to software or systems that betray the trust placed in it to perform malicious actions. These techniques differ from malware as they are usually used to stage the malware, or provide a point to deploy malware,” Rice told The Cyber Express.
According to Itay Glick, VP of Products at OPSWAT, traitorware differs from traditional malware because it leverages legitimate software or trusted functionalities to carry out malicious actions.
“Traditional malware is about disrupting systems or stealing data. Traitorware focuses on covertly collecting sensitive information or monitoring user activities,” Glick told The Cyber Express.
“What makes it particularly concerning is its deceptive nature, as it often masquerades as legitimate software or devices, making it difficult for users to detect its presence.”
Traitorware utilizes the existing features and capabilities of software, often operating system components or installed tools, to achieve its malicious goals.
It can exploit the inherent trust placed in such software, not necessarily Splunk, making it particularly concerning as it bypasses conventional security measures and can go undetected for extended periods.
“The concern lies with the abuse of these types of platforms. Who’s monitoring the security tools for threats? I love this Laton quote ‘Quis custodiet ipsos custodes?’, which means ‘who will guard the guards?’,” Rice said.
How to tackle traitorware
Cybersecurity professionals unanimously point out that there are ways to convert legit IT security software into traitorware. However, their opinions vastly vary when it comes to techniques of spotting traitorware.
“I don’t think there are general guidelines that work because traitorware takes so many forms, from printer dots to DRM software,” Paul Bischoff, consumer privacy advocate at Comparitech, told The Cyber Express.
He has a valid reason for that: traitorware’s definition encompasses the processes too. Security researchers contacted by The Cyber Express listed some examples of traitorware-like attacks, such as:
- Abusing administrative or monitoring tools to gain unauthorized access or collect sensitive information.
- Exploiting legitimate remote access software to establish unauthorized connections or control remote systems.
- Manipulating trusted software updaters to deliver malicious payloads or gain persistence on compromised systems.
- Subverting antivirus or security software to disable or bypass protection mechanisms.
- Leveraging system management tools for unauthorized system modifications or data exfiltration.
However, OPSWAT’s Glick said that certain indicators such as unexpected data usage or network activity, unexplained battery drain, increased device heat, unusual pop-ups or system behavior, or unexplained changes in settings or permissions can be used as red flags.
“Suspicious processes running in the background or unknown applications appearing on the device can also be warning signs of presence of traitorware. Some of this can be detected by sandbox technology,” he said.
Detecting the presence of traitorware can be challenging since it often operates within the boundaries of trusted software. However, there are some techniques and indicators that individuals or organizations can look out for:
- Monitoring unexpected or unauthorized network connections or traffic patterns.
- Noticing unusual system behavior, such as increased resource usage or unexplained system modifications.
- Identifying suspicious processes or services running on the system.
- Regularly reviewing logs and auditing system activities for anomalies.
- Keeping an eye on unexpected or unauthorized changes to software configurations or settings.
- Being vigilant about unrecognized or unauthorized software installations or updates.
These indicators, along with proper security monitoring and incident response practices, can help in identifying the presence of traitorware.
“Performing regular security scans using reputable antivirus or anti-malware software can also help detect potential threats. Using multiscanning technology can also help to achieve top detection rate for known traitorware,” Glick said.
Apart from the obvious security problems, traitorware rakes up privacy issues too, raising ethical and legal concerns.
Traitorware and the legal and ethical issues
In terms of legal and ethical considerations, the use of traitorware raises concerns regarding user privacy and trust in software.
There may be regulations and guidelines in place depending on the jurisdiction to address cybersecurity and privacy concerns.
“Some countries have specific regulations or guidelines in place to address privacy concerns and protect individuals from unauthorized surveillance,” Glick pointed out.
For example, data protection laws and regulations, such as the European Union’s General Data Protection Regulation (GDPR), aim to safeguard individual privacy rights and require organizations to handle personal data responsibly.
This puts the legal liability of any privacy breaches resulting from traitorware squarely on the shoulders of the organisation that harbours it.
“Reading privacy policies, using privacy-enhancing tools, and supporting organizations and initiatives that promote privacy rights can also help individuals protect their privacy in the face of traitorware threats,” Glick added.
Due diligence, beginning with choosing hardware and software from trusted, reputable manufacturers and developers, helps in mitigating the legal liability, pointed out Comparitech’s Bischoff.
“Traitorware could use dark patterns to trick users into activating it, which might qualify as being deceptive and therefore illegal. Ethically, no device or software should betray your privacy or attempt to change your device’s functionality behind your back,” he said.
Adam Rice prescribers CISA’s recent guide for securing remote access software as an excellent resource for organizations looking to educate themselves against the threat of abuse of these tools.
“Outside of RMM tools, it’s challenging to generalize advice. Suppose there is a software or tool with broad access to the organization. In that case, you should ask, ‘If a malicious actor gains access to this tool, how much damage can they do?’,” he said.
“If the answer is more than “not much,” you should consider adding additional controls around that tool. Those controls will depend entirely on the tool itself, how it’s deployed, and the environmental context.”
