President Obama recently issued an executive order in response to Russia’s cyberattacks against the United States. It imposes sanctions on Russian individuals and entities, and a number of Russian diplomats have been ordered to leave the US within 72 hours. The order illustrates the outsized impact cyber security now has on international relations, but its implications for businesses and individuals are less immediately apparent.

Among the entities added to the Specially Designated Nationals and Blocked Persons (SDN) list is a company described as “ZORSECURITY (f.k.a. ESAGE LAB; a.k.a. TSOR SECURITY)”. Esage Lab seems to be best known in English-speaking countries for a software product, “Bootkit Remover”, that was promoted by users of popular malware removal forums a few years ago.

Bootkit Remover has not been updated to work with Windows 10 and has been discontinued by Esage, but popular forums where users describe and troubleshoot malware infections frequently recommended it (and still host downloads of the software that are independent of the Esage site). These forums rank very highly in Google search results for malware-related terms, so there are probably still users who download the Esage Lab Bootkit Remover.

[Screenshot redacted] (This screenshot is redacted simply to keep more users from going there and following these instructions blindly. Your IT staff is probably very familiar with this forum and could name it after a glance at this image.)

While there is no indication that Esage’s Bootkit Remover contains malicious code, ask yourself whether you are comfortable having your software vendors answer to a foreign power’s intelligence service, especially for code that runs at the highest privilege level on your system.

Think about it in terms of attack surface: you have spent time and effort preventing unwanted and dangerous code from running on your internal systems, yet you might willingly install software that enables cyber espionage, and pay for the privilege. If the software you install automatically updates and “phones home” to the vendor, you could one day be the recipient of a targeted malicious “upgrade”.

Does your organization have a process for vetting vendors in technology purchases and software installations for these nation-state relationships? How would you even know? Only by vigilant monitoring and testing of your internal network, in addition to your existing external attack surface defenses, can you identify when the software you have deployed has been turned against you.
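One concrete form that vetting step can take is checking your software inventory against the names and aliases in the sanctions list. The Python below is an added example written for this post, not code from HORNE Cyber or the original author. The SDN entry string is the one quoted above; the inventory records, hostnames, product names other than Bootkit Remover, and the list of corporate suffixes are constructed assumptions, as is the assumption that the alias text follows the “NAME (f.k.a. X; a.k.a. Y)” shape seen in that entry.

```python
"""Check a software inventory against an SDN-style vendor watchlist.

Added example for this post, not code from HORNE Cyber or the original
author. The watchlist entry is the SDN text quoted in the post; the
inventory records below are constructed sample data.
"""
import re

# The SDN entry as quoted in the post: a primary name, then "f.k.a."
# (formerly known as) and "a.k.a." (also known as) aliases in parentheses.
SDN_ENTRY = "ZORSECURITY (f.k.a. ESAGE LAB; a.k.a. TSOR SECURITY)"

# Product names the post associates with the entity; matched separately
# because forum-hosted copies may carry no publisher metadata at all.
WATCHED_PRODUCTS = ["Bootkit Remover"]

# Assumed list of corporate suffixes to ignore when comparing names.
CORP_SUFFIXES = r"\b(llc|ltd|inc|corp|co|gmbh|ooo|zao|oao)\b"


def normalize(name):
    """Case-fold, strip punctuation and corporate suffixes, collapse
    whitespace, so 'Esage Lab, LLC' and 'ESAGE LAB' compare equal."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    s = re.sub(CORP_SUFFIXES, " ", s)
    return " ".join(s.split())


def parse_sdn_entry(entry):
    """Return the normalized primary name plus every f.k.a./a.k.a. alias.

    Assumes the 'NAME (f.k.a. X; a.k.a. Y)' layout of the quoted entry.
    """
    m = re.fullmatch(r"\s*([^(]+?)\s*(?:\((.*)\))?\s*", entry)
    if not m:
        raise ValueError("unrecognised SDN entry: %r" % entry)
    names = [m.group(1)]
    if m.group(2):
        for part in m.group(2).split(";"):
            part = re.sub(r"^\s*(?:f\.k\.a\.|a\.k\.a\.)\s*", "", part.strip(),
                          flags=re.IGNORECASE)
            if part:
                names.append(part)
    return {normalize(n) for n in names}


# Constructed inventory records of the kind an endpoint agent reports.
# Hosts, and products and publishers other than those named in the post,
# are invented for illustration.
INVENTORY = [
    {"host": "ws-041", "product": "Bootkit Remover", "publisher": "Esage Lab, LLC"},
    {"host": "ws-041", "product": "7-Zip", "publisher": "Igor Pavlov"},
    {"host": "ws-102", "product": "Disk Utility", "publisher": "ZorSecurity"},
    {"host": "ws-117", "product": "Bootkit Remover", "publisher": ""},
    {"host": "ws-120", "product": "Notepad++", "publisher": "Notepad++ Team"},
]


def find_watchlisted(inventory, entry=SDN_ENTRY, products=WATCHED_PRODUCTS):
    """Return (host, product, reason) for every record whose publisher is a
    watchlisted name or alias, or whose product is a watchlisted product."""
    watch_names = parse_sdn_entry(entry)
    watch_products = {normalize(p) for p in products}
    hits = []
    for rec in inventory:
        pub = normalize(rec.get("publisher", ""))
        prod = normalize(rec.get("product", ""))
        if pub in watch_names:
            hits.append((rec["host"], rec["product"], "publisher " + rec["publisher"]))
        elif prod in watch_products:
            hits.append((rec["host"], rec["product"], "watched product name"))
    return hits


if __name__ == "__main__":
    for host, product, reason in find_watchlisted(INVENTORY):
        print("%s: %s (%s)" % (host, product, reason))
```

The product-name check exists because a copy downloaded from a forum rather than the vendor may have an empty publisher field, which a publisher-only match would miss. The comparison is an exact match on normalized names, so a vendor that trades under a name not in the entry, or a misspelled publisher string, still needs a human review pass.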

As an industry, information security professionals will have to adopt an intelligence community mindset to identify potential threats and conflicts of interest in their clients’ vendor lists.


This post was written by Wesley McGrew

Wesley serves as the director of cyber operations for HORNE Cyber. Known for his work in offensive information security and cyber operations, Wesley specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.
