Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The attack is reportedly confined to Russia, but as with similar attacks, it's likely to spread. US-based security teams should make sure anyone who uses Telegram for work has the latest version, and warn employees not to open attachments from unknown sources.
Kaspersky Lab has reported the discovery of a zero-day flaw in popular messaging app Telegram that allowed hackers to install backdoors and cryptomining malware.
The Telegram hack, which only targets the Telegram desktop app, works by exploiting the right-to-left override (RLO) function used to display alphabets that read right to left, like Hebrew and Arabic. Using RLO to rename part of a file, as was the case in this attack, can convince a user to download malicious code disguised as a different type of file.
In a detailed breakdown of how the Telegram hack works, Kaspersky Lab malware analyst Alexey Firsh said the attack was only detected inside Russia, but that's no reason to become complacent—attacks like this can easily spread.
Making a malicious message
RLO can be done on a document or message, as is the case when using a right-to-left alphabet. The unicode character U+202E will also reverse any text that comes after it, and can be used in file names as well as documents.
Clicking on the malicious file prompts a Windows security warning, as shown in the image below. Like similar attacks involving disguised files, the attack on the desktop Telegram app is relying on users to ignore warnings that, if read, should raise red flags.
What attackers are installing
Kaspersky Lab discovered two distinct malware types while investigating the Telegram RLO attack: Cryptomining software and a backdoor that used the Telegram API as a command and control protocol.
The cryptomining software installed by the attack, like others, uses the victim's CPU and GPU to mine cryptocurrency for the attacker.
SEE: Infographic: Almost half of companies say cybersecurity readiness has improved in the past year (Tech Pro Research)
Cryptomining malware is dangerous, and can have a destructive effect on hardware that's pushed to its limits for extended periods of time. That's where the danger ends—the same of which can't be said for the command and control software attackers are also installing.
The full list of commands available to the attacker, shown below, allow an attacker to install additional malware, steal system information, or kill processes that threaten its operation.
Kaspersky Lab also reported that its investigations uncovered the local cache of a user's Telegram on a server belonging to an attacker, meaning it's possible for attackers to steal personal data as well.
Kaspersky reached out to the Telegram team, and it said the zero day is no longer working in its tests of updated Telegram software.
Other chat programs and outdated versions of Telegram may still be vulnerable. IT teams need to be sure users who have Telegram are updated to the latest version, and that all users are trained on the importance of not opening files from unknown sources.
- Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
- Android malware: Millions fall victim to drive-by cryptocurrency miner (ZDNet)
- Cryptomining malware spread via US, UK and Australian government sites (TechRepublic)
- A giant botnet is forcing Windows servers to mine cryptocurrency (ZDNet)
- North Korea is likely underwriting cyberattacks by mining Monero (TechRepublic)