Cyberespionage, Malware

How to stay safe from the Chinese JavaScript Tetris surveillance kit

Today’s columnist, Idan Cohen of Reflectiz, believes that as Chinese threat actors perfect their surveillance operations with the Tetris JavaScript, they will escalate and make similar attacks around the world. (Photo by Kevin Frayer/Getty Images)

Malicious JavaScript frameworks that collect sensitive data are not confined to web skimming. What was once used by individual threat actors to steal credit card information has become a fully developed state-sponsored monitoring kit. Recent reports of a Chinese JavaScript-based surveillance tool has raised alarms regarding its efficiency in extracting sensitive data while evading detection by most traditional security tools.

Using the JavaScript framework to track and monitor opposition supporters

Let’s say that a particular authoritarian state that’s notorious for tracking its citizens has found a way to use major mainstream websites as a surveillance tool. Does a site owner want to be part of this network? Well, they are already. Whenever a victim enters a specific watering hole website such as an opposition-supporting media outlet, they trigger a JavaScript framework planted there to extract sensitive data. It includes names, addresses, phone numbers, hardware IDs, and even the geolocation or a picture of the victim.

Tetris operates as a modular, customized JavaScript-based framework used as a surveillance kit that targets Chinese-speaking opposition via infected websites. Tetris exploits vulnerabilities in digital web applications found in 58 widely used websites, including Aliexpress, Baidu, QQ, and Tmall. Tetris proves the potentially unlimited power of JavaScript frameworks to steal personal information. Right now, the platform is mostly being used against Chinese citizens. When they unknowingly visit a website that’s part of the network, multiple JavaScript tools access their data and location.

The method’s efficiency lies in its ability to evade traditional security measures combined with the scope of data it collects. Rather than targeting specific victims at a time, it lets threat actors collect exponential amounts of confidential data continuously.

Tetris shows how the combination of a digital app and JavaScript can use third-party apps as part of an espionage network. The question is: Are you sure you are not part of this or a similar network?

Furthermore, as the Chinese threat actors perfect their activities against their own citizens, they will start using the same methodologies and attack vectors across the rest of the world, if they haven’t already started.

Now that we can comprehend this method’s potential scope, let’s deconstruct the technical terms and simplify the story:

How the Tetris JavaScript works

A Tetris attack starts by compromising a watering hole website. Threat actors use a watering hole to target a particular group (company, industry, region). They inject malicious code executed whenever users access the affected websites. The threat actors then gains access to a victim’s system by injecting a JavaScript file inside the compromised website’s digital applications. The JS file functions as a third-party script that runs on the client-side and establishes a connection between the end-user and the third-party vendor. This becomes the attacker’s favorable blind spot because the communications between the end-user and any third party aren’t monitored by the existing security solutions such as a web application firewall.  

The malicious JavaScript makes a JSONP (JSON with Padding) request to dozens of major Chinese websites using the script tag. Using JSONP requests, the attackers bypass cross-domain policies and collect the user’s private information as long as the victim is logged in to one of the dozens of affected services. When the browser receives the data, it sends the personal data, including sex, birthday, real name, and user ID, to an attacker-controlled server.

AT&T Cybersecurity researcher Jaime Blasco first identified this method on June 11, 2015. Blasco identified watering hole attacks that shared similar MO and platform as the latest Chinese state-sponsored Tetris attack revealed by imp0rtp3 on August 12, 2021. The attackers used the victim’s interactions with more than 50 major websites (including the top five portals in China) to exfiltrate sensitive data off of their browsers.

Security pros need to understand that a website’s dependency on JavaScript frameworks makes them an attractive security vulnerability for threat actors to exploit. It lets the threat actors bypass traditional cybersecurity tools and steal sensitive data for months undetected. It’s that effective.

What does the Chinese government gain from it?

All the watering holes observed are targeting Chinese users visiting Chinese opposition-supporting websites. It seems that these campaigns have been targeting a particular group of people. Since there was no financial gain on collecting most of the leaked personal data, it’s safe to assume that whoever’s behind these attacks looks to reveal the user’s personal information. It’s also worth mentioning that the Chinese Great Firewall (GFW) likely blocks some of the sites that the victim tries to reach.

The GFW analyzes and blocks traffic leaving China, However, Chinese users can bypass the GFW by running VPNs or TOR. In these cases, the GFW doesn’t have complete visibility into the traffic. When plaintext traffic comes out of VPNs or TOR endpoints, the GFW doesn’t know the actual IP address of the user that is visiting a specific website.

Imagine that the Chinese government wants to reveal individuals who visit certain websites sympathetic to particular causes even when they use TOR or VPNs to hide their tracks. This has been happening since at least 2013. Even if the only data the attackers can obtain are user IDs for specific websites, the threat actors can use it to pinpoint targets for espionage within the GFW.

If there’s one lesson to learn from a Tetris surveillance kit is that it’s impossible to achieve complete confidentiality. When threat actors realized the potential of third-party code intrusions, it quickly became a popular technique for cyber breaching and sensitive data leakage. There’s a vast difference between individual hackers using this method for web skimming credit card information and state-sponsored threat actors using it to spy on their citizens.

What can security teams do about it?

The average security department spends millions of dollars on creating a solid perimeter defense for its website. Still, it all misses a big chunk of code: Dozens of third parties’ code  each can bypass the process and get access to the most sensitive data. Traditional security products like a WAF or security headers like CSP can’t even detect this data leaking method. These systems don’t notice the communication takes place between the end-user and the external digital vendor.

This leaves website owners and end-users unaware of what these third-party scripts do: Where they run and how they communicate with other components or remote domains. That’s why security teams need to make informed decisions that rely on real-time data. Reduce the scope of damage that these threats impose on the enterprise by doing the following: Discover the digital ecosystem by mapping the company’s assets to ensure none are maliciously acting for someone else; routinely scan websites for any irregularities and changes made by third-party scripts; and configure notifications for any suspicious behaviors to address security breaches in real-time.

I won’t lie: If the Chinese government wants to gain access to a company’s data, they probably will find a way. It’s no surprise that even their method of choice is to exploit external digital apps and frameworks. Security teams can’t run a website without using third and fourth-party scripts; the dependency that websites build on these digital applications tremendously increases their attack surface. It’s what makes it the perfect vulnerability to exploit. That’s why security pros can’t ever ensure total prevention of this sort of cyber-attacks. But by becoming aware of the issue and potential fixes, security pros can help mitigate these attacks.

Idan Cohen, co-founder and CEO, Reflectiz

prestitial ad