Journalists at ZDNet drew the attention of Mozilla engineers to the numerous abuses of the Firefox Send service, which was actively used to distribute malware. The service is currently temporarily suspended (for the duration of the investigation), and the developers promise to improve it and add a "Report violation" button.
Firefox Send was launched in March 2019. It is a private file hosting service that lets Firefox users share files. All files uploaded and transferred via Firefox Send are stored in encrypted form, and users can set how long files are retained on the server, as well as the permitted number of downloads before that “expiration date” is reached. The service was available to all users at send.firefox.com.
Although Mozilla engineers designed Firefox Send with the privacy and security of their users in mind, since the end of 2019 the service has become very popular not with ordinary people but with malware developers.
In most cases, hackers exploit the service in a very simple way: they upload malware payloads to Firefox Send, where the file is stored in encrypted form, and then paste links to the file into, for example, their phishing emails.
ZDNet writes that in the past few months Firefox Send has been used to store payloads for a wide variety of campaigns, from ransomware to financially motivated malware, and from banking trojans to spyware attacking human rights defenders. The service was abused by such well-known hack groups as FIN7, REvil (Sodinokibi), Ursnif (Dreambot) and Zloader.
British information security expert Colin Hardy explains exactly which factors attract malware authors to the Firefox Send service. First, Firefox URLs are considered trustworthy in many organizations, so spam filters do not detect or block them. In addition, attackers who use Mozilla servers do not have to invest time and money in creating and maintaining their own infrastructure. And, as mentioned above, Firefox Send encrypts files, which hinders security solutions, and links for downloading malware can be configured to expire after a certain time or number of downloads, which complicates the work of information security experts.
The growing number of malicious operations associated with Firefox Send has not escaped the attention of the information security community. Over the past few months, experts have regularly complained about the lack of a mechanism for reporting abuse, or of a “Report a file” button that could be used to stop malicious operations.
While preparing a publication about these problems, ZDNet reporters asked Mozilla for comment, wanting to know the organization’s position on the hosting of malware, as well as the status of the development of a mechanism for reporting violations.
Mozilla’s response surprised both journalists and information security professionals, as the organization immediately suspended the Firefox Send service and announced that it was working to improve it.
“We will temporarily take Firefox Send offline while we improve the product. Before restarting the (service), we will add a violation reporting mechanism to supplement the existing feedback form, and we will also require all users who want to share content using Firefox Send to log in using their Firefox account,” Mozilla representatives said.
It is currently unknown when Firefox Send will return online. All links to Firefox Send have stopped working, which means that all malicious campaigns that used the service are also temporarily disabled.