AutoCad Security Bug Still a Risk, It Turns Out

January 03, 2018 / Votiro Labs

Credit card information is nice, and identity theft is a profitable industry – but for hackers, the big money is in industrial espionage. When hackers invade a corporate network, using their tricks to inveigle victims into granting them access to their computers via spear phishing campaigns aided by social engineering, it’s most often corporate secrets they’re after. Admitting the loss of trade secrets is very bad business, so exact numbers are hard to come by, but the best estimates say that American firms lose up to $500 billion a year in stolen intellectual property – theft that costs Americans over a million jobs a year.

With intellectual property largely digitized today, trade secrets – in the form of documents, spreadsheets, images, etc. – are all stored in databases, and in many situations they are also stored on computers belonging to the individuals who created/invented/developed/improved the item in question. To get to that data, hackers need to jump through several hoops: 1) Design a specific agent or method that will enable them to steal the information they seek 2) Determine which computers to attack (that of the designer, a central database, etc.) 3) Find a way to install said agent on a user’s computer and/or corporate server 4) Build a method which will enable them to fetch the information they are after.

Sometimes, us good guys get lucky, and we are able to shine a light on the nefarious methods used by industrial espionage hackers – and in this post, we discuss a method used by hackers targeting Autocad users. Autocad, of course, is an application for computer-aided design (CAD). Released in 1982, it is used by Millions of customers world-wide to achieve a variety of design purposes – architecture, product design, urban planning, and much more. For motivated hackers, raiding a designer’s computer for the latest iteration of designs and drawings of an ‘iPhone killer’ – the kind of thing a designer might use Autocad for – is likely to lead them to spend many sleepless nights figuring out ways to worm their way into a system, and abscond with their desired treasure.

Clever hackers developed already years ago a remote code execution method that would enable them to hijack Autocad files. Remote code execution vulnerability CVE-2013-3665 was a memory corruption vulnerability which was initiated when the user opened a maliciously crafted drawing file. That vulnerability worked in conjunction with two other vulnerabilities, CVE-2014-0819 and CVE-2014-0818, which were a “file search path vulnerability.” A phishing message was used to allow hackers entry to a system, enabling them to deliver a modification to a file called acad20XX.lsp (written in Autocad’s AutoLISP markup language), a startup file that Autocad automatically looked for when opening.

The corrupted file had the ability to replicate itself throughout a user’s computer, and as Autocad would seek the first instance of acad20XX.lsp it finds (such as in the same folder as the drawing itself), the corrupted file became the hacker’s ticket to steal. Once installed, the file could hijack .DLL routines Autocad relies on (via Virtual Basic scripts), and ensure that it runs every time an Autocad drawing (.DWG) file was opened – simply by adding a single line of code: (“(if (findfile “cad.fas”)(load “cad.fas”))”). The hacker could copy the file in use to a mail message, as well as send itself to the victim’s contacts, again in the form of a malicious archive:

Note, however, hackers can’t do this anymore – unless they try a little harder. New versions of Autocad have eliminated these vulnerabilities, and since 2014 does not ship with the VBA engine installed as OEM. But if a user has VBA installed, and they are not careful, they could still end up a victim of this attack; Autocad still allows Macros in the form of VB scripts, and drawing files can be shipped with macros to enable task automation. The scripts operate “behind the scenes,” thus enabling hackers to evade the safety measures built into Autocad and carry out this kind of attack. With a little social engineering (see images below), a hacker could smoothly get a user to install the requisite file with its macro, giving them the green light they seek to invade a system.


And social engineering could be even easier to pull off in these circumstances; imagine a designer seeing a message like this, panicking that they are about to lose the many hours of hard work they put into their designs. Victims under those circumstances are truly putty in the hands of hackers – who can basically walk in and raid their victims’ systems, perhaps putting the company out of business, and their victim out of a job.

To combat these malicious attacks – including attacks based on macros, which no other anti-virus or cyber-security system can arrest – Votiro offers its CDR (Content Disarm and Reconstruction) security system. CDR keeps malware away by dissecting incoming messages or files that try to make their way onto a server. The system examines all incoming files at its lowest data level, and removes the offending code, reconstructing the file with all its attributes and capabilities. Thus malware gets “arrested” before it finds its way to a user’s system. CDR could be the answer to preventing industrial espionage altogether – and helping designers keep their secrets.

Recent Posts
< Back to Blog