Browser maker Mozilla has suspended its “Firefox Send” service until further notice after ZDNet found increasing abuse of the service in current malware operations.
Firefox Send launched in March 2019. The service offers secure and private file hosting and file sharing for Firefox users. Despite its name, it is available to anyone who visits the send.firefox.com web portal.
All files uploaded and shared through Firefox Send are saved in an encrypted format, and users can configure the length of time the file is saved on the server and the number of downloads before the file expires.
However, while Mozilla launched Firefox Send with user privacy and security in mind, Firefox Send has become very popular with hackers since late 2019.
In most cases the pattern is the same. Cybercriminals upload malware payloads to Firefox Send, where the file is saved in an encrypted format, and then share the links in emails they send to their targets.
In recent months, Firefox Send has been used to store payloads for all types of cybercrime, from ransomware to financial crime and from banking Trojans to spyware used against human rights defenders.
FIN7, REvil (Sodinokibi), Ursnif (Dreambot) and Zloader are just a few of the malware gangs and strains that have had payloads hosted on Firefox Send.
In an interview with ZDNet, Colin Hardy, a British cybersecurity researcher, described several of the features that have attracted malware authors to Firefox Send. First, Hardy notes that Firefox URLs are inherently trusted, which means that email spam filters do not flag Firefox Send URLs and are not configured to block them.
Second, cyber gangs do not have to invest time and financial resources in building a file hosting infrastructure. They can simply use Mozilla’s servers. Third, Send encrypts data, which hinders malware detection solutions, and download links can be configured to expire after a certain time or number of downloads, making it more difficult to respond to incidents. “Send also has a password protection feature, which in turn makes it easier to avoid detection by perimeter devices,” explains Hardy.
The growing number of malware operations that misuse Firefox Send has not gone unnoticed by the cyber security community. In recent months, security experts have complained about the lack of a “report abuse” mechanism or a “report file” button that they could use to flag malware operations abusing the platform.
Last month, security researchers filed a bug report on the Mozilla bug tracker asking Mozilla to add a system for reporting abuse. ZDNet contacted Mozilla to inquire about the malware hosting issues we found and the status of the report abuse mechanism.
While we expected a simple status update, Mozilla surprised both us and the cyber security community by taking a proactive approach and immediately disabling the entire Firefox Send service while it works to improve it. “These reports are deeply worrying and our organization is taking action to address them,” a Mozilla spokesman told ZDNet.
“We will temporarily take Firefox Send offline while we work on improvements. Before the restart, we will add an abuse reporting mechanism to extend the existing feedback form. We will also require all users who want to share content using Firefox Send to sign in with a Firefox account. We are carefully monitoring these developments and are critically reviewing all further next steps.”
There is currently no schedule for Firefox Send to return. Firefox Send links are no longer available, which means that all malware operations that rely on this service have also been thwarted.