Mozilla has temporarily suspended the Firefox Send file-sharing service while the organization investigates reports of abuse by malware operators and adds a “Report abuse” button.
The browser maker took down the service today after ZDNet reached out to inquire about Firefox Send’s increasing prevalence in current malware operations.
Firefox Send — launched for secure file-sharing in 2019
Mozilla launched Firefox Send in March 2019. The service provides secure and private file-hosting and file-sharing capabilities for Firefox users. Despite its name, the service is in reality accessible to anyone who visits the send.firefox.com web portal.
All files uploaded and shared through Firefox Send are stored in an encrypted format, and users can configure the amount of time the file is saved on the server and the number of downloads before the file expires.
Firefox Send: From ransomware to surveillanceware
However, while Mozilla launched Firefox Send with the privacy and security of its users in mind, since late 2019, Firefox Send has seen broader adoption in the malware community.
In most cases, the usage is the same. Malware authors upload malware payloads to Firefox Send, the file is stored in an encrypted format, and then hackers share the links inside emails they send to their targets.
Over the past few months, Firefox Send has been used to store payloads for all sorts of cybercrime operations, from ransomware to financial crime, and from banking trojans to spyware used to target human rights defenders.
FIN7, REvil (Sodinokibi), Ursnif (Dreambot), and Zloader are just a few of the malware gangs and strains that have been seen hosting payloads on Firefox Send.
In an interview with ZDNet today, Colin Hardy, a UK cybersecurity researcher, took the time to describe several of the features that have drawn malware authors to Firefox Send.
For starters, Hardy said that Firefox URLs are natively trusted within organizations, meaning that email spam filters won’t detect or even be configured to block Firefox Send URLs.
Second, cybercrime gangs don’t have to invest any of their own time and financial resources into putting together a file-hosting infrastructure. They can just use Mozilla’s servers.
Third, Send encrypts data, hindering malware detection solutions, and download links can be configured to expire after a certain time or number of downloads, hindering incident response efforts.
“Send also has a Password protect feature, again making it easier to escape detection from perimeter devices,” Hardy said.
The rising number of malware operations abusing Firefox Send has not escaped the cyber-security community and the various malware-hunting groups.
For the past few months, security experts have complained about the lack of a “Report Abuse” mechanism or “Report File” button they could use to take down malware operations that have abused the platform.
Last month, security researchers filed a bug report on the Mozilla bug tracker, asking Mozilla to add a Report Abuse system.
Earlier today, ZDNet reached out to Mozilla to inquire about the malware-hosting issues we found, and the status of the Report Abuse mechanism.
While we were expecting a simple status update, Mozilla surprised both us and the cyber-security community by taking a proactive approach and almost immediately suspending the entire Firefox Send service while they worked to improve it.
“These reports are deeply concerning on multiple levels, and our organization is taking action to address them,” a Mozilla spokesperson told ZDNet today.
“We will temporarily take Firefox Send offline while we make improvements to the product. Before relaunching, we will be adding an abuse reporting mechanism to augment the existing Feedback form, and we will require all users wishing to share content using Firefox Send to sign in with a Firefox Account.
“We are carefully monitoring these developments and looking critically at any additional next steps,” Mozilla added.
There was no timeline provided for Firefox Send’s return, at the time of writing. Any Firefox Send links are now down, meaning that any malware operation relying on the service has also been thwarted.