Cyber security attack through Blender?

In the past 2 days, the company I work for had a security breach: a full-blown ransomware attack.
The IT team on site is convinced that Blender’s core was used as a conduit to gain access to our servers.

At the time, the team and I had our machines up and running, rendering out some animation sequences.

Is it possible for someone to gain access to a network through Blender?

I’m not speaking on behalf of the Blender Foundation and all opinions expressed herein are my own.

Blender does not connect to the internet nor does it require a network connection by default. The scenario you’re describing seems rather unlikely.

I can think of the following attack vectors, and they all seem improbable:

  • The server had a genuine add-on installed and activated that opens a listener socket. This add-on would have to be vulnerable to a remote code execution (RCE) vulnerability, the attacker would have to develop an exploit for this specific add-on, and the network security would have to be severely lacking so that an attacker could connect to and compromise the server running Blender. This would be an incredibly tailored attack that requires insider knowledge.
  • A malicious .blend file was opened that exploited a vulnerability in Blender itself. Similar to the first case, this would mean a custom exploit, and someone would’ve had to open that .blend file on the server.
  • A malicious third-party add-on was accidentally installed by your team.

While I cannot say with certainty that none of these scenarios happened, it seems that these are not the likeliest explanations of how ransomware found its way into your company’s network. Using infected USB sticks, opening email attachments, installing software from non-reputable sources, malicious websites and social engineering would be common attack vectors. Your post doesn’t include any facts that would support the idea that Blender or one of its add-ons has been leveraged as part of the attack chain. Keep in mind that ransomware can remain dormant for quite a while until it becomes active. Thus the point in time when the infection was discovered can be weeks or months apart from when the infection occurred.

We cannot provide a security analysis or draw a definitive conclusion from the information you’ve provided. It would probably be a good idea to hire a cybersecurity firm that can analyze the breach to identify the point of entry and potentially get law enforcement involved as well.

8 Likes

What exactly convinced your IT Team to think so, if we may know?

1 Like

Same disclaimer as @Robert applies here: I’m not speaking on behalf of the Blender Foundation and all opinions expressed herein are my own.

You seem to be “evidence shopping” to support a conclusion that the IT team has already made. Ask them to support their case rather than have us guessing at what may have happened.

Don’t get me wrong, I’m not ruling Blender in or out here, but without further information, suggesting Blender is the culprit is about as valid as suggesting Nicolas Cage walked into your facility carrying a USB stick.

12 Likes

As a person who has been using Blender for many years now, and who has been fighting for the last year and a half for my team to migrate across to Blender, this is the last thing I needed to happen.

We have been having amazing success with Blender and I am only looking for proof to validate that this was not on Blender and rather elsewhere. Our facility has multiple servers we connect to; one of these servers houses our models and files. That was the first server to be squashed in this attack. The trace back came to a machine that was only being used to render animations. This machine I personally monitor and use.

The only add-ons used are purchased through blendermarket (HardOps, BoxCutter, Flip Fluids). The connection between that machine and the server was active, as the files were proxied off the server.

Our animation and modeling team is also the only team on site running Windows 10; all the other machines on site are Macs, with our servers running Windows as well.

At the moment, management are trying to see if there are other alternatives to Blender, and I really don’t want to go down that path.

One of the servers we connect to that houses our models and assets was the first server to be lost in the attack. An initial back trace connected it to one of our render units (that I personally manage). It was found that the attack was initialized elsewhere at first; the IT department and outside contractors are convinced that it used Blender as a conduit to gain access to the server once they got access to the render machine mentioned.

Thanks for your reply Robert, I really appreciate this.

I have just forwarded your Reply off to Management on my side.

Thanks Again.

If Blender manufactured knives, your question is about equivalent to: “Hey, we got a dead guy, could it have been one of your knives? If so, specifically which one?” Beyond an “I guess” you really can’t expect much from us; you seem to think it’s one of our knives, but for all we know your guy got run over by a bus.

Asking us to list ways how to commit murder with a knife until your IT team goes “oh yeah! that one! that’s totally what happened!” is putting the cart before the horse a tiny bit. I do not think having a guessing game is an appropriate way to get to the bottom of this.

I’m not here to tell you how to run your IT department, but I’d approach this in the following way:

  1. Make an image backup of the compromised server to safeguard all artifacts of the compromise.
  2. Audit all .blend files and add-ons on said server backup for nefarious behavior in an isolated environment.
  3. If you find any suspicious .blend files / add-ons, figure out how those made it onto your network.

9 Likes
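The audit step above (image the server, then inspect the .blend files and add-ons offline) and the add-on/listener-socket and malicious-.blend vectors listed in the first reply are the kind of check that can be scripted. The following is an added example, not code from this thread or from the Blender Foundation: a static triage pass in Python that parses add-on source with `ast` and flags imports of network/process modules and dynamic-execution calls, and byte-scans .blend files (plain or gzip-compressed) for Python text embedded in Text datablocks. The keyword lists are a starting point rather than a complete indicator set, the `TX\0\0` count is a heuristic for Text datablocks rather than a real block-header parse, and zstd-compressed files (Blender 3.0+) are only reported, not decompressed (assumption: no zstd module available). A hit means "a human should look", not "compromised".

```python
"""Offline triage of Blender add-ons and .blend files taken from a disk image.

Added example, not Blender Foundation code. Point it at a *copy* of the
compromised machine's Blender config/asset directories inside an isolated
VM. It flags things worth a human look; a hit is not proof of compromise.
"""
from __future__ import annotations

import ast
import gzip
import os
import re
import sys

# Modules a rendering add-on rarely needs but a dropper almost always wants.
# Assumption: a starting point, not a complete indicator set.
RISKY_MODULES = {"socket", "subprocess", "urllib", "http", "ctypes", "ftplib", "smtplib", "winreg"}
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}
RISKY_ATTR_CALLS = {("os", "system"), ("os", "popen"), ("os", "startfile"), ("base64", "b64decode")}

BLEND_MAGIC = b"BLENDER"          # uncompressed .blend header
GZIP_MAGIC = b"\x1f\x8b"          # Blender 2.x "Compress File" option
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # Blender 3.0+ compressed files
# Strings inside embedded Text datablocks that warrant a look (heuristic).
BLEND_PATTERNS = [re.compile(p) for p in (
    rb"import\s+(socket|subprocess|ctypes|urllib)", rb"\bexec\s*\(", rb"\beval\s*\(",
    rb"os\.system\s*\(", rb"base64\.b64decode", rb"bpy\.app\.handlers")]


def _module_is_risky(modname: str) -> bool:
    return modname in RISKY_MODULES or modname.split(".")[0] in RISKY_MODULES


def audit_addon_source(src: str, name: str = "<addon>") -> list[str]:
    """Parse one Python file and list imports/calls that need justification."""
    try:
        tree = ast.parse(src, filename=name)
    except SyntaxError as exc:
        return [f"{name}: unparsable Python ({exc.msg}, line {exc.lineno})"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _module_is_risky(alias.name):
                    findings.append(f"{name}:{node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if _module_is_risky(node.module):
                findings.append(f"{name}:{node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in RISKY_CALLS:
                findings.append(f"{name}:{node.lineno}: calls {func.id}()")
            elif (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                  and (func.value.id, func.attr) in RISKY_ATTR_CALLS):
                findings.append(f"{name}:{node.lineno}: calls {func.value.id}.{func.attr}()")
    return findings


def scan_blend_bytes(data: bytes) -> dict:
    """Heuristic byte scan of one .blend file for embedded Python worth a look."""
    result = {"is_blend": False, "compression": "none", "text_blocks": 0, "hits": []}
    if data.startswith(ZSTD_MAGIC):
        # Assumption: no zstd module here; decompress with `zstd -d` and rescan.
        result["compression"] = "zstd"
        return result
    if data.startswith(GZIP_MAGIC):
        data = gzip.decompress(data)
        result["compression"] = "gzip"
    if not data.startswith(BLEND_MAGIC):
        return result
    result["is_blend"] = True
    # "TX\0\0" is the file-block code Blender writes for Text datablocks;
    # counting raw occurrences is a heuristic, not a proper block-header parse.
    result["text_blocks"] = data.count(b"TX\x00\x00")
    for pat in BLEND_PATTERNS:
        for m in pat.finditer(data):
            result["hits"].append(f"offset {m.start()}: {m.group(0).decode('ascii', 'replace')}")
    return result


def audit_tree(root: str) -> list[str]:
    """Walk a directory copy and audit every .py and .blend found in it."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".py"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report += audit_addon_source(fh.read(), path)
            elif fn.endswith(".blend"):
                with open(path, "rb") as fh:
                    res = scan_blend_bytes(fh.read())
                if res["compression"] == "zstd":
                    report.append(f"{path}: zstd-compressed, decompress before scanning")
                report += [f"{path}: {h}" for h in res["hits"]]
    return report


if __name__ == "__main__":
    # Usage (path is an example): python blend_triage.py /mnt/image/blender_config_copy
    for line in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it against the mounted, read-only copy from step 1, never against the live machine. Anything it reports still has to be read in context: a fluid-simulation add-on calling `subprocess` to launch a bundled solver is normal; an `exec(base64.b64decode(...))` in a `register()` function, or a Text datablock in a model file that imports `socket`, is not, and the next question is how that file arrived on the network.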

@MentoneZA, if your IT team has more information about possible vulnerabilities in Blender or malicious third-party files for Blender, we’d appreciate it if they could forward us the details (foundation at blender.org and brecht at blender.org can be used to contact us).

As others have mentioned, Blender does not connect to the network or internet in the default configuration. And so far, I have not heard about malicious add-ons, .blend files or other exploits for Blender that have been found in the wild. But certainly one must be careful with what to install or run, just like other 3D apps.

12 Likes

There are still other processes running on that machine, and possible attack vectors which do have an internet connection and could download and run said ransomware. You probably want to push back on your security team a bit and get them to double-check they didn’t do something questionable like leave it with weak security or facing out to the public internet or something. Right now the “Blender caused it” hypothesis they came up with is rather dubious, as such an attack out in the wild is currently unheard of.

If their suggestion of fault is legitimately causing your company to switch its production pipeline and it does not fix the vulnerability, then they are super liable for this claim. The responsible thing for them to do would be to verify if it was something coming from Blender and report such an attack as posted by brecht, or walk back their statement if it turns out to be false.

2 Likes

Hi, did you read email on this machine and read attachments? Most of the known ransomware comes from attachments.

Is there an antivirus/antimalware installed on the PC, and is your network/PC protected by a firewall?

Three of the most common ransomware attack vectors are:

  • Email phishing
  • Remote Desktop Protocol (RDP)
  • Software vulnerabilities

Email and RDP are the most probable causes…
As Brecht mentioned, if they found a vulnerability in Blender, please forward the details.

6 Likes

How does Windows Defender behave if someone tries to install a daily Blender build?

Some years ago, I remember that installing Blender on a Windows machine popped up a dialogue. It warned about Blender not being registered and that Blender might be a potential threat.

This time I suddenly was pulled in into a discussion about Blender being a potential risk.

Please consider how people might react after they face a Windows Defender warning message. A question I found on Quora: “I just caught my 17-year-old on our family’s computer looking for ‘Blender 3D’. Is it a virus? Should I ban him? How can I tell him that not all software is safe?”

I won’t be surprised if some people become afraid and jump to conclusions about Blender after Windows Defender spawned a warning (claiming that Blender is not registered and might be a potential threat to security).

1 Like

That warning is displayed for any unsigned application.
All official Blender versions are signed, even daily builds. Maybe earlier that was not the case.

2 Likes

Hahah no way

6 Likes

It happened some years ago; the message repelled a team leader. The same happened earlier: I was not allowed to install Blender on a Windows machine.

Just now (a few minutes ago) I tried to install the official Blender again on a Windows 10 box. It was listed as a registered app; there was no terrifying message. I checked a daily build on Windows 10: no terrifying message either. I am so glad this changed.

1 Like

If someone is too spooked by warnings for executables, you can recommend them the Windows Store version of Blender: https://www.microsoft.com/en-us/p/blender/9pp3c07gtvrh

3 Likes

One of the posts above, by user sadernalwis, mentioning that cybersecurity firm seems to be linking to an obviously fraudulent website/service. They ask you to report security incidents and require you to fill in many details. Very unusual for a legit service. Very suspicious, if you ask me. I think the post (and user) should be removed.

2 Likes

@MentoneZA, do you have any updates on this? By the way, I forgot to mention the other typical attack vectors in my original comment. Stolen/reused credentials are quite typically used, and there may also be zero-days against the OS or common services running on it.

2 Likes

Did your people download Blender from Steam? Steam apps usually beg for an internet connection and track how many minutes a person uses a particular app.

James