Security researchers from Google Project Zero, Cyberus Technology, and Graz University of Technology have discovered two separate vulnerabilities which have set the tech industry ablaze. The vulnerabilities, aptly named Meltdown and Spectre, affect virtually every modern computer, cloud server, smart phone, tablet and internet of things (IoT) device regardless of operating system.
Meltdown appears to originate back to circa 1995, affects a limited set of hardware and allows malicious applications to bypass hardware set barriers between kernel and user process memory. Spectre on the other hand affects nearly all modern processors regardless of vendor and originates in a logic flaw on error checking of memory.
When exploited, the vulnerabilities Spectre and Meltdown can be abused by would-be cybercriminals and malicious applications to read sensitive areas of normally protected memory. These areas of memory could contain sensitive data such as personal identifiable information, credit cards, login credentials, key strokes, encryption keys or sensitive operating system information such as normally protected key memory addresses that exploits use to compromise a system.
An ideal target for these attacks would be multi-tenant environments, shared workstations, or cloud computing architectures in which a malicious user could launch these attacks in their rented account to gather data about other tenants who share the same machine. Due to the nature of this attack, users who shared the same machine would never know the attack was being leveraged against them, as the attack requires no user interaction, nor provides any visual or performance evidence that an attack is being conducted.
Hardware level vulnerabilities historically have always been extremely difficult to identify and to mitigate. The flaws ranged from performance based issues where complex CPU code would introduce unnecessary instructions thus hindering complex calculations; all the way to logic based issues which lead to CPU freezes, overheating and other physically negative effects.
As security research and cybercrime expands, both the good guys and the bad guys are revisiting hardware based attacks such as Spectre and Meltdown. With new advancements in computer exploitation, technology, cloud computing, and hardware performance, the current state of the security development lifecycle (SDL) process of hardware vendors are quite literally struggling against themselves.
Hardware based flaws, although hard to discover, often have a much longer expiration date when compared to software or application based issues. While a software based vulnerability can be usually mitigated by workarounds, patches or by a security product; a hardware based issue is many magnitudes more difficult to address. Cybercriminals already know this, and will take full advantage of these flaws while vendors, manufacturers, and developers attempt to implement these firmware updates – many of them being misapplied, forgotten or completely ignored especially by third party budget vendors.
Although it is not known if either attack has ever been leveraged in actual real-world attacks, all major browser companies, cloud providers, and OS vendors have announced this week that they will be issuing emergency patches to address both issues as soon as possible. This has led to quite a flurry of various patch schedules and rollouts, some of which have introduced performance issues and downtime to some cloud vendors. However, expected performance issues aside, there has never been a more coordinated and effective effort to squash such a widespread low-level flaw to date.
The security implications of the Meltdown and Spectre vulnerabilities are indeed catastrophic for systems engineering. At the end of the day, the guidance remains the same: users should follow best security practices by keeping their antivirus software, browsers, operating systems, and firmware up to date; avoid clicking on links distributed over e-mail, instant messages, or social media; and avoid executing file attachments. At risk users can increase their security posture by enabling per-site isolation features in their browser to mitigate against these vulnerabilities.
The biggest impact is for companies relying on shared computing resources in the cloud such as virtual private servers, virtual machines (VMs), and containers which place them at higher risk of an attacker employing these new techniques to extract secrets (passwords, encryption keys, and other sensitive data). Administrators should check with their hosting provider to determine the appropriate steps to deploy mitigations which may include applying software updates and rebooting the virtual machine.
Administrators should prioritize patch testing and validation of the newly released Microsoft security update and deploy them to shared workstations and hypervisor based systems which are at higher risk of being targeted by attackers hoping to maximize their impact.
Opera Introduces Cryptojacking Protection
Opera, the lone underdog browser, announced they have added cryptojacking protection in version 50, which was released January 3rd. Cryptojacking is a newly introduced method in which a website will use built in scripts to spin up a cryptocurrency miner inside the visitor’s browser. By using the visitors machine to mine any number of crypto cash, this allows the cryptojacker to effectively scale their chances of successfully harvesting coins.
This method has often been used in both valid experimental instances as well as for dubious purposes in which a malicious attacker compromised a website and planted the cryptojacker script on its landing page.
Attackers who use this method realize that browser scripting languages aren’t effective methods to mine Bitcoin (BTC) so they have set their sights on mining Monero. Monero, unlike Bitcoin, is a compute-heavy algorithm which allows the CPU to mine more effectively than traditional BTC-based GPU miners. Monero, also unlike BTC, is designed to be untraceable – thus being an ideal cryptocurrency for both the underground and individuals who want anonymity with their purchases.
Opera, a firm supporter of cryptocurrencies, also recently added a built-in cryptocurrency price converter in their browser that allows users to get real time prices of popular coins. Both their native price converter and native cryptojacking protection are firsts for browsers, and like all good things Opera develops first, are likely to become a trend and integrated into Chrome, Firefox and IE/Edge in the near future.
For those of you who don’t like the trend setting Opera browser, you can add cryptojacking protection using third party plugins for Chrome and Firefox. However, ensure you are not tricked into downloading a malicious plugin which, ironically could be a cryptojacking tool in disguise.
Washington DC CCTV Hackers Arrested
In January 2017, during the week of the presidential inauguration, 70% of Washington D.C.’s Metropolitan Police security cameras were reportedly compromised and taken offline. The details were sparse, but it was rumored that the attacks were targeted by various state sponsored criminals or domestic hacktivists to disrupt the presidency and hinder security of the event.
As it turned out, neither were correct. The issue was actually the work of ransomware infecting the network storage device which the CCTVs were sending their recordings to, thus effectively rendering them useless.
Fast forward to earlier this week when investigators, after several months of investigation, have uncovered that the attacks were indeed targeted and were conducted by two Romanian hackers. British authorities initially arrested two people in the UK for the attack, which turned into a deeper investigation involving the U.S. Secret Service.
In a lengthy affidavit, the U.S. Secret Service discloses that the attack was indeed conducted by several individuals and was actually the compromise of several machines which left a trail of cyber bread crumbs resulting in their arrest.
The attack was initially conducted against email addresses of seemingly random individuals, which the two Romanian and two British-based hackers targeted using malware delivery attacks disguised as seemingly benign attachments. This initial campaign allowed the attackers to compromise a single laptop device using the Cerber malware.
The attackers then noticed this employee’s home laptop connected to the juicy business network, even though the device was unauthorized. Using this as a gateway and ideal moment of opportunity, the criminals scanned the network and found several locations in which they pivoted using simple tools to compromise two other computers.
With these two other computers, the attackers were able to connect, monitor, record, and view 123 out of 187 outdoor surveillance cameras around the Washington D.C. area. These second stage machines were ultimately infected with the ransomware Dharma; this appears to be an effort to extort the device’s administrators into giving them funds in exchange for restoring their access to the cameras.
However, the attackers failed to remove forensic evidence from all three machines prior to demanding the ransom, and this information allowed authorities to track down their location and ultimately arrest them. The sloppy hackers also accessed Google mail accounts and utilized a semi-anonymous proxy sever during the hacks. Upon discovering the Gmail accounts, investigators obtained a warrant to gain access to the email and siphoned data that lead to the discovery of the hacker’s identities.
All in all, this should be a great lesson to administrators on several levels:
• Monitor and restrict access from non-work compliant machines accessing sensitive networks. These devices should always be considered compromised and their access should be completely banned (ideally) or restricted to a physically separated network at all times.
• Attacks can be targeted; however, most attacks will come from slight mistakes and moments of opportunity that attackers will readily pounce on when available. Plan accordingly, as it takes only one of these incidents to cause a breach.
• Network segregation is always suggested; devices should only talk to devices on an ‘as needed’ basis. By restricting network footprints and coverage, the attack surface is reduced and greatly impedes the ease at which attackers can move around your network.
• After a ransomware or extortion event, the team properly pulled the machines and immediately performed a forensic investigation. By having a plan in place ready to execute, the team saved time and allowed them to get access to machines before the attackers had time to clean up.
About the Cylance Research and Intelligence Team
The Cylance Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the fore front of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.