DNS Servers Crash Due to BIND Security Flaw
17.1.2018 securityweek Vulnerebility
Updates released by the Internet Systems Consortium (ISC) for BIND patch a remotely exploitable security flaw that has caused some DNS servers to crash.
The high severity vulnerability, tracked as CVE-2017-3145, is caused by a use-after-free bug that can lead to an assertion failure and crash of the BIND name server (named) process.
“BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in an advisory.
While there is no evidence that this vulnerability has been exploited in malicious attacks, ISC says crashes caused by the bug have been reported by “multiple parties.” The impacted systems act as DNSSEC validating resolvers, and temporarily disabling DNSSEC validation can be used as a workaround.
The vulnerability, discovered by Jayachandran Palanisamy of Cygate AB, affects BIND versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1. It has been patched with the release of BIND 9.9.11-P1, 9.10.6-P1, 9.11.2-P1 and 9.12.0rc2.
“Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.),” ISC explained.
The organization has also informed users of CVE-2017-3144, a medium severity DHCP vulnerability affecting versions 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, and 4.3.0 to 4.3.6.
“By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server,” ISC explained.
“Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.,” it added.
ISC has developed a patch and it plans on adding it to a future maintenance release of DHCP. In the meantime, users can protect themselves against potential attacks by disallowing access to the OMAPI control port from unauthorized clients. Alternatively, organizations can obtain the patch from ISC and integrate it into their own code.
Serious Flaws Found in Phoenix Contact Industrial Switches
17.1.2018 securityweek Vulnerebility
Vulnerabilities in Phoenix Contact Industrial Switches Can Allow Hackers to Disrupt Operations
Researchers have discovered potentially serious vulnerabilities in industrial switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.
According to advisories published last week by ICS-CERT and its German counterpart CERT@VDE, Phoenix Contact’s FL SWITCH industrial ethernet switches are affected by authentication bypass and information exposure flaws. Ilya Karpov and Evgeniy Druzhinin of Positive Technologies have been credited for reporting the flaws.
The security holes affect 3xxx, 4xxx and 48xx series switches running firmware versions 1.0 through 1.32. The vendor addressed the weaknesses in version 1.33, but researchers told SecurityWeek that it took the company roughly 160 days to release patches, which they haven’t been able to verify.Vulnerabilities found in Phoenix Contact industrial switches
The more serious of the flaws is tracked as CVE-2017-16743 and it has been assigned a CVSS score of 9.8, which puts it in the “critical severity” category. The vulnerability allows a remote, unauthenticated attacker to bypass authentication and gain administrative access to the targeted device by sending it specially crafted HTTP requests.
The second flaw, CVE-2017-16741, has been rated “medium severity” and it allows a remote and unauthenticated attacker to abuse a device’s Monitor mode in order to read diagnostics information. Firmware version 1.33 allows users to disable the Monitor mode.
Positive Technologies researchers told SecurityWeek that attackers can exploit the vulnerabilities to gain full control of a targeted switch and leverage it to interrupt operations in the ICS network, which can have serious consequences.
While some Phoenix Contact products do appear to be connected directly to the Internet, experts have not found any of its industrial switches on search engines such as Shodan and Censys. Positive Technologies says these industrial switches are typically used for internal PLC networks.
“This does not mean that such devices could not be found and accessed from the internet, it only means that we were not able to find such cases using shodan.io and censys.io,” researchers said.
Device Manufacturers Working on BIOS Updates to Patch CPU Flaws
17.1.2018 securityweek Vulnerebility
Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities.
The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected.
Computer manufacturers release BIOS updates to patch Meltdown and Spectre
Fortunately, tech companies have already started releasing patches and workarounds designed to prevent attacks. Unfortunately, some of the mitigations can introduce significant performance penalties for certain types of operations.
Intel has released patches, including microcode updates, for many of its processors, and AMD has promised to do the same. Intel has provided the fixes to system manufacturers and they have already released or are in the process of releasing BIOS updates.
Acer has informed customers that the Spectre and Meltdown vulnerabilities affect many of its desktop, notebook and server products. It’s unclear when BIOS updates will become available for a majority of the impacted devices, but the company has set a target date of March 2018 for server updates.
The list of impacted products includes Aspire, Extensa, Gateway, imd, Predator, Revo, ShangQi, Veriton and Wenxiang desktops; Aspire, Extensa, Gateway, Nitro, Packard Bell EasyNote, Spin, Swift, Switch, and TravelMate notebooks; and Altos, AR, AT, AW and Veriton servers.
Asus is also working on releasing BIOS updates. The company expects to release patches for affected laptops, desktops and mini PCs by the end of the month.
Asus has published a separate security advisory for motherboards that support Intel processors vulnerable to Meltdown and Spectre attacks.
Dell has already started releasing BIOS updates for affected Alienware, Inspiron, Edge Gateway, ChengMing, Enterprise Server, Latitude, OptiPlex, Precision, Vostro, Venue and XPS products. The vendor expects many more updates to become available later this month.
Dell has published a separate advisory for EMC products, including PowerEdge and Datacenter Scalable Solutions (DSS). Updates are available for many of the impacted systems.
Fujitsu has informed customers that many of its OEM mainboards, Esprimo PCs, Celsius workstations, Futuro thin clients, Stylistic, Lifebook and Celsius notebooks, Celvin storage devices, Primergy and Primequest servers, Sparc servers, and retail products are affected. However, BIOS updates are available only for a handful of them.
Intel has started integrating the processor microcode fixes into BIOS updates for NUC, Compute Stick and Compute Card mini PCs. Updates are available for many of the products and more are expected to be released later this month.
The company is also working on updates for Server Board and Visual Compute Accelerator products, but only two BIOS updates have been released to date. Intel has not provided an estimate on when more updates should become available.
HP has started releasing BIOS updates that patch the Meltdown and Spectre vulnerabilities for commercial workstations; commercial desktops, notebooks and retail PoS devices; and consumer desktops and notebooks.
Updates for the remaining systems are expected to become available later this month or in early February.
Lenovo says many of its desktop, IdeaPad, ThinkStation, Converged and ThinkAgile, storage, Hyperscale, ThinkServer, ThinkSystem, System X, network switch, and server management products are affected.
Lenovo has released BIOS updates for many of its solutions, and the company has also advised users to update their operating system and NVIDIA drivers to ensure that they are protected against Meltdown and Spectre attacks.
Gigabyte and MSI motherboards
Gigabyte has a long list of impacted motherboards, including the Z370, X299, B250, H110, Z270, H270, Q270, Z170, B150 and H170 families. The company has promised to start releasing BIOS updates in the next few days, with updates for a majority of systems expected to become available over the next few weeks.
MSI has released BIOS updates for Z370, Z270, H270, B250, Z170, H170, B150, H110, X299 and X99 motherboards. Patches are expected to become available for other devices “very soon.”
IBM has released firmware patches for some of its POWER processors. Fixes for its AIX and IBM i operating systems are expected to become available in mid-February.
Getac Technology, a Taiwan-based firm that makes rugged notebook, tablet and handheld computers, has promised to release BIOS updates by the end of this month.
Toshiba has published a list of affected Qosmio, Satellite, Portege, Tecra, Chromebook, Kirabook, AIO, Regza, Mini Notebook, Encore, Excite and dynaPad devices, but it has yet to release any updates. Some of the fixes are expected later this month.
Data center hardware provider QCT says it has integrated the microcode patches into a majority of its recent products. Super Micro has also issued fixes for many of its single, dual and multi-processor systems; SuperBlade, MicroBlade and MicroCloud products; and embedded, workstation and desktop systems.
Computing and storage solutions provider Wiwynn has released BIOS updates for its SV300G3, SV7200G3, SV5100G3 and SV5200G3 products, and more are expected to become available over the next few weeks.
Panasonic hopes to release updates for its laptops and tablets over the next few months.
Islamic State Retreats Online to 'Virtual Caliphate'
17.1.2018 securityweek CyberCrime
On the brink of defeat in Iraq and Syria, the Islamic State group has been taking refuge in its "virtual caliphate" -- but even online, experts say it is in decline.
Back in 2015, when the jihadists held territory the size of Italy, they also commanded a huge digital presence, flooding the web with slick propaganda lionising their fighters and romanticising life under their rule.
Today, with many of the top IS leaders either dead or on the run, what remains of the group's once-sophisticated propaganda machine is also a shadow of its former self.
Their media centres destroyed, remaining propagandists find themselves struggling to maintain an internet connection while battling surveillance from international intelligence services.
The jihadist group is less and less vocal on the web, largely leaving supporters whom it cannot control to speak in its name.
"It's almost as if someone has pressed the mute button on the Islamic State," said Charlie Winter, a researcher at King's College London who has been studying IS communications for years.
Between November 8 and 9 the group even went completely silent for a full 24 hours in what Winter said was an "unprecedented" break from social media.
In 2015, when IS was ruling over roughly seven million people in Iraq and Syria, its propagandists produced "content from 38 different media offices from West Africa to Afghanistan", Winter said.
But by December, more than three quarters of these outlets had been "almost totally silenced," he added.
Albert Ford, a researcher at US think-tank New America who has studied the exodus of foreign fighters to join IS, also said the group's media output was "falling off considerably".
"Fewer places to get information, fewer ways to upload it," he said.
- Pushed to the 'dark web' -
Back in March as Iraqi forces were ousting IS from their long-held bastion Mosul, an AFP journalist was able to pick through the wreckage of what was once a jihadist media centre.
Between the burnt walls of the villa in an upscale part of the city were the remains of computers, printers and broadcasting equipment.
In the months before and since, the US-led military coalition fighting IS has repeatedly announced the deaths of senior IS communications officers, usually in air strikes.
Among them was the top strategist and spokesman Abu Mohamed al-Adnani, killed in a US strike in northern Syria in August 2016.
These days IS propagandists mostly use the web to encourage supporters to launch attacks on their own initiative, with the much-weakened group unable to play a direct hand in organising them.
These calls are often issued via the "deep web", a heavily encrypted part of the internet which is almost impossible to regulate, or the Telegram app.
Winter said he had seen a trend emerging of posts seeking to cultivate a sense of nostalgia among supporters for the height of the group's power.
By portraying events three years ago a "golden age" stolen by "the enemies of Islam", IS is hoping to convince new recruits that such times could come again if they join the cause, Winter said.
Bruce Hoffman, a terrorism specialist at Georgetown University in Washington, said the principal danger of IS now lies in what he calls "enabled attackers".
A jihadist recruit such as this would have "no previous ties to terrorist organisations," Hoffman said.
"But he is furnished very specific targeting instructions and intelligence in order to better facilitate and ensure the success of his attack."
Such wannabe jihadists need look no further than the internet for abundant advice that has been available online for years -- and will merely pop up again after any attempt to remove it.
'MaMi' Mac Malware Hijacks DNS Settings
17.1.2018 securityweek Apple
Researcher Patrick Wardle has analyzed what seems to be a new piece of malware designed to hijack DNS settings on macOS devices. The threat has other capabilities as well, but they do not appear to be active.
The malware, dubbed OSX/MaMi by Wardle based on a core class named “SBMaMiSettings,” is currently only detected – at least based on its signature – by ESET and Ikarus products as OSX/DNSChanger.A and Trojan.OSX.DNSChanger. However, other vendors will likely create signatures for the threat in the upcoming hours and days.
The researcher obtained a sample of MaMi after a user reported on the Malwarebytes forums that a teacher’s Mac had been infected. The user reported that the DNS servers on the compromised system were set to 188.8.131.52 and 184.108.40.206, and they kept changing back after being removed.
Wardle has not been able to determine how the malware is being distributed, but he has found it on several websites. The expert believes the threat has likely been delivered via email, fake security alerts and pop-ups on websites, or social engineering attacks.
The sample analyzed by the researcher acts as a DNS hijacker, but it also contains code for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.
The malware does not appear to execute any of these functions, but Wardle says it’s possible that they require some attacker-supplied input or other preconditions that his virtual machine may not have met. The researcher says he will continue to investigate.
Once it infects the system, the malware invokes the security tool and uses it to install a new certificate obtained from a remote location.
“OSX/MaMi isn't particular advanced - but does alter infected systems in rather nasty and persistent ways,” Wardle explained. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).”
The easiest way to determine if a macOS system is infected with the MaMi malware is to check DNS settings – the threat is present if the server is set to 220.127.116.11 and 18.104.22.168. The malware does not appear to be designed to target Windows devices.
The most well known DNS-changer malware is DNSChanger, a threat that made rounds in the years leading up to 2011 and which changed DNS settings as part of clickjacking and ad replacement fraud schemes. DNSChanger affected both Windows and OS X machines, and millions of devices worldwide were at risk of losing Internet connectivity after authorities took down its infrastructure.
Microsoft Brings End-to-End Encryption to Skype
17.1.2018 securityweek Social
Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.
Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.
Furthermore, end-to-end encryption is also applied to any files users send to their conversational partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep user’s information private.
Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.
Users enrolled in Microsoft’s Skype Insider program can already test the new feature by selecting “New Private Conversation” from the compose menu or from the recipient’s profile. As soon as the recipient has accepted the invitation to a private chat, all calls and messages in that conversation will be encrypted end-to-end, until they choose to end it.
Participation in a private conversation will be available from a single device at a time. Skype users will have the possibility to switch the conversation to any of their devices, but exchanged messages are tied to the device being used at the time.
During the preview period, private conversations will be available only to Skype Insiders running the latest version of the application. The chats are also limited to one-to-one conversations, Kilbourne explains.
The Private Conversations feature is currently available to Skype Insiders using Skype version 22.214.171.124 for iOS, Android, Linux, Mac, and Windows Desktop.
Facebook Paid $880,000 in Bug Bounties in 2017
17.1.2018 securityweek Social
Facebook received over 12,000 vulnerability submissions in 2017 and ended up paying $880,000 in bug bounties to security researchers.
Of the large number of received submissions, however, just over 400 reports were found valid during the bug bounty program’s sixth year. Last year, Facebook also paid larger bounties to the submitting researchers, as the average reward per submission increased to almost $1,900, up from $1,675 in 2016.
The number of security researchers participating in the company’s bug bounty program also increased, Jack Whitton, Security Engineer with Facebook's Product Security team, explains in a blog post. 32% of the researchers who received a reward last year submitted for the first time in 2017.
The largest bounty the company has paid to date is a $40,000 reward for ImageTragick, a remote code execution vulnerability introduced by the ImageMagick image processing suite. Last year, the company also paid a $10,000 bounty for a critical vulnerability that could result in deleting any photo from the social media network.
The largest number of valid submissions in 2017, Facebook says, came out of India. The United States ended up on the second position, followed by Trinidad & Tobago in the third place.
Facebook acknowledged more than 100 researchers as part of the bug bounty program in 2017.
“Going forward, we are going to take a number of things into consideration: dollar amount, submission validity, and more. We’re doing this to continue to encourage high-quality submissions, and we will be offering new perks to our top participants such as swag and prizes, access to exclusive events and new features,” Whitton explains.
He also reveals that Facebook is planning on investing more resources into getting more timely responses and payments to researchers in 2018.
Researchers interested in submitting reports as part of Facebook’s bug bounty program are encouraged to follow the best practices the company is listing at facebook.com/whitehat/resources.
“After celebrating our 6th anniversary, we paid out over $880,000 to researchers last year, bringing our total paid out to over $6,300,000,” Whitton says.
Facebook launched its bug bounty program in 2011 and paid over $5 million to researchers by October 2016.
US House Passes Crucial Spying Law
17.1.2018 securityweek CyberSpy
The US House of Representatives passed a crucial surveillance law Thursday that reinforced the ability of the country's spy agencies to intercept and make use of Americans' private communications.
The national security establishment saw the reauthorization of the expiring Section 702 of the Foreign Intelligence Surveillance Act as essential, warning that they would not be able to detect terror plots without it.
But rights groups and libertarian-leaning politicians of both the Democratic and Republican parties saw the bill's passage as a blow, especially since former National Security Agency contractor Edward Snowden revealed in 2013 that the NSA was using it to vacuum up massive amounts of data on Americans.
Many had hoped the renewal would strengthen protections against invasive electronic wiretapping and social media monitoring of Americans by the NSA, the country's powerful electronic espionage body, and the Federal Bureau of Investigation.
- Trump tweets stir confusion -
The House's vote for the bill came after President Trump himself sent mixed messages of his own views, tweeting Thursday morning his opposition only to make an abrupt U-turn.
In an initial tweet he said the section 702 provision had been used by the Obama administration to "so badly surveil and abuse the Trump campaign," suggesting he was opposed to the bill.
More than an hour later, he reversed himself, saying "today's vote is about foreign surveillance of foreign bad guys on foreign land. We need it!"
While nearly all lawmakers agree that 702 is an essential tool for US intelligence to safeguard national security, the bill passed the House by 256-164, showing the level of opposition to the powers it gives US spies and law enforcement. The no votes included 45 Republicans.
"The House-passed bill does absolutely nothing to defend the vast majority of law-abiding Americans from warrantless searches, and in many ways it expands the federal government's ability to spy on Americans. A concerted campaign of fear-mongering and misinformation pushed this flawed bill over the line," said Senator Ron Wyden, one of the most vocal critics of the law.
- Post-9/11 law -
Section 702 of the FISA law was passed in 2008 after the Bush administration was shown to have allowed the then-illegal surveillance of telephone and online communications of US citizens and residents in the wake of the September 11, 2001 terror attacks.
Amid concerns it gave the government too much power to spy on citizens, the statute was given a five-year limit, and was renewed in 2012.
It allows the NSA and FBI, in their surveillance on foreign targets outside of the country for national security purposes, to also collect and hold communications by US citizens, so-called incidental collection.
It also permits the CIA and FBI to search that material, which includes social media postings, in the course of criminal investigations.
The NSA and FBI have downplayed their collection and use of the materials on Americans.
But leaks and statements by officials have suggested that the amount of material collected is massive, and that the FBI routinely searches it for information on Americans.
Opponents had hoped the new bill would require agencies to obtain specific warrants to scan and make use of the communications of Americans scooped up in the process of spying on foreigners.
But a slight change that says the FBI needs a warrant to make use of the material in court does not hinder their ability to freely examine NSA files, critics said.
The bill "fails to meaningfully restrict the use of Section 702 to spy on Americans without a warrant," the American Civil Liberties Union said.
The bill could face stronger opposition in the Senate, where Senator Rand Paul has threatened a filibuster. But analysts expect that will only slow its eventual passage.
FireEye Acquires Big Data Firm X15 Software
17.1.2018 securityweek IT
Cyber threat protection firm FireEye said on Friday that it has acquired privately held big data platform provider X15 Software in a deal valued at roughly $20 million.
Under the terms of the acquisition, which closed on Jan. 11, FireEye agreed to pay approximately $15 million in equity and $5 million in cash to acquire Sunnyvale, Calif.-based X15.
FireEye says that X15’s technology will “add significant data management capabilities and provide customers with an open platform for integrating machine-generated data that can easily incorporate new security technologies and big data sources to adapt to the evolving threat environment.”
FireEye LogoShortly after acquiring security orchestration firm Invotas in February of 2016, FireEye made a push into orchestration and automation with the launch of its Security Orchestrator offering, designed to help eliminate repetitive manual processes, reduce process errors, and automate the correct response between different security controls. In late 2016, the company unveiled Helix, a platform designed to help customers efficiently integrate and automate security operations functions.
“Organizations today are overwhelmed by alerts, the number of tools required to manage their security operations, and the challenge of unifying access to the large volumes of data that matter,” John Laliberte, senior vice president of engineering at FireEye, said in a statement. “X15 Software technology will accelerate our strategy of delivering an innovative, next-gen security platform.”
FireEye claims that the integration of X15 Software’s technology will help FireEye’s security operations platform address the challenges of collecting, querying and analyzing large volumes of machine-generated data in real-time and manage security data from on-premise, hybrid and cloud environments.
X15 Software was founded in 2013 and currently employs approximately 20 employees.
Tool Detects Squatted Accounts on Social Networks, Code Repos
17.1.2018 securityweek Social
Web security company High-Tech Bridge has improved its Trademark Monitoring Radar service with a feature designed to help organizations identify squatted or fraudulent accounts created on social networks and code repositories.
Trademark Monitoring Radar is a free service that hunts for malicious domain names. The service initially allowed organizations to detect potential cybersquatting and typosquatting of their domain or brand. A feature designed to detect phishing websites was later added.
The latest feature allows organizations to find typosquatting or cybersquatting attempts on social networks and code repositories. Users simply enter the name of their own domain and the service displays a list of potentially squatted accounts found on websites such as Facebook, Twitter, YouTube, Google Plus, GitHub and Bitbucket.
High-Tech Bridge told SecurityWeek that new social networks will be added in the upcoming period. The detection algorithms and the database storing information on malicious domains are continuously improved – the company says there is an improvement of roughly 10 percent every month. The results displayed for each tested domain are updated every 24 hours.
The Trademark Monitoring Radar service is fully automated, which can result in false positives. However, the security firm pointed out that it’s virtually impossible to automatically assess the impact of each account. On the other hand, each of the potential problematic accounts is displayed as a link, making it easier for users to manually verify them.
“We prefer to give more than less,” explained Ilia Kolochenko, CEO and founder of High-Tech Bridge. “For some companies, even the same user name can pose a potential problem. We saw when relatively innocent accounts were used in sophisticated credit card fraud.”
It can be useful for organizations to identify squatted or fraudulent accounts on social media websites as they can be abused by malicious hackers in combination with social engineering for spear phishing attacks. As for code repositories, fake accounts can be leveraged for delivering malware, Kolochenko said.
Once the fraudulent domains have been identified, the targeted organization can ask the service provider to take them down. While the process is often simple for major brands, it can be more difficult for smaller companies. “It can take longer or even require an intervention from a law firm,” Kolochenko explained.
Simple Attack Allows Full Remote Access to Most Corporate Laptops
17.1.2018 securityweek Attack
Remote Attack Leverages Flaw in Intel AMT Technology
Attack is Simple to Exploit, Has Incredible Destructive Potential
Researchers have discovered a flaw in Intel's Advanced Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.
An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.
The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today. It is unrelated to the "Apocalyptic AMT firmware vulnerability" disclosed in May 2017, or the current Meltdown and Spectre issues.
The new flaw is surprising in its simplicity. "It is almost deceptively simple to exploit, but it has incredible destructive potential," explains Sintonen. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."
The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension -- the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default 'admin' password will give the attacker access to AMT.
AMT is an out-of-band hardware-based remote management tool. It is chip-level and not dependent on software or an operating system. It requires only power and a connection. Its purpose is to give IT staff remote access to, and therefore control over, corporate devices; and is particularly useful for laptops used away from the office. It is found on computers with Intel vPro-enabled processors, and workstation platforms based on specific Intel Xeon processors -- in short, the vast majority of company endpoints.
If attackers have physical access to such a device, one need only boot up the device pressing CTRL-P during the process, and log in to MEBx with 'admin'. "By changing the default password, enabling remote access and setting AMT's user opt-in to "None", a quick-fingered cyber criminal has effectively compromised the machine," writes F-Secure.
The device itself might be considered secure, with a strong BIOS password, TPM Pin, BitLocker and login credentials -- but all of these can be bypassed remotely if the attackers are able to insert themselves onto the same network segment with the victim. "In certain cases," warns F-Secure, "the assailant can also program AMT to connect to their own server, which negates the necessity of being in the same network segment as the victim."
Once such an attack has succeeded, the target device is fully compromised and the attacker has remote ability to read and modify all data and applications available to the authorized user.
Although physical access is required for the attack, the speed with which it can be accomplished makes the Evil Maid attack (so-called because such attacks can be exploited in a hotel room if a device is left unattended for a brief period of time) a viable threat.
Sintonen describes a potential scenario. "Attackers have identified and located a target they wish to exploit. They approach the target in a public place -- an airport, a cafe or a hotel lobby -- and engage in an 'evil maid' scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time -- the whole operation can take well under a minute to complete," Sintonen says.
Preventing such Evil Maid attacks is simple in principle, but complex in practice, requiring granular provisioning. AMT should be disabled for all devices that are unlikely to require it. Where it is required, each device needs to be provisioned with a strong password. This needs to be done for both new and currently deployed devices.
"It is recommended to query the amount of affected devices remotely, and narrow the list of assets needing attention down to a more manageable number. For computers connected to a Windows domain, provisioning can be done with Microsoft System Center Configuration Manager," suggests F-Secure. If any device is found to have an unknown password (in many cases this will be anything other than 'admin'), that device should be considered suspect and appropriate incident response procedures should be initiated.
Sintonen found the issue in July 2017. However, he also notes that Google's Parth Shukla mentioned it in an October 2017 presentation titled 'Intel AMT: Using & Abusing the Ghost in the Machine' delivered at Hack.lu 2017. Since awareness of the issue is already public knowledge, Sintonen recommends that organizations tackle the problem as soon as possible.