Meltdown - The mirror in the CPU

A new series of vulnerabilities has been disclosed (CVE-2017-5753/5715/5754) affecting the most popular computer processors and leaving millions of devices exposed to exploitation. These vulnerabilities allow users or applications with low privileges to read data held in memory. Data stored in memory may include passwords, pictures, text, and any other kind of data. At first these vulnerabilities were thought to affect only Intel; however, other reports indicate that AMD and ARM processors are affected as well.

Meltdown and Spectre are the two trending names associated with these vulnerabilities. Meltdown means there is no longer any boundary between applications and the operating system; in this case, exploitation allows an attacker to access memory data across any running application or process. Spectre tricks programs into disclosing memory by causing errors, after which that memory data can be accessed.

Fig 1. Meltdown POC

Fig 2. Spectre POC, modified from https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#file-spectre-c-L50

The proof-of-concept exploitation code suggests a side-channel type of attack, which may require some preliminary steps before full exploitation (e.g. tricking a user into browsing to a page carrying the exploit code, or gaining access to a server to transfer and then execute the code). However, this does not minimize the risk of these vulnerabilities: for example, a malicious actor could simply create an account with a popular cloud provider, execute the exploit on his or her own servers, and be able to see other tenants' information via memory/application leakage.

It is also very possible that these vulnerabilities will soon be chained with other exploits, enabling them to be executed in a manner that allows more streamlined memory access.

The biggest implication of these vulnerabilities is the number of devices that may be affected. Considering that Intel, AMD and ARM account for the majority of modern processors, the task of applying mitigations seems very difficult. Some of these devices may not be patchable (think embedded processors in cable modems, routers, and many other IoT devices); others may be patched, but the current mitigations as of the writing of this blog are workarounds rather than fixes, and these workarounds come with a price: reduced performance and added latency. These performance reductions may be significant enough to discourage some vendors from patching their devices.

Suggested mitigations consist of applying patches at the operating system level, as the deployed hardware is flawed and cannot be modified. Below is a list of detailed technical resources and mitigation information.
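A defender-side check that follows from this, added here as an example and not code from the original post: patched Linux kernels report the status of each of the three CVEs through sysfs, and the script below reads those files and flags anything still vulnerable or unreported. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (older kernels have no such directory and are reported as unknown); the file-name-to-CVE mapping is the kernel's own.

```python
"""Report Linux kernel mitigation status for CVE-2017-5753/5715/5754.

Added example, not from the original post. Assumes a kernel that exposes
/sys/devices/system/cpu/vulnerabilities/ (kernels without it get "unknown").
"""
import os

# sysfs file name -> CVE as referenced in the post
SYSFS_TO_CVE = {
    "meltdown": "CVE-2017-5754",    # rogue data cache load
    "spectre_v1": "CVE-2017-5753",  # bounds check bypass
    "spectre_v2": "CVE-2017-5715",  # branch target injection
}

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status_line):
    """Map one sysfs status line to (state, detail).

    The kernel writes one of three forms: "Not affected",
    "Vulnerable[: detail]" or "Mitigation: detail".
    """
    text = status_line.strip()
    if text == "Not affected":
        return "not_affected", ""
    head, _, detail = text.partition(":")
    if head.strip() == "Mitigation":
        return "mitigated", detail.strip()
    if head.strip() == "Vulnerable":
        return "vulnerable", detail.strip()
    return "unknown", text


def check_mitigations(vuln_dir=VULN_DIR):
    """Return {CVE: (state, detail)} for the three CVEs."""
    report = {}
    for name, cve in SYSFS_TO_CVE.items():
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                report[cve] = classify(fh.read())
        except OSError:
            # No sysfs entry: the kernel predates the reporting interface
            report[cve] = ("unknown", "no sysfs entry (kernel too old?)")
    return report


def needs_action(report):
    """CVEs still reported Vulnerable, or whose status could not be read."""
    return sorted(cve for cve, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    rep = check_mitigations()
    for cve, (state, detail) in sorted(rep.items()):
        print(f"{cve}: {state} {detail}".rstrip())
    print("action needed:", ", ".join(needs_action(rep)) or "none")
```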

U.S. CERT: https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities

Official Intel: https://security-center.intel.com/advisories.aspx

Official AMD: https://www.amd.com/en/corporate/speculative-execution

Official ARM: https://developer.arm.com/support/security-update

MITRE: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Official vulnerability page with technical POC and research information: https://www.meltdownattack.com

Mozilla: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Google Chrome: https://support.google.com/chrome/answer/7623121?hl=en

Official Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Google Project Zero: https://googleprojectzero.blogspot.com/


2018 CYBER SECURITY PREDICTIONS

Predicting big events in cyber security can be a tricky task. Attacks seem to come in waves of innovation and adaptation, then plateau and stay low on the radar, only to come back years later in new forms or adapted to other new exploits. An example of this is the use of encryption and destructive software in malicious ransomware campaigns: both have been used before but are now repurposed in a much more effective manner. Predicting malicious campaigns or new exploits is made even more difficult by new software or hardware with not-yet-disclosed bugs and vulnerabilities that may drive and shift attack and defense paradigms.

With the creation of new technology and the development of new software applications, the possibility of abuse and exploitation always runs in parallel. Hence, predicting these types of events may be linked to the creation or widespread adoption of new technologies, even though we have at times seen code that was allegedly a decade old still be very powerful in 2017.

Cyber attack trends and the use of weaponized code are also inexorably tied to geopolitical factors, as cyber has become part of warfare. It is known that once such code is disclosed, it will be repurposed and adapted to exploits and known attack vectors to make them more effective. An example of that is the addition of EternalBlue to the WannaCry ransomware last year.

The internet is now, more than ever, embedded everywhere: personal area networks, home AI, the Internet of Things, and the corresponding big-data distributed backends needed to interconnect and process their information in the cloud. They have blurred the edge and made the internet part of our homes, bringing its risks with them. The adoption of artificial intelligence in cyber security is still in its infancy and yet to be developed. AI is currently used mainly to drive defensive technologies; however, it is only a matter of time until this technology is adapted for malicious purposes as well. With all these caveats in mind, here is what past and present events suggest may happen this year:

  • Exploitation of IoT will increase as these devices become pervasive in homes and companies. AI technology is here to stay, and it is still unknown how many risks and vulnerabilities these devices may have; as they are incorporated into houses and companies, it is very likely that malicious actors will target and successfully exploit them.
  • Likely a byproduct of the exploitation of IoT home networks, 1 TB-plus volumetric DDoS attacks will increase in frequency, as more devices become available for exploitation and abuse and are added to attack botnets.
  • SMS will be discarded as an authentication tool due to phone porting, SS7 and MFA phishing attacks. This is a clear trend as of the last quarter of this year, and it is likely to grow in numbers to the point where SMS will have to be discarded as an authentication factor.
  • Cell phone infrastructure-driven attacks. Vulnerabilities in cellphone/wireless spectrums will be targeted to pivot to critical infrastructure (power, transportation and other utilities). This type of infrastructure is known in many instances to connect parts of our critical infrastructure such as dams, bridges, pumps, etc. Cell phone infrastructure will continue to be targeted, and we might witness actual effects on critical infrastructure.
  • Ransomware / destructive malware used against critical infrastructure. In 2017 we witnessed the targeting of governments via specially crafted and obfuscated ransomware and destructive code. Examples were the attacks against Britain's NHS and Ukrainian infrastructure, including nuclear power plants. The time will come when these types of attacks pass through our current defenses and affect our critical infrastructure. This will likely happen during 2018.
  • Mega breaches will continue. Not too long ago SQL injections were the main driver of mega breaches; nowadays Amazon S3 buckets seem to have replaced them as the driver of mega breaches and data disclosures. This is unfortunately likely to continue, as research indicates there are still plenty of unsecured S3 buckets, plus high-value target organizations.
  • AI/ML tech will be weaponized. This is inevitable, as malicious actors will eventually find a way to incorporate current AI/ML technology into their attacks; this may well happen via addition to DDoS or exploitation attacks.
  • Client-based exploits (phishing) will continue to be the main vector of attack as enterprises harden their defenses. Phishing continues to be a challenging attack vector to defend against, and pretty much an unsolved problem for enterprises; this will keep driving these types of attacks.
  • Identity "firewalls" will become a thing. With the prevalence of stolen identity information, a tool or mechanism that detects unauthorized use will have to be created. It may imply a new identity framework or technology beyond current "identity protection services".
  • A devastating cyber attack may lead to a "break up" of the internet. It is a matter of time until an attack with grave effects on people's way of life leads to a forced "break up" of the internet. This means the days of reaching governments, airplanes, cars, nuclear plants, dams, etc. via the internet from everywhere may be numbered.

Single Sign On: Feature or Threat?

A conflict between usability and security is at the core of single sign-on capabilities. From the perspective of usability, single sign-on (SSO) is a must-have: SSO is required to maintain efficiency within a workplace. Modern enterprise users constantly use multiple applications; access, share and store data across multiple file shares; send and download emails; and authenticate through VPNs, mobile devices, etc. Without single sign-on, each step would inhibit productivity. It would be impossible, from the functional view of user interactions and tasks, to require users to authenticate every time they access a resource or read, write or modify a file. It is very clear that SSO is a fundamental need for enterprises.

However, SSO represents a single point of failure and a driving factor for credential reuse/extraction attacks. This means attackers can gain access to a variety of resources by simply obtaining and reusing credentials. If an organization's defensive posture is weak, the risk ranges from simply snooping over someone's shoulder or reading a sticky note all the way to sophisticated targeted phishing, malware execution, social engineering or post-exploitation attacks, where attackers obtain user credentials and then proceed to gain access and move laterally across the organization.

A significant number of breaches and known compromises started by simply obtaining credentials from users, and even from administrators, as malicious actors tend to pretext and target them. Weak passwords and policies clearly augment the damage that an attack of this type can cause. In some cases the reuse of passwords, for example, has exposed not only the targeted organizations but also partners and even defense service providers.

Credential reuse/extraction attacks, used in post-exploitation environments, provide powerful tools for moving around the enterprise by leveraging SSO technologies. Very popular tools such as Mimikatz are designed specifically to exploit SSO features. Tools like this allow attackers to perform Pass the Hash, Pass the Ticket and other related credential extraction/reuse attacks.

These types of attacks and tools constantly evolve as new ways of abusing/exploiting SSO features are discovered. Recently security researcher Juan Diego found a method to extract NTLM hashes that can then be reused (or cracked) to obtain credentials in a post-exploitation environment and move laterally. In spite of all the attacks already available and upcoming, single sign-on cannot be abandoned.

Single sign-on can be fortified by using strong password policies and complementary monitoring and detection technologies such as JASK Trident. JASK Trident uses multiple sources of information and contextual indicators to detect abnormal activity and credential reuse attacks; these multi-contextual indicators are based on the experience of security operations center operators along with machine learning models.

The following figures show multi-contextual indicators used by JASK Trident that can indicate credential extraction/reuse.

Fig 1. Lateral Movement activity alert (SMB scanning)

Fig 2. First Seen Access (SMB share)
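As an added example (not JASK's code) of the "first seen" indicator in Fig 2, the script below learns which shares and source hosts each account normally uses from share-access records and reports any later access that pairs an account with a share or host it has never used. The records are constructed sample data, modelled loosely on the fields of Windows event 5140 (network share object accessed); account names, hosts and share paths are invented.

```python
"""First-seen SMB share access detection (credential reuse indicator).

Added example, not JASK's code. Each record is a constructed
(timestamp, account, source host, share) tuple.
"""
from collections import defaultdict

# Constructed sample: a baseline week of normal access, then one day's activity
HISTORY = [
    ("2017-11-01T09:02", "alice", "WS-ALICE", r"\\FS01\Finance"),
    ("2017-11-01T09:10", "bob", "WS-BOB", r"\\FS01\Engineering"),
    ("2017-11-02T08:55", "alice", "WS-ALICE", r"\\FS01\Finance"),
    ("2017-11-03T14:20", "bob", "WS-BOB", r"\\FS02\Builds"),
    ("2017-11-04T10:01", "svc_backup", "BKP01", r"\\FS01\Finance"),
    ("2017-11-04T10:02", "svc_backup", "BKP01", r"\\FS01\Engineering"),
]
TODAY = [
    ("2017-11-08T09:05", "alice", "WS-ALICE", r"\\FS01\Finance"),     # normal
    ("2017-11-08T11:40", "alice", "WS-BOB", r"\\FS01\Finance"),       # new host
    ("2017-11-08T11:41", "alice", "WS-BOB", r"\\FS01\Engineering"),   # new share
    ("2017-11-08T11:42", "alice", "WS-BOB", r"\\FS02\Builds"),        # new share
]


def build_baseline(records):
    """Per account: the shares and source hosts seen in the history window."""
    shares = defaultdict(set)
    hosts = defaultdict(set)
    for _ts, account, src, share in records:
        shares[account].add(share.lower())
        hosts[account].add(src.upper())
    return shares, hosts


def first_seen(records, baseline):
    """Return [(timestamp, account, reason)] for accesses outside the baseline.

    Each new (account, share) or (account, host) pair is reported once and
    then added to the baseline, so repeats of the same pair do not re-alert.
    An account with no history at all alerts on both its share and its host.
    """
    shares, hosts = baseline
    alerts = []
    for ts, account, src, share in records:
        reasons = []
        if share.lower() not in shares[account]:
            reasons.append(f"first access to share {share}")
            shares[account].add(share.lower())
        if src.upper() not in hosts[account]:
            reasons.append(f"first access from host {src}")
            hosts[account].add(src.upper())
        if reasons:
            alerts.append((ts, account, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in first_seen(TODAY, build_baseline(HISTORY)):
        print(*alert, sep=" | ")
```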

The JASK Research team has produced a threat advisory outlining a proof of concept of this new attack and specific steps for mitigation. Access the Threat Advisory by clicking here.


Beyond WannaCry: The NotPetya Ransomware attack

Reports earlier today described the spread of a widespread infectious worm distributing the well-known ransomware Petya, targeting Ukrainian infrastructure (power, transportation, finance) and other big companies around the world. It later came to light that this attack might not be a variant of Petya at all but an entirely new kind of ransomware attack, leading to it also being called NotPetya. Whatever the name, the findings indicate an ongoing campaign with attack vectors similar to the WannaCry infestation of May 2017, leading experts to believe it is the next evolution in a possible series of attacks that will continue to affect companies around the world.

Screenshots of Petya/NotPetya:

Ransomware detection from JASK's product:

Initial reports in the community suggest the EternalBlue exploit may be present in some of the researched samples. This would enable the ransomware payload to spread rapidly and aggressively. Further lateral movement by this means would only occur if the targeted environment is not patched.

Other reports indicate that the main attack vector is phishing: an MS Office file that downloads the malicious payload once the user has opened it and enabled macros. Some of the reported code shows PowerShell syntax downloading an executable, and other code snippets show lateral movement using PowerShell.

It is important to clarify that even if your systems are patched, some ransomware versions will use compromised user credentials to search, probe, copy, and execute the malicious payload based on the rights granted to that user. This means spreading and infestation are still possible, but limited to the user's credentials and rights on the targeted shares.

These versions of the malicious code seem to be using EternalBlue in some cases and, in others, extracting credentials from compromised systems in order to move laterally and spread further. In addition, there are reports of more than one variant of the malicious code currently in play. This makes it more difficult for companies in a compromised situation to detect and remediate.

A quick check on Blockchain.info indicates several payments have been made to the bitcoin address related to this attack, https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX. The email address referenced in the ransom message, hosted on Posteo, has apparently been disabled, preventing the actors behind the attack from receiving communications and making it even more difficult for victims to obtain any decryption keys.

Current consistent indicators suggest this ransomware campaign is based on the following vectors:

  • Malicious document delivered via email
  • PowerShell code downloads the malicious payload
  • The user must open the file and allow execution
  • The malicious file mimics Petya ransomware signatures
  • The malicious code proceeds to probe for shares adjacent to the victim machine, possibly checking whether EternalBlue execution is possible. If successful, it proceeds to copy, write and execute the ransomware payload on every share. If privileges are high (admin), the code encrypts the MBR; if not, it encrypts specific files.
  • In other instances, the malicious code uses the credentials of the compromised user/machine and only writes to those shares the user has privileges on
  • The machine is rebooted via a scheduled task
  • Ransom messages are presented on screen.

JASK technology already has the capability to detect this type of ransomware attack, as this version uses methods similar to WannaCry. JASK can also detect malicious file downloads and unusual SMB share access. This attack is more targeted than WannaCry and seems to specifically target infrastructure companies. The code is also more versatile than WannaCry, as it checks for EternalBlue or spreads via the SMB rights of the compromised user.

Mitigations:

US-Cert Ransomware prevention/mitigation info

US-Cert Petya bulletin

Petya IOCs & Yara Rules

IBM X-Force Snort signatures

JASK Eternal Blue & WannaCry detection

WannaCry Ransomware spreading leveraging MS17-010

The ransomware strain "Wanna Decryptor 2.0", aka "WannaCry", is currently on a devastating run, reportedly taking several NHS hospital networks in the United Kingdom offline, while other major organizations in Europe are reporting ransomware infections as well.

The JASK Labs team's initial research shows the actors have repurposed the recently leaked (by ShadowBrokers) zero-day vulnerability MS17-010 in the Microsoft SMB protocol. Remember that this vulnerability originated as a purportedly leaked NSA offensive tool, "EternalBlue", and has now been completely weaponized by criminal malware gangs for ransomware campaigns.

Here is a Youtube video displaying the WannaCry ransomware in action:

https://m.youtube.com/watch?feature=youtu.be&v=T062Ke10jpY

If you recall from our earlier blog post, we did a fairly extensive run-down on EternalBlue and already offered coverage in our product for MS17-010 back when those details first emerged. Beginning today, JASK has added coverage for WannaCry in JASK Trident. ***UPDATE: WannaCry is also installing the DoublePulsar backdoor as it spreads.***

So if you're wondering how WannaCry is getting into your network and exactly how it is using EternalBlue, see the following detailed breakdown:

  1. The initial attack vector is simple phishing: a first-stage exploit is sent via email, either as an HTML/JS attachment or as a PDF with links to an exploit kit (details coming soon).
  2. The second stage drops WannaCry and an EternalBlue variant, which starts scanning and exploiting systems on the network laterally via the Windows SMB file-sharing protocol. This is dangerous (worm-like behaviour) because if the initial phishing victim is simply a Wi-Fi guest or a home computer connected to the office VPN, it quickly spreads to any vulnerable Windows server or workstation on the network!
  3. Encryption (ransomware) routines aggressively start on any machine compromised by EternalBlue, and hidden command-and-control traffic is stealthily routed through TOR via an onion address. This hides the traffic from typical DNS monitoring of C2 domains.
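The worm-like SMB sweep in step 2, the same behaviour in the NotPetya vector list above, and the SMB scanning indicator in the SSO post's Fig 1 can all be spotted from plain connection logs without a signature: the script below, an added example and not JASK's or IBM X-Force's code, raises an alert when one source reaches many distinct hosts on the SMB ports within a short window. The log format, addresses, threshold and window are constructed assumptions.

```python
"""SMB fan-out detector for worm-like lateral spread (added example).

One infected host probing many neighbours on TCP/445 is the signal. Input is
constructed connection-log lines "<epoch_seconds> <src_ip> <dst_ip> <dst_port>";
hosts that legitimately talk to many SMB servers (backup servers,
vulnerability scanners) go on an allowlist.
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 is a normal client, 10.0.0.23 sweeps its /24
SAMPLE_LOG = "\n".join(
    ["1494587000 10.0.0.5 10.0.0.10 445",
     "1494587003 10.0.0.5 10.0.0.11 445",
     "1494587005 10.0.0.5 10.0.0.10 443"]
    + [f"{1494587100 + i} 10.0.0.23 10.0.0.{50 + i} 445" for i in range(25)]
    + ["1494587200 10.0.0.23 10.0.0.99 445"]   # outside the window, no re-alert
)

SMB_PORTS = {445, 139}


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_smb_fanout(log_text, threshold=20, window=60, allowlist=()):
    """Return [(ts, src, distinct_dst_count)] for each source that reaches
    at least `threshold` distinct SMB destinations within `window` seconds.

    Each source keeps a deque of (ts, dst) events trimmed to the window; an
    alert fires when the threshold is first crossed and the window is then
    cleared so a continuing sweep does not produce an alert per connection.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port not in SMB_PORTS or src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts.append((ts, src, len(distinct)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ts, src, n in detect_smb_fanout(SAMPLE_LOG):
        print(f"{ts}: {src} contacted {n} distinct SMB hosts within 60s")
```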

The good news is that if you use JASK Trident you have TOR detection and EternalBlue detection as default content. We detect TOR using advanced network analysis of metadata, which is a huge upgrade from the typical approach of tracking exit-node IP lists. Our approach is much more accurate and does not require updating; this in itself is a huge benefit that most other security products cannot or do not offer when detecting TOR!

If you are not currently a JASK user, we recommend you leverage the following Snort/Suricata rule made by the IBM X-Force team and watch for the IOCs below related to WannaCry.

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

We also recommend tracking TOR exit-node IPs as threat intel if that's the only viable way you can track TOR on your network; otherwise reach out to our team to get a JASK sensor set up quickly to ensure coverage here.

The following WannaCry network IOCs were observed in AlienVault's OTX community and deployed to all JASK customers running Trident.


If you would like to learn more about WannaCry or JASK, please contact our research team at [email protected]
