Meltdown - The mirror in the CPU

A new series of vulnerabilities has been disclosed (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754) affecting the most widely used computer processors and leaving millions of devices exposed to exploitation. They allow a low-privileged user or application to read memory it should not be able to access, including the kernel's memory and the memory of other processes. That memory can hold passwords, keys, documents, pictures and any other data the system is working with. At first these vulnerabilities were thought to affect only Intel, but Spectre has since been confirmed on AMD and ARM processors as well; Meltdown itself is mostly an Intel problem (AMD reports its processors are not affected, and ARM reports that only a subset of its cores are).

Meltdown and Spectre are the two names attached to these vulnerabilities. Meltdown (CVE-2017-5754) breaks the isolation between applications and the operating system: an unprivileged process can read kernel memory, and on operating systems that map all physical memory into the kernel, the memory of any other running process as well. Spectre (CVE-2017-5753 and CVE-2017-5715) breaks the isolation between applications: it trains the processor's branch predictor so that a victim program speculatively executes code that reads memory it should never touch, and the attacker recovers that data through a cache-timing side channel. In neither case does the victim crash or log an error; the illegal access happens in speculative execution that the CPU later discards, but its footprint in the cache remains.

Fig 1.  Meltdown POC

Fig 2. Spectre POC (modified from *)

The proof-of-concept code shows a cache side-channel attack that needs some preparatory steps before data can be extracted: the attacker's code has to run on the target machine, for example by luring a user to a web page carrying the exploit in JavaScript, or by getting a binary onto a server and executing it. That does not reduce the risk much. A malicious actor could simply open an account with a popular cloud provider, run the exploit on the instances they rent, and read other tenants' data leaked through the shared physical memory of the host.
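To make the Spectre half of this concrete, here is an added example (not the POC from the figures above, and not code from the original post) showing the variant 1 gadget beside its hardened form in C. The vulnerable function is the classic bounds-checked array read; the hardened one applies a branchless index mask, the construction Linux uses in array_index_mask_nospec(), so that even a mispredicted branch cannot form an out-of-bounds address. The flush+reload timing side of the attack is not reproduced, and the "secret" string, the array layout and the helper names are constructed for the example.

```c
/* Spectre variant 1: the vulnerable gadget beside its masked form.
 * Added example, not the POC from the page's figures. The cache-timing
 * (flush+reload) half of the attack is deliberately not reproduced; the
 * "secret" string and the array layout are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define STRIDE 512                       /* one probe entry per cache line */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * STRIDE];     /* probe array the attacker later times */
static const char secret[] = "constructed secret";   /* data the attacker wants */
volatile size_t array1_size = ARRAY1_SIZE;   /* volatile: the check is a real memory load */
static uint8_t sink;

/* VULNERABLE (the gadget behind CVE-2017-5753): the bounds check is correct
 * architecturally, but while array1_size is being fetched the CPU may predict
 * the branch as taken and run the body with an attacker-chosen, out-of-bounds x.
 * array2[array1[x] * STRIDE] then pulls one cache line in, and the attacker
 * learns array1[x] by timing which array2 line is hot afterwards. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < array1_size) {
        sink = array2[array1[x] * STRIDE];
        return array1[x];
    }
    return 0;
}

/* All-ones when index < size, zero otherwise, computed with arithmetic rather
 * than a predicted branch (the idea behind Linux's array_index_mask_nospec).
 * For index >= size the subtraction wraps and sets the top bit of the OR. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    __asm__ __volatile__("" : "+r"(index));   /* stop the compiler folding the mask away */
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1;                            /* 0 - 1 wraps to all ones */
}

/* HARDENED: even on a mispredicted path x is forced to 0, so no byte outside
 * array1 can decide which array2 line gets touched. */
uint8_t victim_hardened(size_t x)
{
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);
        sink = array2[array1[x] * STRIDE];
        return array1[x];
    }
    return 0;
}

/* The out-of-bounds index an attacker would pass to reach secret[i]
 * (constructed helper; a real POC computes this the same way). */
size_t leak_index_for(size_t i)
{
    return (size_t)((uintptr_t)secret - (uintptr_t)array1) + i;
}

int main(void)
{
    size_t x = leak_index_for(0);
    printf("index for secret[0]: %zu (in bounds: %s)\n", x,
           index_mask_nospec(x, array1_size) ? "yes" : "no");
    printf("vulnerable -> %u, hardened -> %u\n",
           victim_vulnerable(x), victim_hardened(x));
    return 0;
}
```

Both functions return the same architectural result; the difference is only visible in the cache. The mask costs a few ALU instructions per access, which is why vendors describe these mitigations as having a performance price, and why the fix has to be applied at every such bounds check in kernel and browser code rather than in one place.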

It is also very likely that these vulnerabilities will soon be chained with other exploits, for instance using the memory read to harvest credentials or to defeat address-space randomisation before a second stage, allowing more streamlined memory access.

The biggest implication of these vulnerabilities is the number of devices that may be affected. Since Intel, AMD and ARM account for the large majority of modern processors, applying mitigations everywhere is a very difficult task. Some devices may not be patchable at all (think of embedded processors in cable modems, routers and many other IoT devices). Others can be patched, but the mitigations available as of this writing are workarounds rather than fixes, and those workarounds come at a price: reduced performance and increased latency. Those reductions may be significant enough to discourage some vendors from patching their devices.

The suggested mitigation is to apply the operating system patches (kernel page-table isolation for Meltdown) together with the microcode/firmware and browser updates the vendors have published, since the hardware already deployed is flawed and cannot be changed. Below is a list of detailed technical resources and mitigation information.

US-CERT
Official Intel
Official AMD
Official ARM
Official vulnerability page with technical POC and research information
Google Chrome
Official Microsoft
Google Project Zero

WannaCry Ransomware spreading leveraging MS17-010

The ransomware strain "Wanna Decryptor 2.0", aka "WannaCry", is currently on a devastating run, reportedly taking several NHS hospital networks in the United Kingdom offline, while other major organizations across Europe are reporting infections as well.

The JASK Labs team's initial research shows the actors have repurposed the recently leaked (ShadowBrokers) "EternalBlue" exploit for the Microsoft SMBv1 vulnerability addressed in MS17-010. Remember that this exploit originated as a purportedly leaked NSA offensive tool; it has now been completely weaponized by criminal malware gangs for ransomware campaigns.

Here is a YouTube video showing the WannaCry ransomware in action:

If you recall from our earlier blog post, we did a fairly extensive run-down on EternalBlue and already offered coverage in our product for MS17-010 back when those details first emerged. Beginning today, JASK has added coverage for WannaCry in JASK Trident. ***UPDATE: WannaCry is also installing the DoublePulsar backdoor as it spreads.***

So if you're wondering how WannaCry is getting into your network and how exactly it is using EternalBlue, see the following breakdown:

  1. The initial attack vector is phishing: a first-stage exploit is sent by email, either as an HTML/JS attachment or as a PDF linking to an exploit kit (details coming soon).
  2. The second stage drops WannaCry together with an EternalBlue variant, which starts scanning for and exploiting other systems on the network over the Windows SMB file-sharing protocol. This is what makes it dangerous (worm-like behaviour): even if the initial phishing victim is only a Wi-Fi guest or a home computer connected to the office VPN, it quickly spreads to any vulnerable Windows server or workstation reachable on TCP port 445.
  3. Encryption (the ransomware payload) starts aggressively on every machine compromised through EternalBlue, and command-and-control traffic is routed through Tor to an .onion address. That hides the traffic from typical DNS-based monitoring for C2 domains, so the Tor connection itself is what you have to detect.

The good news is that if you use JASK Trident you have Tor detection and EternalBlue detection as default content. We detect Tor through network metadata analysis, which is a significant upgrade over the typical approach of tracking exit-node IP lists: it is more accurate and does not need updating, something most other security products cannot or do not offer for Tor detection.

If you are not currently a JASK user, we recommend deploying the following Snort/Suricata rule (an Emerging Threats signature, sid 2024218, shared by the IBM X-Force team) and watching for the WannaCry IOCs below. The rule matches the server's SMB Echo response to the exploit's Echo request: a 0x31-byte NetBIOS message carrying SMB command 0x2b (Echo) with a success status and the reply flag set, followed by the marker string "JlJmIhClBsr" that EternalBlue places in the echo data. Note the flowbits:isset condition: the rule only fires if the companion rule that sets ETPRO.ETERNALBLUE on the request side is also loaded, so deploy the pair, not this rule alone.

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
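For readers who want to see what the rule above is actually keying on, or who need the same check somewhere Suricata does not run, here is an added Python rendition of it. This is example code written for this post, not the Emerging Threats rule itself and not JASK product code. It parses the NetBIOS session header and SMB1 header from the raw TCP payload rather than matching fixed offsets, so it also catches an Echo response whose total length is not exactly 0x31 (the literal rule is reproduced too, in matches_rule_bytes). The sample messages are constructed inline, not captured traffic; the Flow class stands in for the Suricata flowbit, and the assumption that the companion rule keys on the client's Echo request carrying the same marker is ours, since that rule is not shown here.

```python
"""Detection logic for the EternalBlue SMB Echo response (added example).

Not code from the original post or from Emerging Threats. Rather than matching
fixed byte offsets, it parses the NetBIOS session header and SMB1 header from the
raw TCP payload, so it also catches an Echo response whose total length is not
exactly 0x31. The sample messages are constructed here, not captured traffic, and
the assumption that the companion flowbit rule keys on the client's Echo request
carrying the same marker is ours; that rule is not shown on the page.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_ECHO = 0x2B
FLAGS_REPLY = 0x80
# 4a 6c 4a 6d 49 68 43 6c 42 73 72 00 in the rule: the Echo payload EternalBlue
# sends, which any reachable SMBv1 server echoes straight back.
ETERNALBLUE_ECHO_DATA = b"JlJmIhClBsr\x00"
# The rule's first content match: NetBIOS length 0x31, SMB magic, command 0x2b
# (Echo), NT status 0 (success), Flags 0x98 (reply), Flags2 0xc007.
RULE_PREFIX = bytes.fromhex("00000031ff534d422b000000009807c0")


def matches_rule_bytes(payload):
    """Literal rendition of the rule: prefix within depth 16, marker anywhere after."""
    start = payload.find(RULE_PREFIX, 0, 16)
    return start >= 0 and payload.find(ETERNALBLUE_ECHO_DATA, start + len(RULE_PREFIX)) >= 0


def parse_smb1(payload):
    """Return SMB1 header fields of a NetBIOS session message, or None if malformed."""
    if len(payload) < 36 or payload[0] != 0x00:             # 0x00 = session message
        return None
    nb_len = int.from_bytes(payload[1:4], "big")
    if payload[4:8] != SMB_MAGIC or len(payload) < 4 + nb_len:
        return None
    return {
        "command": payload[8],
        "status": struct.unpack_from("<I", payload, 9)[0],
        "flags": payload[13],
        "flags2": struct.unpack_from("<H", payload, 14)[0],
        "body": payload[36:4 + nb_len],                      # WordCount onwards
    }


def echo_data(hdr):
    """Data field of an SMB_COM_ECHO body: WordCount=1, one word, ByteCount, Data."""
    body = hdr["body"]
    if len(body) < 5 or body[0] != 1:
        return None
    byte_count = struct.unpack_from("<H", body, 3)[0]
    return body[5:5 + byte_count]


class Flow:
    """Per-connection state standing in for the Suricata flowbit."""
    def __init__(self):
        self.eternalblue_flowbit = False


def inspect(flow, payload, from_server):
    """Classify one SMB message on a flow.

    Returns "eternalblue_echo_request" when the client side sets the flowbit,
    "eternalblue_echo_response" when the response rule would fire, else None.
    """
    hdr = parse_smb1(payload)
    if hdr is None or hdr["command"] != SMB_COM_ECHO:
        return None
    data = echo_data(hdr)
    if data is None or ETERNALBLUE_ECHO_DATA not in data:
        return None
    is_reply = bool(hdr["flags"] & FLAGS_REPLY)
    if not from_server and not is_reply:
        flow.eternalblue_flowbit = True                      # flowbits:set
        return "eternalblue_echo_request"
    if from_server and is_reply and hdr["status"] == 0 and flow.eternalblue_flowbit:
        return "eternalblue_echo_response"                   # flowbits:isset
    return None


def build_smb_echo(data, reply):
    """Construct a minimal SMB_COM_ECHO message (sample input, not captured)."""
    flags = 0x98 if reply else 0x18
    hdr = (SMB_MAGIC + bytes([SMB_COM_ECHO]) + struct.pack("<I", 0)
           + bytes([flags]) + struct.pack("<H", 0xC007)
           + b"\x00" * 12                                    # PIDHigh, signature, reserved
           + struct.pack("<HHHH", 0, 0xFEFF, 0, 0x40))       # TID, PID, UID, MID
    body = b"\x01" + struct.pack("<HH", 1, len(data)) + data  # WordCount, EchoCount, ByteCount, Data
    msg = hdr + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    flow = Flow()
    request = build_smb_echo(ETERNALBLUE_ECHO_DATA, reply=False)
    response = build_smb_echo(ETERNALBLUE_ECHO_DATA, reply=True)
    print(inspect(flow, request, from_server=False))
    print(inspect(flow, response, from_server=True), matches_rule_bytes(response))
```

The constructed response comes out at exactly 0x31 bytes (32-byte SMB header, WordCount, one word, ByteCount and the 12-byte marker), which is why the rule can hard-code that length. The parsed version is the one to prefer in your own tooling: a single extra byte in the echo data defeats the literal match but not the header-based check.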

We also recommend tracking Tor exit-node IPs as threat intelligence if that is the only viable way you can track Tor on your network; otherwise reach out to our team to get a JASK sensor set up quickly and ensure coverage here.

The following WannaCry network IOCs were observed in AlienVault's OTX community and deployed to all JASK customers running Trident.

If you would like to learn more about WannaCry or JASK, please contact our research team [email protected]


Hadoop New Core SOC

Security teams are increasingly frustrated with legacy solutions that were not designed for the data volumes they face today. Threat hunting and incident investigations are hindered by searches that take too long to run or simply time out. When a search does finally complete, we often discover that critical data is missing because it was deliberately excluded, either because of the cost of indexing it or the cost of long-term storage, which leaves an incomplete picture.

To begin solving the problem, Hadoop is the first logical choice: it is free, scalable and fast. Once Hadoop is in place, an interesting shift occurs inside the SOC: suddenly there is demand to get more data in, to extend access to more users, and of course to keep that data safe and secure. These are good problems to have; you just need the right approach to ensure that Hadoop never becomes another isolated data silo with limited data.

At JASK, we believe Hadoop is the new core of the SOC for the same fundamental reasons. We leverage Cloudera's Hadoop distribution to enable security teams to capture, store, process and drive value from security data at massive scale, while providing everything your organization needs to keep that data safe and secure and to meet compliance requirements.