Lucene search

qualysblogJuan C. PerezQUALYSBLOG:E761CF659F35F9F5C29FB50D76B98C3E
HistoryFeb 16, 2018 - 5:06 p.m.

Hackers Hit the Olympics, While Patch Tuesday and Meltdown / Spectre Keep IT Departments On Edge

Juan C. Perez





This week offered a representative sampling of different corners of the cyber security world: The monthly Patch Tuesday, a brazen attack against the Olympics, new Meltdown and Spectre concerns, and a boost for Intel’s bug bounty program.

Oh, and the gargantuan Equifax data breach may have been even bigger than previously thought.

Winter Olympics hack confirmed

The 2018 Winter Olympics in Pyeongchang, South Korea are in full swing, featuring the world’s best ice skaters, skiers, hockey players and snowboarders, and also attracting, unfortunately, malicious hackers.

Attackers’ goals seem to be to disrupt the games in a variety of ways by interfering with and disabling IT systems.

Officials confirmed that hackers disrupted the opening ceremony by knocking the Winter Olympics’ website offline for 12 hours, which prevented people from printing tickets, and by disabling WiFi service at the stadium.

While the officials were tight-lipped about the nature and source of the attacks, Cisco Talos blogged that it has identified “with moderate confidence” malware samples used by the cyber criminals.

_Part of the opening ceremony of the 2018 Winter Olympics. (Credit: The Voice of America) _

The “Olympic Destroyer” malware, which Cisco Talos described in detail but whose infection vector remains unknown, isn’t designed to steal data but rather “to perform only destructive functionality.”

The malware aims to render infected machines unusable by deleting shadow copies and event logs, and by trying to use Microsoft Windows’ PsExec and WMI to “move through the environment.”

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” reads the blog post.

Not that this came as a surprise, as the games’ leaders and Olympics organizations have been targeted for months by hackers. In fact, the U.S. Computer Emergency Readiness Team (CERT) warned travelers about cyber security risks at the games, and recommended a series of safety tips.

Busy Patch Tuesday

The Patch Tuesday monthly bug fixing extravaganza featured fixes for 55 Microsoft vulnerabilities and for 45 Adobe vulnerabilities. Considering that IT departments have been dealing with the frenzy, glitches, concerns and confusion caused by the Spectre and Meltdown vulnerabilities since early January, these new Microsoft and Adobe patches offer no rest for the weary.

One vulnerability that should be a top priority for patching is CVE-2018-0825, which impacts StructuredQuery in Windows servers and workstations, according to Jimmy Graham, a Product Management Director at Qualys.

“Exploitation of this vulnerability would be through a malicious file and would lead to remote code execution,” Graham wrote in Qualys’ blog.

Microsoft also patched vulnerabilities in Microsoft Outlook which could lead to remote code execution, while most of the others are fixes for the Scripting Engine, which primarily impacts browsers. “These patches should be prioritized on workstation-type devices,” Graham wrote.

Among the Adobe vulnerabilities, the two affecting Flash “should be patched immediately” because they are being actively exploited, Graham recommended.

The Outlook bugs – CVE-2018-0852 and CVE-2018-0850 – got special attention in the press, with ThreatPost labeling them as “nasty,” Computerworld calling them “ominous,” and The Register waxing poetic: “Roses are red, Windows error screens are blue. It’s 2018, and an email can still pwn you.”

Dustin Childs from Zero Day Initiative explained that what makes CVE-2018-0852 uniquely dangerous is that “the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution” even if users don’t actively open the message, launch attachments nor click on links.

Meanwhile, CVE-2018-0850 is even more volatile, according to Childs, because attackers can exploit it by simply sending a maliciously crafted email to a victim. “You read that right – not viewing, not previewing, but upon receipt,” he wrote.

Say it ain’t so, Equifax

Back in September, Equifax shocked the world with its disclosure of a massive breach of sensitive personal information from 145.5 million consumers. In recent days, we got a strong aftershock.

It turns out that in addition to names, Social Security numbers, birth dates, addresses, driver’s license numbers and credit card numbers, the data thieves may have also stolen tax identification numbers, email addresses, phone numbers and additional driver’s license data.

“The fact that hackers accessed even more data shows both the vast amount of information that Equifax holds and the risks at stake for consumers given the level of personal information that has been compromised,” reads The Wall Street Journal’s article.

New ways to exploit Meltdown / Spectre

While Meltdown and Spectre haven’t yet been exploited in real-world attacks, the known methods to abuse them increased this week after researchers created a tool that found new ways to leverage the CPU bugs.

“Our automated synthesis techniques uncovered another variant of each Spectre and Meltdown – SpectrePrime and MeltdownPrime,” the Princeton University and Nvidia researchers wrote in a paper. “While the software fix for our Prime variants is largely the same, these attacks bring to light new considerations when it comes to microarchitectural mitigation.”

In other words, researchers claim the findings shed new light on how to create CPUs that aren’t vulnerable to the Meltdown and Spectre flaws. The implication is that new designs that Intel and other CPU makers say eliminate these vulnerabilities may need to be reworked.

The paper, which is titled “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols,” prompted a variety of reactions, from dire (“Hate to ruin your day, but… Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits”) to optimistic (“Don’t panic about the new ‘Prime’ Meltdown and Spectre CPU exploits”).

Meanwhile, Intel’s initial reaction to the research study was to downplay its conclusions, telling The Register that existing hardware mitigations will be “effective against the methods described in that report.”

Qualys has been on top of the Meltdown / Spectre issue from the very start, dispensing advice and insight publicly in blog posts, news articles and webcasts, as the industry scrambles to deal with these vulnerabilities, which affect most Intel CPUs released in the past 20 years, as well as a smaller quantity of ARM and AMD CPUs.

Meltdown (CVE-2017-5754) provides access to all physical memory, including kernel memory, via a user mode, ring 3 process, so that “any process running in the system can access all the contents of physical memory,” Qualys Product Management Director Jimmy Graham said recently during a webcast.

Attackers could steal passwords, grab private keys and do whatever necessary to escalate their system privileges to administrator levels. “Anything that can be stored in memory can be accessed through Meltdown,” Graham said.

Meanwhile, Spectre (CVE-2017-5753, CVE-2017-5715) impacts Intel, AMD, and ARM CPUs by abusing branch prediction and speculative execution, resulting in data leakage from compromised processes.

Intel beefs up bug bounty program

And in related news, Intel is trying to make its bug bounty program more attractive for security researchers. Rick Echevarria, Intel’s VP and GM of Platform Security, outlined in a blog post three changes in the program:

  • Making it open to all security researchers. Until now, participation was via invitation only.
  • Launching a program focused on side channel vulnerabilities – such as Meltdown and Spectre – with disclosure awards of up to $250,000.
  • Raising bounty awards across the board, with awards of up to $100,000 for other areas.

“We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data,” he wrote.

Or as the Mercury News put it: “Intel is hoping the spectre of more bounties might lead to fewer meltdowns in the area of semiconductor security.”


In other InfoSec news …