Meltdown Anyone?!

OK….so that is melted cheese…got your attention though. Who doesn’t love melted cheese? Although we can talk about warm cheddar until the cows come home, this post is about the Meltdown and Spectre exploits and their impact on Intel, ARM, and AMD processors.

As per Windows Central – Security researchers have disclosed two new exploits that can be executed against modern processors. Dubbed Meltdown and Spectre, the exploits use similar methods to impact processors from Intel, AMD, and ARM across PCs, mobile devices, and in the cloud. The researchers explain:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

Meltdown, the researchers say, has only been assessed to impact Intel processors. However, the range of potentially affected processors is vast.

“More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”

Spectre, on the other hand, appears to have a much wider reach. According to researchers, nearly every type of device is affected by Spectre; it has been verified to work across Intel, AMD, and ARM processors. Spectre is harder to exploit than Meltdown, but researchers caution that it is also harder to guard against.

Fixes are being released as we speak. Apple has already released “mitigations” for iOS and macOS – https://support.apple.com/en-us/HT208394

Next Chapter in My Career…

Hello all. I have been super excited to post this – just waiting for it to be official. I will be starting with KPMG in their Advisory practice on August 14, 2017. I am looking forward to re-joining such a fabulous company. I am super thankful to Raytheon and Forcepoint for a great 2+ years running Product Security. I have had the opportunity to lead a fabulous team – @GSMcNamara and @peta_bread_, two fabulous human beings and super-smart guys. I will also miss all the great people in engineering at Forcepoint that I have had the opportunity to work with and call friends (way too numerous to list). I am hoping everyone will keep in touch. Forcepoint is a great company focusing on the human side of security and will continue to be successful as they put out new products to protect organizations. For those who want to keep in touch, my personal e-mail is still the same. I am also still on Twitter and LinkedIn using the same handles.

Petya…let us take a breath…

Hello All. So most of you know what is going on in the cyber security world…Petya. If you have no idea what I am talking about, then you may want to read a website or turn on the TV. Petya is a form of malware, more specifically ransomware. Although it has bubbled to the surface a few days ago, it has actually been around since 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS file table and demanding a payment in Bitcoin in order to regain access to the system.

As per Wikipedia, “Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants due to these differences in operation. In addition, although it purports to be ransomware, it is unable to actually revert its changes.”

Some further valuable analysis findings:

Distribution methods

The malware is distributed via phishing e-mails.
For further distribution within the network the malware uses:

  • The MS17-010 vulnerability (as with WannaCry).
  • Remote access to WMI (Windows Management Instrumentation).
  • Command line: process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
  • The malware also uses the «PSEXEC» toolkit or a similar tool (we are currently investigating this, as well as the source of the credentials used to infect remote systems via WMI).

Encryption

  • The malware clears system logs using the following command:
    «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:» to make further analysis more difficult.
  • It also writes its code to the hard drive's MBR, initiates a system reboot and adds reboot commands to the Windows Task Scheduler (via the “schtasks” and “at” commands).
  • After the system reboots, the malware loads its code from the MBR and encrypts data on the hard drive (the file allocation table is encrypted; we are currently investigating what else is being encrypted).
  • If the computer is shut down before the reboot, the MBR can be restored with the “bootrec /FixMbr” command (Vista and later; on Windows XP, “fixmbr” can be used).
  • If the privileges are not high enough to rewrite the MBR, the files are encrypted without a system reboot. The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
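To turn the behaviours listed above into something a defender can hunt for in process-creation telemetry (e.g. Sysmon or 4688 command lines), here is an added Python example that is not part of the original post or of the analysis it summarises. The rule names, the assumed form of the scheduled reboot (a shutdown /r task) and the sample events are my own constructions; the rules cover both the WMI/PsExec distribution stage and the log-clearing and reboot steps, so they go slightly beyond the individual bullets.

```python
import re

# Regexes over process command lines for the behaviours described above.
# Rule names are assumed (mine), not taken from the original analysis.
RULES: dict[str, re.Pattern] = {
    # Remote WMI launch of the payload DLL via rundll32 with ordinal #1
    "wmi_rundll32_perfc": re.compile(
        r"process\s+call\s+create.*rundll32\.exe.*perfc\.dat.*#1", re.I),
    # rundll32 loading perfc.dat, however it was launched (e.g. via PsExec)
    "rundll32_perfc": re.compile(r"rundll32(\.exe)?\s+.*perfc\.dat", re.I),
    # Two or more 'wevtutil cl' chained in one command line (bulk log clearing)
    "wevtutil_mass_clear": re.compile(
        r"wevtutil\s+cl\s+\w+.*&.*wevtutil\s+cl\s+\w+", re.I),
    # USN journal deletion, used to hinder forensics
    "usn_journal_delete": re.compile(r"fsutil\s+usn\s+deletejournal\s+/D", re.I),
    # Reboot scheduled via schtasks or at (assumed form: a shutdown /r task)
    "scheduled_reboot": re.compile(
        r"\b(schtasks|at)\b.*shutdown(\.exe)?\s+/r", re.I),
    # PsExec-style remote execution (psexec.exe or its PSEXESVC service)
    "psexec": re.compile(r"psex(ec|esvc)", re.I),
}

def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def triage(events: list[dict[str, str]]) -> list[dict[str, object]]:
    """Keep only events that hit at least one rule, annotated with the rule names."""
    hits = []
    for ev in events:
        names = match_rules(ev["cmd"])
        if names:
            hits.append({"host": ev["host"], "user": ev["user"], "rules": names})
    return hits

# Constructed sample events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "SVC_ADMIN", "cmd":
     r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'},
    {"host": "ws01", "user": "SVC_ADMIN", "cmd":
     "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & "
     "wevtutil cl Application & fsutil usn deletejournal /D %c:"},
    {"host": "ws01", "user": "SVC_ADMIN", "cmd":
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"host": "ws02", "user": "bob", "cmd": "wevtutil cl Application"},  # single clear: no hit
    {"host": "ws03", "user": "carol", "cmd": r"C:\Windows\System32\notepad.exe report.docx"},
]
HITS = triage(SAMPLE_EVENTS)  # three ws01 events flagged; print(HITS) to inspect
```

A single `wevtutil cl` on an admin workstation is routine and deliberately not flagged; it is the chained clearing of several logs plus the USN journal deletion that marks the anti-forensics step.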

Recommendations

Recommendations that we have pulled together still indicate the same remediation as for WannaCry, namely:

  • Install the required Windows updates (MS17-010): https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Turn off SMB1: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
  • It is also advised to block the execution of the «PSEXEC.EXE» software on potentially compromised machines and to block remote access to WMI.