Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

In mid-July, researchers at the Swiss Federal Institute of Technology, Zurich, published a study describing a new attack that exploits vulnerabilities (or, if you prefer, features) in modern processors. The attack was dubbed Retbleed, and it derived from Retpoline – a defense method against a certain type of Spectre attack. Essentially, the authors showed that this program-compilation technique – previously thought to be effective protection against the so-called Spectre Variant 2 attack – either works only occasionally or not at all. The research, like all previous work on hardware vulnerabilities in processors, is rather complex. In this article, we will, as usual, try not to dive deep into the maze of relevant scientific papers, but to describe the results in simple words. Let's start with some background information.

What is Spectre v2? Let's talk about branch prediction

More than four years ago, in early 2018, two research papers describing the Spectre and Meltdown vulnerabilities were published. These are hardware vulnerabilities: a potential data theft attack is made possible by the way processors work. Since then, several more variants of Spectre have been discovered. Researchers have found more ways to attack a common class of vulnerabilities; that is, to use the processor's default functionality called branch prediction for the attack.

Branch prediction and speculative execution of instructions help improve processor performance significantly. In any program, execution of further steps often depends on the result of previous calculations. The simplest example is when a user enters a password to access some secret data. If the password is correct, the data is shown to the user. If the password is wrong, the user is prompted to try again. At the level of simple instructions for the CPU, this translates roughly into checking access rights to certain data in the RAM: if the necessary rights are confirmed, access to the data is granted; if not – denied. The processor can perform billions of such operations per second, and while a certain condition is being checked, it's often idle (loosely speaking – waiting for a user to enter a password, or for access rights to be checked).

But what if we have it use this idle time to perform, in advance, the calculations that follow the most probable result of the check? By the time our hypothetical user enters their hypothetical password, the calculation result will be ready, and the user will see their secret data a little faster. But how do you know which part of your code is most likely to be executed? From statistics related to previous executions of similar instructions, of course. If our user (please note, this is a highly theoretical and extremely simplified example) enters the correct password nine times out of 10, we can prepare their secret data in advance. If the password is incorrect, we just discard the results and take a little more time to display an error message.

The authors of the 2018 paper described two variants of the Spectre attack, and Variant 2 (also known as Branch Target Injection) trains a branch predictor so that it performs the instructions we need, such as reading data that the attacker shouldn't have access to. Yes, these calculations are then discarded, but their result (the highly sensitive data) is temporarily stored in the cache – from where it can be stolen. This is an extremely complex attack. Firstly, the attacker has to be able to execute code on the system under attack, albeit without the desired privileges, i.e., without access to sensitive data. For example, a user could be persuaded to open a web page containing a malicious script in their browser. Secondly, the attacker needs software on the target system that includes code suitable for the attack. In the researchers' jargon, this is known as a gadget. The attack code trains the branch prediction system to speculatively execute this gadget. This causes it to access an area of memory inaccessible to the attacker. The secret data is placed in the CPU cache, from where it can be extracted very slowly – no more than tens of bits per second – by side-channel reading.

Let's try to put it even more simply. The processor's built-in branch prediction system doesn't separate instructions from different programs, and a single program can be used to make the processor speculatively execute an instruction it's not supposed to run. Previously, this didn't appear to be a problem, as software cannot directly access data in the processor's cache in any case. But, as it turns out, by reading side channels (which is a very complex mechanism: reconstructing data based only on information about the speed of responses to read requests), the data can be extracted.

Hang on. Spectre was discovered in 2018. Surely they've patched it by now?

It's not that easy with hardware vulnerabilities. First and foremost, even from this simplified description, it's clear that the vulnerability, though definitely hardware-based, requires certain conditions in the software to coincide for it to be exploited. If that's the case, why not just patch the software? That's much easier to do than upgrading hardware. It's also possible to partially fix the vulnerability in the processors through microcode updates. But a definitive solution to the problem can only be found in the release of new processors with modified hardware. Old ones in the meantime remain fully or partially vulnerable.

There's another question that's extremely important in the context of the Retbleed research. What would be the cost of a software or hardware patch? Every single method of closing Spectre reduces performance. For example, the fairly obvious Indirect Branch Restricted Speculation (IBRS) system introduces additional permission checks during speculative code execution and prevents low-privilege programs from accessing highly sensitive data, making a Spectre attack impossible. But with hundreds of thousands or millions of such checks, CPU performance is bound to dip. How far? There's research showing that a diverse set of patches for Spectre in a system led to a performance decrease of up to 25%.

And here comes Retpoline, a relatively simple protection method against Spectre proposed by Google engineers and used during software compilation. As suggested by the authors of the method, replacing some instructions in typical branching situations with others doesn't affect software operability, while it does make a Spectre attack impossible. An important advantage of Retpoline over IBRS and other protection methods is only a slight performance degradation of no more than 5%.

What did the Retbleed study show?

Basically, this fresh research has shown that Retpoline… doesn't work! The return instructions that the Retpoline method relied on could also be exploited in a slightly modified scheme to trick (or maliciously train) the branch predictor. The authors have even recorded a video demonstrating the attack:

Video: A Retbleed attack demo on a Linux-based system.

The video shows how a hashed super-user password is stolen by a program that doesn't have access to such data. Note that the video is highly accelerated: in real time, the password theft on an Intel-based system takes a good hour and a half! The results are summarized in the following table:

Table: Summary list of processors tested for Retbleed attack possibility with Retpoline protection activated. Source.

As the table shows, the not entirely new but still up-to-date AMD Zen 1 and Zen 2 (2017–2019) and Intel's Kaby Lake and Coffee Lake (2016–2017) processors are prone to a Retbleed attack. On the more modern AMD Zen 3 processors, as well as Intel Alder Lake and the earlier 9th generation processors, a Retbleed attack doesn't work. This is also due to the implementation of Enhanced IBRS hardware protection in Intel processors.

Cost of protection

If a Spectre attack is so difficult to perform, why defend against it at all? Indeed, in order to tailor Spectre to a real-world case (with real damage to the victim), many conditions need to be met: being able to execute code on the attacked system, having attack-prone software installed, and reliably pulling data from the cache (with a certain chance of reading with errors). We previously wrote that the most realistic attack was simulated in a Chrome browser where a potential attacker could, for example, extract saved passwords from the RAM. But this was resolved with a simple protection enhancement in the browser itself, just as with any other trivial bug. There's a probability that incremental progress in researching Spectre-like vulnerabilities will someday unexpectedly lead to the possibility of a mass attack on users' computers and servers. But when it comes to truly sensitive data, Spectre must be taken into consideration now.

The most obvious scenario is an attack through hosting and distributed computing providers. A typical virtual server that you can rent for a reasonable sum from a random provider is essentially a program that runs beside other customers' virtual OSs on the same high-powered server. A virtual server subscriber can, by definition, run programs on it, but has no privileges to access its neighbors or the host, i.e., the controlling operating system. The separation of virtual environments and the inability to escape from your virtual space is a key security requirement for such service providers. At the same time, service providers are interested in having as many virtual systems running on the same server as possible without them causing problems for each other. This is the key to the earliest payback on expensive hardware. That said, all Spectre patches (that actually work) reduce performance, and therefore reduce ISP revenue. But providers can't ignore the problem either, because successfully stealing sensitive data doesn't even leave a trace!

So when Retpoline was proposed, many grabbed at it like a lifeline to fight the new scourge. But, by January 2018, there were doubts about how reliable this method of defense was. A discussion on a Linux kernel developers' mailing list shows a number of complaints about Retpoline (the author is unflattering about other methods as well). At the same time, Linus Torvalds, the creator and main custodian of Linux, made clear (in his typical sharp manner) that Retpoline is generally sufficient. The authors of Retbleed call out Torvalds for being judgmental by placing his categorical quote at the beginning of the paper. They also calculated the cost of real-world protection for vulnerable processors that cannot be fixed at the hardware level. Patches in the Linux kernel have resulted in performance drops of up to 39% for Intel processors and 14% for AMD processors.

AMD processors turned out to be vulnerable in their own way, and the researchers discovered a phenomenon they called Phantom JMPs. It turned out that, under certain conditions, it's possible to make a branch prediction system execute an arbitrary instruction even if it's not there in the code under attack. Because of this, the authors had to release a brief one-page addendum to the study. They stipulate, however, that exploiting this vulnerability to do real damage is even more difficult than with traditional Spectre V2.

What now?

For ordinary users, the threat of Spectre attacks remains entirely virtual. Preventive patches from operating-system developers will suffice. In Windows, by the way, effective IBRS protection is enabled by default. New Linux kernel patches will possibly lead to performance degradation, which may be most noticeable in business solutions where computer hardware is squeezed to the limits. The problem is compounded by the fact that there are many Spectre variants. Retbleed could also be considered a separate variant, which works differently on processors from different manufacturers.

AMD and Intel have acknowledged Retbleed as a separate vulnerability and will possibly come up with some hardware solution for it. Corporations will move to new hardware where protective measures are implemented, finding a balance between performance and security. Unfortunately, all software patches have the biggest impact on the performance of relatively old processors. Not only does software become more demanding over time, but there's also this penalty on speculative execution. If you look at the problem from a bird's-eye view, this is nothing new. Developers offer a performance-enhancing solution without thinking about security. Sooner or later (later in this case: speculative execution started in the mid-1990s), it comes back to haunt everyone, and security measures have their cost, but eventually new solutions are found, and the hi-tech industry moves on. The surprise was the discovery of the problem in the hardware: it's not as easy to fix as in software. And this isn't a simple bug, but rather a poor (from the security perspective) approach adopted by the industry many years ago. Let's hope that processor developers come up with new methods for safe and powerful computing before the black swan of an extremely dangerous hardware attack flies over us — one that threatens everyone, is widely known about, and can only be solved by replacing hardware completely.
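As an added, defender-side illustration (not part of the original article): on a Linux host the kernel publishes its own assessment of the Spectre v2 and Retbleed mitigation state under /sys/devices/system/cpu/vulnerabilities/, with one file per vulnerability. The POSIX shell script below reads the spectre_v2 and retbleed entries (the retbleed entry only exists on kernels that carry the July 2022 mitigation) and classifies each status line so an operator can spot hosts that still run without a working mitigation. The status strings are the kernel's own format; the classification function, its labels and the VULN_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the kernel's own
# Spectre v2 / Retbleed mitigation report from sysfs.
# Assumes Linux; the sysfs entries are the kernel's, the labels are ours.

# Override VULN_DIR to point the script at a copy of the files (e.g. for tests).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<status line>" -> ok | at-risk | unknown
# The kernel reports "Not affected", "Mitigated: ..." or "Vulnerable[: ...]".
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigated:"*) echo ok ;;
        "Vulnerable"*)                 echo at-risk ;;
        *)                             echo unknown ;;
    esac
}

# read_status <name> -> the kernel's status line, or "unknown" when the entry
# is absent (a kernel without the Retbleed patches, or a non-Linux system).
read_status() {
    if [ -r "$VULN_DIR/$1" ]; then
        cat "$VULN_DIR/$1"
    else
        echo unknown
    fi
}

# report -> prints one line per vulnerability; returns 1 if any is at-risk,
# so the script can be used as a simple compliance check in a job runner.
report() {
    rc=0
    for v in spectre_v2 retbleed; do
        s=$(read_status "$v")
        c=$(classify_status "$s")
        if [ "$c" = at-risk ]; then
            rc=1
        fi
        printf '%-11s %-8s %s\n' "$v" "$c" "$s"
    done
    return $rc
}

report || echo "at least one mitigation is reported as missing on this host"
```

The "Vulnerable" line can carry details such as the SMT state, which the script keeps verbatim in the third column; "unknown" deliberately does not count as a failure, because a missing retbleed entry tells you the kernel predates the mitigation rather than that the CPU is affected.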


 A Little Sunshine

Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico’s second-largest bank was fake news and harming the bank’s reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.

On August 3, 2022, someone using the alias “Holistic-K1ller” posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico’s second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens.

There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.

But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.

“The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” reads a letter the Breached administrator said they received from Group-IB. “We ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.”

The administrator of Breached is “Pompompurin,” the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Hacker-K1ller’s sales thread because Group-IB was sending emails complaining about it.

“They also attempted to submit DMCA’s against the website,” Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”

Banorte did not respond to requests for comment. Nor did Group-IB. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.

“There has been no violation of our platforms and technological infrastructure,” Banorte said. “The set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.”

That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.

“Is there one person from our community that think sending cease and desist letter to a hackers forum operator is a good idea?,” asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. “Who does it? Instead of helping, they pushed the organization from the hill.”

Kurt Seifried, director of IT for the CloudSecurityAlliance, was similarly perplexed by the response to the Banorte breach.

“If the data wasn’t real….did the bank think a cease and desist would result in the listing being removed?” Seifried wondered on Twitter. “I mean, isn’t selling breach data a worse crime usually than slander or libel? What was their thought process?”

A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).

At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.

It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data — e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And it’s certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.

But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naiveté about how the cybercrime underground works.

 Malware and Vulnerabilities

The gang behind Black Basta has reached a high level of success in a short time through its double extortion techniques and is possibly an offshoot of Conti and REvil. It has claimed responsibility for compromising at least 50 organizations so far.

 Trends, Reports, Analysis

We're creating a potential gateway for a bad actor to exploit every time we create a password that leads to a critical resource, whether that password is meant for an internal or external user.

 Malware and Vulnerabilities

A new phishing campaign was found targeting Indian banking customers via preview domains from the hosting provider Hostinger, which let a site owner view website content before a domain is assigned to it. Texts, emails, and social media were being used to disseminate the campaigns hosted on these phishing domains.

 Identity Theft, Fraud, Scams

Pig butchering engages the victim into what looks like an innocent conversation but is actually in a grooming stage, in which they are prepared to engage in investment-related discussions.

 Breaches and Incidents

Signal’s investigation into the incident concluded that the hacker’s access to Twilio’s internal network either allowed them to see phone numbers linked to a Signal account or revealed the SMS verification code for registering with the service.

 Threat Actors

The criminals make contact with their targets via email; for this, they register new accounts with different consumer email providers, using email addresses or aliases designed to look like a legitimate person.

 Feed

Ubuntu Security Notice 5569-1 - Xiang Li discovered that Unbound incorrectly handled delegation caching. A remote attacker could use this issue to keep rogue domain names resolvable long after they have been revoked.

 Feed

Whitepaper called Race Against the Sandbox - a root cause analysis of a Tianfu Cup bug that used an Ntoskrnl bug to escape the Google Chrome sandbox.

 Feed

Popular end-to-end encrypted messaging service Signal on Monday disclosed the cyberattack aimed at Twilio earlier this month may have exposed the phone numbers of roughly 1,900 users. "For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal," the company said. "All users can rest assured that

 Feed

Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what's suspected to be an espionage operation. Symantec, a division of Broadcom Software, attributed the malicious campaign to a threat actor tracked as Shuckworm, also known as Actinium, Armageddon, Gamaredon, Primitive Bear, and Trident Ursa. The findings have been corroborated 

 Feed

Cybersecurity researchers have detailed a novel attack technique that weaponizes programmable logic controllers (PLCs) to gain an initial foothold in engineering workstations and subsequently move into the operational technology (OT) networks. Dubbed the "Evil PLC" attack by industrial security firm Claroty, the issue impacts engineering workstation software from Rockwell Automation, Schneider

 Feed

UTM (Unified threat management) is thought to be an all-in-one solution for cybersecurity. In general, it is a versatile software or hardware firewall solution integrated with IPS (Intrusion Prevention System) and other security services. A universal gateway allows the user to manage network security with one comprehensive solution, which makes the task much easier. In addition, compared to a

 Feed

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests. The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker SEABORGIUM, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446. "

 Feed

A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors. Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that's akin to an "uninitialized memory read in the CPU itself." "In contrast to transient execution

Aggregator history: Tuesday, August 16, 2022