Zombie CPU leaking your data!
Now you guys are probably familiar with the Spectre and Meltdown vulnerabilities that plagued processors recently, but according to an article by thehackernews.com called “New Class of CPU Flaws Affect Almost Every Intel Processor Since 2011”, a new set of vulnerabilities affecting Intel processors was discovered by academic researchers. These attacks are being called Microarchitectural Data Sampling (MDS) attacks because they leak data from buffers (small storage areas) inside the processor. Currently three named attacks exist, FALLOUT, ZOMBIELOAD, and RIDL, plus a second RIDL-style attack.
The CVEs are:
CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS)(Fallout)
CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS) (RIDL)
CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS) (Zombieload)
CVE-2019-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (RIDL)
The vulnerabilities can be exploited on PCs and in cloud environments. They allow an attacker to leak info such as browser history, disk encryption keys, and passwords. It’s also very difficult to detect whether the attacks have been executed, because no logs or other evidence are readily available. Currently only Intel processors are affected, and multiple vendors including Microsoft, Apple, Linux, Google, and Amazon have either patched or applied mitigations against these attacks.
Essentially, the vulnerability abuses the way an Intel processor shares internal memory between different cores of the processor. That sharing and loading of memory lets a sibling process read the leaked data. This is a very simplified explanation, and if you are interested in learning more I would highly recommend looking up the websites for the vulnerabilities at https://zombieloadattack.com and https://mdsattacks.com for more insight on the vulnerabilities themselves.
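Since the story says vendors have shipped mitigations, the practical question for anyone running Linux is whether their own box actually has them. The kernel reports MDS status in the sysfs file /sys/devices/system/cpu/vulnerabilities/mds, and the little C program below (an example I added for this write-up, not code from the article or from the researchers) reads that file and classifies the line. The example strings in the comments are constructed from the formats the kernel emits; the classification rule is my own.

```c
#include <stdio.h>
#include <string.h>

/* Real Linux sysfs path (kernel 5.1 and later) where MDS status is reported. */
#define MDS_SYSFS "/sys/devices/system/cpu/vulnerabilities/mds"

enum mds_state { MDS_UNKNOWN = 0, MDS_NOT_AFFECTED, MDS_MITIGATED, MDS_VULNERABLE };

/* Classify one status line by its leading keyword. Constructed examples of the
 * kind of line the kernel writes:
 *   "Not affected"
 *   "Mitigation: Clear CPU buffers; SMT vulnerable"
 *   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" */
enum mds_state classify_mds(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return MDS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MDS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MDS_VULNERABLE;
    return MDS_UNKNOWN;
}

/* Even a "Mitigation:" line can carry an "SMT vulnerable" suffix, meaning a
 * sibling hyperthread still shares the buffers. Flag that for a second look. */
int mds_smt_exposed(const char *line) {
    return strstr(line, "SMT vulnerable") != NULL;
}

static const char *state_name(enum mds_state s) {
    switch (s) {
    case MDS_NOT_AFFECTED: return "not affected";
    case MDS_MITIGATED:    return "mitigated";
    case MDS_VULNERABLE:   return "VULNERABLE";
    default:               return "unknown";
    }
}

int main(void) {
    char line[256] = {0};
    FILE *f = fopen(MDS_SYSFS, "r");
    if (f == NULL) {
        puts("no MDS report available (not Linux 5.1+, or no permission)");
        return 1;
    }
    if (fgets(line, sizeof line, f) == NULL) { fclose(f); return 1; }
    fclose(f);
    line[strcspn(line, "\n")] = '\0';       /* drop the trailing newline */

    printf("kernel says : %s\n", line);
    printf("status      : %s\n", state_name(classify_mds(line)));
    if (mds_smt_exposed(line))
        puts("note        : SMT sibling threads still exposed; consider disabling SMT");
    return 0;
}
```

Run it as a normal user; if the file is missing you are on an older kernel or a different OS and should check your vendor's advisory instead.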
WhatsApp called you and installed malware!
Moving from processors to apps
Facebook released a security advisory for its WhatsApp messaging platform. Outdated versions of the app are vulnerable to a remote attack. The attack does not require any action on the part of the user, and the latest version of WhatsApp has a patch to mitigate against it.
The attack depends on a buffer overflow in the VoIP (Voice over Internet Protocol) part of the app and uses malformed packets that mimic voice packets. Once the buffer overflow succeeds and the attacker has control, it is possible to install a malicious program to steal info, credentials, or anything else on the device.
For my interested listeners, the vulnerability has been assigned CVE-2019-3568.
As well, for my listeners who are new to buffer overflow attacks: it essentially means writing more data than the program has made space for. When you write past the end of that space you eventually overwrite the part of the program that controls what is executed next, and once an attacker controls what gets executed, they can run their own malicious code.
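To make that concrete, here is a small C example I wrote for this episode (it is not WhatsApp's code, and the packet layout, a declared length followed by payload bytes, is a constructed assumption, not the real VoIP protocol). It shows a decoder that trusts the length a packet claims next to one that checks it against the buffer it actually has, which is the whole difference between an overflow and a rejected packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer that receives one decoded voice frame.
 * The packet format here is constructed for illustration only. */
#define FRAME_MAX 64

/* Vulnerable decoder: trusts the length the packet claims. A malformed packet
 * declaring more than FRAME_MAX bytes makes memcpy write past the end of
 * 'frame' and into whatever sits above it on the stack, including the saved
 * return address that decides what runs next. Shown only to expose the
 * defect; it must never be fed untrusted input. */
int decode_frame_unchecked(const uint8_t *payload, uint32_t declared_len) {
    uint8_t frame[FRAME_MAX];
    memcpy(frame, payload, declared_len);   /* no check against FRAME_MAX */
    return (int)declared_len;
}

/* Hardened decoder: the declared length is validated against the buffer's
 * real capacity before any copy. Oversized or empty packets are rejected with
 * -1 so the caller can drop them, and log them, which is the only detection
 * hook a defender gets for this class of bug. */
int decode_frame_checked(const uint8_t *payload, uint32_t declared_len) {
    uint8_t frame[FRAME_MAX];
    if (payload == NULL || declared_len == 0 || declared_len > FRAME_MAX) {
        return -1;                          /* malformed packet: reject */
    }
    memcpy(frame, payload, declared_len);
    return (int)declared_len;
}

/* Constructed sample packets: one well-formed, one that lies about its size. */
static const uint8_t good_payload[] = "0123456789abcdef";   /* 16 real bytes */
static const uint8_t bad_payload[200] = { 0x41 };            /* claims 200 bytes */

int main(void) {
    printf("well-formed packet -> %d\n", decode_frame_checked(good_payload, 16));
    printf("oversized packet   -> %d\n", decode_frame_checked(bad_payload, 200));
    return 0;
}
```

The checked version is the one a patch would ship: same copy, one extra comparison, and the malformed packet never touches the stack.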
Forbes Magazine now includes malware!
Magazine giant Forbes has been infected with malware that was harvesting payment credentials!
According to a tweet by Bad Packets Report, hackers were able to infect Forbes’ subscription website with credit card skimming malware. When someone entered card numbers, expiration dates, and other credit card details, they would be collected by the malware.
Imagine going to sign up for a subscription and then a few days later and out of nowhere your card is getting charged at either random websites or at a grocery store across the country.
The tweet shows the source code obfuscated to prevent easy readability, and Freenom’s abuse API was used to stop the offending website’s domain name from resolving. The malware also appears to have used websockets to communicate with the malicious server. The threat appears to be cleared, but anyone who signed up for Forbes while the malware was active should replace their credit and/or debit cards as quickly as possible.
Now, some details I would like to cover in addition to the story: Freenom is a free domain registrar. Freenom.com allows users to register a free domain ending in top-level domains like .tk, .ml, .ga, .cf, and .gq, at least when I went to see what was available. As well, for my listeners who are just getting into the tech world, I want to explain how making the domain no longer resolve stopped the threat.
When a request goes out to the Domain Name System, or DNS, it is asking for the IP, i.e. the location, of the server. In this case it appears the attacker was not using a static server address but was relying on DNS so the malware would still find the server if they needed to swap server IPs. Once DNS stopped telling the malware where the server IP was, the malware could no longer send its payload, i.e. the stolen credit cards, to the malicious server.
Developer’s best friend has been attacked.
According to techcrunch.com’s article “After breach, Stack Overflow says some user data exposed”, the user database was not compromised, but privileged web requests were accessed that could return names, emails, or IP addresses for users. Stack Overflow has indicated it will contact those affected by the web requests. Stack Overflow has also said it terminated the attacker’s access and is auditing logs to determine how much the attacker was able to reach.
The attacker was able to exploit a bug in a development tier of stackoverflow.com and elevate their access on the production tier of stackoverflow.com.
It is noted that the Teams, Business, and Enterprise customers of stackoverflow.com are not affected, but I would always advise erring on the side of caution: proactively monitor and follow good security practices.
So guys, there is no 100% hack-proof system or entity. It is a constantly evolving field, but ExploitBrokers will be here to keep you up to date and informed. This has been your host Lauro, and until the next hacker news episode, I’m logging off.