PlunderVolt: A new Vulnerability found in Intel Processors

PlunderVolt: A new Vulnerability found in Intel Processors

Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs.

It was reported by three academics from three different universities across Europe that a new attack was re that affects the integrity of data stored in the highly-secured area of Intel CPUs called the Intel SGX.  The attack exploits an interface which is in charge of controlling the voltage regulation of the Intel processor, this interface is something that many gamers will recognize as it is the same one that is used to overclock their CPUs.  The attack is aptly named, Plundervolt.

How it works

Plundervolt only targets Intel Software Guard eXtensions (SGX). The Intel SGX, for those unfamiliar with it, is a powerful security feature that is found on all modern Intel CPUs that keeps very sensitive data for applications to ensure that other applications are unable to access it.

By using the CPU’s energy management interface, it is able cause some changes in the SGX data just by altering the electrical voltage and frequency of the SGX memory cells. This causes bugs and faults appear within the data and operations which SGX handles.  Meaning, instead of destroying, Plundervolt sabotages output to weaken the encryption of SGX and even cause errors within apps that might have not been there before to exploit and steal data.

However, unlike other attacks, Plundervolt cannot be exploited remotely like luring users into a website and then being able to execute the attack.  Plundervolt needs to run from an app of an infected hosts with root or admin privileges.  So getting a successful attack may be harder compared to other attacks but once they are able to get in your system, they will be able to exploit your system much faster than most other attacks.

What Intel CPUs are infected and where can we get a fix?

According to Intel, the following CPU series are vulnerable to Plundervolt attacks:

Intel® 6th, 7th, 8 th, 9th & 10th generation CoreTM processors

Intel® Xeon® Processor E3 v5 & v6

Intel® Xeon® Processor E-2100 & E-2200 families

Plundervolt is nothing that end-users should worry about. It’s an attack vector that is of little interest for malware authors since it’s hard to automate at scale. It is, however, an attack vector that could be weaponized in targeted attacks, against specially selected targets. If Plundervolt is a serious threat depends on each user’s threat matrix.

For those who are looking for the update to fix this vulnerability, you may refer to the microcode and BIOS update here.

For any inquiries with regards to this vulnerability or any other security questions, you may call us at 8893-9515 and we would be happy to help you!

Malware VPNFilter is on the Rise as Infected Routers Increase

Malware VPNFilter is on the Rise as Infected Routers Increase

On May 24, a report was published by security researchers upon the discovery of a group who had infected more than 500,000 home and small-enterprise routers in at least 54 countries with their malware VPNFilter.  This malware can attack, collect research, steal key credentials, monitor SCADA protocols, and install a kill command to destroy your device via your infected router.  These attacks have been happening since 2016, however there has been a spike in infections in recent weeks, mostly in Ukraine.  This has prompted the researchers to publish their report early due to its high threat and vulnerability level to the identified systems involved.

From observations from the researchers, they’ve noticed that VPNFilter’s infection goes through 3 stages:

Stage 1

Infected router enables the deployment and spread of the malware by locating target servers with downloadable images from Photobucket.com, extracting an IP address, and recognize several types of CPU architectures running on Busybox and Linux-based firmware. Redundant command and control mechanisms identify and adapt, such that if the Photobucket download fails, Stage 1 will download from ToKnowAll.com. It also listens for a trigger packet from the attackers, checking for the IP from api.ipify.org and stores it for later use. In this stage, the core malware code survives in infected systems even when rebooted.

Stage 2

It deploys intelligence collection such as file collection, command execution, device management and data exfiltration. It also deploys self-destruct capabilities. It can assess the network value the server holds, especially if the system holds potential interest to the threat actors. The actors can then decide if they can use the network to continue gathering data or use the system to propagate through the connections. The self-destruct function in this stage overwrites critical portions of the device for a reboot directive, destroying the firmware once attackers trigger the built-in kill command and leaving the device unrecoverable.

Stage 3

This stage contains modules that act as plugins for Stage 2. One packet acts as a sniffer for collecting data and intercepting traffic, such as website credentials theft and Modbus SCADA protocols, while another plugin allows for automated communication to ToR. Other plugins that have yet to be identified were observed to be included in this stage.

According to the researchers, you should take the following steps to help protect your systems from VPNFilter:

  • Reset your routers to restore its factory default settings. Rebooting stops Stages 2 and 3 from running on infected devices, at least until Stage 1 reinstalls both processes
  • Update the router’s firmware immediately once the manufacturers release the patch

For Trend Micro Smart Home Network users, you can be assured protection from this threat with the following rules implemented:

  • 1054456 WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
  • 1054457 WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
  • 1055170 EXPLOIT Generic Arbitrary Command Execution -1
  • 1056614 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -1 (BID-57760)
  • 1058664 WEB Cisco Linksys E1500 and E2500 Router Directory Traversal Vulnerability (BID-57760)
  • 1058665 WEB Cisco Linksys E1500 and E2500 Router Password Change Vulnerability (BID-57760)
  • 1058980 WEB Cross-site Scripting -14
  • 1059209 WEB Cisco Linksys E1500 and E2500 Router OS Command Injection Vulnerability (BID-57760)
  • 1059253 WEB Netgear DGN1000 And Netgear DGN2200 Security Bypass Vulnerability (BID-60281)
  • 1059264 WEB QNAP VioStor NVR and QNAP NAS Remote Code Execution Vulnerability (CVE-2013-0143)
  • 1059672 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -2 (BID-57760)
  • 1132723 WEB GD Library libgd gd_gd2.c Heap Buffer Overflow -1 (CVE-2016-3074)
  • 1133310 WEB Netgear R7000 Command Injection -1.1 (CVE-2016-6277)
  • 1133463 SSDP Simple Service Discovery Protocol Reflection Denial of Service Vulnerability
  • 1133464 WEB Netgear WNDR1000v4 Router Remote Authentication Bypass
  • 1133572 WEB Shell Spawning Attempt via telnetd -1.b
  • 1133802 WEB Netgear NETGEAR DGN2200 dnslookup.cgi Remote Command Injection (CVE-2017-6334)
  • 1133908 EXPLOIT QNAP Transcode Server Command Execution
  • 1134566 NETBIOS MikroTik RouterOS SMB Buffer Overflow -1 (CVE-2018-7445)
  • 1134567 NETBIOS MikroTik RouterOS SMB Buffer Overflow -2 (CVE-2018-7445)

If you have further inquiries on the above malware, you may contact us at 893-9515 and we will be happy to answer them!

Cryptomalware attacks become more prevalent with the increased popularity of Cryptocurrency

Cryptomalware attacks become more prevalent with the increased popularity of Cryptocurrency

Cyptocurrency has been a hot topic over the last year, you may have heard plenty of people investing in this currency (such as BitCoin) hoping to strike it rich as its value has been highly volatile.  As revolutionary of an idea as it is for the market, there also those who wish to profit through this new-found trend by using unscrupulous means as well.  This is apparent with the introduction of a new type of malware which specifically targets such users whom use cryptocurrency, cryptomalware.

Just like how there is variety with ordinary malware, cryptomalware comes in different forms as well, ranging from client-side web scripts to mobile applications.  As of now, the usual modus operandi of cryptomalware are to target your computer to use its computing power to mine currency or to directly steal currency by intercepting your purchases by rerouting your payments to the criminal’s wallets instead.  Even IoT devices are now being targeted by these hackers in a way to expand their operations, knowing that the computing power of these devices are not as powerful as servers or laptops.

Cryptocurrency mining unlike many other malicious malware actively uses your computer for its computational resources to mine cryptocurrency.  This process puts a great strain on infected device and could cause its lifespan to significantly decrease.  A recent study from Trend Micro found that the most detected home event was cryptocurrency mining, showing that this is becoming more prevalent now even in the average consumers home.  To help mitigate the threat, below are a few tips on what you can do to lessen your chances on getting infected:

  • Regularly update devices with their latest firmware to prevent attackers from taking advantage of vulnerabilities to get into systems.
  • Change devices’ default credentials to avoid unauthorized access.
  • Employ intrusion detection and prevention systems to deter malicious attempts.
  • Be wary of known attack vectors, such as socially engineered links, attachments, and files from suspicious websites, dubious third-party applications, and unsolicited emails.

For increased security against these threats, you may also want to consider getting a proactive security such as Trend Micro™ XGen™ security.  With high-fidelity machine learning that can secure the gateway and endpoint, and protect physical, virtual, and cloud workloads, it will give you that second layer of defense to help secure your endpoint from threats like cryptomalware.

To learn more about cryptomalware  you may check this link or you may contact us directly at 893-9515 and we will do our best to answer your inquiries.

Cryptocurrency Malware CoinHive becomes the 6th most common Malware

Cryptocurrency Malware CoinHive becomes the 6th most common Malware

CoinHive, the cryptocurrency miner that made the news in September when it was discovered that the EITest campaign was using it to trick victims into paying for their services or handing out financial data via tech support scams.  However, a new report from coindesk.com reveals that the malware is becoming more widespread as it reaches 6th place on the list of most common malware in the world.

CoinHive works by providing website owners and operators a Javascript code that they can embed into their site. What this code does is that it covertly uses the website visitor’s processing power to mine the Monero cryptocurrency. This give both sides mutual benefits, as CoinHive keeps a portion of the mined amount, while the website owner keeps the rest. Unfortunately for website visitors, they won’t know that their processor is being used without their knowledge. While Coinhive itself is a legitimate company, its rather dubious method of operation often lends itself to abuse by malicious threat actors.

While Cryptomining malware is still not as well known as other malware like ransomware, the report from Coindesk is alarming as it shows that this threat is growing fast.   Stealthy and non-intrusive are attributes of cryptocurrency mining that might be helping in its rapid growth.  Decreased performance and latency caused by the cryptocurrency malware are annoying but can be hard to pinpoint to them as the cause.  Also, with multiple infected systems, the miner essentially gains more and more personal miners for himself without the computer owners knowledge.

Defending against CoinHive

Users who want to prevent CoinHive from using their resources may do the following:

  • Block Javascript-based applications from running on their browsers
  • Implementation of best practices to avoid engineered schemes such as the EITest campaign
  • Regularly update and patch your software (especially on your browsers)

Users should also look into effective security solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security, which protect end users and businesses from threats by detecting and blocking malicious files and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring and application control that minimize the impact of this cryptocurrency miners and other threats.

Learn more about Trend from our Product page or contact us at 893-9515!

An Advisory from CT Link Systems, Inc. for WannaCry Ransomware Attacks

An Advisory from CT Link Systems, Inc. for WannaCry Ransomware Attacks

You may have heard over the weekend of the recent attacks of ransomware called WannaCry, which has targeted almost 200,000 computers across 150 countries.  While a killswitch has been found to help lessen the spread of WannaCry, many still believe that a new strain of WannaCry will soon come out which will bypass this quick fix.

Microsoft has released its statement on this issue while also providing its customers the solution to prevent the malicious software from affecting you, installing the security update MS17-010  and more recently they released security patches for older operating systems such as XP which can be found on this link.  However, for those of our current Trend Micro users who cannot update their patches as soon as possible we have work arounds in which you can do in the meantime.  Below are the products of Trend Micro that can be used to prevent the attacks (please make sure to follow the correct patch or pattern for the product):

For our clients who are not using Trend Micro, we strongly urge you to patch your Windows with MS17-010 (for versions such as XP please refer to this link).  For any questions or inquiries you have with regards to ransomware or how you can protect you system, please contact us at 893 9515 and we will be happy to help!