Tag Archives: attacks

WannaMine cryptojacker targets unpatched EternalBlue flaw

New research detailed successful cryptojacking attacks by WannaMine malware after almost a year of warnings about this specific cryptominer and more than a year and a half of warnings about the EternalBlue exploit.

The Cybereason Nocturnus research team and Amit Serper, head of security research for the Boston-based cybersecurity company, discovered a new outbreak of the WannaMine cryptojacker, which the researchers said gains access to computer systems “through an unpatched [Server Message Block, or SMB] service and gains code execution with high privileges” to spread to more systems.

Serper noted in a blog post that neither WannaMine nor the EternalBlue exploit are new, but they are still taking advantage of those unpatched SMB services, even though Microsoft patched against EternalBlue in March 2017.

“Until organizations patch and update their computers, they’ll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns,” Serper wrote in the blog post. “Part of giving the defenders an advantage means making the attacker’s job more difficult by taking steps to boost an organization’s security. Patching vulnerabilities, especially the ones associated with EternalBlue, falls into this category.”

The EternalBlue exploit was famously part of the Shadow Brokers dump of National Security Agency cyberweapons in April 2017; less than one month later, the WannaCry ransomware was sweeping the globe and infecting unpatched systems. However, that was only the beginning for EternalBlue.

EternalBlue was bolted onto other ransomware, such as GandCrab, to help it spread faster, and it was the lateral-movement engine of the NotPetya (Petya) outbreak in June 2017. Through it all there were constant warnings for IT to patch vulnerable systems.

WannaMine was first spotted in October 2017 by Panda Security. And in January 2018, Sophos warned users that WannaMine was still active and preying on unpatched systems. According to researchers at ESET, the EternalBlue exploit saw a spike in use in April 2018.

Jake Williams, founder and CEO of Rendition Infosec, based in Augusta, Ga., said there are many ways threat actors may use EternalBlue in attacks.

“It is fair to say that any unpatched system with SMB exposed to the internet has been compromised repeatedly and is definitely infected with one or more forms of malware,” Williams wrote via Twitter direct message. “Cryptojackers are certainly one risk for these systems. These systems don’t have much power for crypto-mining (most lack dedicated GPUs), but when compromised en-masse they can generate some profit for the attacker. More concerning in some cases are the use of these systems for malware command and control servers and launching points for other attacks.”

2018 Pwnie Awards cast light and shade on infosec winners

The Meltdown and Spectre side-channel attacks, which exploit speculative execution in most major processors, took the top spot in two of the three Pwnie Award categories in which they were nominated, Best Privilege Escalation Bug and Most Innovative Research, but missed out on the prize for Most Overhyped Bug.

The Pwnie Awards, a longtime staple of the Black Hat security conference, are often compared to the Academy Awards, but with spray-painted pony statues, fewer movie stars and more questionable prizes for things like Lamest Vendor Response and Most Overhyped Bug.

This year, the Pwnie Award for Most Innovative Research went to the researchers who discovered the Meltdown and Spectre design flaws. That prize goes to “the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post,” according to the Pwnie Awards website. The Pwnie Awards website described Meltdown and Spectre in its nomination for most overhyped bug:

Meltdown and Spectre were vulnerabilities in the way branch prediction worked which would allow attackers the ability to read memory. It was pretty awesome and affected most systems. But at some point, they [sic] hype train jumped the tracks a bit. The normally extremely accurate Fox News called it the worst computer bug in history. One of the researchers who discovered it agreed, calling it ‘probably one of the worst CPU bugs ever found.’ Bloomberg agreed, the Verge said it was a catastrophe.

Meltdown and Spectre also got the Pwnie Award for Best Privilege Escalation Bug — a nod toward the seriousness of the flaws, given how unusual it is for a research team to win in more than one category.

Also worthy of honor

Other Pwnie Awards honored more of the best of security research from the past year, including the following:

  • The Pwnie for Best Server-Side Bug went to the Intel Active Management Technology (AMT) remote vulnerability, a flaw that enabled an exploit able to bypass endpoint protections, including the Windows firewall, because AMT handles network traffic below the operating system.
  • The Pwnie for Best Client-Side Bug went to researchers Georgi Geshev and Rob Miller, who built an exploit chain against Android that used 11 bugs in six different applications and was referred to by the Pwnie Awards as “The 12 Logic Bug Gifts of Christmas.”
  • Pwnie for Best Cryptographic Attack went to researchers Hanno Böck, Juraj Somorovsky and Craig Young for their work on the Return Of Bleichenbacher’s Oracle Threat, also known as the ROBOT attack.

The Pwnie Awards initially solicited nominations in 16 categories, but awarded prizes only in the eight categories that received the most nominations, including a Lifetime Achievement Award given to Michal Zalewski, also known as lcamtuf, former director of information security engineering at Google and author of the classic hacker field guide, Silence on the Wire.

Lamest Vendor Response and Most Overhyped Bug

Some of the stiffest competition may have been for the booby prizes.

The competition for overhyped bugs has been fierce recently, as contenders continue to commission websites, logos and social media handles for bugs that might be less than compelling. The nominees for this Pwnie Award honor this year included the Meltdown and Spectre vulnerabilities in microprocessors reported in January, as well as the apparent EFAIL vulnerability in end-to-end encryption technology that turned out to be an issue in email clients.

The winner was a not-quite-tongue-in-cheek parody, Holey Beep, complete with website, logo and tracking assignment as CVE-2018-0492. Beep, a Unix command, “does what you’d expect: it beeps,” according to the description from the Holey Beep website. “Beep allows you to control pitch, duration, and repetitions” of the tone.

But it also can give an attacker root on the target system. “Its job is to live inside shell/perl scripts and allow more granularity than one has otherwise. It is controlled completely through command line options. It’s not supposed to be complex, and it isn’t — but it makes system monitoring (or whatever else it gets hacked into) much more informative. Also it gives you root.”

Meanwhile, Bitfi, maker of the Bitfi Wallet, was the late-entry surprise winner of the Pwnie Award for Lamest Vendor Response. Although the Bitfi situation played out just days before Black Hat, The Register reported it received thousands of nominations after hackers comprehensively cracked the devices and demonstrated numerous security failures in the design. Bitfi backed off its offer of a six-figure bounty to any hacker who could manage to hack it by standing behind a very narrow definition of what constituted a hack — namely, pulling the private key off of a device that doesn’t store the key.

The well-documented hacks came after Bitfi’s executive chairman, John McAfee, extolled the device as “the world’s first unhackable storage for cryptocurrency and digital assets.”

Web cache poisoning attacks demonstrated on major websites, platforms

Major websites and platforms may be vulnerable to simple yet devastating web cache poisoning attacks, which could put millions of users in jeopardy.

James Kettle, head of research at PortSwigger Web Security, Ltd., a cybersecurity tool publisher headquartered near Manchester, U.K., demonstrated several such attacks during his Black Hat 2018 session titled “Practical Web Cache Poisoning: Redefining ‘Unexploitable.’” Kettle first unveiled his web cache poisoning hacks in May, but in the Black Hat session he detailed his techniques and showed how applications that build responses from HTTP request headers the cache does not key on, such as X-Forwarded-Host, allowed him to compromise popular websites and manipulate platforms such as Drupal and Mozilla’s Firefox browser.

“Web cache poisoning is about using caches to save malicious payloads so those payloads get served up to other users,” he said. “Practical web cache poisoning is not theoretical. Every example I use in this entire presentation is based on a real system that I’ve proven can be exploited using this technique.”

As an example, Kettle showed how he was able to use a simple technique to compromise the home page of Linux distributor Red Hat. He created an open source extension for PortSwigger’s Burp Suite called Param Miner, which flags unkeyed inputs: request headers, cookies or parameters that the application reflects in its response but that the cache leaves out of its cache key. Param Miner found such an input on the home page. From there, Kettle set the X-Forwarded-Host header to a value carrying a cross-site scripting payload; the cache stored the resulting response and served that payload to whoever visited the page next. “We just got full control over the home page of RedHat.com, and it wasn’t very difficult,” he said.

In another test case, Kettle used web cache poisoning on the infrastructure for Mozilla’s Firefox Shield, which Mozilla uses to push configuration changes and extension installs to browsers. When the Firefox browser initially loads, it contacts Shield for updates and other information such as “recipes” for installing extensions. While working on a different test case, on a Data.gov site, he noticed requests from Mozilla carrying an “Origin: null” header, and discovered he could manipulate the X-Forwarded-Host header so that instead of going to Firefox Shield to fetch recipes, Firefox would be directed to a domain Kettle controlled.

Kettle found that Mozilla signed the recipes, so he couldn’t simply make a malicious extension and push it to 50 million computers. But the signatures did not stop replay: he could serve an old, validly signed recipe for an extension with a known vulnerability, then exploit that extension, effectively forcing a vulnerable extension onto every Firefox browser that contacted his server.

“The end effect was I could make every Firefox browser on the planet connect to my system to fetch this recipe, which specified what extensions to install,” he said. “So that’s pretty cool because that’s 50 million browsers or something like that.”

Kettle noted in his research that when he informed Mozilla of the technique, they patched it within 24 hours; but, he wrote, “there was some disagreement about the severity so it was only rewarded with a $1,000 bounty.”

Kettle also demonstrated techniques that allowed him to compromise GoodHire.com, blog.Cloudflare.com and several sites that use Drupal’s content management platform. While the web cache poisoning attacks he demonstrated were potentially devastating, Kettle said they could be mitigated with a few simple steps. First, he said, organizations should “cache with caution” and if possible, disable it completely.

However, Kettle acknowledged that may not be realistic for larger enterprises, so in those cases he recommended diligently scanning for unkeyed inputs. “Avoid taking input from HTTP headers and cookies as much as possible,” he said, “and also audit your applications with Param Miner to see if you can find any unkeyed inputs that your framework has snuck in support for.”
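What “unkeyed input” means in practice, and why Param Miner’s cache-buster approach matters, is easier to see in a simulation. The following Python is an added example, not Kettle’s code, PortSwigger’s Param Miner or any site from the talk: a toy shared cache keyed only on host and path sits in front of an origin that builds a URL from X-Forwarded-Host, as several of the sites he compromised did. The host names and the candidate header list are constructed. It shows the poisoning, a probe that detects the unkeyed header without touching the page real users receive, and the two mitigations the session recommended: stop trusting the header at the origin, or make the cache key include it.

```python
from dataclasses import dataclass, field

# Assumed site and attacker host names (constructed, not from the research).
CANONICAL_HOST = "www.example-site.test"
CANDIDATE_HEADERS = ["X-Forwarded-Host", "X-Forwarded-Scheme", "X-Original-URL"]


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def vulnerable_origin(req):
    """Builds an absolute URL from X-Forwarded-Host: the trust-the-header
    pattern behind several of the sites in the talk."""
    host = req.headers.get("X-Forwarded-Host", req.host)
    return f'<script src="//{host}/static/app.js"></script>'


def hardened_origin(req):
    """Never derives anything from the forwarded-host header."""
    return f'<script src="//{CANONICAL_HOST}/static/app.js"></script>'


class Cache:
    """A shared cache in front of an origin. Its key is host + path plus any
    headers listed in keyed_headers; every other header is an unkeyed input."""

    def __init__(self, origin, keyed_headers=()):
        self.origin = origin
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def key(self, req):
        return (req.host, req.path) + tuple(req.headers.get(h, "") for h in self.keyed_headers)

    def get(self, req):
        k = self.key(req)
        if k in self.store:
            return self.store[k], "hit"
        self.store[k] = self.origin(req)
        return self.store[k], "miss"


def poison_and_serve(cache, evil_host="attacker.test"):
    """Attacker primes the cache with a tainted response; a victim who sends
    no special header then fetches the same URL. Returns (poisoned?, status)."""
    cache.get(Request(CANONICAL_HOST, "/", {"X-Forwarded-Host": evil_host}))
    body, status = cache.get(Request(CANONICAL_HOST, "/"))
    return evil_host in body, status


def find_unkeyed_inputs(cache, path, candidates=CANDIDATE_HEADERS):
    """Param Miner style probe. Each candidate header gets its own cache buster
    so the first request reaches the origin; if a canary sent in that header
    shows up in the response AND a second request without the header is served
    the same tainted page from cache, the header is reflected and unkeyed."""
    found = []
    for i, name in enumerate(candidates):
        buster = f"{path}?cb={i}"          # unique URL: never touches the live page's entry
        canary = f"canary{i}.test"
        tainted, _ = cache.get(Request(CANONICAL_HOST, buster, {name: canary}))
        plain, status = cache.get(Request(CANONICAL_HOST, buster))
        if canary in tainted and status == "hit" and canary in plain:
            found.append(name)
    return found


if __name__ == "__main__":
    print("vulnerable:", poison_and_serve(Cache(vulnerable_origin)))
    print("unkeyed inputs:", find_unkeyed_inputs(Cache(vulnerable_origin), "/"))
    print("origin fixed:", poison_and_serve(Cache(hardened_origin)))
    print("header keyed:", poison_and_serve(Cache(vulnerable_origin, ("X-Forwarded-Host",))))
```

The cache buster in find_unkeyed_inputs is the important detail: each probe uses a unique URL, so a reflected canary can only ever be served back to the tester, never to other users of the real page. Keying the header in the cache stops the cross-user poisoning, but it still leaves the reflection itself to fix at the origin.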

BGP hijacking attacks target payment systems

Researchers discovered BGP hijacking attacks targeting payment processing systems and using new tricks to keep forged records in recursive DNS resolvers’ caches long after the hijack itself had ended.

Doug Madory, director of internet analysis at Oracle Dyn, first saw these Border Gateway Protocol (BGP) hijacking attacks in April 2018 and has seen them continue through July. The first attack hijacked routes for Amazon’s Route 53 DNS service in order to lure victims to a malicious site and steal cryptocurrency, but more recent attacks targeted a wider range of U.S. payment services.

“As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites. By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared — maximizing the duration of the attack,” Madory wrote in a blog post. “The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped.”

Madory detailed attacks on telecom companies in Indonesia and Malaysia as well as BGP hijacking attacks on U.S. credit card and payment processing services, the latter of which lasted anywhere from a few minutes to almost three hours. While the payment services attacks featured similar techniques to the Amazon DNS server attack, it’s unclear if the same threat actors are behind them.

Justin Jett, director of audit and compliance for Plixer, said BGP hijacking attacks are “extremely dangerous because they don’t require the attacker to break into the machines of those they want to steal from.”

“Instead, they poison the DNS cache at the resolver level, which can then be used to deceive the users. When a DNS resolver’s cache is poisoned with invalid information, it can take a long time post-attack to clear the problem. This is because of how DNS TTL works,” Jett wrote via email. “As Oracle Dyn mentioned, the TTL of the forged response was set to about five days. This means that once the response has been cached, it will take about five days before it will even check for the updated record, and therefore is how long the problem will remain, even once the BGP hijack has been resolved.”
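Madory’s and Jett’s point about TTLs, that a forged record outlives the hijack that planted it, comes down to ordinary resolver caching. The following Python is an added example, not code or data from Oracle Dyn or Plixer: a toy recursive resolver with a TTL cache, an authoritative side that answers with the impostor’s record for the duration of a constructed two-hour hijack, and a five-day TTL on the forged answer versus the 600-second normal TTL. The addresses, domain and timings are assumptions. It also shows the one control a resolver operator has on their side, a ceiling on the TTL the cache will honor (BIND’s max-cache-ttl, Unbound’s cache-max-ttl), and a manual cache flush.

```python
from collections import namedtuple

Answer = namedtuple("Answer", "ip ttl")

# Constructed scenario, not data from the Oracle Dyn report: addresses come
# from the RFC 5737 documentation ranges and the hijack window is invented.
LEGIT_IP = "198.51.100.10"
FORGED_IP = "203.0.113.66"
NORMAL_TTL = 600                       # the targeted domains' normal TTL: 10 minutes
FORGED_TTL = 5 * 24 * 3600             # the forged responses carried roughly five days
HIJACK_START = 1000                    # seconds on a simulated clock
HIJACK_END = HIJACK_START + 2 * 3600   # a two-hour hijack (the report saw up to ~3 h)
HORIZON = 10 * 24 * 3600


def authoritative(name, now):
    """Who answers the recursive resolver's query depends on where BGP is
    routing the authoritative server's prefix at that moment."""
    if HIJACK_START <= now < HIJACK_END:
        return Answer(FORGED_IP, FORGED_TTL)   # impostor DNS server
    return Answer(LEGIT_IP, NORMAL_TTL)


class RecursiveResolver:
    """Caches answers until their TTL runs out, optionally clamping the TTL
    it will honor (BIND's max-cache-ttl, Unbound's cache-max-ttl)."""

    def __init__(self, upstream, max_cache_ttl=None):
        self.upstream = upstream
        self.max_cache_ttl = max_cache_ttl
        self.cache = {}   # name -> (ip, expires_at)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "cache"
        answer = self.upstream(name, now)
        ttl = answer.ttl if self.max_cache_ttl is None else min(answer.ttl, self.max_cache_ttl)
        self.cache[name] = (answer.ip, now + ttl)
        return answer.ip, "upstream"

    def flush(self, name):
        """Operator action once a hijack is known: drop the record outright."""
        self.cache.pop(name, None)


def poisoned_until(resolver, name, first_query, step=NORMAL_TTL, horizon=HORIZON):
    """Clients behind the resolver query every `step` seconds from `first_query`.
    Returns the last time the resolver still handed out the forged address,
    or None if it was never poisoned."""
    last = None
    t = first_query
    while t < horizon:
        ip, _ = resolver.resolve(name, t)
        if ip == FORGED_IP:
            last = t
        t += step
    return last


if __name__ == "__main__":
    name = "pay.example.test"   # constructed domain
    for cap in (None, 3600):
        last = poisoned_until(RecursiveResolver(authoritative, cap), name, HIJACK_START + 60)
        print(f"max_cache_ttl={cap}: forged answer served until t={last}s "
              f"({(last - HIJACK_END) / 3600:.1f} h after the hijack ended)")
```

With no ceiling the resolver keeps returning the forged address for about five days after the hijack is over; with a one-hour ceiling the poisoning ends within an hour of it, and a flush ends it immediately. A ceiling limits the damage window and nothing more: it does not detect or prevent the hijack, and it makes the resolver re-query more often, so it is a trade-off an operator has to make deliberately.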

Madory was not optimistic about what these BGP hijacking attacks might portend because of how fundamental BGP is to the structure of the internet.

“If previous hijacks were shots across the bow, these incidents show the internet infrastructure is now taking direct hits,” Madory wrote. “Unfortunately, there is no reason not to expect to see more of these types of attacks against the internet.”

Matt Chiodi, vice president of cloud security at RedLock, was equally worried and said these BGP hijacking attacks should be taken as a warning.

“BGP and DNS are the silent warriors of the internet and these attacks are extremely serious because nearly all other internet services assume they are secure. Billions of users rely on these mostly invisible services to accomplish everything from Facebook to banking,” Chiodi wrote via email. “Unfortunately, mitigating BGP and DNS-based attacks is extremely difficult given the trust-based nature of both systems.”

DHS details electrical grid attacks by Russian agents

The Department of Homeland Security has offered more details on electrical grid attacks by Russian agents, and experts said the details show how air-gapping isn’t as secure as some may think.

In a briefing on Monday, DHS officials expanded on details of electrical grid attacks by Russian groups like Dragonfly 2.0. The briefing was the first time DHS released this amount of information in an unclassified setting, according to a report by The Wall Street Journal.

DHS said Russian hackers first targeted key industrial control vendors in order to steal credentials and access air-gapped and isolated utility networks. DHS also expanded the scope of the electrical grid attacks, saying there were “hundreds of victims,” although it is unclear if “victims” in this case refers to systems, substations, or utilities and vendors combined. Attackers reportedly stole confidential information about the utilities to learn how the industrial control systems (ICS) work and DHS said they had enough access to “throw switches.”

Ray DeMeo, COO and co-founder of Virsec, noted that “relying on air-gapping for security is a dangerous anachronism.”

“Air gaps are easily being bridged by social engineering, password theft, or, in the case of Stuxnet, a few rogue USBs left in Tehran coffee houses. With the increasing convergence of IT and OT systems, the control systems that manage critical infrastructure are increasingly networked and connected,” DeMeo wrote via email. “Plus, conventional security tools that rely on signatures must be connected in order to get the latest updates. Almost all of the recent successful attacks on power plants and other critical infrastructure have bypassed air gaps.”

Rohyt Belani, CEO and co-founder of Cofense, said even with isolation electrical grid attacks are still possible.

“Even though SCADA networks and other critical infrastructure may be segmented, there are always legitimate remote access systems in place from where administrators of those systems can log in and control them,” Belani wrote via email. “Attackers often gain their initial foothold in a corporate network via spear phishing and then move laterally to identify such key systems, which they then attempt to compromise to further their sphere of influence into critical systems.”

Michael Magrath, director of global regulations and standards at OneSpan Inc., said these electrical grid attacks, like other hacks “exploit the weakest link in the security chain — the people.” Magrath was also concerned about part of The Wall Street Journal report that claimed DHS was investigating if Russian hackers had ways to defeat multifactor authentication.

“To be clear, multifactor authentication is not ‘one size fits all.’ There are numerous approaches and technologies available with varying degrees of security and usability. For example, one-time passwords transmitted via SMS are very convenient and widely deployed. However, this multifactor authentication approach has been proven to be insecure with [one-time passwords] being intercepted,” Magrath wrote via email. “Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.”

DHS claimed it has been warning utilities about potential attacks since 2014. Joseph Kucic, CSO at Cavirin, said via email the utilities “have failed to implement the necessary changes so DHS went public to embarrass the utilities into taking the needed actions (timing was on the DHS side with all the Russia media attention).” 

David Vergara, head of security product marketing at OneSpan Inc., said “this is big game hunting for cybercriminals.”

“The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure,” Vergara wrote via email. “It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties.”

Potential damage of electrical grid attacks

It was unclear from the DHS report what the extent of damage these electrical grid attacks could be.

Katherine Gronberg, vice president of government affairs at ForeScout Technologies, said in the past, electrical grid attacks were “ostensibly motivated by money, business disruption, hacktivism or espionage.”

“Now, we are facing a very real and targeted threat to U.S. national security. A successful attack on systems such as power plants, dams or the electric grid could have severe repercussions and could possibly lead to the loss of human life and disruption of society,” Gronberg wrote via email. “With so much on the line, securing critical infrastructure must be top of mind. Recent efforts by the DHS, DOE and key congressional committees suggest that it is. But we have to tackle this problem as the shared responsibility it is. It likely will entail some difficult decisions at all levels, from policymakers to power producers to consumers.”

Andrea Carcano, co-founder and CPO of Nozomi Networks, noted that since the electrical grid attacks reported by DHS didn’t result in blackouts, it raises the “question if the attackers intentionally only went so far.”

“Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay,” Carcano wrote via email. “It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”

Physical security keys eliminate phishing at Google

Google claims it has completely eliminated successful phishing attacks against its employees through the use of physical security keys and Universal Second Factor.

Google began introducing and evaluating physical security keys in 2014 and by early 2017 all 85,000-plus Google employees were required to use them when accessing company accounts. In the time since, the company told Brian Krebs, no employee has been successfully phished.

A Google spokesperson said the decision to use the Universal Second Factor (U2F) physical security keys instead of software-based one-time-password (OTP) authentication was based on internal testing.

“We believe security keys offer the strongest protections against phishing,” a Google spokesperson wrote via email. “We did a two-year study that showed that OTP-based authentication had an average failure rate of 3%, and with U2F security keys, we experienced zero percent failure.”

Lane Thames, senior security researcher at Tripwire, based in Portland, Ore., said the main reason these software-based apps are less secure is “because attackers can potentially intercept these OTPs remotely.”

“Another issue is the bulk production of OTPs that users can store locally or even print. This is done in order to make the 2FA [two-factor authentication] process a little easier for end users or so end users can save OTPs for later use, if they don’t have access to their phones when the code is needed,” Thames wrote via email. “This is akin to a similar problem where users write passwords and leave them around their workspace.”

However, John Callahan, CTO at Veridium, an identity and access management software vendor based in Quincy, Mass., noted that there are also benefits to users opting for 2FA via smartphone.

“Some people who use a U2F key fear losing it or damaging it. This is where biometrics can play a key role. Methods using biometrics are helping to prevent attacks,” Callahan wrote via email. “Using biometrics with the Google Authenticator app is a secure solution, because a mobile phone is always nearby to authenticate a transaction.”

Moving companies to physical security keys

Physical security keys implementing U2F were the core part of Google’s Advanced Protection Program, which it rolled out as a way for high-risk users to protect their Google accounts. A physical security key, like a YubiKey, can authenticate a user simply by inserting the key into a computer, tapping it against an NFC-capable smartphone or connecting to an iOS device via Bluetooth.

Nadav Avital, threat research manager at Imperva, based in Redwood Shores, Calif., said, “in an ideal world,” more companies would require multifactor authentication (MFA).

“In general, physical keys offer better security, because software-based authentication relies on a shared secret between the client and the provider that can be discovered. Unfortunately, most people don’t use [2FA or MFA], neither physical nor software-based, because they don’t understand the implications or because they prefer simplicity over security,” Avital wrote via email. “Clients can suffer from fraud, data theft or identity theft, while the company can suffer from reputation damage, financial damage from potential lawsuits and more.”

Richard Ford, chief scientist at Forcepoint, a cybersecurity company based in Austin, Texas, said worrying about the best way to implement 2FA might be premature, as “we still have oodles of companies still using simple usernames and password.”

“Getting off that simple combo to something more secure provides an immediate plus up for security. Look at your risk profile, and try and peer a little into the future,” Ford said. “Remember, what you plan today won’t be reality for a while, so you want to skate to where the puck is going. With that said, please don’t let perfect be the enemy of good.”

Petitioning the board

Experts noted that not all IT teams will have as easy a time convincing the board to invest in making physical security keys or another form of multifactor authentication a requirement as Google would.

Matthew Gardiner, cybersecurity expert at Mimecast, a web and email security company based in Lexington, Mass., suggested framing the issue in terms of risk reduction.

“It is hard to quantify risk unless you have experienced a recent breach. Using MFA is not a theoretical idea; it is now a security best practice that is incredibly cheap and easy to use from a multitude of vendors and cloud service providers,” Gardiner wrote via email. “I can only assume that if organizations are still only using a single-factor of authentication in support of B-to-B or B-to-E applications that they must think they have nothing of value to attackers.”

Ford said it was probably best not to spear phish the board for effect, “no matter how tempting that might be.”

“I would, however, suggest that the Google data itself can be of tremendous value. Boards understand risk in the scope of the business, and I think there’s plenty of data now out there to support the investment in more sophisticated authentication mechanisms,” Ford wrote. “Start with a discussion around Google and their recent successes in this space, and also have a reasoned — and money-based — discussion about the data you have at risk. If you arm the board with the right data points, they will very likely make the right decision.”

X-Agent malware lurked on DNC systems for months after hack

The malware backdoor allegedly implanted by Russian intelligence agents during attacks on the Democratic National Committee remained on its systems for roughly five months after the hack was first discovered, and for months after the first attempt to evict the intruders.

The indictment of Russian intelligence officers regarding the hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) included many shocking details, including the assertion that the X-Agent malware was still on DNC systems in October 2016.

The timeline of events according to the indictment showed that the Russian threat actors began spearphishing DNC and DCCC staffers in March 2016 and infiltrated DNC and DCCC systems using stolen credentials in April. Between April and June, the hackers installed the X-Agent malware backdoor and other tools and began to steal data.

“Despite the Conspirators’ efforts to hide their activity, beginning in or around May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company (‘Company 1’) to identify the extent of the intrusions,” investigators wrote in the indictment. “By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016.”

The indictment does not mention how or why the X-Agent malware remained on DNC systems. In addition to attempts to remove the hackers and their tools from DNC systems by “Company 1” — assumed to be CrowdStrike, the company publicly known to have been called in to investigate the attack — the indictment noted that the attackers themselves also tried to clean their own tracks.

According to the indictment, the attackers tried to “delete their presence on the DCCC network using the computer program CCleaner,” and they attempted to connect to the X-Agent malware on June 20, 2016, after CrowdStrike had allegedly disabled the backdoor.

Sean Sullivan, security advisor at F-Secure, discounted the possibility that the X-Agent malware might have been left on the DNC systems intentionally in order to track the attackers.

“Malware campaigns such as this use many parts and the goal is to move laterally across the network, collecting admin passwords along the way. Rooting out such infestations is time-consuming incident response work. Shutting down the entire network might have sped up the process, but that would have introduced significant challenges to the DNC’s political campaigns,” Sullivan wrote via email. “The DNC was dealing with a backdoor — so it was possible to continue day-to-day operations while doing incident response. And that sort of work just takes time to get it all.”

New Spectre variants earn $100,000 bounty from Intel

Researchers found new speculative execution attacks against Intel and ARM chips, and the findings earned them a $100,000 reward under Intel’s bug bounty.

The new methods are themselves variations on Spectre v1 — the bounds check bypass version of Spectre attacks — and are being tracked as Spectre variants 1.1 and 1.2.

The new Spectre 1.1 has also earned a new Common Vulnerabilities and Exposures (CVE) number, CVE-2018-3693, because it “leverages speculative stores to create speculative buffer overflows” according to Vladimir Kiriansky, a doctoral candidate in electrical engineering and computer science at MIT, and Carl Waldspurger of Carl Waldspurger Consulting.

“Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming gadgets that can be used to build alternative attack payloads,” Kiriansky and Waldspurger wrote in their research paper. “In a speculative data attack, an attacker can (temporarily) overwrite data used by a subsequent Spectre 1.0 gadget.”

Spectre 1.2 did not receive a new CVE because it “relies on lazy enforcement” of read/write protections in page table entries, similar to the behavior Meltdown (Spectre v3) exploits.

“Spectre 1.2 [is] a minor variant of Spectre v1, which depends on lazy PTE enforcement, similar to Spectre v3,” the researchers wrote. “In a Spectre 1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers and code metadata, including v-tables [virtual tables], GOT/IAT [global offset table/import address table] and control-flow mitigation metadata. As a result, sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective.”

As the research paper from Kiriansky and Waldspurger went live, Intel paid them a $100,000 bug bounty for the new Spectre variants. After the initial announcement of the Spectre and Meltdown vulnerabilities in January 2018, Intel expanded its bug bounty program to include rewards of up to $250,000 for similar side-channel attacks.

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, also noted that the research into these new Spectre variants was partially funded by Intel.

“When implemented properly, bug bounties help both businesses and the research community, as well as encourage more security specialists to participate in the audit and allow CISOs to optimize their security budgets for wider security coverage,” Bilogorskiy wrote via email. “These bugs are new minor variants of the original Spectre variant one vulnerability and have similar impact. They exploit speculative execution and allow speculative buffer overflows. I expect that more variants of Spectre and/or Meltdown will continue to be discovered in the future.”

ARM and Intel did not respond to requests for comment at the time of this post. ARM did update its FAQ about speculative processor vulnerabilities to reflect the new Spectre variants. And Intel published a white paper regarding bounds check bypass vulnerabilities at the same time as the disclosure of the new Spectre variants. In it, Intel did not mention plans for a new patch but gave guidance to developers to ensure bounds checks are implemented properly in software as a way to mitigate the new issues.
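As an added illustration (not code from the Kiriansky and Waldspurger paper or from Intel's white paper), here is the bounds-check-then-store pattern the researchers describe, beside a hardened form that clamps the index without a branch so a mispredicted check cannot produce a speculative out-of-bounds store. The function names and the mask idiom are mine, modelled on the approach used in mainstream kernels.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branchless clamp: returns idx when idx < size, otherwise 0.
 * Because no branch is involved, the result holds even while the CPU is
 * speculating past a mispredicted bounds check. Assumes size and idx are
 * below SIZE_MAX / 2 so the top bit of (size - 1 - idx) is a clean
 * "out of bounds" flag. Constructed helper, not the paper's or Intel's code. */
static inline size_t index_nospec(size_t idx, size_t size)
{
    /* top bit set -> idx >= size (subtraction wrapped) or idx itself is huge */
    size_t oob  = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = (size_t)0 - (oob ^ 1);   /* all ones in bounds, 0 out of bounds */
    return idx & mask;
}

/* The pattern Spectre 1.1 targets: the check is architecturally correct, but
 * the store may execute speculatively with an out-of-bounds idx before the
 * branch resolves, transiently overwriting data or pointers past buf. */
void store_checked(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx < len)
        buf[idx] = val;
}

/* Hardened form: on a mispredicted path idx is forced to 0, so the
 * speculative store can never land outside buf. */
void store_nospec(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx < len) {
        idx = index_nospec(idx, len);
        buf[idx] = val;
    }
}

int main(void)
{
    uint8_t buf[8] = {0};
    store_nospec(buf, sizeof buf, 5, 0xAA);     /* in bounds: written      */
    store_nospec(buf, sizeof buf, 100, 0xBB);   /* out of bounds: no write */
    printf("buf[5]=0x%02x clamp(100,8)=%zu clamp(5,8)=%zu\n",
           buf[5], index_nospec(100, sizeof buf), index_nospec(5, sizeof buf));
    return 0;
}
```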

Advanced Micro Devices was not directly mentioned by the researchers in connection with the new Spectre variants, but Spectre v1 did affect AMD chips. AMD has not made a public statement about the new research.

White House WannaCry attribution leaves unanswered questions

Although experts accepted the White House assertion that North Korea was behind the WannaCry attacks, some took issue with the government’s stance.

In the original announcement of the WannaCry attribution on Monday and in the press conference on Tuesday, Tom Bossert, homeland security adviser to the White House, reiterated the need to hold those responsible for the attacks accountable.

“As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations,” Bossert wrote in an op-ed in the Wall Street Journal. “Malicious hackers belong in prison, and totalitarian governments should pay a price for their actions. The rest of us must redouble our efforts to improve our collective defenses. The tool kits of totalitarian regimes are too threatening to ignore.”

However, experts noted a large omission in this accountability: the fact that the WannaCry ransomware was built on cyberweapons developed by and subsequently stolen from the National Security Agency (NSA).

Jake Williams, a former member of the Tailored Access Operations team for the NSA and founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., noted on Twitter that Bossert never used the words “NSA” or “leak” in the WannaCry attribution op-ed.

“If a Somali terrorist blew up a bomb in NYC using explosives supplied by the Syrian government, I don’t think we’d ever talk about the attack without talking about Syria. Whether you like it or not, the U.S. supplied the “explosives” for WannaCry. We need to own this,” Williams wrote on Twitter.

“And it’s not just WannaCry. AES-NI, NotPetya, and multiple other malware samples have used EternalBlue. But don’t stop at EternalBlue. We’ve had customers hit with other leaked exploits. I don’t think we’ll ever account for the full damage caused by these leaks,” Williams wrote. “Public opinion around nuclear weapons would change if we admitted we couldn’t secure them and we’d be attacked by our own stolen weapons. Let’s have adult discussions about this happening in the cyber domain and cut out the White House propaganda.”

During the press conference on Tuesday, Bossert was directly asked about the NSA’s role in developing EternalBlue and the leak of the NSA cyberweapons by the Shadow Brokers. Bossert avoided the question, instead saying that the U.S. has “led the most transparent vulnerabilities equities process in the world.”

Erasing Kaspersky

In addition to glossing over the NSA’s connection to WannaCry, Bossert and the White House also omitted Kaspersky Lab’s contribution to the WannaCry attribution case. Although Bossert gave credit to Microsoft and Facebook for fighting WannaCry attacks and noted that the U.K., New Zealand, Canada, Australia and Japan all agreed that North Korea was behind the attacks, Bossert didn’t give credit to Kaspersky.

Kaspersky Lab’s investigation team was the first to draw a connection between WannaCry and North Korea’s Lazarus hacking group, in June 2017, just one month after the initial WannaCry attacks.

However, the only mention of Kaspersky in Bossert’s comments was a reminder that the U.S. government counts Kaspersky as untrustworthy due to possible — but unverified — connections with the Russian government, and has moved to ban Kaspersky products from government systems.

Williams was not surprised by this omission.

“Given the current political climate, it seems unlikely that the administration will publicly acknowledge Kaspersky’s work in cyber threat intelligence and attribution,” Williams told SearchSecurity. “However, there is little doubt they are making use of those same reports behind closed doors. Kaspersky continues to be an important source of cyber threat Intelligence data, including reporting on attackers linked to the Russian government.”

Cooperation between government and private sector

As part of the push for accountability, Bossert and the White House said there needed to be closer relations between the public and private sectors following the WannaCry attribution. Bossert wrote that stopping malicious behavior “requires governments and businesses to cooperate to mitigate cyber risk and increase the cost to hackers. The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.”

Scott Petry, co-founder and CEO of Authentic8, said pushing for this kind of cooperation is reasonable and not all that new.

“The Department of Homeland Security has pushed a number of initiatives — for instance their Enhanced Cybersecurity Services where sensitive threat intel is distributed to authorized recipients. They’ve pushed commercial organizations to provide more intel to DHS for dissemination,” Petry told SearchSecurity. “These initiatives have run into some headwinds though, since organizations have been unable or unwilling to share meaningful attack data. There are compliance and data privacy issues as well as the conditioned response of not disclosing breaches in a timely fashion.”

Matt Suiche, founder of managed threat detection company Comae Technologies, also noted that the process for such cooperation is not clear.

“Collaboration between entities is very important; we saw it with the recent epidemics — WannaCry, NotPetya, etc. — through the infosec community on Twitter. Very useful and detailed descriptions of how the malware was working, and even responses from individuals (kill switches) while the big security companies were too slow to provide intelligent feedback,” Suiche told SearchSecurity. “But the question is: Are they just saying it for PR or do they have a pre-set of trusted partners they will only communicate with? If tomorrow a security start-up wants to collaborate and help DHS, is there an official channel for this?”

Data protection trends: Ransomware, M&A deals dominate news

From the constant threat of ransomware attacks to looking ahead to the European Union’s General Data Protection Regulation, backup vendors had a lot to tackle in 2017. And there was even a lot of movement among vendors themselves, with several big names making acquisitions to gain footholds in important markets.

Here we run down the year’s top data protection trends and news.

Ransomware protection gains strength

The ransomware epidemic is not slowing down. While ransomware has been out there for some time now, it made international headlines in May when the WannaCry strain simultaneously hit 300,000 machines in 150 countries. Other strains have made big news and caused problems for organizations of all sizes this year. Statistics vary, but many organizations say ransomware attacks are on the rise.

While WannaCry didn’t end up pulling in as much ransom as the attackers likely anticipated, that attack and others had organizations scrambling and making data protection a top focus. Often, backup and recovery is the only way out after ransomware hits. And that focus was evident with backup vendors as well, as data protection trends in this area included adding ransomware-specific features.

  • Acronis built a new version of its Active Protection technology — integrated into Acronis True Image backup software — that uses machine learning to help prevent ransomware viruses from corrupting data. It attempts to detect suspicious application behavior before file corruption. Active Protection is available in Acronis Backup software.
  • BackupAssist launched CryptoSafeGuard, part of its data protection software for SMBs, which works with existing antimalware software. It scans and detects suspicious activity in source files that can be related to ransomware, then sends alerts and blocks backup jobs from running.
  • Druva built ransomware monitoring and detection tools into its InSync endpoint data protection software. The software flags unusual activity occurring to data and helps identify the last good snapshot to recover the entire data set or individual files.
  • Unitrends Recovery Series physical appliances and Unitrends Backup virtual appliances use predictive analytics to determine the probability that ransomware exists in an environment. The vendor alerts customers when it detects the virus, so they can immediately restore from the last legitimate recovery point.

Mergers and acquisitions aplenty

The 2017 data protection market saw a large amount of merger and acquisition activity, particularly in the second half of the year. Cloud backup provider Carbonite was especially busy.

Here are several major moves from the past year:

  • Security and data protection vendor Barracuda is going private, following its purchase in November by equity firm Thoma Bravo for $1.6 billion.
  • Vista Equity Partners in October acquired data protection vendor Datto and will merge it with IT management provider Autotask, in a play to bring several technologies under one roof for SMBs, including backup and disaster recovery, professional services automation and networking continuity. Earlier in the year, Datto bought cloud-based networking provider Open Mesh.
  • Carbonite purchased Datacastle’s endpoint backup in August, which gives the growing cloud backup vendor better scalability and a bigger play in the SMB market. That same month, Code42 announced it is shutting down its consumer cloud backup product in 2018 to focus on other sectors and referring consumers to Carbonite. Earlier in the year, Carbonite bought Double-Take Software to improve its high-availability technology.
  • Peak 10 closed on a $1.675 billion acquisition of ViaWest in August, which will lead to a data protection suite of services between the cloud services providers that includes storage, backup and replication.
  • Axcient, which provides cloud-based disaster recovery and data protection, and EFolder, which offers cloud business continuity, cloud file sync and cloud-to-cloud backup, announced in July that they are merging.
  • Data protection vendor Arcserve in July acquired Zetta and its cloud backup and disaster recovery, following its purchase earlier in the year of FastArchiver for on-premises or public cloud emails.

The convergence and hyper-convergence of data protection

As vendors like Cohesity and Rubrik continue to lead the converged secondary storage market, backup going hyper-converged is one of the top data protection trends of 2017. Several vendors this year launched backup for hyper-converged products, with at least one data protection product focused solely on the Nutanix Acropolis Hypervisor (AHV).

The Unitrends Recovery Series backup appliances and Unitrends Backup virtual appliances feature integration for AHV. The vendor also protects all hypervisors that run on Nutanix and supports VMware, Hyper-V and Citrix XenServer hypervisors. Veeam, Commvault and Rubrik are among the other data protection vendors that recently launched or will launch backup for AHV.

Comtrade Software in June launched its HYCU dedicated to AHV backup. The vendor later in the year updated its product with increased support for Nutanix storage and backup management features.

Commvault went to a place it didn’t originally plan on going: the hardware market. The vendor launched its first scale-out integrated hardware appliance for data protection as it attempts to compete with Rubrik and Cohesity, as well as traditional backup vendors. The HyperScale platform is part of Commvault’s product strategy to build out its data services with software-defined storage and convergence. Converged secondary storage — one of the data protection trends that continues to grow — handles such nonprimary tasks as backup, archiving, test and development, and disaster recovery.

Ready or not, here comes GDPR

Companies are scrambling to ensure compliance with the European Union’s General Data Protection Regulation, which goes into effect in May and covers data produced by EU citizens and data stored within the union. It consists of 99 articles, including a rule that gives individuals the right to force organizations to delete all personal data.

But the rule requiring companies to notify customers of a data breach within 72 hours struck a chord this year via the Equifax breach. The company discovered it in July and reported it publicly in September. Companies not in compliance with GDPR face millions of dollars in fines.

Surveys routinely show that companies are not adequately prepared for GDPR. Some vendors, though, are trying to help aid compliance. For example, Veritas’ Integrated Classification Engine uses machine learning to identify sensitive and personal data.

Data protection trends take on storage growth

Tape storage got a capacity bump with the release of LTO-8. The latest version, launched two years after LTO-7 hit the market, features 32 TB of compressed capacity per tape, sustained data transfer rates of up to 1,180 MBps for compressed data, uncompressed capacity of 12.8 TB and an uncompressed transfer rate of 472 MBps. Tape is seen as a safe, offline backup in the face of cyberattacks such as ransomware. Plus, the massive capacity can help with long-term retention of huge data sets that continue to grow.

“No business measures data storage in terabytes anymore,” analyst Jon Toigo wrote in a November SearchDataBackup article. “… So LTO-8, with its 32 TB capacity, seems to be just what the doctor ordered for companies most likely to make big use of tape technology: cloudies and data-intensive verticals, such as healthcare, surveillance, research labs, and oil and gas. These firms are putting tape back to use in an old, secondary storage role.”

What’s old has become new again.