Vulnerability: Variants 3a and 4 of Side Channel Vulnerabilities

On May 21st, two vulnerabilities (CVE-2018-3640, Variant 3a, Rogue System Register Read, and CVE-2018-3639, Variant 4, Speculative Store Bypass) were publicly disclosed. They are new variants of the Spectre and Meltdown class of hardware vulnerabilities and use “side-channel attacks” against speculative execution on many CPU architectures. Variants 3a and 4 both affect AMD, ARM and Intel CPUs, with effects that vary from vendor to vendor. Details are scarce at this time on how an attacker would use these vulnerabilities in practical attacks.

A “side-channel attack” targets the implementation of a computer system rather than the software or algorithm it runs. The Spectre and Meltdown class of vulnerabilities use cache side-channel attacks, monitoring the CPU cache to infer sensitive information that is not obtainable through normal access. Variant 3a uses a method of exploitation known as “Rogue System Register Read,” while Variant 4 uses an attack called “Speculative Store Bypass.” Both vulnerabilities are highly complex and take advantage of features of speculative execution in various CPU architectures. If executed properly, either could result in unauthorized access to information in a system’s memory, such as passwords or other sensitive data.

The Proficio Threat Intelligence Recommendations:

  • Stay tuned for any practical attack carried out in the wild against organizations using these vulnerabilities. Note that these are difficult and complex vulnerabilities to leverage in practical attacks.
  • Apply standard patches and updates to hardware (firmware and microcode), software, and operating systems that mitigate the risks of these vulnerabilities.


Method: PyRoMine Malware

In early April, Fortinet’s FortiGuard Labs discovered a cryptocurrency-mining malware, named PyRoMine, that leverages EternalRomance, a remote code execution exploit. EternalRomance was among the tools in the giant “treasure trove” of NSA data leaked last year by the ShadowBrokers.

The malware can be found in the form of a standalone executable file that, when executed, will run as a background process, silently stealing CPU resources unbeknownst to its victims. The end goal of this malware is to mine Monero for profits.

PyRoMine sets up a hidden default account on the user’s machine with system administrator privileges, using the password “P@ssw0rdf0rme,” and enables Remote Desktop Protocol, which could be used in the future for re-infection and/or further attacks.

The EternalRomance exploit targets SMBv1 on Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft patched these vulnerabilities very quickly after the tools were made public. However, individuals and enterprises alike have been slow to patch the known vulnerabilities and could still be affected by this malware.
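The account-plus-RDP behaviour described above is a detectable host-level pattern. The following correlation rule is an added example, not code from Proficio or FortiGuard Labs; it assumes Windows Security events 4720 (account created) and 4732 (member added to a local group) plus Sysmon event 13 (registry value set) are already parsed into dicts with the field names used here, and the account name, hosts and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

ADMIN_SID = "S-1-5-32-544"          # well-known SID of the local Administrators group
RDP_VALUE = "fDenyTSConnections"    # registry value; 0 means Remote Desktop is allowed
SYSMON_VALUE_SET = 13               # Sysmon "RegistryEvent (Value Set)"

# Constructed sample events, not real logs: Security 4720 / 4732 and Sysmon 13,
# pre-parsed into dicts the way a SIEM or log shipper would present them.
SAMPLE_EVENTS = [
    {"ts": "2018-05-22T10:00:05", "host": "WS01", "id": 4720, "member": "default"},
    {"ts": "2018-05-22T10:00:07", "host": "WS01", "id": 4732, "member": "default",
     "group_sid": ADMIN_SID},
    {"ts": "2018-05-22T10:00:09", "host": "WS01", "id": SYSMON_VALUE_SET,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    # benign: a new service account that is never made an admin and leaves RDP untouched
    {"ts": "2018-05-22T11:30:00", "host": "WS02", "id": 4720, "member": "svc_backup"},
]

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def _within(anchor, ev, window):
    return timedelta(0) <= _ts(ev) - _ts(anchor) <= window

def detect_hidden_admin_rdp(events, window_seconds=600):
    """Return one finding per host where, within the window after a local account
    is created, that account is added to Administrators and fDenyTSConnections
    is set to 0 (RDP enabled)."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for created in (e for e in events if e["id"] == 4720):
        host, account = created["host"], created["member"]
        later = [e for e in events if e["host"] == host and _within(created, e, window)]
        admin_add = any(e["id"] == 4732 and e["member"] == account
                        and e.get("group_sid") == ADMIN_SID for e in later)
        rdp_on = any(e["id"] == SYSMON_VALUE_SET
                     and e.get("target", "").endswith(RDP_VALUE)
                     and e.get("details", "").endswith("(0x00000000)") for e in later)
        if admin_add and rdp_on:
            findings.append({"host": host, "account": account, "first_seen": created["ts"]})
    return findings

if __name__ == "__main__":
    for f in detect_hidden_admin_rdp(SAMPLE_EVENTS):
        print(f"ALERT {f['host']}: new local admin '{f['account']}' with RDP enabled at {f['first_seen']}")
```

Tune the window to your environment; legitimate provisioning rarely performs all three steps on a workstation within seconds, so the rule is narrow enough to page on.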

Proficio Threat Intelligence Recommendations:

  • Update Windows hosts to use SMBv2
  • Do not allow Remote Desktop Protocol to be open to the internet
