Intel Processors Zombieload Flaw

Yet another chip flaw allows attackers to steal any data that’s recently been accessed by the processor. Almost every Intel chip manufactured since 2011 is vulnerable. The good news is that attackers must be able to run code on the machine, which requires the machine to have already been compromised in some other manner. 

Microsoft, Apple, and Google have already issued updates to stop the vulnerability, which takes advantage of Microarchitectural Data Sampling. AWS has also patched their hypervisors and published this Security Release.

Red Hat’s YouTube channel has an excellent video detailing the MDS exploit.

Codedamn has a short video demonstrating the attack in action.

IoT Device Compromises Casino’s Database

An unnamed North American casino had its high-roller database stolen, an interesting but not uncommon story in the modern world of cybersecurity. Let's ratchet the quirkiness up a notch: the attackers breached the network through an IoT thermostat in a fish tank located in the casino's lobby. This latest hack once again calls into question the inherent insecurity that comes with the drastic increase in Internet-connected devices.

The statistics are staggering. The IoT industry is holding steady at 19.2% compound annual growth. IoT usage in industrial manufacturing is expected to reach nearly one trillion dollars by 2020. The number of IoT devices currently in use is estimated at thirty-one billion. That number is expected to rise to over seventy-five billion by 2025.

These connected devices drastically expand the attack surface, and unlike with traditional networked devices, security is often an afterthought, if it is addressed at all. Thermostats, refrigerators, light bulbs, smart speakers, picture frames… these single- or narrow-use devices are churned out at competitive prices, and if we've learned anything over the last decade it's that security is hard.

Robert Hannigan ran the British government's digital-spying agency, Government Communications Headquarters, from 2014 to 2017 and recently spoke at the WSJ CEO Council Conference in London: "With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that's going to be an increasing problem… I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost."

Calling for stronger regulations, he added, "It's probably one area where there'll likely need to be regulation for minimum security standards because the market isn't going to correct itself. The problem is these devices still work — the fish tank or the CCTV camera still work."

Memcached DDOS Attack Reaches 1.7 Terabits

There's a new DDOS attack in town and it's a doozy. This amplification attack takes advantage of unsecured (misconfigured) Memcached servers, and the return on investment is staggering. Sending a forged request to a susceptible Memcached server on port 11211 triggers a response to the intended target that has been amplified by a factor of 51,000. The result has been the largest sustained denial-of-service attacks in history: GitHub successfully withstood a 1.3 terabit-per-second attack, and several days later an unnamed company in the United States was buffeted by a 1.7 Tbps attack.

According to Wikipedia, "Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read." The Memcached software is free and open source and runs on Linux, OS X, and Windows, with widespread adoption over the last decade.

Usually, these types of servers are used internally to improve performance, disconnected from the public internet and only accessible within a trusted network. But it appears a lot of people have been leaving Memcached servers exposed to the open internet, where they can be discovered and exploited by just about anyone.

Indeed, tools have already started cropping up that enable 'script kiddies' to take advantage without understanding the underlying technology. One such tool, written in C, comes complete with a pre-compiled list of 17,000+ vulnerable Memcached servers. Another, written in Python, leverages Shodan to search for and obtain a fresh list of vulnerable servers. Both tools automate the sending of spoofed UDP packets.

The original version of Memcached, created by Brad Fitzpatrick, did not support the UDP protocol. That functionality was added in 2008 by Facebook. The change was made without providing any means to authenticate, as developers falsely assumed that these servers would only run inside trusted networks. Later versions of the software eventually added authentication support for TCP but again left UDP out of the loop. That was, of course, until terabit-level denial-of-service attacks broadsided several sites last week. The open-source project was quickly updated to disable the UDP port by default.

Much like herd immunity, sites will not be safe from this attack until enough Memcached servers are patched or otherwise secured, a process that many experts predict will take quite some time.
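An added example of how a defender might spot this reflection traffic in network flow records (not code from the original post): it flags UDP flows whose source port is 11211 and whose average packet size is far larger than any request, then groups them by destination to identify the victim and the misconfigured servers acting as reflectors. The flow records and the 1,000-byte-per-packet threshold are constructed assumptions.

```python
"""Flag Memcached UDP reflection traffic in constructed flow records.

Reflected responses arrive from UDP source port 11211 and are large
relative to the tiny spoofed request, so bytes-per-packet is the
signature; grouping by destination shows who is being flooded and
which exposed Memcached servers are being abused.
"""
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
# Assumption: a request is a few dozen bytes, so a flow averaging well
# over 1,000 bytes per packet from port 11211 is reflected output.
MIN_BYTES_PER_PKT = 1000

# Constructed sample flows, not real telemetry:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 443, "udp", 1_400_000, 1000),
    ("198.51.100.11", 11211, "203.0.113.5", 80, "udp", 1_400_000, 1000),
    ("198.51.100.12", 11211, "203.0.113.5", 53, "udp", 700_000, 500),
    # Small replies to an internal client: legitimate cache traffic.
    ("192.0.2.7", 11211, "10.0.0.5", 33000, "udp", 600, 10),
    # Unrelated TCP flow, should never be flagged.
    ("192.0.2.9", 443, "203.0.113.5", 51000, "tcp", 2_000_000, 1500),
]


def is_reflection_flow(flow):
    """True when a flow looks like amplified Memcached UDP output."""
    src_ip, src_port, dst_ip, dst_port, proto, nbytes, npkts = flow
    if proto != "udp" or src_port != MEMCACHED_UDP_PORT or npkts == 0:
        return False
    return nbytes / npkts >= MIN_BYTES_PER_PKT


def summarize(flows):
    """Return {victim_ip: {"bytes": total_bytes, "reflectors": [ips]}}."""
    report = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for flow in flows:
        if is_reflection_flow(flow):
            victim = flow[2]
            report[victim]["bytes"] += flow[5]
            report[victim]["reflectors"].add(flow[0])
    return {v: {"bytes": d["bytes"], "reflectors": sorted(d["reflectors"])}
            for v, d in report.items()}


if __name__ == "__main__":
    for victim, d in summarize(SAMPLE_FLOWS).items():
        print(f"{victim}: {d['bytes']} bytes via {len(d['reflectors'])} "
              f"reflectors {d['reflectors']}")
```

The reflector addresses are the misconfigured servers to report to their operators; on a Memcached host you run yourself, starting it with `-U 0` (UDP off) and `-l 127.0.0.1` keeps it out of the reflector pool.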