The Hacker News — Cyber Security, Hacking, Technology News

Security researchers from Microsoft and Google have discovered a fourth variant of the data-leaking Meltdown-Spectre security flaws impacting modern CPUs in millions of computers, including those marketed by Apple.

Variant 4 comes weeks after German computer magazine Heise reported about a set of eight Spectre-class vulnerabilities in Intel CPUs and a small number of ARM processors, which may also impact AMD processor architecture as well.

Variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715), known as Spectre, and Variant 3 (CVE-2017-5754), known as Meltdown, are three processor vulnerabilities disclosed by Google Project Zero researchers in January this year.

Now, Microsoft and Google researchers have disclosed Variant 4 (CVE-2018-3639), dubbed Speculative Store Bypass, which is a similar Spectre variant that takes advantage of speculative execution that modern CPUs use to potentially expose sensitive data through a side channel.

Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues and is discarded if not.

However, the speculative-execution design blunders can be exploited by malicious software or apps running on a vulnerable computer, or a nefarious actor logged into the system, to trick the CPU into revealing sensitive information, like passwords and encryption keys, stored in system memory and the kernel.

Unlike Meltdown that primarily impacted Intel chips, Spectre affects chips from other manufacturers as well.

Spectre and Meltdown Continues to Haunt Intel, AMD, ARM

The latest Variant 4 flaw affects modern processor cores from Intel, AMD, and ARM, as well as IBM's Power 8, Power 9, and System z CPUs—threatening almost all PCs, laptops, smartphones, tablets, and embedded electronics regardless of manufacturer or operating system.

Speculative Store Bypass attack is so far demonstrated in a "language-based runtime environment." The most common use of runtimes, like JavaScript, is in web browsers, but Intel had not seen any evidence of successful browser-based exploits.

Linux distro giant Red Hat has also provided a video outlining the new Spectre flaw, alongside publishing a substantial guide:


Besides Variant 4, Google and Microsoft researchers have also discovered Variant 3A, dubbed "Rogue System Register Read," a variation of Meltdown that allows attackers with local access to a system to utilize side-channel analysis and read sensitive data and other system parameters.

Intel has classified Variant 4 as "medium risk" because "many" of the exploits that Speculative Store Bypass attack would exploit were fixed by browsers like Safari, Edge, and Chrome during the initial set of patches.

"Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes—mitigations that substantially increase the difficulty of exploiting side channels in a web browser," Intel says in its advisory. "These mitigations are also applicable to Variant 4 and available for consumers to use today."

However, since there is the potential for new exploits, Intel and its partners (including PC makers and OEM system manufacturers) are releasing BIOS and software microcode updates for Variant 4 in the "coming weeks."

Spectre Mitigations to Result in Another Performance Hit

The mitigation will be turned off by default, providing customers the choice of whether to enable it or not. If enabled, Intel observed a performance hit of approximately 2 to 8 percent on overall scores for benchmarks like "SYSmark 2014 SE and SPEC integer rate on client and server test systems."

ARM and AMD are also releasing security patches for their respective chips, with ARM saying the latest Spectre variant impacts only a small number of Arm Cortex-A cores and is mitigated with an Arm-developed firmware update.

AMD also released a whitepaper, advising users to leave the fix disabled due to the inherent difficulty of performing a successful Speculative Store Bypass attack and saying:

"Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process." 

"Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules."

In short, there will not be a permanent solution (rather than just mitigation) for Spectre-like exploits until Intel, and other chip makers release updated chips. So users are strongly recommended to follow good security practices that protect against malware and ensure their software is up-to-date.

Widespread routers' DNS hijacking malware that recently found targeting Android devices has now been upgraded its capabilities to target iOS devices as well as desktop users.

Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users' login credentials and the secret code for two-factor authentication.

According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened their targets by adding phishing attacks for iOS devices, and cryptocurrency mining script for PC users.

Moreover, while the initial attacks were designed to target users from South East Asia–including South Korea, China Bangladesh, and Japan–the new campaign now support 27 languages to expand its operations to infect people across Europe and the Middle East.

How the Roaming Mantis Malware Works

Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them.

So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serves:

• fake apps infected with banking malware to Android users,
• phishing sites to iOS users,
• Sites with cryptocurrency mining script to desktop users

"After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk)," researchers say.

To evade detection, fake websites generate new packages in real time with unique malicious apk files for download, and also set filename as eight random numbers.

Once installed, the attackers can control infected Android devices using 19 built-in backdoor commands, including–sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps, ping and more.

If the victims own an iOS device, the malware redirects users to a phishing site that mimics the Apple website, claiming to be 'security.app.com,' and asks them to enter their user ID, password, card number, card expiration date and CVV number.
Besides stealing sensitive information from Android and iOS devices, researchers found that Roaming Mantis injects a browser-based cryptocurrency mining script from CoinHive on each landing page if visited using desktop browsers to mine Monero.

Keeping in mind these new capabilities and the rapid growth of the campaign, researchers believe that "those behind it have a strong financial motivation and are probably well-funded."

Here's How to Protect Yourself from Roaming Mantis

In order to protect yourself from such malware, you are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

Since the hacking campaign is using attacker-controlled DNS servers to spoof legitimate domains and redirect users to malicious download files, you are advised to make sure the sites you are visiting has HTTPS enabled.

You should also disable your router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.

Android device users are always advised to install apps from official stores, and disable the installation of apps from unknown sources on their smartphone by heading on to Settings → Security → Unknown sources.

To check if your Wi-Fi router is already compromised, review your DNS settings and check the DNS server address. If it does not match the one issued by your provider, change it back to the right one. Also change all your account passwords immediately.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Last week, we reported about the first network-based remote Rowhammer attack, dubbed Throwhammer, which involves the exploitation a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

However, a separate team of security researchers has now demonstrated a second network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instruction while processing the network requests.

The research was carried out by researchers who discovered Meltdown and Spectre CPU vulnerabilities, which is independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer published last week.

If you are unaware, Rowhammer is a critical issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing attackers to change the contents of the memory.

The issue has since been exploited in a number of ways to escalate an attacker's privilege to kernel level and achieve remote code execution on the vulnerable systems, but the attacker needed access to the victim’s machine.

However, the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.

This causes a high number of memory accesses to the same set of memory locations, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.

The resulting data corruption can then be manipulated by the attacker to gain control over the victim's system.

"To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache," the researcher paper [PDF] reads.

Since caching makes an attack difficult, the researchers developed ways that allowed them to bypass the cache and attack directly into the DRAM to cause the row conflicts in the memory cells required for the Rowhammer attack.

Researchers tested Nethammer for the three cache-bypass techniques:

• A kernel driver that flushes (and reloads) an address whenever a packet is received.
• Intel Xeon CPUs with Intel CAT for fast cache eviction
• Uncached memory on an ARM-based mobile device.

All three scenarios are possible, researchers showed.

In their experimental setup, researchers were successfully able to induce a bit flip every 350 ms by sending a stream of UDP packets with up to 500 Mbit/s to the target system.

Since the Nethammer attack technique does not require any attack code in contrast to a regular Rowhammer attack, for example, no attacker-controlled code on the system, most countermeasures do not prevent this attack.

Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.

For more in-depth details on the new attack technique, you can head on to this paper, titled "Nethammer: Inducing Rowhammer Faults through Network Requests," published by the researchers earlier this week.

For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app have to update their desktop applications once again to patch another severe code injection vulnerability.

Discovered Monday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious code on the recipients' Signal desktop app just by sending them a message—without requiring any user interaction.

To understand more about the first code injection vulnerability (CVE-2018-10994), you can read our previous article covering how researchers find the Signal flaw and how it works.

The only difference between the two is that the previous flaw resides in the function that handles links shared in the chat, whereas the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.
In other words, to exploit the newly patched bug on vulnerable versions of Signal desktop app, all an attacker needs to do is send a malicious HTML/javascript code as a message to the victim, and then quote/reply to that same message with any random text.

If the victim receives this quoted message containing the malicious payload on its vulnerable Signal desktop app, it will automatically execute the payload, without requiring any user interaction.

Exploiting Signal Code Injection to Steal Plaintext Chats

Until now the proof-of-concept payloads used to demonstrate code injection vulnerabilities in Signal were limited to embedding an HTML iFrame, or image/video/audio tags onto the victim's desktop app.

However, researchers have now managed to craft a new PoC exploit that could allow remote attackers to successfully steal all Signal conversations of the victims in the plaintext just by sending them a message.

This hack literally defeats the purpose of an end-to-end encrypted messaging app, allowing remote attackers to easily get the hold on users' plain-text conversations without breaking the encryption.

Attackers Could Possibly Steal Windows Password As Well

What's worse?

In their blog post, the researchers also indicated that an attacker could even include files from a remote SMB share using an HTML iFrame, which can be abused to steal NTLMv2 hashed password for Windows users.

"In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it," the researchers explain.

Though they haven't claimed anything about this form of attack, I speculate that if an attacker can exploit code injection to force Windows OS to initiate an automatic authentication with the attacker-controlled SMB server using single sign-on, it would eventually hand over victim's username, and NTLMv2 hashed password to the attackers, potentially allowing them to gain access to the victim's system.

We have seen how the same attack technique was recently exploited using a vulnerability in Microsoft Outlook, disclosed last month.

I can not verify this claim at this moment, but we are in contact with few security researchers to confirm this.

Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.

However, The Hacker News has learned that Signal developers had already identified this issue as part of a comprehensive fix to the first vulnerability before the researchers found it and reported them.

Signal app has an auto-update mechanism, so most users must have the update already installed. You can read this guide to ensure if you are running updated version of Signal.

And if you don’t, you should immediately update your Signal for desktop as soon as possible, since now the vulnerability poses a severe risk of getting your secret conversations exposed in plaintext to attackers and further severe consequences.

A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives like Fedora operating system.

The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems.

Whenever your system joins a network, it’s the DHCP client application which allows your system to automatically receive network configuration parameters, such as an IP address and DNS servers, from the DHCP (Dynamic Host Control Protocol) server.

The vulnerability resides in the NetworkManager integration script included in the DHCP client packages which is configured to obtain network configuration using the DHCP protocol.

Felix Wilhelm from the Google security team found that attackers with a malicious DHCP server, or connected to the same network as the victim, can exploit this flaw by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on the victim's system running vulnerable DHCP client.

Although full details of the vulnerability have not been released, Wilhelm claims his PoC exploit code is so short in length that it even can fit in a tweet.

Meanwhile, Barkın Kılıç, a security researcher from Turkey, has released a tweetable proof-of-concept exploit code for the Red Hat Linux DHCP client vulnerability on Twitter.
In its security advisory, Red Hat has confirmed that the vulnerability impacts Red Hat Enterprise Linux 6 and 7, and that all of its customers running affection versions of the dhclient package should update their packages to the newer versions as soon as they are available.

"Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers," Red Hat warns.

Fedora has also released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other popular Linux distributions like OpenSUSE and Ubuntu do not appear to be impacted by the vulnerability, as their DHCP client implementation doesn't have NetworkManager integration script by default.