Intel processors are facing another major security threat: SGAxe

Intel chipsets hit by another major security flaw. Mike Moore of TechRadar writes that the SGAxe attack steals protected data from what is meant to be the safest part of an Intel processor.

Intel processors are facing another major security threat after researchers uncovered a new attack on the company’s hardware.

Known as SGAxe, the attack targets a supposedly super-secure function within Intel processors in the latest attempt to steal protected user data in a long line of attacks since 2018’s Meltdown and Spectre threats.

Intel says it has already released fixes and patches to cover some of the damage, but some issues still remain a threat, with machines using the company’s 9th generation Coffee Lake Refresh processors particularly at risk.

SGAxe attack

SGAxe breaches the security guarantees of Intel Software Guard eXtensions (SGX) services, which look to protect the inner workings of a system alongside vital data such as passwords and encryption keys.

Developed by the company, SGX is a security feature built into Intel processors that allows apps to operate and run within blocks of secure memory known as “enclaves” – protected software containers that offer hardware-based memory encryption for high-end protection.

Using SGAxe, an attacker could steal legitimate SGX attestation keys from Intel’s quoting enclave in existing SGX machines, meaning they could then impersonate such systems and gain access to target devices.

The researchers note that there is no evidence the flaw was exploited in the wild, but alerted Intel as soon as it was discovered. However, SGAxe does appear to be an evolution of the CacheOut attack revealed in January, with the two exploits able to work in tandem to break into systems.

Intel says it is working on a fix to cover both attacks, with a microcode update coming soon.

“The CacheOut researchers recently informed us of a new paper referred to as SGAxe,” Intel Director of Communications Jerry Bryant said in a statement.

“It is important to note that SGAxe relies on CVE-2020-0549 which has been mitigated in microcode (confirmed by the researchers in their updated CacheOut paper) and distributed out to the ecosystem.”

The company has also published a list of affected processors for users looking to see if their systems are at risk.

Windows 10 Systems Still Vulnerable To A Three-Month-Old Critical Security Flaw From Microsoft

Windows 10 Critical Exploit Now Confirmed, Months After Microsoft’s Emergency Update. Veteran technology reporter Davey Winder for Forbes and PC Computing reports that the U.S. Government cybersecurity agency warns that malicious cyber actors are targeting Windows 10 systems still vulnerable to a three-month-old critical security flaw.

Cast your mind back to March 10 when the monthly Windows Patch Tuesday security updates were released by Microsoft. That same day, one critical Windows 10 vulnerability was disclosed by mistake; disclosed before a fix had been made available.

CVE-2020-0796, better known today as SMBGhost, was thought so dangerous were it to be weaponized that it merited that rarest of Common Vulnerability Scoring System (CVSS) ratings: a “perfect” 10. Microsoft was quick to act. It issued an emergency out-of-band fix within days.

That’s where the good news ends.

SMBGhost is a fully wormable vulnerability that could enable remote and arbitrary code execution and, ultimately, control of the targeted system if a successful attack was launched. The vulnerability, in Microsoft’s Server Message Block 3.1.1, allows for a maliciously constructed data packet sent to the server to kick off the arbitrary code execution.

Such an attack would require both an unpatched and vulnerable Windows 10 or Windows Server Core machine and, crucially, working and available exploit code. The former should have been sorted by the emergency update being applied automatically, but that assumes every device at risk would have automatic updates enabled.

This is not the case, for a myriad of reasons, and leaves systems and data exposed.

Especially seeing as the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has just confirmed that it is aware of “publicly available and functional” proof of concept (PoC) exploit code.

What’s more, the CISA posting warns, “malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports.”

The CISA has said that it “strongly recommends using a firewall to block SMB ports from the internet,” and that patches and updates for such critical vulnerabilities should be applied as soon as possible.

Microsoft’s security updates addressing SMBGhost in Windows 10 version 1909 and 1903 and Server Core for the same versions, can be found here.

I have reached out to Microsoft for a statement regarding the availability of exploit code and further advice for users and will update this article when I have that. In the meantime, get patching and get blocking.
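The CISA advice quoted above amounts to two checks an administrator can run on each Windows 10 or Server Core host: is SMB (TCP 445) reachable from untrusted networks, and is there a firewall rule stopping it? The script below is an added example, not code from the Forbes article, CISA or Microsoft. It reads the Windows release from the standard `CurrentVersion` registry key (the article names 1903 and 1909 as the affected releases), reports whether anything is listening on port 445, and creates an inbound block rule on the Public profile if none exists. The rule name is an assumption of this example, not a Windows default; it blocks only the Public profile so that file sharing on domain and private networks keeps working.

```powershell
# Added example (not from the article, CISA or Microsoft). Run in an elevated
# PowerShell session on Windows 10 / Windows Server Core.
$RuleName = 'Block inbound SMB from public networks'   # assumed name for this example

# 1. Report the Windows release so it can be compared with the advisory
#    (the article lists Windows 10 1903 and 1909 as affected).
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
Write-Host "Windows release: $release"

# 2. Is the SMB server actually listening on TCP 445?
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("SMB listener on TCP 445: " + $(if ($listener) { 'yes' } else { 'no' }))

# 3. Create the Public-profile block rule if it is not already there.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block -Enabled True | Out-Null
    Write-Host "Created rule '$RuleName'"
} else {
    Write-Host "Rule '$RuleName' already present (Enabled: $($existing.Enabled))"
}

# 4. Verify the rule's port filter really covers TCP 445.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Blocking 445 at the host firewall is a stopgap for hosts that are directly exposed; the patch is still the fix, and a host that legitimately serves SMB to the internet (which should be rare) needs the update rather than the rule.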

Conduent Suffers Ransomware Attack, Data Breach

IT Services Giant Conduent Suffers Ransomware Attack, Data Breach. Computer Business Review (CBR) reports that Conduent, a $4.4 billion by revenue (2019) IT services giant, has admitted that a ransomware attack hit its European operations, but says it managed to restore most systems within eight hours.

Conduent, which says it provides services (including HR and payments infrastructure) for “a majority of Fortune 100 companies and over 500 governments”, was hit on Friday, May 29.

“Conduent’s European operations experienced a service interruption on Friday, May 29, 2020. Our system identified ransomware, which was then addressed by our cybersecurity protocols.

“This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored,” said spokesman Sean Collins.

He added: “This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

Conduent Ransomware Attack: Maze Posts Stolen Data

The company did not name the ransomware type or intrusion vector, but the Maze ransomware group has posted stolen Conduent data including apparent customer audits to its Dark Web page.

Security researchers at Bad Packets say Conduent, which employs 67,000 globally, was running unpatched Citrix VPNs for “at least” eight weeks. (An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been widely exploited in the wild by ransomware gangs.)

In early January Bad Packets found that nearly 10,000 vulnerable hosts running the unpatched VPN were in the US and over 2,000 in the UK. Citrix pushed out firmware updates on January 24.

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies

The malware used by Maze is a 32-bit binary file, usually packed as an EXE or a DLL file, according to a March 2020 McAfee analysis, which noted that the Maze ransomware can also terminate debugging tools used to analyse its behaviour, including the IDA debugger, x32dbg, OllyDbg and more processes, “to avoid dynamic analysis… and security tools”.

Cyber criminals have largely moved away from “spray and pray”-style attacks on organisations to more targeted intrusions, exploiting weak credentials, unpatched software, or using phishing. They typically sit in a network gathering data to steal and use to blackmail their victims before actually triggering the malware that locks down end-points.

The attack follows hot on the heels of another successful Maze breach of fellow IT services firm Cognizant in April.

Law enforcement and security professionals continue to urge companies to improve basic cyber hygiene, from introducing multi-factor authentication (MFA), to ensuring regular system patching.