2 cybersecurity flaws you should be freaking out about
Interestingly, both flaws came to light on the same day, Tuesday, May 14:
· The first is a Windows vulnerability known as BlueKeep that affects the Remote Desktop Protocol (RDP) service. Microsoft immediately released a patch (CVE-2019-0708), but analysts predict a nightmare in the making.
· The second flaw, known as ZombieLoad, affects almost every Intel chip since 2011 and allows attackers to steal data that has been recently accessed by the processor.
Every organization should be freaking out about these flaws right now. And by “freaking out,” we mean swiftly and diligently patching your systems, if you haven’t already.
Here’s what we know about these flaws so far.
What is BlueKeep?
As part of its May 2019 “Patch Tuesday,” Microsoft did something very unusual. The company announced it was including a patch for older versions of Windows that hadn’t been supported for years: Windows XP, Windows 7, Server 2003 and Server 2008.
Microsoft was somewhat tight-lipped about the patch, but they said it fixed a “critical” vulnerability that allowed attackers to take control of the operating system through the remote desktop service.
No authentication needed
Windows Remote Desktop Protocol is designed to let you to connect one computer to another over the Internet. Under normal conditions, there are security safeguards in place to prevent anyone from connecting to any computer, willy-nilly. The user needs the correct authentication credentials to connect.
However, the BlueKeep vulnerability allows attackers to bypass those safeguards entirely and remotely execute code on vulnerable systems without authentication.
Even with Network Level Authentication enabled, attackers might still be able to exploit the vulnerability, researchers added.
In other words, any affected systems exposed to the Internet are wide open.
Potential for widespread attack
The nature of the BlueKeep flaw also means it’s wormable, capable of propagating from one computer to another.
Once a working exploit is developed, it could be easily programmed to automatically spread outward from each exploited machine, with no further human intervention needed. Since the vulnerability allows attackers to take control of a computer remotely, software could be loaded onto one computer to assist in finding other vulnerable machines exposed to the Internet. This could lead to a large-scale attack, a la the NotPetya and WannaCry ransomware attacks of 2017, which relied on the EternalBlue exploit to infect thousands of computers around the globe, including hospitals, utility companies and some of the world’s largest corporations.
Attackers are already trying
Microsoft said there are no known exploits of this vulnerability. However, analysts agree that it’s only a matter of time. Given the critical nature of the vulnerability, researchers predict that the flaw could be exploited in a matter of days, not weeks or months. Microsoft was clear about this in its announcement, saying “it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Almost immediately after Microsoft’s announcement, several organizations reported that they had already successfully developed exploits for BlueKeep, including McAfee, Kaspersky, Check Point, MalwareTech, Zerodium and Valthek. But for obvious reasons, they’ve kept those exploits private.
Researchers have also already detected “intense scanning activity” for vulnerable machines on the Internet. According to ZDNet, threat intelligence firm GreyNoise has determined that prospective attackers are using software to actively scour the web and log every Windows system that is currently exposed.
As ZDNet writes, this scanning is “a first sign that things are about to get worse. Really worse.”
How to fix BlueKeep? Patch right now!
Hopefully your organization isn’t using any of the outdated Windows versions that are vulnerable to BlueKeep. But the fact remains that many businesses are.
The fastest and simplest way to fix the flaw is to install the CVE-2019-0708 patch from Microsoft. Also, while you’re at it, set updates to install automatically.
ZDNet also has links to various tools that you can use to detect exploit attempts on your network and also confirm if your system is adequately patched.
For added measure, here are some additional security recommendations:
· Close any open ports that leave Remote Desktop Protocol exposed to the Internet (default port tcp/3389).
· Close any RDS ports open to LAN/DMZ.
· If you can’t close ports entirely, then restrict access to specific IP addresses or VPN connections.
· Disable RDS completely if it’s not needed.
Now, let’s move onto the second major security flaw announced this month, which is not at all related to BlueKeep …
What is ZombieLoad?
ZombieLoad is the name of a newly discovered flaw in Intel chips that allows attackers to eavesdrop on (and steal) any data that has been recently accessed by the processor.
The flaw was first discovered by researchers at Graz University of Technology in Austria, who reported it to Intel.
ZombieLoad is actually a blanket term for the vulnerability, which is in fact susceptible to four distinct exploit techniques. Other names for the techniques include Fallout and Rogue In-Flight Data Load (or RIDL). Intel prefers to call it Microarchitectural Data Sampling (or MDS). But whatever you want to call it, the core vulnerability is the same: attackers can siphon basically any data recently accessed by the computer’s CPU.
Potential for stealing sensitive data
By exploiting the MDS vulnerability, hackers can get their hands on any data that goes through the CPU, including:
· User keys
· Browser history
· Website content
· File content
· Disk encryption keys
The flaw affects not only Intel chips in personal computers, but also servers. As The Verge explains, ZombieLoad is also a vulnerability on cloud servers, “which could allow an attacker to steal information from other virtual machines running on the same PC.”
Almost every chip manufactured by Intel since 2011 is affected.
Sound familiar? It should.
ZombieLoad is actually just a new variant of similar flaws that were announced in 2018. Remember Meltdown and Spectre? Those vulnerabilities, which affected nearly all Intel processors (and some non-Intel CPUs) made over the last 20 years, fall within the same broad category of exploit, allowing attackers to spy on and steal data from the CPU.
Thus, ZombieLoad is not entirely a new threat, but instead just the latest iteration of a “new class of security vulnerability that [will] no doubt surface again and again,” according to Wired.
How does it work?
Like Spectre and Meltdown, the ZombieLoad vulnerability arises out of a processor’s design to perform “speculative execution,” which speeds up chip performance by speculating on what operations it will be asked to execute, before those operations are actually requested.
With Spectre and Meltdown, attackers could use speculative execution to “trick” the processor into accessing sensitive data. ZombieLoad is a little different in that attackers steal data from the buffers that sit between a chip’s components (i.e. between a processor and its cache), rather than from data sitting in memory (as with Meltdown).
Lots of ways it can be exploited
Attackers can use basically any of their usual means for exploiting the vulnerability on affected machines. The most obvious method would be to infect a computer with malicious software (i.e. by email attachment or a link to a malicious website). Once installed, the software would then eavesdrop on all data flowing through the processor and it could transmit that data back to the attackers.
Attackers could also target a cloud server to access any virtual machine running on it.
Fixes with performance tradeoffs
As with Spectre and Meltdown, fixing the ZombieLoad flaw means sacrificing some of the processing speed gained by speculative execution.
Intel says that decreases in performance shouldn’t be noticeable for most users. However, when you’re talking about large datacenters where thousands of processors are used to power cloud services, performance might drop as much as 9%, according to Wired.
Is your system vulnerable?
If your computers contain an Intel chip from 2011 or after, then yes, they are almost certainly at risk.
According to researchers, that includes even “the latest 9th-generation processors, despite their in-silicon mitigations for Meltdown. Ironically, 9th-generation CPUs are more vulnerable to some of our attacks compared to older generation hardware.”
Researchers at Vrije Universiteit Amsterdam have released a free tool that lets you check if your system is vulnerable.
How to patch ZombieLand
As with the BlueKeep vulnerability, the key to staying protected is updating your systems ASAP (and every time new updates become available).
Intel has already issued code to manufacturers so that they can release their own patches to users, and several manufacturers have already done so in their recent updates, including Microsoft, Google and Apple.
So far, no exploits for ZombieLand have been found in the wild, though that doesn’t mean that attackers haven’t developed them yet. Patch your systems immediately and/or check with manufacturers directly to make sure you’re protected.
Protect against cybersecurity flaws. Update your data protection
A dependable data backup system is the foundation of any business continuity strategy. Request a free demo to see how today’s leading BC/DR solutions from Datto can virtually eliminate data loss and downtime, or contact our business continuity experts for more information on how to protect your organization: call (646) 395-1170 or email [email protected].