Security Weekly 2

Security Weekly 2: A Hole in Every Intel Core System, Apple Revokes a Trojan's Certificate, Ransomware Floods the Planet

It was introduced almost ten years ago, and only now has it become widely known: a vulnerability has been disclosed in the Intel Management Engine (ME) firmware. Intel's advisory lists firmware versions 6.0 through 11.6, which, mind you, means every version since 2008, starting with the platforms for first-generation Intel Core processors.

A hole in every Intel Core system

Anyone who knows what ME can do is already uneasy. It can read and write any region of RAM and storage, watch what is happening on the screen, send and receive anything over the network while ignoring the firewall running in the operating system, and do all of this without leaving a trace in any log. Rumor has it that ME even gets past disk encryption without breaking a sweat. An inhumanly useful thing.

It is clear that if you build a legitimate hardware backdoor into the motherboard, you need to lock it down as tightly as possible, and Intel did: the ME firmware, for example, is signed with a 2048-bit RSA key. But, as usual, something went wrong, and the general public has now learned for certain that ME management functions can be reached remotely. At risk are machines with Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) or Intel Small Business Technology (SBT), which is, by and large, everything built on Intel chipsets for Intel Core.

  • True, Intel's announcement says ordinary consumer systems are not vulnerable, and that looks plausible, since they have no AMT, ISM or SBT. But we also know that a consumer product differs from a corporate one mostly in its firmware, and the same holds here: researchers have already pointed out that the hole can be exploited on consumer chipsets too, and not only remotely but locally. That is, any malware running in user space is fully capable of gaining unlimited power over the system.

People in the know immediately recalled that hints of holes in ME had been dropped as far back as last year. Damien Zammit complained that ME's security rests on closed code, which is hardly an insurmountable obstacle for skilled analysts. And Charlie Demerjian of SemiAccurate said outright that researchers had been poking Intel about these vulnerabilities for a long time. On hearing this, Threatpost put the obvious question to Intel, but William Moss of Intel admitted nothing: according to him, the company learned of the problem only in March, and by May a patch was ready. What more do you want from Intel, you ingrates?!

  • A patch is a good thing. But we also know that besides Intel's own motherboards there are plenty of boards from other manufacturers built on its chipsets. Intel does not answer for those: it shipped the patch and moved on. Whether and when those third-party manufacturers will close the hole in their firmware is an open question. In the meantime, the advice is to disable the remote management technologies in the BIOS setup and remove the corresponding Intel utilities from the system. Well, OK.
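Before disabling anything, it helps to know which machines on your network actually expose a management interface. The script below is an added example, not code from the article or from Intel: it checks whether a host accepts connections on the two TCP ports the AMT web server uses (16992 for HTTP, 16993 for HTTPS) and whether the HTTP port announces one of the AMT, ISM or SBT product names in its reply. The marker strings, the fake server that stands in for a real AMT endpoint (its version string and Digest realm are made up), and the `probe_host`/`http_banner` helper names are all this example's own assumptions; it does not attempt the vulnerability itself.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# AMT's embedded web server listens on TCP 16992 (HTTP) and 16993 (HTTPS).
AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

# Product names the management web UI announces in its Server header and
# login page (assumption of this example); any of them means an ME
# management interface is reachable over the network.
AMT_MARKERS = (
    b"Active Management Technology",
    b"Standard Manageability",
    b"Small Business Technology",
)


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_banner(host, port, timeout=2.0, limit=65536):
    """Send a minimal HTTP/1.0 GET and return the raw reply (headers and body).

    HTTP/1.0 makes the server close the connection after replying, so
    reading until EOF (capped at `limit` bytes) is enough. b"" on error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            chunks, total = [], 0
            while total < limit:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:
        return b""


def find_marker(reply):
    """Return the first AMT product name found in reply (case-insensitive), else None."""
    lowered = reply.lower()
    for marker in AMT_MARKERS:
        if marker.lower() in lowered:
            return marker.decode()
    return None


def probe_host(host, http_port=AMT_HTTP_PORT, https_port=AMT_HTTPS_PORT, timeout=2.0):
    """Check one host for a reachable AMT/ISM/SBT web interface.

    Returns which of the two ports accept connections, the product name the
    HTTP port announced (if any) and an "exposed" verdict. A host with an
    open port but no banner is still listed so it can be checked by hand.
    Ports are parameters so the check can be aimed at a test server.
    """
    result = {"host": host, "open_ports": [], "marker": None}
    for port in (http_port, https_port):
        if port and port_open(host, port, timeout):
            result["open_ports"].append(port)
    if http_port in result["open_ports"]:
        result["marker"] = find_marker(http_banner(host, http_port, timeout))
    result["exposed"] = result["marker"] is not None
    return result


# --- Constructed stand-in for an AMT web server, for offline use only ---

class FakeAmtHandler(BaseHTTPRequestHandler):
    """Approximates an AMT endpoint answering with a Digest challenge.
    Version string and realm are invented for this example."""

    def version_string(self):
        return "Intel(R) Active Management Technology 11.6.27"

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Digest realm="Digest:FAKE00"')
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><head><title>Intel(R) Active Management "
                         b"Technology</title></head><body></body></html>")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_amt():
    """Start the fake server on 127.0.0.1 at an ephemeral port and return it."""
    server = HTTPServer(("127.0.0.1", 0), FakeAmtHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def free_tcp_port():
    """Pick a local port nothing is listening on (for a negative check)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if not hosts:  # no targets given: demonstrate against the fake server
        fake = start_fake_amt()
        print(probe_host("127.0.0.1", http_port=fake.server_address[1], https_port=None))
        fake.shutdown()
    for host in hosts:
        print(probe_host(host))
```

Run it with a list of hosts (`python amt_probe.py 10.0.0.5 10.0.0.6`) to get one verdict per machine; without arguments it probes only the built-in fake server. An open 16992/16993 with no recognizable banner is still worth a manual look, which is why the result carries the port list separately from the verdict.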

Apple revoked the certificate of an OS X Trojan

News. Last week Check Point caught a new and interesting Trojan for Macs, OSX/Dok. It eavesdrops on traffic and can take full control of all communications on the infected machine, encrypted channels included. This is done simply: the browser is pointed at a proxy controlled by the attackers, and all traffic goes through it. Beforehand, the Trojan installs its own root certificate in the system, so the browser trusts the proxy server's certificate, and it becomes hard to tell that HTTPS traffic is being intercepted.

OSX/Dok spreads through phishing: victims receive e-mails with a zip attachment that is actually an executable. If a naive Mac user clicks on the file, the Trojan copies itself to /Users/Shared and displays a message that the archive is corrupt, so leave it alone. It then finds the App Store entry among the login items and takes its place. After a reboot it shows a window with an update notification and demands a password. Until the victim enters the password, nothing can be done on the computer. And once they do, Dok gets admin rights.

The Trojan is able to do all this, and to stay undetected, thanks to a legitimate Apple developer signature, whether stolen or obtained specifically for dark deeds. From a security standpoint it was a genuinely honest, Apple-approved Trojan. Well, Apple has now revoked the certificate, and Dok can no longer fool us.

Most malware is now ransomware

News. Study. Every year Verizon Enterprise publishes a report on the cyber incidents the company investigated over the year. Last year they dealt with about 40 thousand incidents, of which 1,935 were confirmed breaches. The conclusions are worrying: ransomware attacks of various kinds grew by 50%.

Cybercriminals have begun to work more subtly. Where a typical cryptolocker used to charge in with the grace of the First Cavalry and encrypt everything in reach (and more often than not was simply sent packing, since there was nothing valuable on the machine), it now sits quietly and looks for data that really matters. To that end, attackers have mastered fileless attack techniques and have even remembered the good old Word macros.

Verizon's main security concern is that two-factor authentication is still not widespread enough. In most cases brute force and phishing are all hackers need to do whatever they want with a victim.