Amieltech LLC

Technical Support

Windows, Linux, BSD, Cisco

Contact: Amiel

Phone : 678-292-3086

Email : mail at amieltech.com

pk (cell/tablet): 70adde25964610fd

pk (offline): FAB2AEDD5E7F3F71

TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

Original release date: January 04, 2018 | Last revised: February 10, 2018

Systems Affected

CPU hardware implementations

Overview

On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer systems' memory.

Description

CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution"—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.

More details of these attacks can be found here:

Impact

An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer’s kernel memory, including keystrokes, passwords, encryption keys, and other valuable information.

Solution

Mitigation

NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit. 

After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.

Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches.  NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits.  A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Antivirus

Typical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:

More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.

Vendor Links

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Note: NCCIC strongly recommends:

Link to Vendor InformationDate Added
AmazonJanuary 4, 2018
AMDJanuary 4, 2018
AndroidJanuary 4, 2018
AppleJanuary 4, 2018
ARMJanuary 4, 2018
CentOSJanuary 4, 2018
ChromiumJanuary 4, 2018
CiscoJanuary 10, 2018
CitrixJanuary 4, 2018
DebianJanuary 5, 2018
DragonflyBSDJanuary 8, 2018
F5January 4, 2018
Fedora ProjectJanuary 5, 2018
FortinetJanuary 5, 2018
HPJanuary 19, 2018
GoogleJanuary 4, 2018
HuaweiJanuary 4, 2018
IBMJanuary 5, 2018
IntelJanuary 4, 2018
JuniperJanuary 8, 2018
LenovoJanuary 4, 2018
LinuxJanuary 4, 2018
LLVM: variant #2January 8, 2018
LLVM: builtin_load_no_speculateJanuary 8, 2018
LLVM: llvm.nospeculatedloadJanuary 8, 2018
Microsoft AzureJanuary 4, 2018
MicrosoftJanuary 4, 2018
MozillaJanuary 4, 2018
NetAppJanuary 8, 2018
NutanixJanuary 10, 2018
NVIDIAJanuary 4, 2018
OpenSuSEJanuary 4, 2018
OracleJanuary 17, 2018
QubesJanuary 8, 2018
Red HatJanuary 4, 2018
SuSEJanuary 4, 2018
SynologyJanuary 8, 2018
Trend MicroJanuary 4, 2018
UbuntuJanuary 17, 2018
VMwareJanuary 10, 2018
XenJanuary 4, 2018

 

References

Revision History


This product is provided subject to this Notification and this Privacy & Use policy.


TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer

Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected

Network systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see:

NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:

Description

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.

It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer

The U.S. Government has analyzed Volgmer’s infrastructure and have identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IPs addresses are identified below by approximate percentage:

Technical Details

As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.

Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.

Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

Detection and Response

This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.

When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.

Network Signatures and Host-Based Rules

This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.

Network Signatures

alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)

___________________________________________________________________________________________________

YARA Rules

rule volgmer
{
meta:
    description = "Malformed User Agent"
strings:
    $s = "Mozillar/"
condition:
    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include

Solution

Mitigation Strategies

DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:

Response to Unauthorized Network Access

References

Revision History


This product is provided subject to this Notification and this Privacy & Use policy.




Atlanta Computer Repair Center, Metro Atlanta Computer Repair, Data Recovery, Atlanta Computer Service, Computer Troubleshooting, hardware upgrades, Wireless Internet, Wireless Network, Home Office Computer Setup, Atlanta Computer Repair Center, Providing On-Site Computer Repairs, Virus Removals, Data Recovery, Computer Upgrades in the Metro Atlanta Areas, Atlanta's Premier Laptop Repairs. We Build Custom Computers, Wireless Networking, Data Recovery, and Virus / Spyware Removals. Serving the entire Metro Atlanta Area. Home or Office Computer Repair, Virus Removal, Hardware Installations, Software Installations, Windows XP Troubleshooting, Printer Troubleshooting, Wireless Networking, Wireless Internet, Virus Protection, Speed up Computer, Acworth computer repair, Alpharetta computer repair, Atlanta computer repair, Buckhead computer repair, Chamblee computer repair, Doraville computer repair, Kennesaw computer repair, Marietta computer repair, Norcross computer repair, Roswell computer repair, Sandy Springs computer repair, Windows, Smyrna computer repair, Woodstock computer repair, Linux, Debian Linux, Treasure Coast Ubuntu, dell computer repair, HP computer repair, Compaq computer repair, Toshiba computer repair, Sony computer repair, Samsung computer repair, Gateway computer repair, Emachines computer repair, IBM computer repair, Acer computer repair, Computer, repair, repairs, service, pc repairs, custom, system, pc, onsite, home, repairs, help, guru, business, company, technician, network, crash, maintenance, contract, repairs, virus repair, treasure coast computer repair, virus removal, preventive maintenance, tech support, Open BSD, computer cleaning service, at home, Free BSD, service center, repair price, on site, specialist, compaq, dell, gateway, upgrade, upgrades, in home, support, search engine guru, on-site, cpu, amiel, amiel summers, business, georgia, east atlanta, fulton county,cobb county, dekalb county,atlanta, GA

¹²³