Google is distributing more Meltdown and Spectre Patches for Chrome OS devices

Google is distributing more Meltdown and Spectre Patches for Chrome OS devices

Google announced that mitigations for devices with Intel processors that are affected by the Spectre and Meltdown vulnerabilities will be available for latest stable channel update for Google’s Chrome OS operating system.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

Google addressed the Meltdown issue in Chrome OS with the release of the version 63 in December, tens of days before researchers at Google Project Zero disclosure the flaws.

Chrome OS Spectre patches

Google rolled out the KPTI/KAISER patch to address the flaw in 70 Intel-based Chromebook models from various vendors, including Acer, ASUS, Dell, HP, Lenovo, and Samsung.

This week the company released Chrome OS 65 release that also includes the KPTI mitigation against Meltdown for a number of Intel-based systems that were not addressed in with version 3.14 of the kernel.

According to Google, all older Chromebooks with Intel processors should get the KPTI mitigation for Meltdown with the release of Chrome OS 66 that is scheduled for release on April 24.

“The Stable channel has been updated to 65.0.3325.167 (Platform version: 10323.58.0/1) for most Chrome OS devices. This build contains a number of bug fixes and security updates.” reads the Google announcement.

“Intel devices on 3.14 kernels received the KPTI mitigation against Meltdown with Chrome OS 65.

All Intel devices received the Retpoline mitigation against Spectre variant 2 with Chrome OS 65.”

Chrome OS 65 also includes the Retpoline mitigation for Spectre Variant 2 for all Intel-based devices. Google experts highlighted that for Spectre Variant 1 attack, hackers can abuse the eBPF feature in the Linux kernel, but Chrome OS disables eBPF.

Chrome OS devices running on ARM-based systems are not affected by Meltdown. Google is working to cover also Spectre issues.

“On ARM devices we’ve started integrating firmware and kernel patches supplied by ARM. Development is still ongoing so release timelines have not been finalized. ARM devices will receive updated firmware and kernels before they enable virtualization features.” concluded Google.

A flaw in Ledger Crypto Wallets could allow to drain your cryptocurrency accounts. Fix it!

A flaw in Ledger Crypto Wallets could allow to drain your cryptocurrency accounts. Fix it!

Saleem Rashi, a 15-year-old researcher from the UK, has discovered a severe vulnerability in cryptocurrency hardware wallets made by the Ledger company.

Hardware wallets enable transactions via a connection to a USB port on the user’s machine, but they don’t share the private key with the host machine impossible malware to harvest the keys.

Saleem Rashid has found a way to retrieve the private keys from Ledger devices once obtained a physical access to the device.

The researchers discovered that a reseller of Ledger’s devices could update the devices with malware designed to steal the private key and drain the user’s cryptocurrency accounts when the user will use it.

Giving a close look at the Ledger’s hardware device, Saleem Rashid discovered that they include a secure processor chip and a non-secure microcontroller chip. The nonsecure chip is used for different non-security tacks such as displaying text on the display. The problem ties the fact that the two chips exchange data and an attacker could compromise the insecure microcontroller on the Ledger devices to run malicious code in stealth mode.

Even is Ledger devices implement a way to protect the integrity of the code running on them, the expert developed a proof-of-concept code to bypass it and run malicious code on the products.

nano s ledger wallet

The PoC code was published along with the official announcement from Ledger about the availability of a new firmware update that addresses the vulnerability.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid told to the popular cyber security expert Brian Krebs. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Rashid published a research paper on the flaw and a video PoC of the attack against a Nano-S device, one of the most popular hardware wallets sold by the company.

“This attack would require the user to update the MCU firmware on an infected computer. This could be achieved by displaying an error message that asks the user to reconnect the device with the le/ button held down (to enter the MCU bootloader). Then the malware can update the MCU with malicious code, allowing the malware to take control of the trusted display and confirmation buttons on the device.” wrote the researcher.
This attack becomes incredibly lucrative if used when a legitimate firmware update is released, as was the case two weeks ago.”

“As you can tell from the video above, it is trivial to perform a supply chain attack that modifies the generated recovery seed. Since all private keys are derived from the recovery seed, the attacker could steal any funds loaded onto the device.” continues the expert.

The Ledger MCU exploit relies on the fact that the process for generating a backup code for a user’s private key leverages on a random number generator that can be forced to work in a predictable way and producing non-random results.

Curiously, when Rashid first reported his findings to Ledger, the company dismissed them.

“the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attack. There is no need to take any other action, your seed / private keys are safe.” reads the security advisory published by the French company.

“Thimotee Isnard and Sergei Volokitin followed the responsible disclosure agreement process and were awarded with a Bounty, while Saleem Rashid refused to sign the Ledger Bounty Program Reward Agreement.”

Rashid pointed out that Ledger doesn’t include anti-tampering protection to avoid that an attacker could physically open a device, but the company replied that such kind of measures is very easy to counterfeit.

In this case, let me suggest buying the devices directly from the official vendor and not from third-party partners and update them with the last firmware release.

AMD will release the patches for the recently discovered flaws very soon

AMD will release the patches for the recently discovered flaws very soon

AMD concluded its investigation on the vulnerabilities recently discovered by CTS Labs and announced that security patches will be released very soon.

AMD has finally acknowledged 13 critical vulnerabilities and exploitable backdoors in its Ryzen and EPYC processors that were first disclosed earlier March by the researchers at the security firm CTS Labs.

The CTS Labs researchers did not disclose any technical details about the vulnerabilities to avoid abuses in the wild.

The vendor plans to roll out firmware updates in the incoming weeks to address the flaws affecting millions of devices worldwide.

The flaws could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems. The flaws expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.

CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”

The analysis conducted by the security experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.

The flaw could allow to bypass AMD’s Secure Encrypted Virtualization (SEV) technology and also Microsoft Windows Credential Guard.

AMD flaws

This week AMD published a press release trying to downplay the severity of the flaws.

“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” reads the press release published by AMD. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.” 

Differently from what has happened for Meltdown and Spectre attacks, AMD sustains that the patches it is going to release are not expected to impact system performance.

CTS Labs are skeptical about a rapid fix of the issues, they claimed that AMD could take several months to release patches for most of the flaws, even some of them could not be fixed.

Bitcoin Price Hit 2018 Lows Because Of $400 mln Mt.Gox Sell-Off: Reports.

Bitcoin Price Hit 2018 Lows Because Of $400 mln Mt.Gox Sell-Off: Reports.

Bitcoin Price Hit 2018 lows

Bitcoin prices fell as low as $6000 in 2018 due to a Mt.Gox trustee “panicking” and selling $400 mln worth of bitcoins (BTC), reports suggest this week.

As multiple news outlets reported from March 7, Nobuaki Kobayashi has sold over 35,000 BTC and 34,000 BCH (Bitcoin Cash) in order to pay the defunct exchange’s creditors.

The sales occurred via an exchange, with each individual sale appearing to move Bitcoin markets lower. Former Mt.Gox CEO Mark Karpeles confirmed the transfers took place from December through February.

When BTC/USD hit $5900 Feb. 6, Kobayashi had transferred 18,000 BTC ($180 mln) the day prior, entrepreneur Alistair Milne reported on Twitter March 7 quoting the r/mtgoxinsolvency subreddit.

Kobayashi himself related the selling practices at a creditors’ meeting the same day, Matt Odell adds.

The MT Gox trustee has sold 35,841 BTC for $362 million and 34,008 BCH for $45 million according to reports coming out of a creditors meeting held earlier today.”

Sales started in December and ended in February.

“The MT Gox trustee has sold 35,841 BTC for $362 million and 34,008 BCH for $45 million according to reports coming out of a creditors meeting held earlier today.”

Sales started in December and ended in February.

h/t @girevikcap 

2/ Full list of transfers out of their wallet. More than half of the bitcoin they sold (18k btc) was transferred to an exchange on Feb 5th. The day before bitcoin hit its 3 month low of ~$6000. They panicked and sold the bottom. Market absorbed it well.

h/t @alistairmilne


3/ The arrows on the chart below mark the dates of each Gox wallet transfer. Worth noting, these aren’t the dates of the sales, those most likely happened right after, these are the dates of the transfers to the exchange.

Cointelegraph also reported on the ongoing Mt.Gox FBI investigation this week, as unofficial detective work by UK broadcaster the BBC increased suspicion on an alleged London “shell” company that may have helped launder the exchange’s stolen bitcoins.
TeleRAT, a new Android Trojan that uses Telegram for data exfiltration

TeleRAT, a new Android Trojan that uses Telegram for data exfiltration

Security experts at Palo Alto Networks discovered a new Android Trojan dubbed TeleRAT that uses Telegram Bot API to communicate with the command and control (C&C) server and to exfiltrate data.

The TeleRAT malware is distributed via seemingly legitimate applications in third-party Android app stores and also via both legitimate and nefarious Iranian Telegram channels. According to PaloAlto networks, a total of 2,293 users were apparently infected, most of them (82%) having Iranian phone numbers.

Telerat android malware