Cybersecurity's Week From Hell
Fix WhatsApp, Windows, Cisco and CPUs From Intel - Pending Patch Availability
Two years after WannaCry ransomware was unleashed, the cybersecurity realm isn't any calmer. Thankfully, there hasn't been another global ransomware outbreak threatening hospitals, businesses and consumers spreading rapidly around the world that has reached WannaCry's scale.
But last week, multiple flaws - all serious, all exploitable and some already being actively exploited in the wild - have come to light. Big names - including Cisco, Facebook, Intel and Microsoft - build the software and hardware at risk. And fixes for some of the flaws are not yet available.
I don't think this is a regular Tuesday: CVE-2018-12126 MSBDS, CVE-2018-12127 MLPDS, CVE-2018-12130 ZombieLoad, CVE-2019-11091 MDSUM, CVE-2018-0708 RDP, CVE-2019-3568 WhatsApp, CVE-2019-8605 iOS, CVE-2019-1649 Cisco— Adrian Rueegsegger (@Kensan42) May 14, 2019
Is this cybersecurity's new normal - prepare to be surprised more frequently, perhaps more alarmingly, and with less time to respond?
Here's a recap of a cybersecurity week from hell.
Facebook Fixes WhatsApp
A buffer overflow flaw in WhatsApp - tracked as CVE-2019-3568 - has been used to target individuals and apparently to install Pegasus spyware, built by Israel's NSO Group and sold to governments and law enforcement agencies.
Exploiting the flaw appears to have at least allowed attackers to eavesdrop on targeted individuals' devices. Pegasus appears to have been sold to at least some governments with poor human rights records, including Saudi Arabia (see: WhatsApp Exploit Reveals 'Legalized Hacking' at Work).
Alan Woodward, a professor of computer science at the University of Surrey, says everyone who uses WhatsApp should update it immediately or else uninstall it. But it's not clear if exploiting the flaw allowed attackers to auto-install spyware on Android or iOS WhatsApp users' devices. If so, the update will not remove that spyware.
An app update that includes the security fix was released for Android on May 10, while the iOS version arrived three days later, on Monday. But many WhatsApp users may not know that they need to update the app themselves.
As of Thursday - six days after the Android version appeared, and three days after the iOS version was released - many users still hadn't updated, according to data gathered by mobile security vendor Wandera:
Who's Updated WhatsApp?
iOS WhatsApp users:
- 20 percent upgraded to patched version
- 80 percent are still vulnerable
Android WhatsApp users:
- 45 percent upgraded to patched version
- 55 percent are still vulnerable
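Wandera's figures above come from a mobile device management (MDM) inventory. The following is an added example, not code from the article or from Wandera, of how a security team would run the same triage against its own fleet: compare each device's installed WhatsApp version against the first fixed version for that platform and bucket the devices. The inventory record layout (device_id, platform, app, version) is an assumption; real MDM exports differ. The version floors are taken from Facebook's advisory for CVE-2019-3568 - verify them against the advisory before relying on them.

```python
"""Triage an MDM export for WhatsApp builds still exposed to CVE-2019-3568.

Added example (not from the article or Wandera). Record layout is assumed;
version floors are from Facebook's CVE-2019-3568 advisory - verify them.
"""
import re
from typing import Dict, List, Tuple

# (platform, app) -> first version that contains the fix.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("android", "whatsapp"): "2.19.134",
    ("android", "whatsapp business"): "2.19.44",
    ("ios", "whatsapp"): "2.19.51",
    ("ios", "whatsapp business"): "2.19.51",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.19.134' (or '2.19.134 (451234)' as some MDMs report it)
    into a tuple that compares numerically, so 2.19.9 < 2.19.134."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_vulnerable(platform: str, app: str, version: str) -> bool:
    """True when the installed build predates the fixed version.
    Raises KeyError for platform/app pairs the table does not cover, so the
    caller cannot silently mark an unknown build as safe."""
    key = (platform.strip().lower(), app.strip().lower())
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        raise KeyError(f"no fixed version known for {key}")
    return parse_version(version) < parse_version(fixed)


def triage(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split device IDs into 'patched', 'vulnerable' and 'unknown'."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for r in records:
        try:
            vuln = is_vulnerable(r["platform"], r["app"], r["version"])
            bucket = "vulnerable" if vuln else "patched"
        except (KeyError, ValueError):
            bucket = "unknown"  # unsupported platform or garbage version string
        out[bucket].append(r["device_id"])
    return out


def share_vulnerable(records: List[Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Per platform: (vulnerable count, classifiable count) - the same ratio
    Wandera reported, computed for your own fleet."""
    counts: Dict[str, Tuple[int, int]] = {}
    for r in records:
        plat = r["platform"].strip().lower()
        try:
            vuln = is_vulnerable(plat, r["app"], r["version"])
        except (KeyError, ValueError):
            continue
        v, n = counts.get(plat, (0, 0))
        counts[plat] = (v + int(vuln), n + 1)
    return counts


# Constructed sample inventory - not real data.
SAMPLE: List[Dict[str, str]] = [
    {"device_id": "ios-001", "platform": "iOS", "app": "WhatsApp", "version": "2.19.51"},
    {"device_id": "ios-002", "platform": "iOS", "app": "WhatsApp", "version": "2.19.50"},
    {"device_id": "and-001", "platform": "Android", "app": "WhatsApp", "version": "2.19.134 (451234)"},
    {"device_id": "and-002", "platform": "Android", "app": "WhatsApp", "version": "2.19.118"},
    {"device_id": "and-003", "platform": "Android", "app": "WhatsApp Business", "version": "2.19.44"},
    {"device_id": "and-004", "platform": "Android", "app": "WhatsApp Business", "version": "2.19.40"},
    {"device_id": "kai-001", "platform": "KaiOS", "app": "WhatsApp", "version": "2.2019.5"},
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for bucket, ids in result.items():
        print(f"{bucket:>10}: {', '.join(ids) or '-'}")
    for plat, (v, n) in share_vulnerable(SAMPLE).items():
        print(f"{plat}: {v}/{n} still vulnerable")
```

The "unknown" bucket matters: a build the table does not cover (or a version string the MDM mangled) must be reviewed by hand rather than counted as patched, and, as the article notes, a patched build does not remove spyware that was installed before the update.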
Intel Battles ZombieLoad
Side-channel speculative execution flaws continue to be discovered in CPUs. Last week, a team of researchers as well as Intel confirmed that they'd found more flaws in processors along the lines of the Spectre and Meltdown flaws that came to light in early 2018. Collectively termed Microarchitectural Data Sampling, or MDS, by Intel and dubbed ZombieLoad by the researchers, the vulnerabilities allow an attacker running code on a processor to sample data left in the chip's internal buffers by other software - including other processes, virtual machines or the kernel.
Thankfully, no in-the-wild exploits have been seen against these flaws.
Intel has rolled out some microcode updates and others are on the way. Operating system developers - including Apple, Microsoft, Red Hat and VMware - have already shipped updates designed to help mitigate the problem, and these will need to be installed. Note that the two go together: the operating system fix only fully works on a processor that has also received the new microcode, which typically arrives via an OS update or a BIOS/firmware update from the system maker. Cloud services firms such as Amazon and Google say they already have fixes in place.
Intel says future processors will have defenses to help prevent these vulnerabilities from being exploited. But many if not all processors built from 2011 onward will need fixes, which Intel says can degrade performance. Until fixes are available, experts recommend deactivating hyperthreading - Intel's simultaneous multithreading, which boosts throughput by running two threads on one core but also lets one thread sample the other's data (see: Intel's 'ZombieLoad' Fixes May Slow Processors by 9 Percent).
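For Linux fleets, the kernel reports its own MDS mitigation state, so the "patched, microcode present, hyperthreading off" questions above can be checked per host rather than assumed. The following is an added example, not from the article, Intel or any vendor tooling: it reads the two sysfs files the MDS-patched kernels expose (/sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control) and classifies the host. The status strings matched are the ones the kernel emits; the classification labels are this example's own.

```python
"""Classify a Linux host's MDS (ZombieLoad) mitigation state from sysfs.

Added example, not from the article. Reads the kernel's own reporting files,
present on kernels that carry the May 2019 MDS mitigations:
  /sys/devices/system/cpu/vulnerabilities/mds
  /sys/devices/system/cpu/smt/control   (on/off/forceoff/notsupported/notimplemented)
"""
from pathlib import Path

MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_FILE = Path("/sys/devices/system/cpu/smt/control")


def classify_mds(mds_status: str, smt_control: str) -> str:
    """Map the kernel's MDS status line (plus the SMT control file) to one of:
    not-affected, mitigated, smt-exposed, microcode-missing,
    host-smt-unknown, unpatched-kernel, vulnerable.

    Example status lines the kernel writes:
      'Not affected'
      'Mitigation: Clear CPU buffers; SMT disabled'
      'Mitigation: Clear CPU buffers; SMT vulnerable'
      'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable'
      'Vulnerable; SMT vulnerable'          (mitigation switched off, mds=off)
    """
    status = mds_status.strip()
    smt = smt_control.strip().lower()

    if not status:
        # The file does not exist: this kernel predates the MDS patches and
        # therefore cannot mitigate the flaw at all, whatever the microcode.
        return "unpatched-kernel"
    if status == "Not affected":
        return "not-affected"
    if status.startswith("Vulnerable"):
        # Kernel has the code but the CPU lacks the VERW microcode (the
        # article's "microcode updates on the way"), or mitigation is off.
        return "microcode-missing" if "no microcode" in status else "vulnerable"
    if status.startswith("Mitigation"):
        # Buffers are cleared on return to user space, but a sibling
        # hyperthread on the same core can still sample them: that is why
        # the article's experts recommend disabling SMT.
        if "Host state unknown" in status:
            # Running in a VM: the guest cannot see whether the host has SMT
            # on - ask the cloud/hypervisor operator, as the article notes.
            return "host-smt-unknown"
        if "SMT disabled" in status or "SMT mitigated" in status:
            return "mitigated"
        if "SMT vulnerable" in status:
            return "smt-exposed"
        # Older backports omit the SMT suffix: fall back to the control file.
        if smt in ("off", "forceoff", "notsupported", "notimplemented"):
            return "mitigated"
        return "smt-exposed"
    return "vulnerable"  # unrecognised text: treat as unmitigated, not safe


def read_sysfs(path: Path) -> str:
    """Return the file's text, or '' when it is absent (old kernel, non-Linux)."""
    try:
        return path.read_text()
    except OSError:
        return ""


def check_host() -> str:
    return classify_mds(read_sysfs(MDS_FILE), read_sysfs(SMT_FILE))


if __name__ == "__main__":
    print(f"MDS state on this host: {check_host()}")
```

Anything other than "not-affected" or "mitigated" is an action item: "microcode-missing" means wait for (or chase) the firmware update, "smt-exposed" means hyperthreading is still on, and "unpatched-kernel" means the OS update has not landed yet.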
Microsoft Updates Remote Desktop Services
To block another WannaCry-type worm, Microsoft is urging users of older Windows versions to update Remote Desktop Services - formerly known as Terminal Services - to fix CVE-2019-0708 (see: To Prevent Another WannaCry, Microsoft Patches Old OSs).
"This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is 'wormable,' meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017," Microsoft warns. "While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware."
The good news is that Windows 8 and 10 are not affected.
The not-so-good news is that vulnerable systems include Windows 7, Windows Server 2008 R2 and Windows Server 2008, as well as Windows Server 2003 and Windows XP, both of which are no longer supported, although Microsoft has released patches for them anyway. According to market researcher NetMarketShare, 4 percent of all PCs in the world that connect to the internet are still running Windows XP.
Thrangrycat Bites Cisco
Research published last week shows that secure boot functionality built into many Cisco devices isn't secure (see: Cisco's 'Thrangrycat' Router Flaw Tough to Neuter).
Cisco uses a field programmable gate array - or FPGA - to implement the Trust Anchor module at the root of its "secure boot" process. But researchers from Red Balloon Security last week reported that the FPGA's configuration, or bitstream, is not itself protected, so the hardware can be made to skip its check that firmware is legitimate before allowing it to run. As a result, an attacker who already has root access to the device could alter the bitstream and persistently run modified firmware, and users would probably never even know it.
"We are unaware of any use of this exploit in the wild, but the potential danger is severe," say the Red Balloon Security researchers, who have nicknamed the vulnerability Thrangrycat.
Because the problem exists in hardware, it appears to be tough to fix. While Cisco has pushed updates for some devices, there's a longer list of vulnerable products for which no fixes are available, and there are no workarounds that can be used in the interim.
Last week wasn't all security dystopia. For example, the U.S. Justice Department and Europol announced that an international operation has disrupted the GozNym malware attack network, tied to $100 million in losses from more than 41,000 victims around the world. Six suspects have been arrested in Bulgaria, Georgia, Moldova and Ukraine and face local prosecution. Five remain at large and are believed to be in Russia (see: FBI and Europol Disrupt GozNym Malware Attack Network).
While that case is notable, GozNym has been operating since at least 2016, showing the lead time often required to bust cybercrime suspects. In addition, many criminals operating online remain at large. Washington public policy think tank Third Way, for example, earlier this year reported that "less than 1 percent of malicious cyber incidents ever see an arrest of the criminal."
In other words, law enforcement isn't going to save you; save yourself.
But Wait; There's More
But where to start? What's notable about the above flaws is that they're just the especially high-priority ones.
Are we done with the patches for the day?— Arrigo Triulzi (@cynicalsecurity) May 14, 2019
1) WhatsApp gets you killed by Saudis,
2) Cisco "secure" FPGA is not,
3) Intel processors discovered to have a "whatever" microcode mode,
4) Microsoft decides to rename Remote Desktop to Remote Execution...
Microsoft's Remote Desktop Services patch came as part of its monthly Patch Tuesday release, which included many more fixes. Other vendors, including Adobe, have continued to ship their regularly scheduled batches of monthly patches too.
This. Is. One. Adobe. Update. pic.twitter.com/lXBHBB90wh— Matthew Green (@matthew_d_green) May 14, 2019
Another problem is that while security experts have for years been warning businesses and consumers to prioritize patches and then install them as quickly as possible, patches may arrive in deluges, and some of the flaws that came to light last week cannot be fully fixed by a patch at all. At best, they can be mitigated. And in the case of the Cisco vulnerabilities, updates for many products aren't yet available, and no suitable workarounds have been identified.
Hence organizations will still have to patch. But in the meantime, in some cases they're waiting on patch release dates, and so must track when they might be able to start testing, and then plan to roll out future fixes once they arrive.
Now, who knows what the coming days will bring?