Researchers have developed new techniques inspired by the recent Spectre CPU vulnerability to completely compromise the confidentiality of hardware-based secure enclaves created with Intel’s Software Guard eXtensions (SGX).
SGX is a feature present in 6th generation (Skylake) and later Intel CPUs that provides a shielded execution environment for applications. Programs or program components can use the technology to set up secure enclaves to execute sensitive code or to store secrets.
The main security guarantee of SGX is that no program other than the one that created an enclave—not even the OS or hypervisor—can access its memory. The technology, which allows applications to protect data even if a system is compromised or under the control of a malicious insider, has been adopted by public clouds, including Microsoft Azure.
Researchers from Ohio State University have developed new side-channel attack techniques based on branch target injection (Spectre variant 2) that allow them to steal data from SGX enclaves. This is possible because all SGX runtime libraries (Intel SGX SDK, Rust-SGX and Graphene-SGX) used by application developers have vulnerable code patterns. The researchers have named their new class of attacks SgxPectre.
“To demonstrate their practicality, we systematically explored the possible vectors of branch target injection, approaches to win the race condition during enclave’s speculative execution, and techniques to automatically search for code patterns required for launching the attacks,” the researchers said in their paper.
A tool has been released on GitHub that can help developers identify vulnerable code patterns in their own applications and proof-of-concept attack code will be released at a later date. The issue was disclosed to Intel before the paper was published and the company plans to release an update to its SGX SDK later this month that will contain mitigations.
Memcached-Based DDoS Attacks Hit New 1.7Tbps Record
GitHub was hit by a record distributed denial-of-service (DDoS) attack last week that was launched through compromised Memcached servers and peaked at 1.35Tbps. That record has now been surpassed by a new attack that used the same technique and hit 1.7Tbps.
The new attack was recorded Monday by Netscout’s DDoS mitigation division Arbor Networks and was directed at an unnamed U.S.-based service provider. The largest DDoS attack Arbor had previously recorded occurred in 2016 and peaked at 650Gbps.
The new DDoS reflection and amplification technique that abuses the more than 88,000 publicly exposed Memcached servers has pushed DDoS attacks past the 1Tbps mark and might become the norm. Some large hosting providers have taken action to prevent Memcached servers hosted on their networks from being abused, but this will only put a dent in the overall numbers.
“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” the Arbor researchers said in a blog post.
Companies can defend against such attacks by filtering incoming traffic on UDP port 11211, which is the port Memcached servers use to deliver data.
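To make that mitigation concrete, here is an added example (not code from the article or from Arbor) that classifies NetFlow-style records the way an edge filter on UDP port 11211 would, separating reflected floods aimed at a victim from requests abusing an exposed server, and totals the reflected load per victim. The flow records and addresses are constructed sample data.

```python
# Added example for this article (not code from it or from Arbor): classify
# flow records for Memcached (UDP/11211) reflection traffic. Sample flows are
# constructed, NetFlow-like, with RFC 5737 documentation addresses.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

MEMCACHED_UDP_PORT = 11211

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    nbytes: int     # bytes seen in the sampling window
    seconds: float  # length of the sampling window

def classify(flow: Flow) -> Optional[str]:
    """Label inbound flows that a filter on UDP/11211 would drop:
    "reflected" = UDP replies *from* port 11211 (amplified flood hitting a
    victim whose address was spoofed), "amplifier" = UDP requests *to* port
    11211 from outside (our exposed server used as a reflector), else None."""
    if flow.proto != "udp":
        return None
    if flow.src_port == MEMCACHED_UDP_PORT:
        return "reflected"
    if flow.dst_port == MEMCACHED_UDP_PORT:
        return "amplifier"
    return None

def reflected_gbps(flows: List[Flow]) -> Dict[str, float]:
    """Gigabits per second of reflected traffic aimed at each victim address."""
    gbps: Dict[str, float] = defaultdict(float)
    for f in flows:
        if classify(f) == "reflected":
            gbps[f.dst_ip] += f.nbytes * 8 / f.seconds / 1e9
    return dict(gbps)

# Constructed 1-second window: two reflectors flooding one victim, one
# external request to an exposed server of ours, and two benign flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 11211, "203.0.113.5", 40000, "udp", 1_400_000_000, 1.0),
    Flow("198.51.100.11", 11211, "203.0.113.5", 40001, "udp", 300_000_000, 1.0),
    Flow("192.0.2.7", 50000, "203.0.113.20", 11211, "udp", 60, 1.0),
    Flow("192.0.2.8", 443, "203.0.113.5", 51515, "tcp", 12_000, 1.0),
    Flow("198.51.100.12", 53, "203.0.113.9", 33333, "udp", 2_000, 1.0),
]
```

Only UDP flows touching port 11211 are dropped, so TCP Memcached, DNS and HTTPS traffic in the same window pass untouched.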
Decryption Tools Available for GandCrab and Annabelle Ransomware
Security researchers from Bitdefender have released decryption tools for two families of ransomware called GandCrab and Annabelle. The tools are available on the Europol-maintained NoMoreRansom.org website.
The GandCrab decryptor was created in collaboration with the Romanian Police and the General Prosecutor’s Office. The ransomware spreads through malicious advertisements and has claimed 50,000 victims worldwide. It stands apart from similar threats because it asks for ransoms to be paid in Dash cryptocurrency.
The Annabelle ransomware is more complex and also overwrites computers’ master boot records (MBR), leaving them unable to boot into their operating systems. To use the new decryptor tool, victims first have to restore or rebuild the computer’s MBR using some other utilities and then remove some registry keys following instructions provided by Bitdefender in a blog post.