Microsoft has released patches for Windows 10 and Windows Server 2016 that update the microcode for some Intel microprocessors to address CPU vulnerabilities, including the recently announced Foreshadow flaws.
Foreshadow, or L1 Terminal Fault (L1TF), allows attackers to extract sensitive information from a CPUs L1 data cache and was publicly disclosed last week. However, Intel knew about the issue, which has three variants, since January and had already prepared fixes which were shared with partners, including Microsoft.
The three Foreshadow variants are tracked as CVE-2018-3615, which affects Intel’s Software Guard Extensions (SGX) trusted execution environment; CVE-2018-3620, which impacts operating systems; and CVE-2018-3646, which affects virtualization software.
In addition to Foreshadow, the microcode updates delivered by Microsoft also contain fixes for several other CPU vulnerabilities that were announced this year: Spectre Variant 3a, also known as Rogue System Register Read (CVE-2018-3640) and Spectre Variant 4, also known as Speculative Store Bypass (CVE-2018-3639).
The updates are included in KB4346084, KB4346085, KB4346086, KB4346087 and KB4346088, which cover all major versions of Windows 10 and Windows Server 2016. They apply to systems using Intel CPUs from the following editions: Skylake U23e, Skylake U, Skylake Y, Skylake H, Skylake S, Kaby Lake U, Kaby Lake U23e, Kaby Lake Y, Coffee Lake H (6+2), Coffee Lake S (6+2), Coffee Lake S (6+2) Xeon E, Coffee Lake S (4+2) Xeon E, Coffee Lake S (6+2) x/KBP and Coffee Lake S (4+2).
According to Intel, the patches should not have any noticeable performance impact on most PCs, but might degrade performance for some datacenter workloads. For some configurations, particularly those related to virtualization, complete mitigation might require enabling core scheduling in the hypervisor or disabling the CPU’s hyper-threading function.
North Korean APT Group Lazarus Starts Using Mac Malware
In a recent attack against a cryptocurrency exchange, the Lazarus APT group used both Windows and macOS malware, a first for the group that’s widely believed to have ties to the North Korean government.
Lazarus, also known as Hidden Cobra, was behind the 2014 attack that crippled Sony Pictures’ computer infrastructure and the 2016 Bangladesh Bank cyber heist that resulted in the theft of US$81 million. The group has also attacked other central banks and financial institutions from around the world and has recently set its sights on cryptocurrency exchanges and fintech companies.
Researchers from Kaspersky Lab recently investigated an attack against a cryprocurrency exchange where an employee’s computer was compromised after he downloaded and installed a trojanized cryptocurrency trading application.
The targeted exchange hasn’t been named, but the site hosting the rogue trading platform is professional-looking and belongs to a real company. The site uses an HTTPS certificate and the software application is digitally signed, although it’s unclear at this time if this was a supply-chain attack where the developer was compromised or if the attackers set up the company and entire infrastructure.
The trading application itself didn’t contain any malware, but its updater component was designed to allow attackers to install malware on computers. The attackers used it to deliver a backdoor program called Fallchill, which has been used by Lazarus in the past.
What’s interesting is that the trojanized trading platform also had a version for macOS, complete with the malicious updater, making this the first known attack when Lazarus also targeted Mac users.
“There is steadily growing interest in macOS from ordinary users, especially in IT companies,” the Kaspersky researchers said in a blog post. “Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”