Alleged creator of Fruitfly indicted for 13 years of spying

Posted: January 12, 2018 by Malwarebytes Labs

Way back at the start of last year, we took a look at something called Fruitfly, a Mac backdoor built on code that had been around for a long time. It could (deep breath) upload files to infected computers, record images and video, snoop around in victims’ information, take screenshots, and log keystrokes. The malware, made up of just two files, was a mixture of “wow, that’s clever,” ancient system calls, and basic persistence techniques. It could also download additional files from a command and control (C&C) server and showed a seemingly overt interest in capturing images; we also discovered Windows versions of the files communicating with the same C&C.

At the time, a lot of questions were raised about what it was being used for, alongside the possibility that professional hacking groups were behind its creation.

With that in mind, news has broken that a 28-year-old man, Phillip R. Durachinsky of North Royalton, Ohio, has been charged with using this piece of malware since the age of 15(!) to allegedly:

Very serious allegations. In addition to being charged on 16 counts covering Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft, he is also alleged to be the creator of Fruitfly, which would be quite the revelation. From the indictment:

The “medical records” reference leaps out. From our linked blog:

That would definitely appear to sync up with the medical record pilfering, and we’re wondering what else will come out in the wash by the time this one has passed through the courts.

According to the indictment, Durachinsky also used stolen login credentials to access and download information from third-party websites. He’s further alleged to have watched and listened to victims without their knowledge or permission, and to have intercepted oral communications taking place in the room where the infected computer was located. In some cases, Durachinsky’s malware alerted him if a user typed words associated with pornography. He apparently saved millions of images and often kept detailed notes of what he saw.

Reading through the charges paints more and more of a disturbing picture.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”

Getting away with more than a decade of stealing data like this on such a grand scale is quite the feat, and one hopes the victims of the most salacious offenses receive justice.

Of princes and perpetrators: Beware of getting ensnared in 419 scams

We’ve mentioned before that 419 scams don’t always originate from Nigeria. It’s a very simple and popular scam that can be attempted by pretty much anyone with a flair for social engineering. Indeed, 419 scams are so associated with the region that scammers operating from other countries know they have an additional layer of “it wasn’t me” potentially obscuring their identity.

This may help the non-Nigeria-based criminal hide better once the life savings have been stolen. Law enforcement and the victims themselves are probably going to make assumptions about who’s doing the money swiping, which simply helps the actual criminal go deeper underground.

By the same token, 419 scammers seek to obfuscate their location further by making use of so-called money mules: innocent victims tangled up in scams, sending stolen money to and from a variety of bank accounts. More often than not, they’re enticed by the prospect of too-good-to-be-true job adverts posted online, typically in the field of remote work administration or “payroll management.”

A fancy-sounding title, the promise of big money for little work, and an awful lot of “we’ll explain how that thing works later,” and you have yourself a money mule.

What’s so good about having an army of disposable web flunkies at your disposal?

When the cops come calling, they make a beeline for the point of least resistance (the scammer pulling the strings is supposedly based in Nigeria, remember?). In practice, this probably means your recently retired grandfather looking for a bit of extra pocket cash, or your penniless friend at university, is going to jail. If you’re a money mule, you’re engaged in illegal activity and can be prosecuted for it. “I didn’t know” won’t save you.

Take this individual, recently charged with no fewer than 269 counts of wire fraud and money laundering.

From the Slidell Police department Facebook page:

Reports are a little confused, as some articles claim he’s the mastermind while others (including the police statement up above) plainly state he’s the middleman. Additional details are thin on the ground, so we don’t really know at this stage if he was “merely” responsible for wiring money, or if he was physically typing out “Hello, I’m a Prince” emails to hoodwink potential victims.

Either way, he’s in a whole lot of trouble with law enforcement and though some of the pieces mention “co-conspirators in Nigeria,” it’s unlikely any of them will be caught. In effect, whether unaware of what was really going on, or an active participant (and it’s entirely possible some money mules will happily get involved for a bigger cut of the proceeds), what we have here is a fall guy within easy reach of the police.

Wait, did I just say “active participant?” I sure did. And guess what? It’s not just retirees wandering into trouble. Younger folks are also getting in on the act, often due to lack of cash and the idea that this might be a safe, fast way to make some money. Data from 2017 suggests that more than 8,500 people aged 18 to 24 had their bank accounts used by criminals.

Given that a lot of money muling can tie directly into crimes such as drug distribution and people trafficking, those individuals will probably have a short, sharp dose of reality when the police come knocking. As Cifas, a UK fraud prevention service, points out, loans, contracts, and other financial services may be hard to come by should your bank account be closed due to laundering—and that’s before you get to the part where you could spend up to 14 years in prison for it.

All things considered, not a sensible career choice. If you’re approached by strangers offering too-good-to-be-true job opportunities—especially for remote work and handling money/sending said cash through various bank accounts—give it a wide berth. You’ll probably be very glad that you did.

A week in security (January 1 – January 7)

Posted: January 9, 2018 by Malwarebytes Labs
Last updated: January 15, 2018

New year, new threats, as 2018 gets underway.

On our blog, we had dubious searches aplenty for those hunting for Malwarebytes information, and we also covered the huge Meltdown/Spectre bugs, which affect hardware going back 10 years or more.

Other news

  • Coin miners are at it again, with a proof of concept for hacking public Wi-Fi and injecting cryptomining code into browsing sessions. (Source: The Register)
  • Around 240k people have been tied up in a “privacy incident” over at the DHS. (Source: DHS)
  • Browser makers are looking to mitigate risks from Meltdown and Spectre. (Source: Help Net Security)
  • 36 rogue apps wound up on the Google Play store, reminding us to be extra vigilant even when on an official site. (Source: Trend Micro)
  • Yet another cryptominer doing the rounds, this time dragging Linux machines into a cash-spinning botnet. (Source: F5)
  • Face recognition: nice idea, but being fooled by photographs is a bit much. (Source: Naked Security)
  • A well put together phishing mail is causing headaches for those who may have purchased items from retailer Debenhams. (Source: South Wales Argus)
  • Unusually, you may be able to reclaim money lost to wire fraud scams, regardless of where you live. This doesn’t happen often, so check it out if you’ve been stung! (Source: Birmingham Mail)
  • Malware-laden emails laced with more malware are being used to steal data related to the Winter Olympics. (Source: BBC)

Stay safe, everyone!

Meltdown and Spectre: what you need to know

UPDATE (as of 1/12/18): Several vendors have produced patches for Meltdown and Spectre; however, performance problems dog the fixes. Details on the patches were published here.

UPDATE (as of 1/04/18): Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.

If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. Basically, Meltdown and Spectre are the names given to a set of newly disclosed vulnerabilities affecting a large number of processors. Meltdown primarily affects Intel processors, while Spectre can be used to attack nearly all processor types.

The potential danger of an attack using these vulnerabilities is the ability to read memory that should be off limits, whether it belongs to the operating system kernel or to another process. That can reveal personally identifiable information, banking information, and of course usernames and passwords. For Meltdown, malicious code has to be running locally on the system; Spectre can additionally be launched from a web page using a script.

Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from these vulnerabilities. Some of the updates from Microsoft may negatively interact with certain antivirus solutions. However, Malwarebytes is completely compatible with our latest database update. The best thing you can do to protect yourself is to update your browsers and your operating system with these patches as soon as you see an update available.

For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.

Details

The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—between them affect nearly all modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that allows attackers to read memory contents on any kind of device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution: rather than wait for a slow operation (such as a memory load or a branch decision) to complete, the processor guesses the outcome and runs the instructions that follow ahead of time. If the guess turns out to be wrong, the results are thrown away, but side effects such as which data was pulled into the CPU cache remain, and an attacker can measure those to recover data the processor should never have let it see.

The Meltdown variant primarily impacts Intel CPUs, whereas the two Spectre variants affect CPUs from every vendor that implements speculative execution. This includes most CPUs produced during the last 15 years by Intel, AMD, ARM, and IBM.
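To make the bounds check bypass variant (CVE-2017-5753) concrete, here is an added C example; it is not code from this post or from the researchers who disclosed the bugs, and it does not perform a timing attack. It places a public array directly in front of a secret (a constructed layout), shows the vulnerable gadget pattern in which a speculated out-of-range index would read the secret, and beside it the branch-free index clamp, in the style of the Linux kernel's array_index_nospec(), that keeps even a mis-speculated load inside the array. The helper load_speculatively() only models which address the speculated load would touch; all names and sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not code from the Malwarebytes post or from the Spectre
 * researchers). It shows the Spectre variant 1 "bounds check bypass" gadget
 * pattern and the branch-free index clamp used to harden it. It does NOT
 * perform a cache-timing attack; it only models which address the load
 * inside the speculated window would touch. Layout, names and data are
 * constructed for illustration. */

#define PUBLIC_LEN 16
#define CACHE_LINE 64

/* Public array followed immediately by a secret, so an out-of-range index
 * into public_data lands on the secret (constructed layout). */
static struct {
    uint8_t public_data[PUBLIC_LEN];
    char    secret[14];
} mem = { "0123456789abcde", "SECRET_KEY_42" };

/* One cache line per possible byte value: the covert channel that an
 * attacker later probes with Flush+Reload timing. */
static uint8_t probe[256 * CACHE_LINE];

/* Models the load the CPU performs while mis-speculating past a branch:
 * on this path the index has NOT been validated. Reading through a byte
 * pointer to the whole struct keeps the demo a defined read. */
static uint8_t load_speculatively(size_t idx)
{
    return ((const uint8_t *)&mem)[idx];
}

/* VULNERABLE gadget. Architecturally correct, but once the branch predictor
 * has been trained with in-range indexes, the CPU runs the body speculatively
 * for an out-of-range idx, reads the secret byte and touches probe[byte * 64].
 * The result is discarded when the check resolves, but the cache line stays
 * loaded and can be timed. */
uint8_t victim_vulnerable(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        uint8_t value = mem.public_data[idx];
        return probe[value * CACHE_LINE];
    }
    return 0;
}

/* Branch-free mask: all ones when idx < len, all zeros otherwise.
 * (idx | (len - 1 - idx)) has its top bit set exactly when idx >= len
 * (the subtraction wraps), for any len below 2^(bits-1). Because the mask
 * comes from arithmetic rather than a predicted branch, it is still correct
 * on a mis-speculated path. */
size_t index_mask_nospec(size_t idx, size_t len)
{
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* 0 - 1 = SIZE_MAX (keep), 1 - 1 = 0 (clamp) */
}

/* HARDENED gadget: same logic, but the index used for the load is masked,
 * so a speculated out-of-range idx becomes 0 and the secret is never loaded. */
uint8_t victim_hardened(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        uint8_t value = mem.public_data[idx];
        return probe[value * CACHE_LINE];
    }
    return 0;
}

/* What each version would load on the speculated path for a given idx. */
uint8_t speculated_byte_vulnerable(size_t idx)
{
    return load_speculatively(idx);                       /* idx unclamped */
}

uint8_t speculated_byte_hardened(size_t idx)
{
    return load_speculatively(idx & index_mask_nospec(idx, PUBLIC_LEN));
}

int main(void)
{
    size_t idx = PUBLIC_LEN;   /* first byte past the array: mem.secret[0] */
    printf("vulnerable path loads 0x%02x ('%c')\n",
           speculated_byte_vulnerable(idx), speculated_byte_vulnerable(idx));
    printf("hardened path loads   0x%02x ('%c')\n",
           speculated_byte_hardened(idx), speculated_byte_hardened(idx));
    return 0;
}
```

Compile with cc -O2 and run: the unclamped path loads the first byte of the secret, the clamped path loads public_data[0]. The mask has to be derived from arithmetic rather than a conditional, and it is worth checking the generated assembly, because an optimizer that recognizes the expression as a comparison is free to turn it back into a branch, which would reopen the speculation window.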

It is not known whether threat actors are currently using these bugs, and because exploitation happens entirely inside the CPU, it might be impossible to find out, as the vulnerability researchers confirm:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While there are no attacks reported in the wild as of yet, several proofs of concept have been made available, including this video that shows a memory extraction (using an undisclosed PoC). This is particularly damaging because 1. there aren’t many options for protection currently and 2. as previously stated, even if threat actors do spring into action, it might be impossible to verify that they have.

Mitigations

Because the Meltdown and Spectre variants are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against a potential attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with a noticeable impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends that users:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers about upcoming downtime, in order to prevent situations where memory belonging to the hypervisor, or to another tenant’s virtual machine, could be read from inside a guest.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

A week in security (December 11 – December 17)

Posted: December 18, 2017 by Malwarebytes Labs
Last updated: January 15, 2018

Last week we explained what fast flux is and how it’s being abused, we showed you all kinds of Bitcoin-related scams, presented a video recording of a tech support scammer trying to sell free software, and pointed out some free software to keep an eye on your Internet traffic. We also informed you about an ad server found predominantly on adult websites, which has taken the lead in the number of URLs blocked by our web protection module.

Other news

  • South Korea is preparing a bill that will ban minors and foreigners from trading in cryptocurrencies or opening investment accounts for them within South Korea. (Source: Techspot)
  • Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this flaw over the past few months. (Source: The Hacker News)
  • Intel will implement a hardware lock on management engine equipped chips to defend against patch rollbacks. (Source: The Register)
  • Dutch security firm Fox-IT handled a security breach in an exemplary way after a man-in-the-middle (MitM) attack. (Sources: Fox-IT and Security Affairs)
  • Lawsuit based on a surreptitiously recorded phone call claims Google doesn’t refund advertisers who spend money on fraudulent clicks. (Source: Business Insider)
  • Australian airport hack was “a near miss,” says government’s cybersecurity expert, and could easily have been prevented. (Source: Hot for Security)
  • Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers warned. (Source: ZDNet)
  • A two-decade-old security hole lets hackers unlock encrypted data and was found in the software of at least eight IT vendors and open-source projects. (Source: The Register)
  • MoneyTaker, a cybercriminal group believed to be operating out of Russian-speaking territories, has hit at least 20 banks and financial companies and stolen millions of US dollars in the process. (Source: BleepingComputer)
  • Politicians from California, Washington, and New York said they’ll use a mix of legislative action and legal moves to fight the FCC’s repeal of net neutrality regulation, shortly after the vote. (Source: Cnet)

Stay safe, everyone!

Cookies: Should I worry about them?

Starting off the new year, many of us are worried about cookies—how many we ate over the holidays and how we’re going to avoid them in the break room, for example. With so much cybercrime and data theft swirling around like daily bomb cyclones, there’s more than a few folks worried about the kinds of cookies they encounter on the Internet.

But should they be?

Cookies are small pieces of text that a website asks your browser to store and send back on later visits, which lets the site recognize you and learn about your browsing behavior. On the one hand, cookies are useful for making your Internet experience more efficient. It’s how you automatically get logged in on sites you’ve already visited, even if you closed the browser tab, for example. But on the other hand, cookies are part of the advertising ecosystem that knows which advertisements are most likely to draw your attention—and they serve them up to you wherever you visit.

Why doesn’t Malwarebytes detect cookies?

Cookies in themselves are harmless. They are just data stored by a website in your browser, and they are not malware. It is what sites do with them that determines whether we like them or not. Some cookies are essential to use a site properly, and others might be considered a privacy risk. Since the possible preferences are various and personal, we believe in leaving the choice up to our customers. Of course, we can and do block sites that we know to plant overly intrusive cookies on a user’s machine. But otherwise, we leave it up to you.

How do I delete and control cookies?

At some point, you may want to remove the cookies from your browser. Below, you will see how to do that for a couple popular browsers. But before you get rid of all of them, let me warn you that you may regret doing so. Your favorite sites will forget who you are, and you will have to log in where you normally were automatically accepted.

Windows

Edge

Unfortunately, Edge (like Internet Explorer) does not have a built-in tool for managing specific cookies. It does have an all-or-nothing delete option, which you can find under Settings. Under Clear browsing data, click Choose what to clear > Cookies and saved website data. The control over which cookies are accepted is also not very granular. You can find it under Settings > Advanced settings > View advanced settings. You will find three options: block, don’t block, or block only third-party cookies.

Internet Explorer

To clear cookies in Internet Explorer, select Tools > Internet options > General tab. Under Browsing history, hit Delete and put a checkmark in the Cookies box. Think once more, because this is an all or nothing method, before you hit Delete. For a more detailed description, check out Microsoft’s support article on How to delete cookie files in Internet Explorer.

Chrome

Go to Menu > Settings > Show advanced settings. Under Privacy, click Content settings > Cookies. Click “All cookies and site data” to get an overview. Here you do have a choice on what to delete. You can delete individual cookies separately or all of them in one sweep. For a more detailed description, see Google’s support article: Manage your cookies and site data.

Firefox

Click on the Firefox button > Options > Privacy > Show Cookies. Here you will see options to Delete all cookies or search for specific ones you want to delete. For a more detailed description, take a look at Firefox’s article: Delete cookies to remove the information websites have stored on your computer.

Opera

Click the Opera button > Settings > Delete Private Data > Detailed options > Manage cookies. Here you will see an overview of the stored cookies and an option to delete them separately. For more information, see Opera’s help article: Manage Cookies.

In the links I have provided for Chrome, Firefox, and Opera, you will also find information on how to control which cookies get stored on your computer. Internet Explorer has the controls on the Privacy tab under Tools > Internet options.

macOS

Malwarebytes for Mac does not detect or remove cookies either. Like we said before, cookies are just data stored by a website, and not malware. At worst, they can pose a threat to your privacy, in the case of tracking cookies. Further, many cookies are not only legitimate, but also required for normal operation of some websites.

If you feel it necessary to delete cookies from your computer, some of them may be difficult to get rid of. You can use the following techniques to delete these cookies, but you should be aware that they will come right back as soon as you visit a site that sets those cookies.

Safari

Safari offers the option to clear all your cookies along with your browsing history. To use this option choose History > Clear History. Click the pop-up menu, and then choose how far back you want your browsing history cleared. Or you can choose to delete only cookies and website data by clicking Preferences > Privacy > Manage Website Data. Select one or more websites, then click Remove or Remove All. For more information, see Safari’s support articles: Manage cookies and website data and Safari help.

Under Privacy, you can also find the settings to control which cookies will be allowed moving forward by choosing “Change which cookies and website data are accepted.”

Adobe Flash Player

When you visit some sites with Adobe Flash Player installed and activated, the software also stores cookie data on your system. The easiest way to control these is to visit the Flash Player Help site and use the Website Storage Settings panel displayed there to delete those that you no longer want. Read the information below the panel to make sure you understand what your options are and how to use them.

Silverlight

The Silverlight browser plug-in can also store information in its own application storage, which is shared across browsers. To delete the Silverlight cache, follow this procedure:

  • Close all Microsoft browser windows (Internet Explorer and Edge).
  • Click Start > All Programs > Microsoft Silverlight.
  • Choose the Application Storage tab.
  • Click Delete all.
  • Click “Yes” in the “Delete application storage for all Web sites?” dialog.
  • Click OK.

Evercookies

Evercookies are not just text files. They are JavaScript routines that recreate cookies even after they have been removed, by copying the same identifier into every storage location the browser and its plug-ins expose. Evercookies often rely on the two major streaming video browser plug-ins: Microsoft Silverlight and Adobe Flash. These plug-ins have their own caching and storage, which persist across sessions and even across browsers. But the identifier can be hidden in other caches as well. By storing the same data in several locations that a client can access, the data can be recovered and then reset and reused if any copy of it is ever lost (for example, by clearing cookies).

To actually get rid of evercookies, you would have to delete all the related cookies and clear all the caches of all your browsers and video browser plug-ins, using the information posted above.

Supercookies

These are technically not cookies because they are not stored in browsers or browser plug-ins, but I wanted to mention them here anyway because their name might lead you to think otherwise. Supercookies are unique identifiers that an Internet service provider inserts into the HTTP headers of your requests as they pass through its network. Because the provider has to modify the traffic to do this, it only works on unencrypted HTTP connections; requests sent over HTTPS cannot be tagged this way. Service providers may be legally required to offer you an opt-out option, so it could be prudent to check if your service provider uses supercookies and how to opt out if they do.

A week in security (January 8 – January 14)

Posted: January 15, 2018 by Malwarebytes Labs

It’s very early in the year, yet everyone has already had a complete meltdown (pun intended) over a number of serious vulnerabilities found in legacy and modern microprocessors. Last week, rightly so, vendors released patches for hardware and OSes to help mitigate these threats. However, problems in patching persisted.

As if this wasn’t challenging enough, some online criminals jumped on the bandwagon and took advantage of the hullabaloo to push out the Smoke Loader malware to unsuspecting users.

On our blog, we also touched on WPA3, misleading marketing tactics, more 419 scams, and the indictment of the alleged Fruitfly creator, a win for the security community.

Lastly, in the realm of cryptocurrency, we saw an increase in malware payloads from the RIG exploit kit.

Other news

Stay safe, everyone!

Fake Spectre and Meltdown patch pushes Smoke Loader malware

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across one targeted at German users that is actually malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how they affect processors. While it is styled to look like it comes from the German Federal Office for Information Security (BSI), this HTTPS-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, the same fraudulent domain has a link to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information:

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

It’s always important to be cautious, especially when urged to perform an action (e.g. calling Microsoft on a toll-free number, or updating a piece of software), because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases in which vendors will directly contact you to apply updates. If that happens, it’s always good to verify the information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. A certificate only means that the traffic between your computer and the site is encrypted and that the site controls the domain name shown in the address bar; it says nothing about the intentions of whoever registered that domain or about the content offered, which could be a total scam. Phishing sites obtain certificates as easily as legitimate ones do.

Indicators of compromise

Fraudulent site:

sicherheit-informationstechnik[.]bid

Fake patch (Smoke Loader):

sicherheit-informationstechnik[.]bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip
SHA-256: CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru
localprivat-support[.]ru
service-consultingavarage[.]ru

Meltdown and Spectre: what you need to know

UPDATE (as of 1/04/18)Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.

If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. Basically, Meltdown and Spectre are the names for multiple new vulnerabilities discovered and reported for numerous processors. Meltdown is a vulnerability for Intel processors while Spectre can be used to attack nearly all processor types.

The potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can do things like reveal personally identifiable information, banking information, and of course usernames and passwords. For Meltdown, an actual malicious process needs to be running on the system to interact, while Spectre can be launched from the browser using a script.

Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from this vulnerability. Some of the updates from Microsoft may negatively interact with certain antivirus solutions. However, Malwarebytes is completely compatible with our latest database update. The best thing to do to protect yourself is to update your browsers and your operating system with these patches as soon as you see an update available.

For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.

Details

The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—affect all modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.

The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently using these bugs. Although due to their implementation, it might be impossible to find out, as confirmed by the vulnerability researchers:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While no attacks have been reported in the wild as of yet, several proofs of concept have been made available, including this video that shows a memory extraction (using an undisclosed PoC). This is particularly damaging because (1) there aren’t many options for protection currently, and (2) as previously stated, even if threat actors do spring into action, it might be impossible to verify that this is the case.

Mitigations

Because the Meltdown and Spectre variants are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against potential attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with a significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends that users:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.
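As an added example that is not part of the original post, the POSIX shell script below reads the Linux kernel’s own report of whether the Meltdown and Spectre mitigations are active, which is the quickest way to confirm that the patches discussed above actually took effect on a given machine. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and the patched distribution kernels that backported it); the directory built for the --demo mode is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel's own
# speculative-execution mitigation status. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities; older kernels have no such
# directory, which is reported as "unknown" rather than as safe.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_vulns DIR: print one line per entry (meltdown, spectre_v1, ...).
# Returns 0 if nothing is reported vulnerable, 1 if any entry still is,
# 2 if the directory is absent (status unknown, treat as unpatched).
check_vulns() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "unknown: $dir not present (kernel predates the interface?)"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    label="VULNERABLE"; rc=1 ;;
            "Not affected") label="ok" ;;
            Mitigation*)    label="mitigated" ;;
            *)              label="other" ;;
        esac
        printf '%-10s %s: %s\n' "$label" "$name" "$status"
    done
    return $rc
}

# make_sample: constructed directory mimicking a host where the Meltdown
# (PTI) patch is applied but the Spectre variants are still open.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

case "${1:-}" in
    --demo) check_vulns "$(make_sample)" ;;   # offline demonstration
    *)      check_vulns "${1:-$VULN_DIR}" ;;  # real host, or a given dir
esac
```

Run it with no arguments on a patched host and expect every line to read "mitigated" or "ok"; a non-zero exit code is a signal worth alerting on in fleet inventory.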

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers about upcoming downtime, in order to prevent situations where, for example, code from the hypervisor could be leaked from a virtual machine.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

Facebook phishers want you to “Connect with Facebook”

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. As a result, you can’t just assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]

facebook phish landing page

…or

another phish landing page

…”Connect with Facebook.”

There are a few other designs out there, but they’re nowhere near as common as the two above. Here’s one of the alt-designs:

Fake Facebook warning page

The word salad on the fake Facebook security page reads as follows:

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:

fake lock landing page

After that, they go straight for security questions:

fake lock

The text on the page reads as follows:

Upon hitting the “Protect your account” button, victims are sent to the legitimate Facebook login page, another common trick to make the victim think all is well—right up to the point the login mysteriously changes and they lose access. We’ve seen far less elaborate Facebook scams also ask for payment information, so we’re a little surprised that none of the sites across both sets of websites—the landing pages, and the sites playing host to data collection—do this.

We’re certainly not complaining, mind.

At the time of writing, many of the secondary sites appear to have been taken down, though a fair few landing pages are still up and running. As such, it would be easy for the scammers to set up new phish pages and point the landing URLs at them instead.

URLs you should avoid:


We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.