Attackers Leverage Meltdown, Spectre Fears

Monday, January 15, 2018 @ 06:01 PM gHale


It didn’t take long: Attackers are already jumping at the chance to leverage the publicity around the Meltdown and Spectre CPU flaws to trick users into installing malware, researchers said.

Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices.


Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

Chip makers and vendors were alerted to the bugs last year, and some started working on patches for their users several months ago, but held them for a coordinated public disclosure scheduled for last week.

Almost like clockwork, soon after the big vendors released their patches, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them is targeting German users with the SmokeLoader malware, said researchers at Malwarebytes in a post.

The emails appeared to come from the German Federal Office for Information Security (BSI), and Malwarebytes found a domain that also posed as the BSI website. Recently registered, the SSL-enabled phishing site isn’t affiliated with a legitimate or official government entity, but attempts to trick users into installing malware.

The website offers an information page that supposedly provides links to resources about Meltdown and Spectre, but it also links to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) that contains malware instead of the promised security patch.

Once a user downloads and runs the file, the SmokeLoader malware, which is capable of downloading and running additional payloads, is installed.
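As an added defender-side example that is not from the article or from Malwarebytes: a small Python triage routine that flags mail-gateway records showing the three traits described above, a sender posing as the BSI, a link to a lookalike domain, and a patch-themed ZIP archive. The bsi.bund.de allowlist entry, the .bid host name and all sample records are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumption: the BSI's legitimate domain; anything else that names "bsi" is
# treated as a lookalike. The .bid host and the mail records are constructed.
LEGIT_BSI_DOMAINS = {"bsi.bund.de"}
BSI_TOKEN = re.compile(r"\bbsi\b", re.IGNORECASE)
PATCH_WORDS = re.compile(r"patch|update|fix|security", re.IGNORECASE)

SAMPLE_MESSAGES = [  # simplified mail-gateway records, constructed for this example
    {"from": "Bundesamt für Sicherheit <info@bsi-bund-de.bid>",
     "links": ["https://bsi-bund-de.bid/meltdown-spectre"],
     "attachments": ["Intel-AMD-SecurityPatch-11-01bsi.zip"]},
    {"from": "BSI <presse@bsi.bund.de>",
     "links": ["https://www.bsi.bund.de/DE/Home/home_node.html"],
     "attachments": []},
    {"from": "IT Helpdesk <helpdesk@example.com>",
     "links": ["https://example.com/meeting"], "attachments": ["agenda.pdf"]},
]

def host_is_legit(host: str) -> bool:
    """True if host is, or is a subdomain of, a known legitimate BSI domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_BSI_DOMAINS)

def sender_domain(from_header: str) -> str:
    """Domain of the address in a From header such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()

def analyze_message(msg: dict) -> list[str]:
    """Return the reasons a message matches the fake-patch phishing pattern."""
    reasons = []
    # 1. Sender claims to be BSI but the address is not on a BSI domain.
    if BSI_TOKEN.search(msg["from"]) and not host_is_legit(sender_domain(msg["from"])):
        reasons.append("sender impersonates BSI")
    # 2. Link host names BSI yet is not the real domain; a valid TLS cert on a
    #    recently registered lookalike does not help it pass this check.
    for url in msg.get("links", []):
        host = (urlparse(url).hostname or "").lower()
        if BSI_TOKEN.search(host) and not host_is_legit(host):
            reasons.append(f"lookalike domain: {host}")
    # 3. ZIP archive named like a vendor patch: CPU/OS fixes are not mailed as ZIPs.
    for name in msg.get("attachments", []):
        if name.lower().endswith(".zip") and PATCH_WORDS.search(name):
            reasons.append(f"patch-themed archive: {name}")
    return reasons

def triage(messages: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for each message tripping at least one rule."""
    return [(i, r) for i, m in enumerate(messages) if (r := analyze_message(m))]
```

Against real gateway records the allowlist and the patch-word pattern would be tuned per organisation; the point is that each of the campaign's traits is checkable from headers, link hosts and attachment names alone.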

Malwarebytes researchers said the threat attempts to connect to various domains and send encrypted information.

By analyzing the SSL certificate, researchers discovered other properties associated with the .bid domain, including a German template for a fake Adobe Flash Player update.

“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns,” Malwarebytes researchers said. “This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

“It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer,” they said. “There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.”


