August 2018

ALERT: Foreshadow and Foreshadow NG

By | Security News

On 15 August 2018, information was released regarding three new Intel CPU vulnerabilities that may be exploited to steal data from computers.

  • CVE-2018-3615 (SGX, SMM – Foreshadow)
  • CVE-2018-3646 (VMM – Foreshadow NG)
  • CVE-2018-3620 (OS – Foreshadow NG)

Much like the Meltdown and Spectre vulnerabilities revealed earlier in the year, these new vulnerabilities take advantage of performance optimisation techniques to bypass security mechanisms built into the chips. The Foreshadow vulnerabilities target a different optimisation technique, potentially allowing access to a broader scope of data than Meltdown and Spectre, including data from other virtual machines in a virtualised environment.

Successful exploitation of these vulnerabilities requires an attacker to run malicious code on the targeted system. There are currently no known exploits in use against these vulnerabilities, and researchers have not yet released proof-of-concept code for them.

We recommend that all clients assess their risk and appropriately patch systems to protect their environments against these vulnerabilities. Care should be taken to read all patching instructions and release notes, and to perform thorough testing, to avoid unexpected outages or performance impacts. Vendors have indicated that some performance impact should be expected for certain workloads.

Mitigation steps may involve processor microcode updates in addition to OS and virtualisation vendor updates, and in some cases configuration changes, including enabling new features and disabling HyperThreading. Please refer to vendor guidance on these opt-in steps; it covers, for example, the scenarios in which disabling HyperThreading is and is not recommended.

Processor microcode previously released by Intel in Q2 includes updates that address these new vulnerabilities. We recommend that clients test and apply the latest microcode updates to all affected systems.
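As an added example, not part of the CCL alert, the POSIX shell check below is one way to confirm the above on Linux hosts after microcode and kernel updates. Kernels carrying the L1TF fixes report the mitigation state in /sys/devices/system/cpu/vulnerabilities/l1tf, and the "SMT vulnerable" wording in that file is the kernel's way of saying the HyperThreading guidance above still applies to the host. The classification names and the sample status strings in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CCL alert): classify the Linux kernel's L1TF
# (Foreshadow) status as exposed in /sys/devices/system/cpu/vulnerabilities/l1tf.
#
# Typical strings the kernel reports (sample values, shown here for reference):
#   "Not affected"
#   "Vulnerable"
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   "Mitigation: PTE Inversion; VMX: SMT disabled, L1D conditional cache flushes"

# Map a status line to one of (names constructed for this example):
#   not-affected  - CPU is not affected
#   vmm-exposed   - guests can still attack the host: the hypervisor-side L1D
#                   flush is off (CVE-2018-3646 territory)
#   smt-exposed   - PTE inversion protects the OS, but HyperThreading is still
#                   on, so a sibling thread can observe the other (CVE-2018-3646)
#   mitigated     - OS and VMM mitigations in place, SMT disabled or not needed
#   vulnerable    - no mitigation at all (CVE-2018-3620 exposure)
#   unknown       - anything else, including an empty string
classify_l1tf_status() {
  status="$1"
  case "$status" in
    "Not affected"*)        echo "not-affected" ;;
    *"VMX: vulnerable"*)    echo "vmm-exposed" ;;
    *"SMT vulnerable"*)     echo "smt-exposed" ;;
    "Mitigation:"*)         echo "mitigated" ;;
    "Vulnerable"*)          echo "vulnerable" ;;
    *)                      echo "unknown" ;;
  esac
}

# Read the live sysfs file when present; on kernels that predate the L1TF
# reporting interface the file is absent, which itself means "not patched".
report_host() {
  f=/sys/devices/system/cpu/vulnerabilities/l1tf
  if [ -r "$f" ]; then
    s=$(cat "$f")
    printf '%s -> %s\n' "$s" "$(classify_l1tf_status "$s")"
  else
    printf 'no %s: kernel lacks L1TF status reporting\n' "$f"
  fi
}

report_host
```

Run it on each host after patching; "smt-exposed" on a hypervisor is the case the vendor guidance above is about, and whether to leave HyperThreading on is the risk decision the guidance asks you to make rather than something the script decides.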

CCL’s Polaris Platform
CCL is programmatically addressing the identified vulnerabilities at the hypervisor level. Clients are responsible for patching their operating systems residing on the platform unless these are managed by CCL. Additional information will be provided through standard change control notifications or directly from your Client Relationship Manager.

Public Cloud Platforms
All major public cloud providers have actively patched their environments and have taken steps to protect workloads:

https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Client Dedicated Virtual Platforms, On-premise Private Cloud and On-premise Infrastructure
For dedicated virtualisation platforms, patching may be required at the hardware microcode and operating system level in addition to the hypervisor, and may also require additional configuration changes depending on which features and products are in use. Please refer to applicable vendor guidance for detailed mitigation requirements. Links for the major vendors are included below.

In some cases, mitigation steps may have performance impacts. We recommend thorough testing as part of the standard patching process.

If you have any questions or concerns, please do not hesitate to contact your Client Relationship Manager or the CCL Service Desk on 0800 225 737 or support@concepts.co.nz.

Additional Information:

https://foreshadowattack.eu/

https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://kb.vmware.com/s/article/55636

https://kb.vmware.com/s/article/55806

https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html

https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

https://support.microsoft.com/en-us/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault

https://blogs.technet.microsoft.com/virtualization/2018/08/14/hyper-v-hyperclear/

https://blogs.oracle.com/oraclesecurity/intel-l1tf

ALERT: Email Phishing Attack

By | Security News

Over the last couple of days, we have noticed a spike in email phishing attacks in our clients’ environments. The emails are coming into a client’s environment from well-known and trusted companies.

The phishing email asks users to open a PDF attachment that contains a DocuSign-branded image with an embedded link to a fake website (in this case, one resembling Microsoft Office 365). The site prompts users to enter their credentials.

The email has a PDF attachment which when opened looks like this:

And browsing to the “REVIEW DOCUMENTS” link will present a login screen that looks like this, where “compromisedsite.com” could be any number of different sites that are being used in the attack:

As you know, phishing emails can catch anyone out at any time and are one of the top methods cyber criminals use to gain access to a company’s network. This is a timely reminder to always be vigilant.

Here are some useful tips to help spot a phishing email:

  • You aren’t expecting the email
  • The email urges immediate action
  • The email requests personal information
  • Links in the email lead to websites that ask for passwords
  • The email may contain a generic greeting rather than a name, e.g. Dear Sir/Madam
  • The email contains incorrect spelling or grammar
  • The email could include an attachment
  • The sender’s display name and email address do not match, or the address is spelt incorrectly
  • The link text in the email does not match the URL it actually points to
  • The URL does not match the company’s website or is not using SSL encryption (i.e. it does not start with https://)
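The last two tips can be checked mechanically rather than by eye. As an added example, not part of the CCL alert, the POSIX shell snippet below pulls every anchor out of an HTML email body and flags link text that looks like a URL but differs from the real href, plus any link target that is not https. The sample body, the hostnames in it and the finding labels are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CCL alert): mechanical checks for two of the
# phishing tips, run over a constructed sample HTML email body.

# Constructed sample body. The hostnames are placeholders, not real sites.
# The first link shows the classic trick: the visible text is a familiar
# Office 365 URL, the real target is somewhere else entirely.
SAMPLE_BODY='<p>Your document is ready.</p>
<p><a href="http://compromisedsite.example/review">https://www.office.com/review</a></p>
<p>Questions? <a href="https://support.example.com/">https://support.example.com/</a></p>'

# Emit one "href<TAB>text" line per <a ... href="..."> anchor.
# Splitting records on "<" lets awk see each tag start on its own, so several
# anchors on one line are handled. Only double-quoted hrefs are recognised.
extract_links() {
  printf '%s' "$1" | awk 'BEGIN { RS = "<" }
    /^a [^>]*href="/ {
      href = $0; sub(/^a [^>]*href="/, "", href); sub(/".*$/, "", href)
      text = $0; sub(/^[^>]*>/, "", text)
      printf "%s\t%s\n", href, text
    }'
}

# Flag (1) link text that looks like a URL but differs from the real target,
# the "link does not match the URL it points to" tip, and (2) targets that
# are not https, the "not using SSL encryption" tip.
flag_suspicious_links() {
  tab=$(printf '\t')
  extract_links "$1" | while IFS="$tab" read -r href text; do
    case "$text" in
      http://*|https://*|www.*)
        [ "$text" = "$href" ] || printf 'MISMATCH\t%s -> %s\n' "$text" "$href" ;;
    esac
    case "$href" in
      https://*) ;;
      *) printf 'NOT-HTTPS\t%s\n' "$href" ;;
    esac
  done
}

# Number of findings, so the check can gate a mail-filter rule or a report.
count_findings() {
  flag_suspicious_links "$1" | grep -c .
}

flag_suspicious_links "$SAMPLE_BODY"
```

The mismatch check only fires when the visible text itself looks like a URL; text such as "REVIEW DOCUMENTS" gives the reader nothing to compare, which is exactly why hovering over a link before clicking remains the manual check.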