A Match Made In Heaven for Motivated Threat Actors

By Filip Truta, Information Security Analyst, Bitdefender

What if cybercriminals could deploy an attack that is both devastating and impossible to trace? A new generation of exploits leveraging flaws in CPU hardware design means they can, and likely will.

At the start of 2018, security researchers were sounding the alarm over a “hardware” vulnerability affecting Intel processors that allowed bad actors to run rogue processes and read all memory. This vulnerability, circulated in the media under the names Spectre and Meltdown, revolved around a feature of Intel CPU designs called “speculative execution,” in which the processor makes informed guesses about which instructions it is likely to be asked to run next. This allows the CPU to execute instructions before actually “knowing” whether their execution is required, leading to a considerable improvement in the processor’s performance.

A feature, not a bug

CPU and operating system vendors, as well as the security community, have been burning the midnight oil patching and creating defensive solutions to prevent exploitation of speculative execution. But researchers keep finding new ways to abuse this feature. The most recent finding comes from Bitdefender researchers, who have discovered that a system instruction called SWAPGS, when executed speculatively, can be exploited to exfiltrate precious data.

SWAPGS itself, as a standalone instruction, isn’t necessarily the problem. Just like other kernel-level instructions, it has a clearly defined purpose and a proven track record. However, the fact that it can be executed speculatively allows a threat actor to force arbitrary memory dereferences in the kernel. This leaves traces in the data caches, which the attacker can use as “signals” to infer the values located at a given memory address. These values can be anything from passwords to decryption keys – essentially, any secret that might allow the attacker to further their assault and / or escalate their privileges. Proper execution of the SWAPGS attack circumvents anti-malware protection and leaves no traces on the compromised system, allowing the attacker to escape undetected.

The potential to exploit this feature to exfiltrate sensitive data and gain elevated privileges for total takeover is of significant concern. At this time, bad actors have yet to successfully exploit this design flaw in the wild. However, considering the untraceable nature of the attack, it is possible that a threat actor with knowledge of the vulnerability may have already exploited it to steal confidential information and walked away undetected.

A new cyber-threat bares its fangs

Attacks that leverage vulnerabilities embedded directly in the hardware – in this case, the CPU – are known as side-channel attacks. Broadly speaking, a side channel exists when a system leaks or reveals information in a non-traditional way, or in a way we haven’t thought about. For example, timing information, electromagnetic leaks, power consumption, and even sound can act as side channels that can be exploited.

While side-channel attacks are not new, using them to exploit speculative execution is becoming more common. As scrutiny of speculative execution increases, disclosures are piling up. In fact, some security experts believe that these types of attacks are quickly becoming the new standard in cutting-edge exploits and attacks.


Fortunately, there’s good news. Hypervisor-level security solutions, like Bitdefender Hypervisor Introspection, can stop the attack by removing the conditions required for it to succeed on unpatched Windows systems. Patching an entire enterprise against such a threat can result in significant downtime and disruption to the business, and because hardware vulnerabilities can’t be fixed with a single click, virtualized environments are particularly susceptible to side-channel attacks. While deploying the available patch from Microsoft is highly recommended, Hypervisor Introspection is an effective control to deploy until enterprise systems can be fully patched.
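Knowing whether the vendor patch has actually landed on each host is the first step before deciding where a compensating control is still needed. As an added example that is not part of the article, the script below classifies the per-vulnerability status lines that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, one line each); on patched kernels the SWAPGS fix shows up as a “swapgs barriers” note inside the spectre_v1 entry. The SAMPLE dictionary is a constructed snapshot used when the script is not run on a Linux host.

```python
"""Classify speculative-execution mitigation status from Linux sysfs.

Added example, not code from the article. Assumption: the host exposes
/sys/devices/system/cpu/vulnerabilities/<name> files, each holding a single
status line such as "Not affected", "Mitigation: ..." or "Vulnerable[: ...]".
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample resembling a partially patched host (not real host data).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: disabled\n",
    "l1tf": "Not affected\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
}


def classify(status: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    line = status.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # covers "Vulnerable" and "Vulnerable: <detail>" forms


def swapgs_mitigated(entries: dict) -> bool:
    """True when the spectre_v1 entry reports the swapgs barrier mitigation."""
    return "swapgs" in entries.get("spectre_v1", "").lower()


def audit(entries: dict) -> dict:
    """Return {vulnerability_name: classification} for every entry."""
    return {name: classify(text) for name, text in entries.items()}


def read_sysfs(path: Path = VULN_DIR) -> dict:
    """Read the live sysfs files on a Linux host; empty dict elsewhere."""
    if not path.is_dir():
        return {}
    return {p.name: p.read_text() for p in path.iterdir() if p.is_file()}


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE
    for name, state in sorted(audit(live).items()):
        print(f"{name:12} {state}")
    print("SWAPGS barriers present:", swapgs_mitigated(live))
```

Hosts reporting `vulnerable` entries, or a spectre_v1 line without the swapgs barrier note, are the ones where the interim hypervisor-level control matters most.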

Looking forward

While sophisticated, side-channel attacks require coordinated effort and perseverance, two investments that consumer-level cyber-criminals are not willing to make. For them, phishing or credential stuffing is more appealing than running an expensive and complex attack against CPU hardware.

In the hands of nation-state actors, though, side-channel attacks can provide a lucrative attack avenue that circumvents traditional anti-malware defenses. Armed with this information, IT leaders at organizations big and small should include detection of side-channel attacks in their cybersecurity strategy and prioritize the deployment of patches provided by their operating system and hypervisor vendor of choice.

About the Author

Filip Truta is an Information Security Analyst at Bitdefender. He has more than twelve years of experience in technology sectors such as gaming, software, hardware, and security. He likes fishing (but not phishing), basketball, and playing around in FL Studio. Filip can be reached online at https://www.linkedin.com/in/filip-truta/ and at www.bitdefender.com.