Meltdown and Spectre – Updated Advice
Malware making use of Meltdown and Spectre, the two CPU vulnerabilities highlighted back in January, is now being seen in the wild. Security researchers are reporting they have seen over 140 malware samples based on the proof of concept code. Whilst there have not been instances of Meltdown and Spectre actually being leveraged to compromise a system, it is a timely reminder that miscreants will take published security vulnerabilities and weaponise them into malware quickly, making it all the more important to patch.
As previously reported by the NCSC, Meltdown and Spectre are two related side-channel attacks against modern microprocessors that can result in unprivileged code reading data it should not be able to access. Most devices may be vulnerable to some extent, with many vendors releasing patches to secure systems.
The NCSC have previously advised users and business enterprise users to follow vendor advice and apply patches. For more detailed advice regarding these vulnerabilities, please see the latest guidance from the NCSC.
News articles have recently focused on the value and volatility of cryptocurrencies over the past year, most notably Bitcoin, which had a peak value of $20,089.00 in December 2017. Cryptocurrencies can be earned, or ‘mined’, by performing computationally intensive operations to support the running of the currency. Malware intended to mine cryptocurrencies on victim computers has been available since at least 2013 and surged in popularity in late 2017 as the currencies’ value increased.
Cryptomining malware is attractive to cyber criminals as they are able to use botnets of compromised machines as miners without having to cover the infrastructure costs (e.g. the cost of electricity would be covered by the victim). Despite the potentially lucrative rewards, cryptomining is becoming increasingly economically unviable for some legitimate users as the running costs (hardware and associated electricity costs) often outweigh any potential gains in this increasingly competitive environment. This has also had real-world implications for the price and availability of graphics cards, as many are now being purchased specifically for cryptomining.
For cyber criminals, cryptomining malware has some advantages over ransomware. It doesn’t rely on the victim being willing and/or capable of making payment. It is also not confrontational but is designed to operate undetected in the background over a long period, potentially earning more money than a ransomware campaign.
More importantly, it can be distributed through the same delivery mechanisms as ransomware (e.g. exploit kits) and, once established, a network of mining bots can generate a respectable amount of money with minimal effort (e.g. the Smominru botnet generates 24 XMR per day, approximately £8,500). Monero is the preferred currency as the processing power required to mine it is minimal compared to that required to mine Bitcoin.
It is highly likely that the criminal deployment of cryptomining malware will increase during 2018 as cyber criminals either shift their focus away from other forms of malware or run these campaigns alongside their established cyber criminal activities.
The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts.