image of breaking badness
Breaking Badness
Breaking Badness

127. Like Shooting Phish in a Barrel

Coming up this week on Breaking Badness. Today we discuss: Lean, Mean RetpolineThe Phuture of Phishing: An Interview with @nullcookies, and our fun new game, two truths and a lie.

Here are a few highlights from each article we discussed:

Lean, Mean Retpoline

  • Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability
  • In order to get a jump on work that the processor has to do, there is logic on board that makes a sort of educated guess about what tasks will need to be executed next (or soon), and it starts executing them rather than waiting until explicitly called
    • This is a great optimization technique, but the problem comes into play when we think about what might happen if we could get the processor to execute something else, rather than the tasks that it should be executing
    • Speculative execution attacks work by tricking the processor into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application
      • So, we have a violation of least privilege
  • Retpoline is a defense that was developed by Google to prevent speculative execution attacks (oh, the irony!)
    • It’s worth quoting part of what they say in their writeup about retpoline: “The name “retpoline” is a portmanteau of “return” and “trampoline.”
    • It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will “bounce” endlessly
  • Researchers from ETH Zurich, Johannes Wikner and Kaveh Razavi, wrote that “Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector.”
    • (BTI stands for branch target injection, a specific term for speculative execution, and ETH is a technical and science university.)
    • Their concerns have been shown to be accurate
    • Here’s how they put it into more detail:
      • “Spectre variant 2 [listeners will recall that the first two speculative execution vulnerabilities that made news a couple of years back were called Spectre and Meltdown] exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2. Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are common on certain Intel and AMD platforms. This means that retpoline was an inadequate mitigation to begin with”
      • Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses, so the so-called branch prediction unit will make mispredictions that the attacker can control
  • Mitigations for speculative execution attacks all have one thing in common: you have to forego the optimization that speculative execution offers, so the net result is that your processor slows down
    • But here are the details. First off, let’s cover which processor families are affected:
      • For Intel, it’s Skylake and its derivatives
        • And narrowing it down further, for Intel, it’s for the ones that do not have something called “enhanced Indirect Branch Restricted Speculation” or eIBRS in place
        • Intel had had these software mitigations available for a while now; they also point out that Windows isn’t affected because it already had an IBRS in place; the new mitigation is for Linux users
      • For AMD, it’s Zen, Zen+, and Zen2
        • AMD also has ab IBRS that’s been available for a while, and they also recommend that software use a something called a RAP stuffing sequence (where RAP is Return Address Predictor” and/or Supervisor Mode Execution Protection (SMEP) to ensure that the memory addresses in the RAP are safe for speculation
    • Back to what we mentioned about how these mitigations cause performance degradation: the measured results look like they are in the range of 12 to 28% more computational overhead
      • That’s not trivial. When we saw Spectre and Meltdown come out a few years back, we all wondered whether we would continue to see more of these, and unfortunately the answer is yes.

The Phuture of Phishing: An Interview with @nullcookies

  • The most obvious prediction on the Phuture of Phishing: it’s not going anywhere (at least not anytime soon)
    • Let’s start by acknowledging that phishing WORKS
      • A disciplined phishing actor has a pretty good chance of success with the correct lure and decent sending infrastructure (especially in cases where phishing is more targeted, like a spear phish)
      • Assuming a phishing actor has enough time to be patient in the first place, they’ll eventually find a lure and kit that works and when they do, you may see them try to pivot to a new target with that winning formula, hoping to capitalize on that past success
    • @Nullcookies believes phishing actors as a whole need to be regarded as rational, clever, and a lot more self-aware than people give them credit for
      • They learn from mistakes
      • The improve on past successes
      • They discuss with other people outside their immediate cybercrime circles
      • They experiment and iterate
      • In short, they get better, and we need to get better too
    • The spam war right now is a war of attrition and it’s fought with creativity
  • This begs the question: What are we facing?
    • There are two different worlds when it comes to phishing activity
      • If this was statistics, @nullcookies would describe phishing quality as a bimodal distribution
        • The first and largest group is a water hydrant deluge of low-quality phishing lures that get sent to anyone and everyone. It doesn’t matter if you’ve never had an account at that bank, you’re getting a notification about your account being restricted for fraud
        • It’s like this: “you get a phish! And you get a phish! And you over there, you also get a phish!”
        • t’s cheap, high volume, but it’s unwise to think this doesn’t work at scale because it does
          • But there are ways to skew their cost/benefit
          • As an industry, we’re seeing progress there
        • @nullcookies thinks this method will become more difficult for threat actors thanks to improved email filtering and detection at different levels
        • Hopefully in the future, this will continue to improve
    • But here’s the bad news:
      • We’re going to see the ascendency of smishing and vishing
        • @nullcookies cannot say we’re making very good progress right now in the smishing space at all – we’re just getting started here
        • Smishing, vishing, and hybrid forms of phishing (like one-time passcode interception) are becoming legion
        • Fraudulent call centers are being used as a fairly intricate social engineering campaign to trick targets into installing malware under various guises
    • One team that’s doing fairly impactful research in the space is WMC Global
      • Not a ton of people have heard of this company, but their research on smishing is pretty eye opening and the results should give us pause
      • Filtering right now is ineffective compared to what we’ve achieved in the spam/email space – there’s a lot of work that needs to be done
    • That space is ripe for exploitation, but also, thankfully, innovation from the defender’s side
  • Another prediction based on a phisher’s willingness to iterate and pivot from one campaign to another:
    • That pivoting isn’t necessarily just about staying on the same target
    • They’ll use a winning formula on a similar target, hoping to capitalize on past success
    • @nullcookies suspects that down market targeting will start happening
    • You normally think phishing campaigns target these large, well-known brands
      • For the most part, that’s still certainly true
      • But when we think about the phishing ecosystem and where effort can create the most profit, they would say down markets will be more frequent
      • We had a financial institution make headlines for fraud losses and they were a result of a merger between two smaller banks
        • And the difficulty with merging two anti-fraud teams together made for a really effective target
    • We need to understand that these fraud actors talk and share notes and it’s a lot more collaborative that maybe previously believed
  • Phishing as a service will become the norm
    • When it comes to phishing, it’s not a technically very high bar to reach to conduct a phishing campaign
    • It’s trivial to find a phishing kit. It’s trivial to get a rudimentary infrastructure to send a phishing lure
    • If it becomes easier to send bitcoin and get access to a management panel with a kit that’s relatively well-designed and then do their phishing campaigns from a single pane of glass, that sounds like a great opportunity to a bad actor
    • When phishing kits and infrastructure become more homogenous, detection becomes easier
    • The bad news for victims is services often siphon stolen credentials from their own customers
      • If I use phishing as a service and I use their kit and I have their infrastructure and I can see my results by logging into this access panel, unfortunately there is a good chance those credentials are being siphoned by the people operating it
      • If you ask the administrators of these enterprises about this, they would vehemently deny it
      • The result is you basically have two cybercrime actors offloading those credentials at the same time, so the harm potentially doubles at a minimum
  • There’s a lot of reason for concern with smishing and vishing, but there are a lot of companies and actors in government who take this seriously
    • We can hopefully steer the ship with collaboration and trying in our own little way to make the world a better place
  • Ransomware gets so many headlines, but phishing doesn’t get nearly as many, though the losses are higher
    • Capturing the entire phishing space is hard because it’s so large
    • Ransomware gets so much attention because from a research perspective it’s fascinating
      • There’s clever things happening in that space and the damage is so readily apparent
      • The damage phishing causes is more of a slow drip and the news coverage can be lesser, which can in turn cause more damage because people see it as a lesser threat
      • Beyond phishing, the BEC space is causing the most financial damage of anything
        • The losses are shocking
        • Billions upon billions are being lost because someone is able to impersonate someone at a company and convince them to send money somewhere
        • We’re battling human creativity and seeing how human foibles are being exploited
  • Final takeaway:
    • Look at the macro trends when it comes to targeting
    • Their theory is this down market trend will continue and every company will face a phishing threat if they have customers who have credentialed access to a website
    • There’s an entire subset of phishing actors who are hyper targeted
    • They’re not major players – they focus on esoteric phishes
    • It’s not often clear what the ultimate goal is. There’s a lot happening and it’s fascinating and we have yet to see an end to that

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

This Week’s Hoodie/Goodie Scale

Lean, Mean Retpoline

[Nullcookies]: 7/10 Hoodies
[Tim]: 6/10 Hoodies

The Phuture of Phishing: An Interview with @nullcookies

[Nullcookies]: 8.5/10 Hoodies
[Tim]: 9/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!