image of breaking badness
Breaking Badness
Breaking Badness

164. In Da NightClub Malware

Coming up this week on Breaking Badness: Downfall is in the Air, Disco Malware Fever, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

Downfall is in the Air

  • Several major companies have published security advisories in response to the recently disclosed Intel CPU vulnerability named Downfall
  • The name is very dire-sounding, but when we talk about transient vulnerabilities, you get these lovely choices: you can be pwned or you can have seriously downgraded performance
    • Bugs in hardware are problematic
    • But Downfall makes it sound like a catastrophic crash, and that could be a consequence if you get owned by this vulnerability, but perhaps this name is a little more dramatic than it needs to be
  • Skylake and Ice Lake
    • Basically Intel has had these name schemes possibly based on places in Oregon (and this is just an assumption) 
    • It’s a bunch of generations of chips – 6 thru 11 generations of lakes 
    • It’s a lot of CPUs that are encompassed here
    • Skylake was announced in 2014 to give you a sense of the timeline
  • The two techniques this attack leverages are dubbed Gather Data Sampling and Gather Value Injection
    • If you read the summary quote from the Google researcher who discovered this, he said “The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not be normally be accessible.” Now, that’s basically just describing a transient execution vulnerability in fairly general terms. But he got more specific about this one, saying “I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution.” 
    • Again, generally looks familiar if you studied SPECTRE, for example. But then we get to what you asked about – Gather Data Sampling, and Gather Value Injection. The researcher created these techniques after observing the behavior of this Gather instruction
    • Gather Data Sampling exploits the gather instruction to steal stale data from previously-undisclosed CPU components called SIMD register buffers. Since various memory operations share these buffers, GDS enables attackers to steal data from other security domains
    • Gather Value Injection combines GDS with an earlier type of exploit called load value injection, and this allows the attacker to insert arbitrary values into registers in order to carry out attacks
  • We have not yet seen a threat actor use this vulnerability in the wild as of the time of this recording
    • As published right now, to exploit these you need to have local access. However, a remote attack is theoretically possible so it’s wise to keep on the lookout to see if someone develops a PoC for that 
  • Are there mitigations?
    • How you specifically act on them is situational 
    • A lot of the big cloud providers have come out with statements like “the mitigation is in place and you’re covered so you don’t need to take action.”
    • Most actions are: you don’t need to do anything
    • If you’re running your own hardware, you should look at getting a patch in place, but the urgency is not super high because it appears to be a local attack, but as we’ve been saying, we might want to do something about it rather than have that hanging out there

Disco Malware Fever

  • We’ve been hearing more about MoustachedBouncer in the news
    • Name of the newly uncovered group from the ESET group that targets diplomatic targets in Belarus (foreign embassies) 
    • They’ve been around for a while, dating back to 2014
    • First victim is seen in 2017 
  • Typically they do Adversary-in-the-Middle attacks – it’s kind of their calling card
    • The malware they work with is called Disco and NightClub
    • The whole Moustache thing is a take off the president of Belarus who has a well-known moustache 
    • The attacks are at the ISP level
      • There’s a Russian law – SORM – it’s a program to do lawful intercept
      • Hardware is deployed in Belarus 
    • Adversary-in-the-Middle (AitM) is seen a few other spots, but it is pretty rare
      • The level of access you need is greater 
      • It’s very uncommon 
      • In this case, they’re seeing Windows updates happening on the machines used by diplomats are redirected to drop malware
      • Man-in-the-Middle is used for exfiltration 
    • This scenario is reminiscent of Turla and StrongPity
      • Some of the targeting and activity align with what has been seen from these other groups 
      • We see Russian language in the malware, but it’s not uncommon in Belarus 
      • They also see directional alignment with GhostWriter 
      • Targeting is also similar – not the exact same group maybe, but very similar 
  • The malware families (Disco and NightClub)
    • Disco is newer and does delivery via SMB shares 
    • The older families relied on fake Windows updates 
    • There’s some really interesting in-the-middle exfils going on 
    • Looking at this stuff you think it has to be AitM because they’re things that should not happen in DNS 
    • The article kept referring to a downloader that seems like a legitimate Microsoft domain
      • That says to Tim that this happens at the ISP level that there’s some sort of DNS poisoning 
  • Are there mitigations to consider? What’s the main takeaway?
    • Full tunnel VPN is the mitigation 
    • If you’re a diplomat, that should be what you’re always doing 100% of the time
      • It’s all your security team should allow you to do

This Week’s Hoodie/Goodie Scale

Downfall is in the Air

[Taylor]: 4.78/10 Hoodies
[Tim]: 4.5/10 Hoodies

Disco Malware Fever

[Taylor]: 1/10 Hoodies
[Tim]: 2/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!