17. A Root Awakening
Coming up this week on Breaking Badness. Today we discuss: No One Makes Bleed My Own RAM, Exim Marks the Spot for Vulnerabilities, and Not So Ok Computer: The Android Wasn’t Paranoid Enough.
Here are a few highlights from each article we discussed:
- As a reminder, this category of vulnerability has to do with the physical architecture of the RAM. The chip makers have crammed more and more memory cells into the same space, which is great in that you can get higher volumes of memory in the same or less physical space, but it’s reached a point where when the cells are this small and this closely packed together, it’s impossible to prevent them from sometimes interacting with their neighbors, and flipping bits in those adjacent cells can lead to being able to read out memory areas you’re not supposed to be able to read. So in essence you can deduce what the bits are in cells adjacent to a cell you’re able to control (by writing to it).
- The central thing in this attack is that the researchers were able to manipulate the memory in such a way as to get sensitive data that they want to steal, to be written to cells adjacent to ones that they control. This lets them read out the victim’s data.
- This vulnerability has been demonstrated against devices that use DDR3 and DDR4 memory, so that’s quite a lot. If you’re listening to us on a laptop, your laptop could be affected.
It is not known at this time if RamBleed has been exploited in the wild. There’s no evidence that it has, but absence of evidence is not…
- All of the hardware-based vulnerabilities, like Rowhammer and the SPECTRE/MELTDOWN speculative execution flaws, are hard to completely secure against. So for now, the best thing to do is just take the CPUs and all the RAM out of your computers. No, don’t do that. Really, all you can do is practice the usual security hygiene things, and be particularly careful about anything that enables physical access—not just “don’t leave your computer with the top-secret company plans unlocked in the bar at Applebees while you go to the restroom,” but also the stuff about not using USB sticks whose history you don’t know well.
- CVE-2019-10149 was publicly disclosed on June 5th.
- This vulnerability allows for RCE (remote code execution) in order to send nefarious emails to vulnerable Exim servers. This allows Exim servers to run malicious code at the Exim Process’ access level, which is typically on root of most servers.
- It’s estimated that there are somewhere between 500,000 and 5.4 million Exim servers that are currently installed across the internet.
- There were multiple waves of attacks. The first, according to Freddie Leeman, started on June 9th. The first hacker group began blasting out exploits from a c2 server.
- In later days, the group continued to evolve their tactics by changing the type of malware and scripts it would download on infected hosts. This is potentially a sign that they were still experimenting.
- A second wave of attacks carried about by a second group began on June 10th, according to Magni R. Sigurðsson. The objective of this attack was “to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account,” Sigurðsson told ZDNet.
- Radiohead refused to pay $150,000 ransom for ‘hacked’ recordings and chooses to release them instead.
- This is a ransom story, but interestingly, it’s not a ransomWARE story. What happened is that someone stole the mini-disk files that contained a lot of unreleased material from the OK Computer record, and threatened to make them public unless Radiohead paid $150K.
- Radiohead did the best possible thing: they went ahead and put all the files on Bandcamp! I like what Jonny Greenwood said on Twitter, though—one of the things he said was “Never intended for public consumption (though some clips did reach the cassette in the OK Computer reissue) its only tangentially interesting. And very very long. Not a phone download. Rainy out, isn’t it though?”.
This Week’s Hoodie Scale
No One Makes Bleed My Own RAM
[Tim]: 5/10 Hoodies
[Taylor]: 4.35/10 Hoodies
Exim Marks the Spot for Vulnerabilities
[Tim]: 2/10 Hoodies
[Taylor]: 4.57/10 Hoodies
Not So Ok Computer: The Android Wasn’t Paranoid Enough
[Tim]: 5/10 Goodies [Yay Radiohead]
[Taylor]: 3.5/10 Goodies [Yay Radiohead]
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!