Breaking Badness

5. Son of a Phish

Developing News: Citrix Says Its Network Was Breached by International Criminals

Here are a few highlights from each article we discussed:

Major SPOILER Alert

  • Speculative execution flaw (the same class of issue as Spectre last year).
  • Can be exploited by malicious JavaScript within a browser tab, by malware, or by rogue logged-in users.
  • Neither ARM nor AMD was affected by this particular vulnerability.
  • Mitigation may require a hardware change and may impact performance.
  • SPOILER describes a technique for discerning the relationship between virtual and physical memory by measuring the timing of speculative load and store operations, and looking for discrepancies that reveal memory layout.
  • Novel microarchitectural leakage that reveals critical information about physical page mappings to user space processes.
  • SPOILER can also be exploited from within VMs and sandboxed environments. No elevated privileges are needed to exploit this vulnerability.
  • SPOILER makes existing attacks like Rowhammer easier and quicker – used to take weeks, now can take just seconds.
  • According to Intel, “[they] expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected”.
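Intel's guidance above turns on one idea: the control flow of the code must not depend on the data an attacker wants to learn. The following is an added example (it is not code from the episode or from Intel) showing that in the smallest possible setting, a comparison of a secret against a guess. The early-exit version stops at the first mismatching byte, so its work (and its branches) depends on how much of the secret the guess already matches; the branch-free version visits every byte and OR-accumulates the differences. Instead of a timer, each function returns how many bytes it examined, which is the quantity a timing side channel would observe. The secret is a constructed sample value.

```python
"""Added example (not from the episode or from Intel): two ways to compare a
secret against a guess, to show what "control flow that depends on the data
of interest" means in practice."""
import hmac


def leaky_equal(secret: bytes, guess: bytes):
    """Early-exit compare. Returns (equal, bytes_examined).

    The loop stops at the first mismatch, so the amount of work done (and
    which branch is taken) depends on how much of the secret the guess
    already matches: exactly the data-dependent control flow to avoid."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:           # branch on secret-derived data
            return False, examined
    return True, examined


def constant_time_equal(secret: bytes, guess: bytes):
    """Branch-free compare. Returns (equal, bytes_examined).

    Every byte is visited and differences are OR-accumulated, so the control
    flow is identical for every guess of the right length. (The length check
    leaks only the length, which this example treats as public.)"""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b        # no branch depends on the byte values
    return diff == 0, examined


def stdlib_equal(secret: bytes, guess: bytes) -> bool:
    """What production code should call instead of rolling its own:
    the standard library's constant-time comparison."""
    return hmac.compare_digest(secret, guess)


if __name__ == "__main__":
    secret = b"correct horse"  # constructed sample secret
    for guess in (b"xorrect horse", b"correct hors!", b"correct horse"):
        print(guess, leaky_equal(secret, guess), constant_time_equal(secret, guess))
```

Run as a script, the leaky compare reports 1 byte examined for a guess that is wrong in the first position and 13 for one that is wrong only in the last, while the constant-time compare reports 13 every time. In real code, use `hmac.compare_digest` rather than a hand-written loop; the loop is shown only to make the control-flow difference visible.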

0Day Exploit

  • WPI fight song (X to the E) for reference.
  • Chrome 72.0.3626.121, released on March 1, fixes an undisclosed 0-day.
  • Justin Schuh (Chrome security researcher) tweeted that you should update Chrome “right this minute”.
  • CVE-2019-5786 – at this time, exploits are known to exist in the wild.
  • No details so far on what the vulnerability is or how it’s being exploited, but details should be released in 14 weeks.
  • What is known: it’s a bug in FileReader that may allow RCE (Remote Code Execution).
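The practical question for a defender is whether a given install is at or above 72.0.3626.121. The following is an added example, not code from the episode or from the Chrome project, that parses the version out of a string like `Google Chrome 72.0.3626.121` and compares it numerically against the fixed version. It also shows the mistake the numeric comparison avoids: comparing the dotted strings lexically, which ranks `72.0.3626.96` above `72.0.3626.121`. The `google-chrome --version` invocation in the script section is an assumption about a Linux install; the functions themselves take plain strings.

```python
"""Added example (not from the episode or from the Chrome project):
check an installed Chrome version against the first fixed release for
CVE-2019-5786 using a numeric, not lexical, comparison."""
import re
import shutil
import subprocess

FIXED_VERSION = "72.0.3626.121"  # first release with the fix, per the episode notes


def parse_version(text: str) -> tuple:
    """Extract the first dotted version number from text such as
    'Google Chrome 72.0.3626.121' and return it as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is at or above the fixed version.
    Shorter tuples are right-padded with zeros so 73.0 compares as 73.0.0.0."""
    inst, fix = parse_version(installed), parse_version(fixed)
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def naive_string_check(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """The bug this example warns against: comparing version strings as
    text. '72.0.3626.96' >= '72.0.3626.121' is True because '9' > '1'."""
    return installed >= fixed


def installed_chrome_version() -> str:
    """Assumption: a Linux host with a google-chrome or chromium binary on
    PATH. Returns the raw '--version' output, or '' if none is found."""
    for binary in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(binary)
        if path:
            return subprocess.run([path, "--version"], capture_output=True,
                                  text=True, check=False).stdout.strip()
    return ""


if __name__ == "__main__":
    found = installed_chrome_version()
    if found:
        print(found, "->", "patched" if is_patched(found) else "UPDATE REQUIRED")
    else:
        # Constructed sample strings for an offline demonstration.
        for sample in ("Google Chrome 72.0.3626.96", "Google Chrome 72.0.3626.121", "73.0.3683.75"):
            print(sample, "numeric:", is_patched(sample), "lexical:", naive_string_check(sample))
```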

[Comic courtesy of XKCD. Alt text: The dump also contains a list of millions of prime factors, a 0-day Tamagotchi exploit, and a technique for getting gcc and bash to execute arbitrary code.]

Floundering, Flailing, Phishing Attack

  • A recent phishing fail occurred when a phisher accidentally attached a legitimate copy of PowerShell instead of the malicious payload to a phishing email.
  • The email purported to be about an invoice (a common lure in phishing emails).
  • A researcher believes the threat actor may have been trying to attach a LNK file and just grabbed the wrong one.
  • Op and OpSec fails are common in phishing – we had one recently where a phishing email delivered to Ryan and Emily had all the recipients in the To line instead of the BCC line or separate emails. They could see the entire list of people receiving the phishing email and could see they were all security company email addresses, letting us narrow down where the sender might have gotten Ryan’s email address.
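Both fails in this segment are visible from the message itself: an attachment whose name or content does not match an invoice, and a To line that exposes every recipient. The following is an added example, not code from the episode, that builds a constructed message with those two defects and runs a small triage over it using the standard library's `email` package. The attachment bytes are stubs (a four-byte Windows shortcut header prefix and a two-byte PE `MZ` prefix followed by padding), the addresses use the reserved `.invalid` domain, and the risky-extension list and recipient threshold are assumptions a team would tune for itself.

```python
"""Added example (not from the episode): triage one raw email for the two
phishing fails discussed above, a mismatched or risky attachment and a
mass To line. Everything in build_sample_eml() is constructed."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RISKY_EXTENSIONS = {".lnk", ".exe", ".ps1", ".js", ".vbs", ".hta", ".scr"}  # assumption
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr"}
PE_MAGIC = b"MZ"                      # first bytes of a Windows PE file
LNK_MAGIC = b"\x4c\x00\x00\x00"       # first bytes of a Windows shortcut header
MASS_TO_THRESHOLD = 10                # assumption: more visible recipients than this is suspicious


def build_sample_eml() -> bytes:
    """Constructed sample: invoice lure, 12 visible recipients, a .lnk
    attachment, and PE content hiding behind a .pdf name."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = ", ".join(f"user{i}@sec-vendor{i}.invalid" for i in range(12))
    msg["Subject"] = "Invoice #4471 overdue"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(LNK_MAGIC + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.lnk")
    msg.add_attachment(PE_MAGIC + b"\x90" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    return bytes(msg)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return recipient statistics plus a
    list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Recipient exposure: everyone on the To line can see everyone else.
    to_header = msg["To"]
    addresses = list(to_header.addresses) if to_header else []
    domains = sorted({a.domain.lower() for a in addresses})
    if len(addresses) > MASS_TO_THRESHOLD:
        findings.append(f"mass To line: {len(addresses)} visible recipients across {len(domains)} domains")

    # Attachment checks: risky extension, and content that contradicts the name.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment extension: {name}")
        if payload.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
            findings.append(f"PE executable content disguised as {name}")
        if payload.startswith(LNK_MAGIC) and ext != ".lnk":
            findings.append(f"shortcut (LNK) content disguised as {name}")

    return {"recipients": len(addresses), "domains": domains, "findings": findings}


if __name__ == "__main__":
    for line in triage(build_sample_eml())["findings"]:
        print(line)
```

Point `triage()` at the bytes of any saved `.eml` file. The magic-byte checks are deliberately narrow (only PE and LNK headers) so the example stays readable; a production triage would use a proper file-type identification library and a larger extension list.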

This Week’s Hoodie Scale

A Major SPOILER Alert

[Tim]: 6/10 Hoodies
[Emily]: 5/10 Hoodies

0Day Exploit (aka CVE-2019-5786)

[Tim]: 3/10 Hoodies
[Emily]: 5/10 Hoodies

A Floundering, Flailing, Phishing Attack

[Tim]: -10 millihoodies/10 Hoodies
[Emily]: -4/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!