By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

In yesterday’s post, Meltdown and Spectre: The Threats in Your Machine, we discussed the significance and some of the technical details of the Meltdown and Spectre vulnerabilities. Today, let’s talk about how a cyber adversary could leverage these vulnerabilities to target your organization or your personal systems.

To prepare for potential attacks that might use the vulnerabilities, it’s important to understand various theoretical scenarios of how an attack could unfold:

New Breach – As with most attacks, the attacker will need to gain access or execute code on the target’s system. These vulnerabilities could be exploited by the very common attacks used today including drive by downloads, watering hole or spear phished emails, which leverage malicious files (e.g. weaponized PDFs, office documents, etc.) or fileless attacks (e.g. JavaScript embedded in PDFs files or in HTML code). Solely relying on signatures and other legacy detection and protection solutions will not provide an organization much protection as knowledgeable attackers craft their attacks to evade most mandated and compliance-based technologies.

Expanding the Breach – These vulnerabilities could provide value to a cyber adversary who already has breached your network and has been unable to gain further access to sensitive information in your environment. For example, the adversary has breached a virtual machine in the network or cloud instance, but has been unable to gain further access. Leveraging Meltdown or Spectre, an attack could allow the adversary to gain access to other systems’ memory spaces. While these spaces might typically be secure and inaccessible, an attack using the vulnerabilities may allow the attacker to begin expanding their access by obtaining sensitive data such as passwords and encryption keys. This is very concerning if organizations rely solely on logical segmentation for security and destructive malware exploits these vulnerabilities to wreak more havoc. This should be a major area of concern.

Avenues of Attack – What SOCs should be watching for (generally, as no samples have yet been found in the wild). The scale and scope of these vulnerabilities are significant and pose various risks to consumers and organizations. First, let’s look at some of the various ways an adversary could leverage these vulnerabilities.

  • Mobile Devices – Malicious mobile applications are a prominent way to target mobile devices (tablets and smart phones). For example, a cybercriminal can spoof a legitimate mobile application and trick users into downloading and installing a version that looks very similar, but is malicious. These malicious mobile applications, have limitations based on the permissions granted, but could then exploit the Spectre vulnerability and gain access to memory of other mobile applications on the mobile device (tablet, smart phone, etc.). If a corporate enterprise allows Bring Your Own Device (BYOD), then an adversary could leverage Spectre to access to sensitive corporate data contained within another application’s memory space. Possible risks could include: personal email account passwords, corporate login credentials and corporate IP, credit card number, password reminder apps, or other PII/PHI information (disclaimer – each entity’s situation is unique and is very specific to what hardware and software they are running on their devices and requires investigation by your organization to determine
  • Cloud Infrastructure – As moving to the cloud consolidates computing resources for cost savings and efficiencies, the data processing and storage of multiple customers on the same piece of physical hardware can create risk. However, the vulnerabilities could now allow an adversary to expand their foothold and visibility into other logically separated computing environments which would otherwise seem secure.
  • Server/Laptop/Desktop Systems – These systems, even over 10-year-old devices (and especially under-monitored, but connected, ghost devices), are widely deployed and used to process and store sensitive data across all industry verticals. These end devices are subject to similar attacks as noted above (file-based and fileless attacks). Specifically, desktops and laptops are prime targets for cyber adversaries as they can leverage the Meltdown vulnerability to harvest valid network credentials that may be used to directly access other systems in the organization. End user’s stored personal credentials could also potentially be obtained, resulting in financial fraud and identity theft.

The Meltdown and Spectre vulnerabilities are the beginning of the latest wake up call for organizations to continuously question, enhance, test and secure their environments. While the attacks I’ve described have not yet been seen in wild, they do represent how attackers might be planning ways to capitalize on the vulnerabilities before adequate patches are deployed widely or hardware is refreshed.

Please come back for Monday’s blog as we discuss some mitigating best practices for Meltdown and Spectre as it relates to cyber hygiene, architectural security practices, and the ways that emerging technologies can provide additional defenses. Our BluVector solutions, which leverage Artificial Intelligence/Machine Learning and Speculative Code Execution capabilities, can help to detect unknown, zero-day attacks that threat actors will inevitably create and use to exploit these vulnerabilities.