May 2019 has been a month full of controversy and chaos, as three serious security flaws were disclosed in products from three major companies: WhatsApp, Cisco and Intel. Only the WhatsApp flaw is known to have been exploited in the wild, but all three show how little the end user can do once the software or hardware they rely on is broken.
The WhatsApp Hack
Early in the month, the Facebook-owned messaging app WhatsApp announced that it had discovered spyware being installed on targeted phones by a commercial surveillance vendor, effectively taking over the devices and allowing the operators to remotely and surreptitiously control the camera and microphone and vacuum up personal and location data. The most concerning aspect of this attack is that it is triggered simply by placing a WhatsApp voice call to the target phone, and the spyware can be installed whether the call is answered or not.
Once the device has been compromised, WhatsApp’s famed end-to-end encryption for its 1.5 billion users is of no help: encryption protects messages in transit, but spyware running on the phone reads them at the endpoint, after they have been decrypted. The attack exploited a bug in WhatsApp’s software that Facebook’s own advisory described as a buffer overflow in the app’s VoIP (voice calling) stack, one of the most common classes of memory-safety bug. A buffer is a fixed-size region of memory set aside to hold incoming data; if the code filling it trusts an attacker-supplied length instead of checking it against the buffer’s size, the excess data ‘overflows’ into whatever sits in adjacent memory, which lets attackers crash the program or, by carefully choosing what they overwrite, take control of it. A researcher for the internet watchdog Citizen Lab, John Scott-Railton, described the attack as “a very scary vulnerability”, mainly because “there is nothing a user could have done here, short of not having the app”.
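To make the mechanism concrete, here is an added example in C, written for this article and not taken from WhatsApp, NSO or the Citizen Lab write-up. It models a packet handler that trusts the sender’s length field and copies the body into a 16-byte buffer, next to a hardened version that checks the length first. The struct layout, the `peer_verified` flag that sits behind the buffer, and the 20-byte “evil” message are all constructed for the demonstration; the buffer and its neighbour are kept inside one byte array so the overflow is well-defined and observable, rather than corrupting a real stack frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not WhatsApp's or NSO's code: a message handler that
 * trusts the length field of an incoming packet, beside a hardened version.
 * All names (frame, packet, peer_verified) and the sample message are made up. */

#define PAYLOAD_MAX 16u

/* Model of the handler's memory: a 16-byte payload buffer immediately followed
 * by a 4-byte flag the rest of the program trusts. Both live in one byte array
 * so the overflow that reaches the flag stays inside memory we own (defined
 * behaviour for the demo). In a real stack frame the neighbour could be a saved
 * return address or function pointer, which is how a crash becomes code execution. */
struct frame {
    uint8_t bytes[PAYLOAD_MAX + sizeof(uint32_t)];
};
#define FLAG_OFFSET PAYLOAD_MAX

static void frame_init(struct frame *f, uint32_t peer_verified)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + FLAG_OFFSET, &peer_verified, sizeof peer_verified);
}

static uint32_t frame_peer_verified(const struct frame *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + FLAG_OFFSET, sizeof v);
    return v;
}

/* A message as parsed off the wire: a length chosen by the sender, and the body. */
struct packet {
    size_t len;
    const uint8_t *body;
};

/* VULNERABLE: copies as many bytes as the sender claims into a 16-byte buffer.
 * (The demo only ever passes 20 bytes, so the write stays inside struct frame.) */
static void handle_vulnerable(struct frame *f, const struct packet *pkt)
{
    memcpy(f->bytes, pkt->body, pkt->len);   /* pkt->len never compared to PAYLOAD_MAX */
}

/* HARDENED: check the claimed length against the buffer before touching memory.
 * Returns 0 if the message was accepted, -1 if it was rejected. */
static int handle_hardened(struct frame *f, const struct packet *pkt)
{
    if (pkt->len > PAYLOAD_MAX)
        return -1;
    memcpy(f->bytes, pkt->body, pkt->len);
    return 0;
}

/* Constructed malicious message: 16 bytes of filler to fill the buffer, then the
 * 4-byte native encoding of the value 1, which lands exactly on the flag. */
static size_t build_evil_message(uint8_t *out, size_t cap)
{
    uint32_t one = 1;
    if (cap < PAYLOAD_MAX + sizeof one)
        return 0;
    memset(out, 'A', PAYLOAD_MAX);
    memcpy(out + PAYLOAD_MAX, &one, sizeof one);
    return PAYLOAD_MAX + sizeof one;         /* 20 bytes: 4 past the end of the buffer */
}

/* Flag value after the vulnerable handler processed the evil message
 * (starts at 0 = not verified; the overflow flips it to 1). */
int vulnerable_flag_after_attack(void)
{
    uint8_t msg[PAYLOAD_MAX + sizeof(uint32_t)];
    struct packet pkt = { build_evil_message(msg, sizeof msg), msg };
    struct frame f;
    frame_init(&f, 0);
    handle_vulnerable(&f, &pkt);
    return (int)frame_peer_verified(&f);
}

/* The hardened handler's verdict on the same message: -1 means it was rejected
 * and the flag is still 0; 1 means the flag was reached anyway. */
int hardened_verdict_on_attack(void)
{
    uint8_t msg[PAYLOAD_MAX + sizeof(uint32_t)];
    struct packet pkt = { build_evil_message(msg, sizeof msg), msg };
    struct frame f;
    frame_init(&f, 0);
    int rc = handle_hardened(&f, &pkt);
    return (rc == -1 && frame_peer_verified(&f) == 0) ? -1 : 1;
}

/* A legitimate 16-byte message is still accepted by the hardened handler (returns 0). */
int hardened_verdict_on_valid(void)
{
    uint8_t msg[PAYLOAD_MAX];
    memset(msg, 'h', sizeof msg);
    struct packet pkt = { sizeof msg, msg };
    struct frame f;
    frame_init(&f, 0);
    return handle_hardened(&f, &pkt);
}

int main(void)
{
    printf("vulnerable handler: peer_verified = %d\n", vulnerable_flag_after_attack());
    printf("hardened handler:   verdict = %d (-1 = rejected, flag untouched)\n", hardened_verdict_on_attack());
    printf("hardened handler on a valid message: verdict = %d\n", hardened_verdict_on_valid());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the buffer size; everything the attacker gains in the vulnerable path comes from its absence. Stack canaries, ASLR and similar mitigations make such a bug harder to turn into code execution, but they do not remove it, which is why the fix shipped as an app update rather than something the user could switch on.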
The notorious Israeli surveillance vendor NSO Group has been named as the culprit, and WhatsApp has all but confirmed this identification. In a statement to CBS News, WhatsApp explained that the attackers had “all the hallmarks of a private company that works with a number of governments around the world”. The company, which also operates as Q Cyber Technologies, is now facing various lawsuits, including one filed by Israeli citizens asking the government to revoke NSO’s export licence, and another by Mexican civil society figures who have been targeted with the company’s spyware.
Danna Ingleton, Deputy Program Director at Amnesty Tech, emphasises that “NSO have again and again demonstrated their intent to avoid responsibility for the way their software is used”.
The Thrangrycat Attack
Later in the month, the security research firm Red Balloon Security published details of a deeply concerning vulnerability it had found in products from the American networking giant Cisco.
Dubbed Thrangrycat, the attack chains two vulnerabilities. The first is a command-injection flaw in the web interface of Cisco’s IOS XE software; it lets an attacker who can authenticate to that interface run commands as root on the device remotely. The second is much more sinister: with root access, the attacker can tamper with the router’s fundamental security protection, the Trust Anchor module (the hardware root of trust that secure boot relies on), by modifying the FPGA bitstream it runs, so that it no longer enforces the checks it is there for, and then implant a backdoor that survives reboots and firmware upgrades. Given how ubiquitous Cisco products are in corporate and carrier networks, this bug has devastating implications.
Founder and CEO of Red Balloon, Ang Cui explains that they’ve shown that they can quietly and persistently disable the Trust Anchor and then “make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy”. Cui also states that, although it is highly unlikely individual computers will be impacted by this bug, it nevertheless has “privacy consequences for basically anyone who uses the internet”.
Writer for the New York Times, Sarah Jeong explains that attacks like these suggest we “have to start thinking about privacy as a collective, environmental problem, not something that hits individual people, and certainly not something where the onus is on the individual to protect themselves”.
ZombieLoad
Discovered recently by researchers at Graz University of Technology in Austria, working with collaborators at other institutions, the ZombieLoad attack exploits a flaw in Intel processors that allows attackers to leak data that other programs, the operating system or other virtual machines on the same processor core have recently loaded or stored: the processor’s internal buffers briefly retain stale data from other contexts, and a malicious program can sample it.
Once found, ZombieLoad was disclosed privately to Intel, which issued microcode updates; operating-system vendors in turn shipped patches that use the new microcode to flush the affected buffers when switching between security domains. The microcode has to be delivered by individual manufacturers (or via operating-system updates) and installed by users before any of this is useful. Currently, researchers are not sure whether the flaw has actually been exploited by attackers, and because a side-channel attack of this kind leaves no trace in logs, it would be very hard to tell; but it has been shown to affect almost every Intel chip made since 2011.
Interestingly, ZombieLoad is nothing new to Intel. It is the fourth family of attacks to exploit a process known as speculative execution. This feature, built into most modern processors, lets the processor start executing instructions before it knows whether they are needed, discarding the results if not; the speed gains are significant, but the discarded work leaves traces in the processor’s caches and buffers that a carefully timed program can measure. In early 2018, ZombieLoad’s predecessors Spectre and Meltdown made front-page news, and later that year a third, Foreshadow, was disclosed.
Researchers expect to keep finding flaws in speculative execution for years to come: the fixes so far have been piecemeal, each closing one leak path rather than addressing the underlying design. What is more, for the ZombieLoad fixes to be complete, users are advised to turn off Intel Hyper-Threading, because two threads sharing one physical core also share the leaky buffers, so a malicious thread can keep sampling its sibling’s data even on a patched system. Disabling it has been reported to cost 30% to 40% in performance on some workloads.
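Whether a given Linux machine has actually received the three pieces described above (kernel patch, microcode, Hyper-Threading off) can be read from one file the patched kernels expose, `/sys/devices/system/cpu/vulnerabilities/mds`. The following added example, written for this article rather than taken from the ZombieLoad researchers or Intel, classifies that file’s status line into the states a practitioner cares about. The enum names, the advice strings and the sample lines are constructed; the line formats follow the kernel’s own documentation for that file.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the ZombieLoad paper or Intel: classify the Linux
 * kernel's MDS status line (/sys/devices/system/cpu/vulnerabilities/mds) into
 * "unpatched", "microcode missing", "patched but SMT still on" and "mitigated".
 * Enum names, advice strings and sample lines are constructed for this demo. */

enum mds_state {
    MDS_NOT_AFFECTED,     /* CPU is not affected */
    MDS_VULNERABLE,       /* no mitigation active at all */
    MDS_NEED_MICROCODE,   /* kernel patched, but the CPU lacks the microcode update */
    MDS_SMT_EXPOSED,      /* buffers are cleared, but a sibling hyper-thread can still sample */
    MDS_HOST_UNKNOWN,     /* running in a VM: the SMT state is decided by the host */
    MDS_MITIGATED         /* buffers cleared and SMT disabled */
};

/* Classify one status line, with or without its trailing newline. Anything we
 * do not recognise is treated as vulnerable rather than assumed safe. */
enum mds_state mds_verdict(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0)
        return MDS_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)
        return strstr(line, "no microcode") ? MDS_NEED_MICROCODE : MDS_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0) {
        if (strstr(line, "SMT disabled"))
            return MDS_MITIGATED;
        if (strstr(line, "SMT Host state unknown"))
            return MDS_HOST_UNKNOWN;
        return MDS_SMT_EXPOSED;   /* "SMT vulnerable", or an SMT clause we do not know */
    }
    return MDS_VULNERABLE;
}

const char *mds_advice(enum mds_state s)
{
    switch (s) {
    case MDS_NOT_AFFECTED:   return "not affected";
    case MDS_VULNERABLE:     return "unpatched: install the kernel and microcode updates";
    case MDS_NEED_MICROCODE: return "kernel patched, microcode missing: update the firmware or microcode package";
    case MDS_SMT_EXPOSED:    return "patched, but Hyper-Threading is on: disable SMT or accept cross-thread leakage";
    case MDS_HOST_UNKNOWN:   return "guest: mitigation depends on the hypervisor host's SMT setting";
    case MDS_MITIGATED:      return "mitigated: buffers cleared and SMT disabled";
    }
    return "unknown";
}

/* Read the live status line into buf. Returns 1 on success, 0 if the file is
 * absent (a kernel that predates the fix does not create it, which itself
 * means "unpatched") or empty. */
int read_mds_status(char *buf, size_t cap)
{
    FILE *fp = fopen("/sys/devices/system/cpu/vulnerabilities/mds", "r");
    buf[0] = '\0';
    if (!fp)
        return 0;
    if (!fgets(buf, (int)cap, fp))
        buf[0] = '\0';
    fclose(fp);
    buf[strcspn(buf, "\n")] = '\0';
    return buf[0] != '\0';
}

int main(void)
{
    /* Constructed sample lines in the kernel's format, so the verdicts can be seen offline. */
    static const char *samples[] = {
        "Mitigation: Clear CPU buffers; SMT vulnerable",
        "Mitigation: Clear CPU buffers; SMT disabled",
        "Vulnerable: Clear CPU buffers attempted, no microcode",
        "Mitigation: Clear CPU buffers; SMT Host state unknown",
        "Not affected",
    };
    char live[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-56s -> %s\n", samples[i], mds_advice(mds_verdict(samples[i])));
    if (read_mds_status(live, sizeof live))
        printf("this machine: %-42s -> %s\n", live, mds_advice(mds_verdict(live)));
    else
        printf("this machine: no MDS status file (kernel predates the fix, or not Linux)\n");
    return 0;
}
```

The status file is the quickest way to confirm that a patch has really taken effect: a kernel update without the matching microcode shows up as “no microcode”, and a fully patched kernel on a machine that still has Hyper-Threading enabled shows “SMT vulnerable”, which is exactly the gap the researchers warn about. Inside a virtual machine the guest cannot see the host’s SMT setting, so the verdict has to come from the hypervisor operator.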
The full scale of this vulnerability is yet to be discovered, and the jury is still out on how dangerous it is in practice. It nevertheless has grave potential and serious implications for both Intel and its users.
This string of attacks is yet another indication of the increasingly volatile nature of the cyber world, and the imperative for governments, industries and individuals to begin taking cyber security more seriously and to truly understand their interactions with the cyber world. Consumers need to use technology more thoughtfully, and companies need to implement effective and adaptive cyber security policies in order to predict and respond to a huge variety of threats. Learn how you can do this today by contacting Agilient and receiving renowned expert advice from our security specialists.
Author: Elsa Chapple, Agilient Consultant