PlunderVolt: A new Vulnerability found in Intel Processors

PlunderVolt: A new Vulnerability found in Intel Processors

Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs.

It was reported by three academics from three different universities across Europe that a new attack was re that affects the integrity of data stored in the highly-secured area of Intel CPUs called the Intel SGX.  The attack exploits an interface which is in charge of controlling the voltage regulation of the Intel processor, this interface is something that many gamers will recognize as it is the same one that is used to overclock their CPUs.  The attack is aptly named, Plundervolt.

How it works

Plundervolt only targets Intel Software Guard eXtensions (SGX). The Intel SGX, for those unfamiliar with it, is a powerful security feature that is found on all modern Intel CPUs that keeps very sensitive data for applications to ensure that other applications are unable to access it.

By using the CPU’s energy management interface, it is able cause some changes in the SGX data just by altering the electrical voltage and frequency of the SGX memory cells. This causes bugs and faults appear within the data and operations which SGX handles.  Meaning, instead of destroying, Plundervolt sabotages output to weaken the encryption of SGX and even cause errors within apps that might have not been there before to exploit and steal data.

However, unlike other attacks, Plundervolt cannot be exploited remotely like luring users into a website and then being able to execute the attack.  Plundervolt needs to run from an app of an infected hosts with root or admin privileges.  So getting a successful attack may be harder compared to other attacks but once they are able to get in your system, they will be able to exploit your system much faster than most other attacks.

What Intel CPUs are infected and where can we get a fix?

According to Intel, the following CPU series are vulnerable to Plundervolt attacks:

Intel® 6th, 7th, 8 th, 9th & 10th generation CoreTM processors

Intel® Xeon® Processor E3 v5 & v6

Intel® Xeon® Processor E-2100 & E-2200 families

Plundervolt is nothing that end-users should worry about. It’s an attack vector that is of little interest for malware authors since it’s hard to automate at scale. It is, however, an attack vector that could be weaponized in targeted attacks, against specially selected targets. If Plundervolt is a serious threat depends on each user’s threat matrix.

For those who are looking for the update to fix this vulnerability, you may refer to the microcode and BIOS update here.

For any inquiries with regards to this vulnerability or any other security questions, you may call us at 8893-9515 and we would be happy to help you!

Cloud Security: The Shared Responsibility Model

Cloud Security: The Shared Responsibility Model

Have you ever asked yourself what the biggest threats are in the cloud?  The answer may not be what you’d expect it to be.  Rather than big named malware or cyber attacks, the biggest risk in the cloud happens due to service misconfigurations.  Despite the cloud’s clear operating model, teams continue to make simple mistakes or overlook the simple task of properly configuring the services they use in the cloud.

Security in the Cloud is a shared responsibility as both customer and provider has their respective responsibility, these are usually based on the Shared Responsibility Model.  The model defines which segments each are responsible for.  At a glance, are you doing your part?  Or did you assume it was handled by your provider?

One common misconfiguration misstep comes from pre-configured deployment services.  Most misunderstandings arise from thinking that after being given the configurations that they too will handle update patching and even maintenance of said configuration.  It falls on you the user to do these responsibilities and make sure that your system is safe!

Another common cause of misconfiguration is from human error.  As per our nature, we are bound to make errors along the way when working even if we take as much precaution as we can.  This is where automation can help make sure that these errors don’t occur.  Let’s say the operating system your team uses for your systems has a new patch that needs to be deployed. Instead of someone patching each of the production virtual machines, that team member should patch the original template of the virtual machines and a build system should redeploy production.

For safety measures as well, it is always in best practice to verify that your providers are doing their part in keeping you secure.  This is not to say that your provider is not doing their job, usually the 3 big cloud providers have an overwhelming amount audit evidence you can browse, its always just better to keep the habit of counter checking when security is involved.


Interested in learning more about our Cloud Security Solutions?  Contact us at 8893-9515 and we would be happy to answer your inquiries!

Ransomware Hits Florida Town, Costs them $500,000 in Ransom

Ransomware Hits Florida Town, Costs them $500,000 in Ransom

No matter how big or small your organization is, security is always something that should be considered when it comes to securing your business data.  This is especially so if you are mostly handling confidential data such as data from customers.  Unfortunately, a town in Florida learned this lesson the hard way as they were recently hit by a ransomware attack.  As their operations was put to a standstill, they had no choice but to pay the asking price of cyber criminals, 42 bitcoins (equivalent to $500,000).

This wasn’t the only attack that happened in Florida as well, another municipality ended up paying cyber criminals $600,000 when the attack severed their connection to important data.  The mayor of the town even stated that he could not believe that in such a small town they would encounter such attacks.  They aren’t alone however, during the past years many other organizations such as major hospitals were hit by ransomware and were forced to pay to gain access to business-critical data.

“Ransomware is the canary in the coal mine,” said cyber-security expert Kevin Beaumont, who argued that the spate of attacks showed organizations needed to get better at basic IT security.

What can you do to prevent this?

As stated above, one preventive measure is to make sure that your employees are briefed on basic IT security as to make sure they don’t fall to attacks such as phising to prevent criminals from getting into the network.

Another would be to have data protection measures up, you may even start with a simple back up set up.  This is to ensure that during time of attacks or system failures, you will have a starting point to recover instead of trying to get whatever you can from your infected systems.

You may also consider advanced security protection from vendors such as Trend Micro which can help detect and quarantine suspicious files and activities from the Server level or even on your multiple endpoints.

To learn more about these solutions and how we can help you, you may contact us at 893-9515 and we would be happy to find the best solution for you company!

Security Advisory: Microsoft Alerts Customers to Patch BlueKeep Vulnerability ASAP

Security Advisory: Microsoft Alerts Customers to Patch BlueKeep Vulnerability ASAP

In case you didn’t hear, another big vulnerability was reported by Microsoft on May 14, 2019 known as “BlueKeep” which takes advantage vulnerabilities of Remote Desktop Services (RDS), Remote Code Execution (RCE), and Remote Desktop Protocol (RDP).  However, BlueKeep only affects older version of Windows, so users of Windows 10 and 8 can rest easy.  The severity of the vulnerability though has forced the hand of Microsoft and they have actually made and released a security patch for its unsupported versions.  They have classified this vulnerability as a critical level threat.

This is why as of June 4, 2019, Microsoft once again urged its customers to apply the patch as soon as possible as more than 1 million devices are still vulnerable to the attack.  This is to avoid another widescale malware attacks like those of the WannaCry ransomware attack back in 2017.  Many companies were affected by the attack and caused many business operations to stop, more notably hospital operations.

What can you do to avoid being affected?

Microsoft has already provided the solution to BlueKeep, make sure you download the latest security patch for your corresponding OS (you can find the patches here).  You may need to reboot your servers to ensure the patch is running properly.

For those who are Trend Micro users, specifically those who use Deep Security, if you are unable to apply the patch due to other reasons, such as being unable to reboot your servers, please make sure that you apply the correct policy for the virtual patching of Deep Security to ensure the security of your servers.  Below is the Deep Packet Inspection (DPI) rule:

  • 1009749 – Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability

You can view the official Trend Micro article on it here.

For those who are looking into a longer-term solution, you can consider solutions such as Citrix Gateway and Virtual Apps to secure your remote connections to Windows servers.

To learn more about these solutions, you can contact us at 893-9515 and we will help introduce you to different options that you have to help prevent these kinds of vulnerabilities!

Security Vulnerabilities: A Closer look at a Cyber Criminal’s Window to your System

Security Vulnerabilities: A Closer look at a Cyber Criminal’s Window to your System

You may be hearing more and more these days of new security vulnerabilities being discovered in the news and may be wondering what exactly it may imply?  Simply, a vulnerability represents the ideal opportunity for cyber criminals to infiltrate your system to compromise your data or to perform data theft.

According to current data now, we can see that these vulnerabilities will be popping up more often as 2017 had a record-breaking year for reported exploitable vulnerabilities, with almost 20,000 security flaws reported over the year.   For the year 2018, the data is still being tallied however, a report from RiskBased Security has already noted that more than 10,000 vulnerabilities have been reported in which 3,000 potential flaws which enterprises have failed to patch.

To better understand vulnerabilities, our friends from Trend Micro has segregated them into types in which to classify them:

Traditional vulnerability – is a programming error or other type of software issue that hackers can use to sidestep password protection or security measures and gain unauthorized access to legitimate systems. These are the most rampant types of security vulnerabilities.

Zero-days – are brand new software issues that have only just been identified and have not yet been patched by vendors.  As Trend Micro explained, “that’s because the vendor essentially has zero days to fix the issue or has chosen not to fix it.”

Undisclosed vulnerability – these are flaws that have been identified and reported, but are not yet disclosed to public users, giving vendors time to patch the issue.

So, what can you do to help address these vulnerabilities?

To help keep your enterprise safe from these vulnerabilities, Trend Micro suggests that you pay attention to current security research so that you can apply the necessary findings to help keep your business safe.  Another would be to make sure that you keep yourself up to date with updates and patches.  However, with the number of vendors and patches, it can sometimes be too much for your IT to patch immediately due to the volume.  Trend suggests the following patching prioritization scheme to help ease the load of your IT team:

  • The severity of the patched issue. Microsoft and other vendors will rate vulnerabilities according to how critical they are to overall risk. More critical patches should be applied as soon as possible, whereas less critical updates can represent a lower priority.
  • Vulnerabilities impacting your enterprise’s particular key software. Similarly, updates for software systems that are used on a daily basis within the enterprise and provide essential functionality should be prioritized over other updates. A patch for a software that is only intermittently used, or only impacts a small number of users in a single department of the company, for instance, can be put on the back burner.
  • Those currently being exploited. It’s important to prioritize patches for vulnerabilities that hackers are currently using to mount attacks.

To learn more, you may visit the original Trend Micro article here, visit our product page here, or you can also contact us directly at 893-9515 and we will be happy to answer your inquiries!

Managed Detection and Response: Helping to Fill in Business Security Gaps

Managed Detection and Response: Helping to Fill in Business Security Gaps

Managed detection and response (MDR) is an outsourced service that provides organizations with threat hunting service and responds to threats once they are discovered.  What sets it apart from other security services is the human element in which security providers provide access to their security resources such as their researchers and engineers who will now provide analysis to incidents while monitoring their networks.

The challenges MDR can solve

One of the more significant solutions MDR can provide to businesses is solving the lack of security skills within their organization.  Unlike bigger organizations, not all businesses can afford to hire and train dedicated security personnel that can do full-time threat hunting, which then gives them access to security which normally would be out of their reach.  This benefit is more apparent in medium sized organizations as they are targeted by cyberattacks while not having the proper resources or manpower to defend themselves adequately.  However, it must be pointed out that even if organizations budget costs and manpower to a dedicated team, they might not be able to find the right personnel in the first place.  In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by 2021.

                      What an organization stands to gain when MDR comes into play

Another challenge that is often overlooked by businesses is the sheer amount of alerts the security team receive on a daily basis.  Not all the alerts are malicious, but they can’t be easily identified so they must be checked individually, and threats found must also be scanned for correlation to see if there is a connection to find any bigger attacks planned in the future, and all of this take time.   MDR tries to address this problem by not only discovering the threats but also doing an analysis on the factors and indicators involved in an alert.  Analyzing and contextualizing are the most important skills of a security professionals’ arsenal, as security technologies can block threats but knowing the reasons and the patterns of the incidents can help you block bigger threats in the future.  MDR tries to solve the skill gap in cybersecurity that smaller organizations cannot usually afford due to their limited resources.

How does Trend Micro’s MDR work?

Trend Micro’s MDR provides a wide array of security services, including alert monitoring, alert prioritization, investigation, and threat hunting. It uses artificial intelligence models and applies them to endpoint, network, and server data in order to correlate and prioritize advanced threats. By investigating prioritized alerts, Trend Micro threat researchers can then work with organizations to provide a detailed remediation plan.

To learn more about Trend Micro’s MDR, you may read the original article or you can contact us at 893-9515 and we will be happy to answer your questions!

New Vulnerability aLTEr Discovered by Researchers

New Vulnerability aLTEr Discovered by Researchers

Researchers from Ruhr-Universität Bochum & New York University Abu Dhabi have recently discovered three types of attacks/vulnerabilities for devices using Long-Term Evolution (LTE) network protocol that cyber criminals can use to steal your data.  The researched team has dubbed the attacks as “aLTEr”.  With LTE (a form of 4G) as a standard in the mobile communications industry, many of their users can be affected by these new attacks.  However, according to the researchers, the efforts in which to do these attacks are so high that they will most likely only target those of special interest like politicians or high-level management of corporations.

aLTEr attacks can either be passive or active in nature.  The passive attacks are considered so as they do not directly interfere with network connections, what they cyber criminals do are to release a type of tool in which they use to eavesdrop on the activities of the user.    This means that they can monitor your internet activities and collect information on the user’s habits on the internet and use it to their advantage.

An active attack on the other hand, makes use of the middle-man method.  Through the vulnerability found within the data layers, attackers are able to intercept your traffic with the network.  They are able to fool the network into thinking that they are the user and vice versa so that they may redirect you to a malicious website rather than the intended destination so that they may try to steal your data or infect your device without you nor the network knowing.

Although stated that this is not vulnerabilities which will affect the majority of LTE users, there are still those at risk.  The researchers have recommended the following steps you can take to avoid prevent these attacks:

  • Update the specification. A specification updates means that the implementation of all devices must be changed, which leads to a high financial and organizational effort. This is likely not feasible in practice.
  • Correct HTTPS configuration. Using correct parameters for HTTPS (especially HTTP Strict Transport Security (HSTS)) helps to prevent the redirection to a malicious website. It can act as an additional layer of protection.
  • Virtual Private Network (VPN). Using VPN tunnel with integrity protection and end point authentication helps to prevent the attack. The VPN tunnel acts similar to HTTPS as additional security layer.

For those interested in an extra layer of defense against attacks like aLTEr, Cisco Umbrella and Cisco AMP for endpoints are the solutions you are looking for.  Cisco Umbrella acts as your first layer of defense as it protects your endpoints from downloading malicious requests such as phishing attempts or infected websites trying to download in the background.  For threats that can’t be blocked by umbrella, such files downloaded by the user outside of the Umbrella network, there is Cisco AMP for endpoints.  Cisco AMP for endpoints can block malware using global data analytics, perform exploit prevention, uses machine learning, perform rootkit scanning, and has a built-in antivirus engine.

To learn more about aLTEr attacks you may read up on the official website.  To learn more about Cisco Umbrella and Cisco AMP for Endpoints, you may call us at 893-9515 for more information!