Research Firm Discloses Details of Major Critical AMD Chip Flaws
A little-known Israel-based security firm called CTS Labs has published details of 13 security flaws and backdoors in a variety of AMD chipsets. The bugs affect servers, desktops, and laptops alike. As of now there appear to be no fixes for these vulnerabilities, which the firm says could be exploited for data theft, remote code execution and other attacks. Third-party researchers have confirmed that CTS Labs has working proof-of-concept code for the bugs, but the company does not yet appear to have released it. Worth noting for prioritisation: the published descriptions indicate that the attacks require administrative privileges on the target machine, so these are post-compromise persistence and firmware-level issues rather than initial-access bugs. Oddly, CTS Labs gave AMD very little warning before publicly disclosing the flaws, and some of the wording in its report (a disclaimer that the firm may have a financial interest in the companies it covers) has led to speculation that CTS Labs may have attempted to profit from a short position on AMD after disclosing the bugs. Vice’s Motherboard has good write-ups on both the bugs themselves and the controversy surrounding the unusual disclosure.
RottenSys Android Malware Builds 5 Million Device Ad Bot
A strain of Android adware called RottenSys has built a botnet of roughly five million devices, according to new research from Check Point, which suspects that the infections occurred somewhere in the supply chain. The threat evades detection by waiting a set time after installation before doing anything, ships as only a dropper in the initial installation phase, and later downloads its adware components silently, without notifying the user. Nearly half of the infected devices observed by Check Point had been distributed by a Chinese reseller called Tian Pai, which is one of the main reasons Check Point suspects the malware was installed somewhere in the supply chain. The earliest command-and-control activity linked to RottenSys dates back to 2016. In the ten days before publication, Check Point says, RottenSys served more than 13 million ads and generated more than half a million click-throughs.
Disparate Criminals Using BlackTDS Traffic Distribution System
A wide variety of criminals are using a crimeware-as-a-service offering called BlackTDS in various parts of their malware infrastructure, according to Proofpoint researcher Kafeine. Most obviously, the service sells web traffic to criminals, but it also appears to offer social engineering, drive-by download, and redirection services.
Hermes Ransomware Spreading Via Korean Flash Exploit
A recently patched Adobe Flash Player vulnerability (CVE-2018-4878), first exploited as a zero-day in attacks widely attributed to North Korean state-sponsored hackers, is now being used by criminals to spread the Hermes ransomware, according to Malwarebytes research published earlier this week. Like the original attacks on CVE-2018-4878, this new round, delivered by an exploit kit named GreenFlash Sundown, targets only machines located in South Korea. Despite the exploit kit and CVE-2018-4878, the infection chain still requires the victim to allow a batch script to run in order to execute the main payload. Criminals had previously embedded a CVE-2018-4878 exploit in Microsoft Office documents distributed through malicious spam email.
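As an added practical check for the Office-document delivery vector mentioned above (this is example code written for this brief, not anything from Malwarebytes, MKACyber or the exploit kit), the following Python script flags Office Open XML documents (docx/xlsx/pptx) that embed a Flash object, either by an SWF header inside an ActiveX/OLE package part or by a reference to the Flash Player ActiveX control's CLSID or ProgID. The heuristics, the part names and the in-memory sample document are constructed assumptions for illustration; the script does not detect CVE-2018-4878 specifically, only the presence of Flash content, which is the thing a mail gateway or triage script would want to quarantine regardless of which Flash bug is in play.

```python
"""Flag Office Open XML files (docx/xlsx/pptx) that embed a Flash object.

Added example for this brief; not code from Malwarebytes or MKACyber.
Heuristics (assumptions of this example, not anything the brief describes):
  1. a binary package part containing an SWF signature (FWS/CWS/ZWS) followed
     by a plausible version byte, at offset 0 (raw SWF) or further in, where
     an OLE/ActiveX wrapper would place it;
  2. an XML or .rels part referencing the Flash Player ActiveX control's
     CLSID or ProgID.
Run as: python flash_in_ooxml.py suspect.docx
"""
import io
import re
import sys
import zipfile

# CLSID / ProgID of the Flash Player ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
FLASH_PROGID = "shockwaveflash"
# SWF signature (uncompressed / zlib / LZMA) followed by a version byte in 1..50.
SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)[\x01-\x32]")


def scan_ooxml(data: bytes):
    """Return sorted (part_name, reason) findings for one OOXML package in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            blob = pkg.read(name)
            if name.lower().endswith((".xml", ".rels")):
                text = blob.decode("utf-8", errors="replace").lower()
                if FLASH_CLSID in text or FLASH_PROGID in text:
                    findings.append((name, "references the Flash Player ActiveX control"))
                continue
            # Binary part: look for an SWF header anywhere, since ActiveX/OLE
            # wrappers put the SWF after their own header bytes.
            m = SWF_HEADER.search(blob)
            if m:
                sig = m.group(1).decode()
                findings.append((name, f"SWF header {sig} at offset {m.start()}"))
    return sorted(findings)


def build_sample_docx(with_flash: bool) -> bytes:
    """Build a minimal constructed .docx in memory (not a real malicious sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        if with_flash:
            # ActiveX control part naming the Flash CLSID in the form Word writes it.
            pkg.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
            )
            # Fake OLE wrapper: 16 junk bytes, then a zlib-compressed SWF header
            # (version 28), a dummy length field and a dummy body.
            pkg.writestr(
                "word/activeX/activeX1.bin",
                b"\x00" * 16 + b"CWS" + bytes([28]) + b"\x40\x00\x00\x00"
                + b"\x78\x9c" + b"\x00" * 48,
            )
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                hits = scan_ooxml(fh.read())
            print(path, "FLASH" if hits else "clean", hits)
    else:
        print("constructed sample:", scan_ooxml(build_sample_docx(True)))
```

The version-byte check after the three-byte signature keeps random binary data (images, fonts) from tripping the SWF heuristic, and scanning every binary part rather than only `.swf` names matters because Office stores embedded controls under `activeX/` and `embeddings/` with `.bin` extensions. Treat any hit as grounds for quarantine rather than proof of exploitation; legitimate documents with embedded Flash exist but should be rare enough in most environments to review by hand.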
March Patch Tuesday: Microsoft Fixes 15 Critical Flaws
In addition to Microsoft’s fixes, Adobe released fixes for various bugs in Adobe Dreamweaver, Connect, and Flash Player. The Flash Player vulnerabilities, a use-after-free (CVE-2018-4919) and a type confusion (CVE-2018-4920), both of which enable remote code execution, are probably the highest priority among Adobe’s fixes. Microsoft’s critically rated bulletins resolve a series of memory corruption bugs in the Chakra scripting engine (CVE-2018-0930, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934, CVE-2018-0936, CVE-2018-0937, CVE-2018-0872, and CVE-2018-0874), Microsoft’s own rollup of the Adobe Flash fixes for the Flash Player bundled with Internet Explorer and Edge, a Microsoft browser information disclosure (CVE-2018-0932), a scripting engine information disclosure (CVE-2018-0939), and four scripting engine memory corruption bugs (CVE-2018-0889, CVE-2018-0893, CVE-2018-0876, and CVE-2018-0925). As always, Johannes Ullrich of SANS has a good write-up on the fixes. Beyond all this, Microsoft appears to have relaxed the rule it introduced with its Spectre and Meltdown patches, which required a compatibility registry key to be set (normally by the installed antivirus product) before machines running certain antivirus products could install the latest operating system updates.
MKACyber publishes this intelligence brief regularly in an effort to keep cybersecurity professionals up-to-date on the news and research that matters.