Wednesday, July 15, 2020

Project Freta: detecting rootkits and advanced malware, in memory snapshots of live Linux systems

   Project Freta: free service from Microsoft Research for detecting evidence of OS and sensor sabotage, such as rootkits and advanced malware, in memory snapshots of live Linux systems


   Incubated at Microsoft Research, Project Freta is a roadmap toward trusted sensing for the cloud that can allow enterprises to engage in regular, complete discovery sweeps for undetected malware. The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging. While snapshot-based memory forensics is a field now in its second decade, no commercial cloud has yet provided customers the ability to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms and a priori forensic readiness. Just as yesteryear’s film cameras and today’s smartphones have similar megapixels but vastly different ease of use and availability, Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.

Project Freta’s four properties of trusted sensing
1. Detect. No program can:
Detect the presence of a sensor prior to installing itself
2. Hide. No program can:
Reside in an area out of view of the sensor
3. Burn. No program can:
Detect operation of the sensor and erase or modify itself prior to acquisition
4. Sabotage. No program can:
Modify the sensor in a way that can prevent the program’s acquisition


To learn more go here.

Graphics Processing Units in Vulnerable Lane

    In the past, Graphics Processing Unit (GPU) drivers weren’t a typical target for system exploitation, but this has changed in recent years. Many computing applications from desktop to server require more graphics horsepower than ever before and, as such, discrete GPUs are more common than ever. Even laptops are often configured with high-performance discrete GPUs instead of the basic CPU-embedded graphics chipsets of the past. Modern GPUs are highly complicated components requiring complex system drivers to maximize the GPU’s capability.

    As system complexity increases, so does the potential for finding a way to exploit the system. This effect is multiplied because GPU drivers usually run in the highest privilege ring of the system, kernel mode. This week, graphics chip maker Nvidia patched its drivers to fix two high-severity vulnerabilities as well as several lower-severity vulnerabilities.


    The first vulnerability patched by Nvidia this week relates to the Nvidia Control Panel component. This software is bundled as part of the Nvidia graphics driver package and allows for adjusting settings related to the graphics subsystem. The vulnerability, assigned CVE-2020-5962, allows for a local attacker to corrupt critical system files, leading to denial of service or escalation of privileges. Little information is available about the vulnerability specifics but systems running this software should be updated to prevent local attacks against the machine.

    CUDA is a subsystem in Nvidia drivers that allows non-graphics use of the high-performance processing units for machine learning or artificial intelligence programs. These applications benefit greatly from the highly parallelized nature of graphics hardware and typically use high-end graphics cards for their processing. The second high-severity vulnerability, CVE-2020-5963, is in the CUDA component of the graphics driver. Again, little information is available about the specifics, but the issue appears to stem from a mistake in the access control of the inter-process communication (IPC) APIs. This vulnerability could lead to arbitrary code execution from a lower-privilege process in the context of a higher-privilege process.

    Other Nvidia vulnerabilities patched this week are classified as medium severity. CVE-2020-5967 and CVE-2020-5965 appear to be similar vulnerabilities in Linux and Windows respectively, which allow for denial of service to the target system. CVE-2020-5964 and CVE-2020-5966 are exclusive to Windows systems and range in severity from denial of service to arbitrary code execution.
    As high-performance GPUs become more common in even basic systems, it is important to verify that your drivers are being updated in a timely fashion.
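One way to check the "are my drivers updated" question across a Windows fleet is to read the installed NVIDIA driver version and compare it with the minimum fixed version from the vendor bulletin. The script below is an added example, not code from the original post or from Nvidia. It assumes Windows hosts queried through CIM, and `$MinimumFixedVersion` is a placeholder to be filled from the bulletin linked in the sources (the post itself does not state the fixed version). The four-part-to-package version mapping (e.g. `27.21.14.5148` reported by Windows corresponds to package `451.48`) is the commonly used conversion and is labelled as an assumption in the code.

```powershell
# Added example (not from the original post): list NVIDIA adapters on Windows hosts and
# flag drivers older than the fixed version named in the vendor security bulletin.
# PLACEHOLDER: set $MinimumFixedVersion from NVIDIA's bulletin for your driver branch.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # hosts to query over CIM/WinRM
    [version]$MinimumFixedVersion = '0.0'             # PLACEHOLDER, e.g. [version]'451.48'
)

function ConvertTo-NvidiaPackageVersion {
    # Windows exposes the driver as a four-part version (e.g. 27.21.14.5148). NVIDIA's
    # user-facing package version is the last five digits with a dot inserted before the
    # final two: 14.5148 -> 45148 -> 451.48. ASSUMPTION: this conversion is the widely used
    # rule of thumb; confirm against the driver package's own INF if in doubt.
    param([string]$DriverVersion)
    $digits = $DriverVersion -replace '\D', ''
    if ($digits.Length -lt 5) { return $null }
    $tail = $digits.Substring($digits.Length - 5)
    return [version]('{0}.{1}' -f $tail.Substring(0, 3), $tail.Substring(3))
}

function Get-NvidiaDriverStatus {
    param([string[]]$ComputerName, [version]$MinimumFixedVersion)
    foreach ($host in $ComputerName) {
        # Win32_VideoController carries the loaded display driver for every adapter.
        $adapters = Get-CimInstance -ClassName Win32_VideoController -ComputerName $host -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match 'NVIDIA' }
        if (-not $adapters) {
            [pscustomobject]@{ Host = $host; Adapter = '(none or unreachable)'; DriverVersion = $null;
                               PackageVersion = $null; DriverDate = $null; Outdated = $null }
            continue
        }
        foreach ($a in $adapters) {
            $pkg = ConvertTo-NvidiaPackageVersion -DriverVersion $a.DriverVersion
            [pscustomobject]@{
                Host           = $host
                Adapter        = $a.Name
                DriverVersion  = $a.DriverVersion
                PackageVersion = $pkg
                DriverDate     = $a.DriverDate
                # Unknown package version is treated as outdated so it gets a human look.
                Outdated       = ($null -eq $pkg) -or ($pkg -lt $MinimumFixedVersion)
            }
        }
    }
}

Get-NvidiaDriverStatus -ComputerName $ComputerName -MinimumFixedVersion $MinimumFixedVersion |
    Sort-Object Outdated -Descending |
    Format-Table -AutoSize
```

Run it against a list of hostnames from your asset inventory; anything reported as `Outdated = True` or with an unreadable version goes on the update list, and hosts that return no NVIDIA adapter still deserve a second look if they are known to ship with discrete GPUs.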

Sources:
       
https://threatpost.com/nvidia-windows-gamers-graphics-driver-bugs/156911/

https://nvidia.custhelp.com/app/answers/detail/a_id/5031


Netgear Router Vulnerabilities


National Cyber Awareness System:

06/29/2020 03:44 PM EDT

Original release date: June 29, 2020

    Multiple Netgear router models contain vulnerabilities that a remote attacker can exploit to take control of an affected device.

    The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update to the most recent firmware version and to replace end-of-life devices that are no longer supported with security patches. Given the increase in telework, CISA recommends that CISOs consider the risk that these vulnerabilities present to business networks.
See the following products for additional information.

DNS Vulnerability - CVSS Score of 10


Microsoft has released a critical patch affecting all Windows Server operating system versions with the DNS role installed. Affected operating systems: Windows Server 2003 through 2019.

This patch has a significant risk of being exploited, and if an attacker successfully exploited the vulnerability, they could run arbitrary code in the context of the Local System Account. As most organizations install the DNS Server role on their Domain Controller, the attacker would gain full control of a Domain Controller. Once the attacker has full control of the domain controller, lateral movement to any Domain joined system is possible.
https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
There are no known exploits of this vulnerability in the wild. It is highly recommended that you patch all Windows DNS servers (internal and external) that you own as soon as possible.

WHAT YOU NEED TO DO

To secure your environment as soon as possible, complete the following steps.
 
  1. IDENTIFY – all Windows DNS servers in your environment, both internal and external. You can use PowerShell to help.
  2. TEST – the applicable monthly servicing stack update and cumulative update for each server operating system.
  3. DEPLOY – the applicable patch to all DNS servers in your environment as soon as possible.
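The IDENTIFY step is the one most often done badly, because the DNS role is not always where the documentation says it is. The script below is an added example, not code from the original post or from Microsoft: it enumerates every Windows Server object in Active Directory (plus any hand-supplied external or workgroup hosts), asks each one over WinRM whether the DNS Server service exists, and reports the most recent installed hotfix so that servers with nothing installed since the July 14, 2020 release form the DEPLOY list. It assumes the ActiveDirectory module (RSAT), WinRM reachability and an account allowed to query the servers; the hotfix-date comparison is a proxy, and the specific KB for each OS must still be confirmed against Microsoft's advisory.

```powershell
# Added example (not from the original post): inventory Windows DNS servers and report
# which have received no update since the CVE-2020-1350 fix was published.
# Assumptions: ActiveDirectory module available, WinRM enabled on the servers, and an
# account permitted to query them. External/workgroup DNS hosts are passed by hand.
param(
    [string[]]$ExtraServers = @()            # DNS hosts that AD will not list for you
)

Import-Module ActiveDirectory
$fixReleased = Get-Date '2020-07-14'         # July 2020 security update release date

# IDENTIFY: candidate hosts are every Windows Server in AD plus anything passed in by hand.
$candidates = @(
    Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' -Properties OperatingSystem |
        Select-Object -ExpandProperty DNSHostName
) + $ExtraServers

# Ask each host whether the DNS Server service exists and what its latest hotfix is.
$results = Invoke-Command -ComputerName $candidates -ErrorAction SilentlyContinue -ScriptBlock {
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $latest = Get-HotFix |
        Where-Object InstalledOn |           # some entries carry no date; skip them
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        OS           = (Get-CimInstance Win32_OperatingSystem).Caption
        DnsInstalled = [bool]$svc
        DnsService   = if ($svc) { $svc.Status } else { $null }
        LatestHotfix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
    }
}

# DEPLOY list: DNS servers with no update installed since the fix was published.
# A newer hotfix date is only a proxy; confirm the OS-specific KB against Microsoft's advisory.
$results |
    Where-Object DnsInstalled |
    Select-Object Server, OS, DnsService, LatestHotfix, InstalledOn,
        @{ n = 'NeedsPatch'; e = { -not $_.InstalledOn -or $_.InstalledOn -lt $fixReleased } } |
    Sort-Object NeedsPatch -Descending |
    Format-Table -AutoSize

# Hosts that never answered may still be DNS servers (older OS, WinRM off): check them by hand.
$answered = $results | Select-Object -ExpandProperty PSComputerName -Unique
$candidates | Where-Object { $_ -notin $answered } | ForEach-Object { "Unreachable via WinRM: $_" }
```

Expect the unreachable list to contain the oldest servers in the estate; Windows Server 2003 hosts are unlikely to answer WinRM at all, and those are exactly the ones that most need a manual check and, ideally, retirement rather than patching.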

NIST Releases Draft SP 800-181 Revision 1 for Comment


The National Initiative for Cybersecurity Education (NICE) has released Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework). The NICE Framework is a fundamental reference for describing and sharing information about cybersecurity work in the form of Task Statements and as Work Roles that perform those tasks. In this revision, several updates have been made, including:
  • an updated title to be more inclusive of the variety of workers who perform cybersecurity work, 
  • definition and normalization of key terms,
  • principles that facilitate agility, flexibility, interoperability, and modularity,
  • introduction of competencies,
  • and more!
The public comment period is open through August 28, 2020. See the publication details for a copy of the document and instructions for submitting comments.