The “2019 IBM X-Force Threat Intelligence Index” highlighted a paradigm shift sparked by a new era of hardware security challenges. The exposure of critical hardware vulnerabilities that affected almost every endpoint built in the past 20 years forced enterprises and the security community to rethink the way they approach hardware security and its impact on the business.
Since the release of the Spectre/Meltdown vulnerabilities in January 2018, researchers have been uncovering new potential impacts while threat actors search for ways to exploit these significant hardware vulnerabilities and launch attacks on affected systems. The benefits of determining valid attack vectors are significant, since many organizations have struggled to effectively address Spectre and Meltdown.
Based on interest displayed in dark web forums and underground marketplaces, IBM X-Force Incident Response and Intelligence Services (IRIS) assessed that threat actors will continue to search for ways to leverage Spectre, Meltdown and other hardware vulnerabilities to steal data in the coming years. Security teams must continue to monitor this space for new research and vendor patches to minimize detrimental effects to their business.
The Paradigm Shift Catalyst: Spectre and Meltdown
In January 2018, researchers debuted three variants of critical hardware vulnerabilities affecting most popular processor chips released since the 1990s, naming them Spectre and Meltdown (two of the three variants were lumped under the name “Spectre,” and the remaining variant was called “Meltdown”).
Spectre and Meltdown leverage “speculative execution” to gain access to sensitive data that would otherwise reside in a device’s protected memory. Modern processor chips not only process the commands programs give them, but also attempt to preemptively process possible outcomes. By preprocessing possible decision paths, processors are able to send back solutions more quickly and thereby increase processing speeds significantly. Once a decision path is chosen, the processor usually ignores any other preemptively processed possibility. This discarded path is the key to speculative execution. Spectre and Meltdown leverage this discarded path to gain access to data that should otherwise be protected by security controls. Meltdown allows an attacker to gain access to “protected data” from anywhere on a machine — “melting” security boundaries, if you will — whereas Spectre is limited to revealing protected data from the same program.
This sounds a lot like a standard privilege escalation bug, so why are these vulnerabilities such a big deal? Securely coded applications rely on a number of assumptions, one of which is that protected data remains separate from other data. As a result, securely coded applications suddenly found themselves insecure because the rules had changed.
On top of this issue, patching Spectre and Meltdown initially proved to be difficult because early patches led to possible system failure on Windows machines. Finally, Spectre/Meltdown weren’t easily detected by static security controls or basic patching scans since the issue was below the operating system level, making the attempted exploitation of these vulnerabilities tough to observe. These elements combined made Spectre/Meltdown worrisome threats to reckon with upon release to the public.
Dark Web Research Reveals Continued Threat Actor Interest
Since information about these vulnerabilities was initially released, researchers have been working to discover new, similar ones. In November 2018, researchers from a number of universities published seven new Spectre/Meltdown variants using slightly altered parameters and techniques. Multiple other researchers have vowed to keep investigating other variants to take advantage of the same underlying flaws. In 2019, IBM research released two more variants of these flaws.
While researchers have been looking for new ways to exploit Spectre, Meltdown and similar vulnerabilities for the purpose of understanding them better and devising protection mechanisms, threat actors have been watching the advancements with bated breath, knowing that many users and even organizations delay patching or applying workarounds to production environments. Meanwhile, since January 2018, IBM X-Force has observed a large number of posts across criminal underground venues inquiring about Spectre/Meltdown and seeking additional information on how to determine whether a system is vulnerable as well as active ways to exploit these vulnerabilities.
Why Aren’t We Seeing Active Exploitation at Scale?
Given the clear threat actor interest in Spectre, Meltdown and similar hardware vulnerabilities, you might ask why we did not see more malicious activity attempting to exploit them in the past year. There are numerous possible explanations, some of which are listed below.
- Most threat actors may not know how to leverage Spectre/Meltdown. These vulnerabilities are highly technical, requiring a threat actor to have a deep understanding of hardware processing to effectively leverage them.
- Threat actors may not be motivated to create exploit code if they don’t already have a way to monetize the vulnerabilities. Spectre/Meltdown can be challenging to use in targeting specific data and often return a very limited subset of data from the flawed device. This data could be useful, but it is often too specific and wouldn’t provide a threat actor with something they could turn around and sell quickly. If there is little opportunity to make a fast profit, most financially motivated actors will choose to invest their time and research into weaponizing other vulnerabilities.
- Threat actors have figured out how to use Spectre and Meltdown but are finding too many already-patched systems. Given the high-profile nature of the Spectre/Meltdown release, many organizations may have already fixed the flaws, which can deter threat actors from investing too heavily into leveraging these vulnerabilities in environments they would consider lucrative enough to begin with.
- Threat actors could be leveraging Spectre/Meltdown, but current sensors are not observing the attempts. This collection gap might occur due to limitations on endpoint sensors that only look at threats at the operating system level and above, while these vulnerabilities occur at the hardware level.
In all likelihood, all of the above answers are, to some extent, correct. However, the first two are likely only temporary roadblocks. Given enough time, more threat actors are likely to figure out how to weaponize Spectre/Meltdown and, eventually, monetize its output effectively. Once a few actors figure it out, it might only take one leak of a working exploitation code or Spectre/Meltdown-leveraging tool in underground forums to open up these vulnerabilities for actors of any sophistication level to use.
Keys to Mitigation: Patching and Threat Intelligence
Hardware vulnerabilities are an issue that the security industry is only starting to see at scale, and we are only likely to encounter more of these in the future. Since these types of flaws can affect an extremely large population of devices on a global scale, it is all that much more important to keep an eye on them, prioritize them properly and patch promptly.
When Spectre/Meltdown were reported, vendors released a series of patches to mitigate potential impacts. However, patch fixes are still a work in progress, with some patches potentially reducing performance on Linux-based systems by double-digit percentages. Despite these issues, patching systems containing critical or highly sensitive data is still the best available solution until processor manufacturers issue hardware-level fixes.
Organizations should be sure to back up critical data prior to patch installation, ask vendors for best practices in patch application, test the patch first and be prepared to revert to prior builds if patches lead to unsustainable performance reduction.
Since Spectre and Meltdown require local access for exploitation, organizations should continue to focus on preventing threat actors from gaining a foothold in their network. By restricting remote execution and unauthorized access, organizations can do more to prevent threat actors from leveraging Spectre/Meltdown.
Most importantly, continue monitoring threat intelligence feeds for information about new hardware vulnerabilities. Open-source reporting often sensationalizes threats, but a good threat intelligence vendor will provide the nuances and explain the observed usage of a vulnerability (or lack thereof) by threat actors. Though hardware vulnerabilities will undoubtedly be an area of interest for threat actors in years to come, threat intelligence can help your team understand whether threat actors are actually capable of using a vulnerability that’s relevant to your organization and whether its use has already been observed in the wild.
Finally, a great way to stay one step ahead of threat actors is to conduct hardware penetration testing, especially when current-day flaws affect legacy systems that are hard to scan for issues and sometimes hard to patch. Plan periodic testing to examine exposure to vulnerabilities that could negatively affect your infrastructure and gain insight into aligning security controls to have vulnerable assets patched or covered.
Download the IBM X-Force Threat Intelligence Index Report – 2019
Senior Cyber Threat Intelligence Analyst - IBM