blog / Jan 10, 2018

A Spectre of Meltdowns Could be in Store for 2018, Including Fileless Malware Attacks and More Costly Bots

by Lori MacVittie

“The digital economy is firmly entrenched, and has an appearance that promises prosperity; but in this world, nothing can be said to be certain, except death, taxes, and vulnerabilities.”

With many apologies to Benjamin Franklin, to whom the original, unaltered quote on which this one relies is typically attributed.

Unlike the forecasts for snow in Wisconsin made by local meteorologists last month, the forecast for 2018 predicting more security incidents was not only accurate but proven true within the first week.

By now you’ve no doubt heard the warnings about “Meltdown” and “Spectre,”1 the ominous sounding names given to CVE-2017-5715,2 CVE-2017-5753, and CVE-2017-5754.3 According to the researchers, these bugs (we’re calling them bugs vs. vulnerabilities because they are design flaws) affect several families of processors in servers, desktops, and mobile devices and, if exploited, allow an attacker to access the memory of another process. For the sake of brevity, I’m not going to describe them in detail here. I will, however, make two points about their impact:

1. Basically, if something’s got a CPU, it’s probably vulnerable.

2. These bugs introduce a perfect opportunity for fileless malware attacks, a.k.a. “malware sans binary” or “malwareless” attacks, if you are following the latest terminology trend. Say an attacker compromises a host (tricks a user into giving up credentials, exploits the browser, compromises a web application vulnerability, etc.), but they don’t yet have privileged access. They could leverage these bugs to access the memory of a privileged user (root would be the obvious choice) and infect the host with a stream of binary data without a file, and not have to worry about obfuscating layers of a dropper or payload to bypass user escalation issues.

The usual exhortations to patch, PATCH NOW!, apply—along with the side note that this one is going to be messy. A reboot of all impacted systems is required here, and that often means slow adoption rates of patches on production systems that can’t sustain downtime or require long coordination periods before the patches can be applied. Both challenges magnify the importance of developing a repeatable patch strategy, and having a multi-layered security approach that should absolutely include a web application firewall (WAF) to block attacks on unpatched applications. But, a WAF is not going to cover your network equipment, endpoints, or the users of endpoints that could easily fall victim to a phishing attack that might end up leveraging these CVEs. So, patch far and wide, and force the necessary upgrades to your mobile devices.

Fileless malware is not a new threat, and it’s rightfully scary. Current host-based and network intrusion detection systems dependent upon detecting known malware files are not equipped to detect these types of attacks. You can create a reactive signature, but you won’t know what to base it on until after you are compromised and know what to look for. Fileless malware attacks currently can only be detected from a behavioral standpoint, which require a combination of experienced engineers using tools to help them notice anomalies in the way your systems or network typically behave.

It’ll Cost You Bit by Bit

After you’ve done everything right, you still must deal with the netizens who haven’t, and that list is growing week by week as new, unpatched systems flood the market.

There is a more insidious problem associated with vulnerabilities—particularly those that affect popular hardware platforms. Because after you patch your systems, you aren’t out of the woods with respect to them costing you time and money.

You see, automation is a wonderful thing. Since it was first introduced, it has been the catalyst that propels businesses to success. First in manufacturing and now in IT. Automation enables economies of scale and provides a solid foundation for optimization through the identification and elimination of defect-causing tasks and processes.

But it has also empowered attackers to seek out vulnerable platforms faster and with the same economy of scale. Leveraging vast legions of botnets built from vulnerable things and systems, attackers are able to use automation to scan the Internet faster, cheaper, and with greater success. Their digital minions are neither adorable nor do they sing cute songs, but they do consume traffic, and resources, and money.

Your traffic, resources, and money.

Even after you’ve patched, you still must deal with a veritable plague of bots seeking systems they can exploit—bots that chew up costly bandwidth and hog your connections and CPU cycles. Vulnerabilities pave the way for bot development and are wasting your money, literally bit by bit.

I can throw data from Distil Networks, from our own threat researchers, and a dozen other sources that will clearly show the majority of traffic today is driven by bots, not human beings. An increasingly scary percentage of those bots are bad.

In addition to being a good net neighbor by accomplishing our prior recommendations, it’s time you get proactive and seriously consider how you interact with traffic bound for your applications—whether in the public cloud or at home, on-premises. Because the sooner you can detect those annoying little bots, the less they will cost you in wasted bandwidth, capacity, and compute—all of which are real dollars on your balance sheet no matter where they are consumed.


MODIFIED: Jan 15, 2018

Tags: , , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.