Note: This blog is a revisit of our 2018 coverage of the Spectre and Meltdown vulnerabilities. You can read further in Meltdown and Spectre: the Story So Far.
In the past week, a security researcher discovered several working exploits for the infamous Spectre and Meltdown hardware vulnerabilities (known affectionately in some circles as ‘Smeltdown’), which caused widespread panic back in January 2018. The exploits had been uploaded to VirusTotal’s database in February, with one exploit for Linux reportedly allowing unprivileged users to read the contents of files that store user passwords on both Windows and Linux systems. The researcher who discovered the exploits, Julien Voisin, has claimed that the exploits had been thoroughly tested and were successful.
This blog looks at these two notorious vulnerabilities and their evolving impact on the media and the security community. Given the technical sophistication required to exploit Spectre and Meltdown, many organizations left these vulnerabilities unpatched to avoid reducing their machines’ capabilities. Three years later, a working exploit has finally been released and has returned the security community to its anxious state of 2018. Read on to find out why it’s essential to keep calm in times of common agitation.
The Meltdown vulnerability—tracked as CVE-2017-5754—breaks the mechanism that keeps applications from accessing arbitrary system memory, allowing an attacker to read system memory. Spectre—tracked under CVE-2017-5753 and CVE-2017-5715—tricks other applications into accessing arbitrary locations in their own memory. Both of these issues belong to the broader category of side-channel attacks.
You may be thinking that this is simply another one of the thousands of exploitable vulnerabilities currently in circulation, and in many ways you are right. Despite the discovery of these working exploits, the likelihood of these issues being exploited in the wild is still low, and much lower than for other bugs that have been highlighted in the last couple of weeks. If you’ve somehow missed it, you should prioritize patching the four Microsoft Exchange zero-days that are reportedly being used by multiple advanced threat groups in live attacks.
The technical demands on a threat actor wishing to exploit the bugs are significant, albeit slightly lower since the public exploits’ release. What made Spectre and Meltdown the talk of the town in 2018 was the enormous scale of potentially affected devices. These are hardware vulnerabilities in almost all modern processors, which could allow programs to steal data currently being processed on a computer. While programs are not normally permitted to read data from other programs, a malicious exploit could allow an actor to access sensitive data held in other running programs’ memory; data that could include passwords stored in a password manager or browser, personal photos, emails, or critical business documents.
Spectre and Meltdown’s names derive from the speculative execution process that all modern processors use to optimize performance. Speculative execution is an optimization technique in which a processor (CPU) performs work before it knows that work is needed, so that the result is ready if it is required.
The best analogy I have seen for this process is a chef cooking popular orders before customers request them. Optimization in this sense is based on the chef’s experience of what is likely to be ordered at certain times (hummus or yogurt all day, if you ask my 2-year-old). This lets the chef get through orders at a quicker rate. Speculative execution works similarly: your CPU anticipates what work you are likely to request next and performs it in advance.
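To make the "experience" in the chef analogy concrete, here is an added illustration in Python (not code from the ReliaQuest post): a toy two-bit saturating branch predictor, the classic textbook scheme a CPU uses to guess which way a branch will go so it can start executing down that path early. The predictor, the branch-outcome sequences and the starting state are all constructed for the example.

```python
# Added example (not from the ReliaQuest post): a toy 2-bit saturating-counter
# branch predictor, the "learn from past orders" mechanism that lets a CPU
# speculate down a branch before the condition has actually been evaluated.

from dataclasses import dataclass

@dataclass
class TwoBitPredictor:
    """One 2-bit saturating counter: states 0,1 predict 'not taken', 2,3 'taken'."""
    state: int = 2  # constructed starting point: weakly taken

    def predict(self) -> bool:
        return self.state >= 2

    def update(self, taken: bool) -> None:
        # Step one notch toward the observed outcome, saturating at 0 and 3.
        if taken:
            self.state = min(3, self.state + 1)
        else:
            self.state = max(0, self.state - 1)

def run_branch(outcomes: list[bool]) -> dict:
    """Feed a sequence of actual branch outcomes through the predictor.

    Returns the iterations on which the CPU would have speculated down the
    wrong path (work it then has to discard) and the overall prediction accuracy.
    """
    predictor = TwoBitPredictor()
    mispredicted = []
    for i, taken in enumerate(outcomes):
        if predictor.predict() != taken:
            mispredicted.append(i)
        predictor.update(taken)
    return {
        "total": len(outcomes),
        "mispredicted": mispredicted,
        "accuracy": 1 - len(mispredicted) / len(outcomes),
    }

# Constructed sample 1: a loop condition that holds 15 times and then fails,
# like the chef who has cooked hummus all day and is surprised by a new order.
TRAINING_THEN_SURPRISE = [True] * 15 + [False]

# Constructed sample 2: a strictly alternating branch, which a single counter
# can never learn; half of its guesses are wrong.
ALTERNATING = [True, False] * 4

if __name__ == "__main__":
    for name, seq in (("training then surprise", TRAINING_THEN_SURPRISE),
                      ("alternating", ALTERNATING)):
        r = run_branch(seq)
        print(f"{name}: {r['accuracy']:.1%} correct, mispredicted at {r['mispredicted']}")
```

The interesting output is the mispredicted iterations: each one is a stretch of instructions the processor executed on a guess and then threw away, exactly the work the chef wasted on a dish nobody ordered.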
Despite the low probability of the vulnerabilities being targeted in live attacks, their discovery initially resulted in quite a media frenzy over the susceptibility of all modern CPUs (in PCs, tablets, and smartphones alike) to such a fundamental flaw. Some of the somewhat fantastical reporting contributed towards a rushed and botched response to mitigating the vulnerabilities in many ways.
Early software patches for the pair were rife with optimization problems, leading to performance regressions for several reasons. Patches were applied to systems immune to specific variants, and microcode and operating system updates often conflicted with each other, with the ultimate effect of causing system instability, particularly on Windows systems.
Performance Impact:
Performance impact was a massive bone of contention, with figures of 5-30% being quoted by many technology news websites. The actual impact depended on many factors, including the workload and the type of CPU the patch was applied to, and was likely far lower. Some researchers have since suggested that the performance impact was negligible.
System Instability:
Performance impact wasn’t the end of it, though. Microsoft’s initial patches created system instability. As a result, Microsoft’s update ended up blacklisted on some third-party antivirus systems, with the patch causing Blue Screen of Death (BSOD) and boot-loop issues on some AMD systems. Windows 10 users also could not defer the update, which ultimately caused Microsoft to withdraw the patch.
The update for Windows 7 and Server 2008 introduced an even more significant and more problematic vulnerability, aptly named “Total Meltdown.” The patch set memory permissions incorrectly, so that memory which should only be accessible to the kernel was mapped into every process running with user-level privileges. This allowed malicious programs to read the complete system memory at gigabytes per second, rather than the 120 KB/s that Meltdown itself is otherwise capable of. Research into the Windows 10 patches in April 2018 also found that they didn’t work and allowed a program to access the entire kernel page by calling a particular function called NtCallEnclave.
Intel’s updates didn’t fare much better: the first microcode updates caused random reboots, leading to a mass withdrawal of patches. Linux creator Linus Torvalds was particularly scathing about Intel’s patch, saying that it was “pure garbage” and did “insane things” to systems’ performance when applied. I can only imagine being the sysadmin who comes back from a few days off to find that the company has applied a patch that caused a 5-30% performance hit and introduced a more impactful and exploitable vulnerability.
Because of the problems described above with the initial updates for Spectre and Meltdown, many organizations will likely have skipped the Knowledge Base (KB) updates required to protect against these bugs. This is particularly the case for older operating systems, which would suffer the greatest decrease in system performance. The updates released for Spectre and Meltdown have been fine-tuned over the past three years. We advise that organizations apply the patches where possible, after routine local testing to determine any susceptibility to performance degradation.
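Two of the points above lend themselves to a concrete illustration, added here and not taken from the ReliaQuest post or any vendor tool. The first is the “Total Meltdown” condition: on x86-64, a page is reachable from user mode only if the User/Supervisor bit is set in the page-table entry at every level, so a kernel-half entry at the top level (PML4) carrying that bit is the permission mistake the paragraph describes. The second is the advice to check whether a host is actually protected: on Linux the kernel reports its own status under `/sys/devices/system/cpu/vulnerabilities/`, one file per issue (`meltdown`, `spectre_v1`, `spectre_v2`, and others), with values of the form `Not affected`, `Vulnerable[: detail]` or `Mitigation: <detail>`. The bit positions are the Intel SDM’s 4-level paging format; the page-table entries, indices and sysfs contents below are constructed sample data, since a real page table is not readable from user mode and the sandbox may not be Linux.

```python
# Added example (not from the ReliaQuest post). Part 1 decodes x86-64 page-table
# entries and flags the "Total Meltdown" condition; part 2 summarises the Linux
# kernel's self-reported Spectre/Meltdown mitigation status.
from pathlib import Path

# ---- Part 1: page-table permission bits (Intel SDM, 4-level paging) ----
PTE_PRESENT = 1 << 0   # P:   entry is valid
PTE_WRITE   = 1 << 1   # R/W: writable
PTE_USER    = 1 << 2   # U/S: reachable from ring 3 (needed at every level)
PTE_NX      = 1 << 63  # XD:  no-execute
ADDR_MASK   = 0x000FFFFFFFFFF000  # physical address, bits 12..51
KERNEL_HALF_START = 256  # PML4 indices 256..511 map the canonical upper (kernel) half

def decode(entry: int) -> dict:
    """Split a raw 64-bit entry into its permission flags and physical address."""
    return {
        "present": bool(entry & PTE_PRESENT),
        "writable": bool(entry & PTE_WRITE),
        "user": bool(entry & PTE_USER),
        "nx": bool(entry & PTE_NX),
        "phys": entry & ADDR_MASK,
    }

def audit_pml4(pml4: dict[int, int]) -> list[int]:
    """Indices of present kernel-half PML4 entries that carry U/S.

    A supervisor-only bit at this level alone stops user mode, which is why
    a single wrong bit here exposes everything beneath it."""
    return [
        index for index, entry in sorted(pml4.items())
        if decode(entry)["present"] and index >= KERNEL_HALF_START and decode(entry)["user"]
    ]

# Constructed sample page table (indices and addresses are made up).
SAMPLE_PML4 = {
    0x000: 0x0000000012345000 | PTE_PRESENT | PTE_WRITE | PTE_USER,  # user half: U/S expected
    0x1F0: 0x0000000023456000 | PTE_PRESENT | PTE_WRITE | PTE_USER,  # kernel half with U/S: the defect
    0x1FF: 0x0000000034567000 | PTE_PRESENT | PTE_WRITE | PTE_NX,    # kernel half, supervisor-only: correct
}

# ---- Part 2: Linux sysfs mitigation status ----
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def classify(status: str) -> str:
    """Map one sysfs value to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def summarise(statuses: dict[str, str]) -> dict:
    """Group issues by classification; the 'vulnerable' list is the work queue."""
    out = {"not_affected": [], "mitigated": [], "vulnerable": [], "unknown": []}
    for name, status in sorted(statuses.items()):
        out[classify(status)].append(name)
    return out

def read_sysfs(directory: Path = SYSFS_DIR) -> dict[str, str]:
    """Collect the live values on a Linux host; empty dict on other systems."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}

# Constructed sample in the kernel's format (the spectre_v2 line is made up).
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "l1tf": "Not affected\n",
}

if __name__ == "__main__":
    for index in audit_pml4(SAMPLE_PML4):
        f = decode(SAMPLE_PML4[index])
        print(f"PML4[{index:#05x}] maps kernel-half memory at {f['phys']:#x} with U/S set")
    live = read_sysfs()
    report = summarise(live if live else SAMPLE_SYSFS)
    print("source:", "live sysfs" if live else "constructed sample")
    for bucket, names in report.items():
        print(f"{bucket:>13}: {', '.join(names) or '-'}")
```

Run on a Linux host the script reports the kernel’s own view of the mitigations; anything in the `vulnerable` bucket is a host that still needs the patch or microcode the paragraph recommends applying after local testing. On Windows the equivalent check is Microsoft’s SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which is not reproduced here.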
While the risk of Spectre/Meltdown is low, other side-channel attacks will likely exist for many years to come. The vulnerabilities represent a snapshot of broader hardware problems associated with modern CPUs. There will likely be fundamental changes to CPU design in future computers; in the past year, Intel has confirmed its new Tiger Lake processors will be exempt from these types of attacks. While applying patches may feel like using a sticky plaster at this time, it remains the best option we have available.
It’s been three years since security researchers initially disclosed the bugs. In that time, there hasn’t been a single example of the bugs being exploited in live attacks. There are fundamentally easier ways for a credible threat actor to intrude into targeted networks or attempt to steal data. While the discovery of working exploits has raised the risk associated with Spectre and Meltdown, it’s still unlikely that these will become a common attack vector. Threat actors and groups will always take the path of least resistance, aiming for the most significant gain for the least effort.
The vulnerabilities also offered an excellent opportunity to look back and recognize the importance of remaining calm in the face of fantastical reporting. Not everything that is released will end up being a world-changing event, and we should always take a risk-based approach to the remediation of cyber threats and vulnerabilities. Prioritize issues that are both likely to be exploited and likely to cause the most significant impact, and be less concerned with the largely hypothetical threats that are yet to be targeted in the wild.
If you’d like a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a picture of your network exposure in real time. Request a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.
If you are a SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) user already, you can enrich these CVEs with data from Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) including TTPs utilized, threat actors involved in exploitation, linked Intelligence updates, and sightings from across the open, deep, and dark web.