Cyber Security

GOT(IT) #30: FBI seizes Russian botnet, researchers bypass AMD SEV virtual machine encryption, plus a Z-Wave IoT attack.

We’ve hit three decades of Got(IT)! Well, ok, thirty posts, not years, but we will get there!

GOT(IT) #30 already? After thirty security recaps and a year of covering the week's vulnerabilities and threats, we've learned that there's no rest for DevOps, and this week is no different! Grab a cup of coffee, check whether you have any wireless device that speaks the Z-Wave protocol, and reboot all your routers!

FBI Seizes Russian Botnet That Hit the DNC


Remember the breach of the Democratic National Committee during the 2016 elections, linked to the Russian hacking group Fancy Bear? This past week, the FBI managed to seize over 500,000 hacked routers from the Kremlin's botnet in its pursuit of the malware called VPNFilter.

This malware struck 54 countries, infecting the routers of officials and ordinary residents alike through vulnerabilities in Linksys, MikroTik, NETGEAR, and TP-Link devices. After breaching these devices, the malware installs plugins that allow the attackers to eavesdrop on the victim's traffic and target industrial network infrastructure.

With the routers at hand, the bureau identified a key weakness in VPNFilter's plugins: all of them disappear when the router is rebooted. The core malware code does survive a reboot, but the FBI worked on getting its hands on the malicious domain that reactivates the infection after a reboot, crippling that process.

So, in a nutshell… Reboot your routers!


AMD’s SEV Virtual Machine Encryption Cracked


Virtual machines are at risk once again. The Fraunhofer Institute for Applied and Integrated Security in Munich has discovered a flaw in AMD's Secure Encrypted Virtualization (SEV) that could allow the recovery of any guest VM's memory in plaintext.

The flaw, named SEVered, exploits the lack of integrity protection in the page-wise encryption of main memory to extract its contents in plaintext form.

The paper details: “While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.

“This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside.”

“We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM’s memory in plaintext.”

The researchers suggested that AMD isolate the transition process to mitigate the SEVered attack, or, as a quicker fix, protect each page's content with its guest-assigned GPA.
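To make the mechanism in the quoted passage concrete, here is an added toy model (it is not code from the SEVered paper, from Fraunhofer AISEC, or from AMD). It assumes, as a simplification, that baseline per-page encryption is keyed per VM and tweaked by the host physical address, so a page decrypts correctly wherever the host maps it; the "mitigation" mode instead tweaks by the guest physical address, which is the quick fix the researchers proposed. The SHA-256 keystream, the page size, the guest layout and the secret are all constructed stand-ins.

```python
import hashlib
import secrets

PAGE = 16  # toy page size in bytes (a real page is 4 KiB)


def keystream(key: bytes, tweak: int) -> bytes:
    """Toy per-page keystream: a stand-in for SEV's per-VM AES with a per-page tweak."""
    return hashlib.sha256(key + tweak.to_bytes(8, "big")).digest()[:PAGE]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Hypervisor:
    """Untrusted host: owns physical RAM and the SLAT table (GPA -> HPA).
    It never learns the VM key, but it can rewrite the mapping at will."""

    def __init__(self, slat: dict):
        self.ram = {}      # hpa -> encrypted page
        self.slat = slat   # gpa -> hpa


class GuestVM:
    def __init__(self, hv: Hypervisor, tweak_by_gpa: bool):
        self.hv = hv
        self.key = secrets.token_bytes(32)  # VM memory key, opaque to the HV
        self.tweak_by_gpa = tweak_by_gpa

    def _tweak(self, gpa: int, hpa: int) -> int:
        # Model assumption: baseline encryption is bound to the host physical
        # address; the mitigation binds it to the guest physical address.
        return gpa if self.tweak_by_gpa else hpa

    def write(self, gpa: int, plaintext: bytes) -> None:
        hpa = self.hv.slat[gpa]
        padded = plaintext.ljust(PAGE, b"\0")
        self.hv.ram[hpa] = xor(padded, keystream(self.key, self._tweak(gpa, hpa)))

    def read(self, gpa: int) -> bytes:
        hpa = self.hv.slat[gpa]
        return xor(self.hv.ram[hpa], keystream(self.key, self._tweak(gpa, hpa))).rstrip(b"\0")

    def serve(self, resource_gpa: int) -> bytes:
        """In-VM service (e.g. a web server) returning the page that backs a public resource."""
        return self.read(resource_gpa)


RESOURCE_GPA, SECRET_GPA = 0x1000, 0x2000   # constructed guest layout
SECRET = b"SECRET=hunter2"                  # constructed sample secret


def severed_demo(tweak_by_gpa: bool) -> dict:
    """Run the honest request, then the request after the host remaps the SLAT entry."""
    hv = Hypervisor(slat={RESOURCE_GPA: 0xA, SECRET_GPA: 0xB})
    vm = GuestVM(hv, tweak_by_gpa)
    vm.write(RESOURCE_GPA, b"index.html page")
    vm.write(SECRET_GPA, SECRET)
    honest = vm.serve(RESOURCE_GPA)
    # The host points the public resource's GPA at the frame holding the secret.
    hv.slat[RESOURCE_GPA] = hv.slat[SECRET_GPA]
    remapped = vm.serve(RESOURCE_GPA)
    return {"honest": honest, "remapped": remapped, "leaked": remapped == SECRET}


if __name__ == "__main__":
    for mode in (False, True):
        print("GPA-bound" if mode else "HPA-bound", severed_demo(mode))
```

In HPA-bound mode the remapped request hands back the secret page in plaintext, because the ciphertext decrypts correctly at whatever guest address the host exposes it. In GPA-bound mode the same remap yields garbage, since the page was encrypted under its original guest address; that is the property a guest-assigned-GPA binding restores, and it is also why integrity protection, not just confidentiality, matters for memory encryption.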


Z-Wave Downgrade Attack, a Major IoT Risk at Home

IoT and security have never paired well. The unstoppable trend has faced security issues since day one, and it is still at an extremely vulnerable stage, receiving little attention from manufacturers and regulators alike.

UK research team PenTest Partners discovered a flaw in the Z-Wave protocol, a radio-frequency communication technology used by many home devices for remote pairing.

Z-Wave recently received a security update in the form of its S2 security framework, after S0 was found to be extremely vulnerable. However, even after this mandatory update rolled out, most devices still support the older version for compatibility, and if an S2 device needs to connect to an S0 device, the former pairs as S0 to avoid compatibility issues.

PenTest Partners exploited this with a mechanism that successfully forced compatible devices to downgrade the pairing security from S2 to S0, using the unencrypted and unauthenticated security class in the node info command.

This downgrade attack, dubbed Z-Shave, allows attackers in range to easily exploit S0’s known vulnerabilities to intercept key exchanges and obtain remote control of the connected devices.

Silicon Labs, owner of Z-Wave, defended S2's strength and argued that full adoption was not possible all at once, so a compatibility option was necessary for the roll-out of the new protocol.


This time, the good old ‘turning it OFF and ON again’ could save your network from a botnet!

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.