The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good

According to a report from the U.S. Department of Justice, a United States District Judge sentenced a man who operated multiple distributed denial of service (DDoS) facilitation websites to 24 months in federal prison.

This sentencing follows a nine-day trial that took place in September 2021, when a federal jury found this threat actor guilty of one count of conspiracy to commit unauthorized impairment of a protected computer, one count of conspiracy to commit wire fraud, and one count of unauthorized impairment of a protected computer.

The threat actor ran AmpNode and DownThem, two websites that allowed users to pay to launch DDoS attacks. While they were active, AmpNode offered server hosting to customers; these servers could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” that users could leverage. DownThem, meanwhile, operated on a subscription model, allowing subscribers to launch DDoS attacks directly.

According to records recovered by authorities, many of AmpNode’s customers were using the website to offer for-profit DDoS services themselves. DownThem had over 2,000 registered users and had launched over 200,000 attacks on homes, schools, universities, municipal and local government websites, and financial institutions around the world.

In a sentencing memorandum, prosecutors commented that this malicious attacker “ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers. He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

This sentencing is a win for the FBI’s Cyber Initiative and Resource Fusion Unit, its Anchorage field office, and their cybersecurity partners in the private sector. It may also bring some closure to the hundreds of thousands of victims targeted by the threat actor’s paying users.

The Bad

Researchers this week have disclosed details of a new class of side-channel attacks against Intel and AMD CPUs that they say could allow remote attackers to steal cryptographic keys and other data from servers.

Previous work on power-analysis attacks had shown that CPUs could ‘leak’ secret data if attackers could measure the power a CPU consumes while processing known data values. The problem was not considered particularly worrisome, however, because until now it was thought that a remote attacker had no practical means of measuring power consumption of a CPU as it processed data. Hertzbleed, as the vulnerability has been dubbed, offers just such a means.

The researchers exploited a feature common to all modern AMD and Intel CPUs called “dynamic voltage frequency scaling” (DVFS). In a nutshell, DVFS adjusts the CPU’s frequency (and voltage) in response to its power draw and temperature, a feature chip manufacturers implement to keep CPUs within power and thermal limits under heavy load. Because the power a CPU draws depends on the data it is processing (for example, on how many bits are set in the operands being worked on), the frequency, and with it execution time, becomes data-dependent as well.

Since CPU frequency is data-dependent, the researchers say, a remote attacker can send specially crafted queries and infer the server’s CPU frequency from the differences in response times: a change in frequency shows up directly as a change in how long the server takes to answer.

In a blog post describing Hertzbleed, the authors claim that “In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.”

While admitting that practical exploits through a frequency side channel are currently unlikely, the researchers argue that Hertzbleed shows the current ‘best practice’ guidelines developers follow to mitigate timing attacks are no longer sufficient on their own.
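As an added illustration, not code from the Hertzbleed authors or from this post, the block below shows the kind of ‘best practice’ the previous paragraph refers to (assumed here to mean constant-time programming): a constant-time comparison beside the early-exit comparison it replaces. The instrumented step counter shows the classic timing leak that constant-time code removes, where the amount of work depends on the position of the first mismatch. The Hamming-weight helper shows the quantity Hertzbleed ties to power draw and therefore to DVFS frequency: even though the constant-time loop always performs the same number of steps, the power it draws while touching low-weight versus high-weight bytes differs, so a fixed instruction count no longer guarantees a fixed execution time on a DVFS-governed CPU. The secret tag, the all-zero and all-ones inputs, and the function names are constructed for this example; the code models the reasoning and does not measure real hardware frequency.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not from the page): a 16-byte secret tag and two
   candidate inputs of extreme Hamming weight. */
static const uint8_t SECRET_TAG[16] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xb6, 0x1f,
    0xd3, 0x6e, 0x20, 0xf4, 0x85, 0xc9, 0x0b, 0x7d };
static const uint8_t ZEROS[16] = { 0 };
static const uint8_t ONES[16]  = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                                   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

/* Early-exit comparison: the pattern constant-time guidance tells developers
   to avoid. Returns 1 if equal. If steps is non-NULL it receives the number of
   byte comparisons performed, which depends on where the first mismatch sits:
   that is the classic remote timing leak. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = n;
    return 1;
}

/* Constant-time comparison: always touches every byte and takes no
   data-dependent branch, so the instruction count is fixed at n. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    if (steps) *steps = n;
    /* Branch-free conversion: 1 iff diff == 0. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Number of set bits across the buffer. In the Hertzbleed model this is the
   kind of data property that drives power draw, and through DVFS the
   frequency, even when the instruction sequence is identical. */
unsigned hamming_weight(const uint8_t *buf, size_t n) {
    unsigned w = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = buf[i];
        while (b) { w += b & 1u; b = (uint8_t)(b >> 1); }
    }
    return w;
}

/* Helper: build a guess that matches SECRET_TAG up to position pos and
   differs there (pos >= 16 means a fully correct guess), then return how many
   steps the chosen comparison took. */
size_t steps_for_mismatch_at(size_t pos, int constant_time) {
    uint8_t candidate[16];
    size_t steps = 0;
    memcpy(candidate, SECRET_TAG, sizeof candidate);
    if (pos < sizeof candidate) candidate[pos] ^= 0x01;
    if (constant_time) ct_compare(SECRET_TAG, candidate, sizeof candidate, &steps);
    else               leaky_compare(SECRET_TAG, candidate, sizeof candidate, &steps);
    return steps;
}

int main(void) {
    for (size_t pos = 0; pos <= 16; pos += 4)
        printf("mismatch at %2zu: leaky steps=%2zu  constant-time steps=%2zu\n",
               pos, steps_for_mismatch_at(pos, 0), steps_for_mismatch_at(pos, 1));
    printf("Hamming weight: all-zero input=%u, all-ones input=%u (same step count)\n",
           hamming_weight(ZEROS, 16), hamming_weight(ONES, 16));
    return 0;
}
```

The early-exit loop leaks the mismatch position through its step count, which is what constant-time comparison fixes. Hertzbleed’s point is that the constant-time loop still draws different amounts of power depending on the Hamming weight of the bytes it processes; on a DVFS-governed CPU that difference surfaces as a frequency change, and so as a timing difference a remote attacker can observe over many requests.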

Intel has published updated guidance for developers in light of the research, while AMD had yet to respond at the time of writing. Hertzbleed is tracked as CVE-2022-23823 (AMD) and CVE-2022-24436 (Intel).

The Ugly

Security researchers have identified “WannaFriendMe,” a new variant of Chaos ransomware that disguises itself as Ryuk ransomware, with one major twist: the operator behind it was selling the ransomware’s decryptor on the online gaming platform Roblox.

Chaos itself has been around for a while: in June 2021, a threat actor began selling the Chaos ransomware builder, which lets cyber criminals set their own ransom note, encrypted file extension, and other options to produce customized ransomware.

Post-encryption, WannaFriendMe victims see a ransom note instructing them to buy the threat actor’s decryptor tool from the Roblox Game Pass store using Roblox’s in-game Robux currency. Once a victim buys the decryptor from the threat actor (who used the Roblox username “iRazorMind”), they are told to contact the threat actor with proof of purchase to recover their files.

However, victims who follow the ransom note’s instructions are unlikely to recover their data. Chaos ransomware variants typically do not encrypt files larger than 2 MB at all; they overwrite them with random data, which cannot be reversed by any decryptor. Only files smaller than 2 MB are actually encrypted and therefore potentially recoverable.

At the time of publication, Roblox had given a public statement to the media, saying “Roblox maintains many systems to keep our users safe and secure, and while this case did not relate to any exploit or vulnerability on Roblox, we have taken swift action to remove the Game Pass in question and we have permanently removed the account responsible for a breach of our Terms of Service.” Roblox has removed the decryptor listing from its storefront and banned the account that hosted it.

Although Roblox has thankfully acted to stop this abuse of its platform, it is disheartening to see cyber criminals exploit a platform built for young users as the payment channel for attacks that destroy data and leave victims with no realistic path to recovery.