Threat Research

Meltdown/Spectre Update

By FortiGuard SE Team | January 30, 2018

Earlier this month, three major chip manufacturers announced that vulnerabilities known as Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754) affected processors deployed in millions of devices. 

For the past year or so, FortiGuard Labs has been tracking the efforts of cybercriminals to develop new attacks designed to exploit known vulnerabilities. As detailed in our Fortinet Threat Report for Q2 of 2017, a full 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Even 10+ years after a flaw's disclosure, 60% of firms still see related attacks.

The rate at which the cybercriminal community is targeting known vulnerabilities is clearly accelerating, with the WannaCry and NotPetya exploits serving as perfect examples of the need to patch vulnerable systems as soon as possible. That is why our concerns were raised when we recently learned about some of the largest vulnerabilities ever reported – ones that affect virtually every processor developed since 1995 by chip manufacturers Intel, AMD, and ARM.

We aren’t the only ones concerned. Others in the cybersecurity community have clearly taken notice, because between January 7 and January 22 the research team at AV-Test discovered 119 new samples associated with these vulnerabilities. FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof-of-concept code. The other 17 percent may not have been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.

AV-Test graph showing the exponential growth of detected malware targeted at Meltdown and Spectre

One of the key challenges with addressing the Meltdown and Spectre vulnerabilities – besides the fact that the affected chips are already embedded in millions of devices running in home or production environments – is that developing a patch that resolves their exposed side-channel issues is extremely complicated. In fact, Intel just announced that they have had to pull their latest patch because it led to a reboot issue on some devices where it had been applied.

That is why, in addition to establishing an aggressive and proactive patch-and-replace protocol, it is essential that organizations have layers of security in place designed to detect malicious activity and malware, and to protect vulnerable systems.
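A patch-and-replace protocol is only as good as its verification step. The following is an added example, not part of the original post or Fortinet's tooling: it reads the per-issue status files that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities (meltdown, spectre_v1, spectre_v2) and reports whether each of the three CVEs named above is mitigated, still vulnerable, or unknown (file missing, e.g. an older kernel). The SAMPLE_SYSFS values are constructed for offline runs.

```python
"""Report Meltdown/Spectre mitigation status from the Linux kernel's sysfs.

Each file under the vulnerabilities directory holds one line that is
"Not affected", "Vulnerable[: detail]" or "Mitigation: <name>".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Kernel file name -> CVE, using the identifiers given in the article.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}
# Constructed sample of sysfs contents (a partially patched host), used
# when the real directory is not present so the script runs anywhere.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": None,  # file missing on this (hypothetical) kernel
}

def classify(raw):
    """Map one sysfs line to (status keyword, detail text)."""
    if raw is None:
        return "unknown", "sysfs entry missing (kernel older than 4.15 or not Linux)"
    text = raw.strip()
    if text == "Not affected":
        return "not_affected", text
    if text.startswith("Mitigation:"):
        return "mitigated", text[len("Mitigation:"):].strip()
    if text.startswith("Vulnerable"):
        return "vulnerable", text
    return "unknown", text

def read_sysfs(sysfs_dir=SYSFS_DIR):
    """Read the three files; a missing file yields None so classify() flags it."""
    return {name: (Path(sysfs_dir) / name).read_text()
            if (Path(sysfs_dir) / name).exists() else None for name in ISSUES}

def summarize(raw_map):
    """Return ({issue: (cve, status, detail)}, needs_action) where needs_action
    is True if any issue is still vulnerable or could not be determined."""
    report = {name: (cve,) + classify(raw_map.get(name)) for name, cve in ISSUES.items()}
    needs_action = any(s in ("vulnerable", "unknown") for _, s, _ in report.values())
    return report, needs_action

if __name__ == "__main__":
    report, needs_action = summarize(read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE_SYSFS)
    for name, (cve, status, detail) in report.items():
        print(f"{name:10} {cve}  {status:13} {detail}")
    raise SystemExit(1 if needs_action else 0)
```

The non-zero exit code on any vulnerable or unknown entry lets the script double as a fleet-wide compliance check under a configuration-management or monitoring agent.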

Fortinet Antivirus Signatures for Meltdown and Spectre

The FortiGuard Labs team is actively working to protect customers and organizations from any exploits that might emerge that target these vulnerabilities. We have released the following set of antivirus signatures to address all Meltdown and Spectre samples that have been discovered thus far. As always, we will continue to monitor this situation and provide updates as they become available.

Riskware/POC_Spectre

W64/Spectre.B!exploit

Riskware/SpectrePOC

Riskware/MeltdownPOC

W32/Meltdown.7345!tr

W32/Meltdown.3C56!tr

W32/Spectre.2157!tr

W32/Spectre.4337!tr

W32/Spectre.3D5A!tr

W32/Spectre.82CE!tr

W32/MeltdownPOC


Other research from Fortinet FortiGuard Labs on this topic:

Fortinet Advisory on New Spectre and Meltdown Vulnerabilities

Into the Implementation of Spectre

Dr. StrangePatch or: How I Learned to Stop Worrying (about Meltdown and Spectre) and Love Security Advisory ADV180002
