Although it took a while for a first exploit for the processor vulnerability known as Spectre to surface, one has now been spotted in the wild.
Spectre first became public in January 2018. The vulnerability is highly complex and is tied to the mechanism that gives modern CPUs their high performance: the processor uses otherwise idle execution resources for speculative calculations, i.e. tasks it will probably need to complete shortly. When the program then requires them, the results are already available. This can speed up processing by up to a third.
The same mechanism is also open to attackers, who can use it to reach the innermost areas of memory and read sensitive information such as passwords or cryptographic keys from main memory. Until now, such attacks have been limited to security research and proof-of-concept malware; they are very difficult to implement.
Origins in a penetration-testing tool
Only now has an exploit been discovered that was not part of research. French security specialist Julien Voisin found it, The Record reports. The malicious code had been uploaded to the VirusTotal malware analysis platform, where security professionals can now examine it further. This allowed the origin of the code to be identified quickly.
The exploit was not written entirely by criminal organisations. The actual code that exploits the vulnerability comes from Immunity, which has offered it for some time as part of its CANVAS penetration-testing toolkit. What is now circulating in the wild is most likely a cracked version of this exploit that can also be used without the Immunity product. The cracked versions have been available in closed Telegram groups since October of last year.
From this limited environment they leaked and have since been circulating through other channels. It is likely that the code will soon turn up in run-of-the-mill malware. Ransomware groups in particular could be interested in the exploit: it might let them steal data and demand ransom for it. Because there is no easy fix for Spectre, users should make sure they install the latest patches from their system's manufacturer; CPU manufacturers also keep releasing new microcode updates to hold attackers at bay.
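A practical way for an administrator to verify that the patches and microcode updates mentioned above have actually taken effect is to read the status the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities. The following script is an added example, not code from the article or from any of the parties it names; it assumes the kernel's documented value formats ("Not affected", "Vulnerable...", "Mitigation: ...") and uses a constructed sample directory when the interface is not present.

```shell
#!/bin/sh
# Added example (not part of the original article): report the Spectre
# mitigation status a Linux kernel exposes under
# /sys/devices/system/cpu/vulnerabilities/spectre_v1 and spectre_v2.
# Assumes the documented value formats "Not affected", "Vulnerable..." and
# "Mitigation: ..."; any other text is reported as UNKNOWN.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status <sysfs line>: print MITIGATED, VULNERABLE or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo MITIGATED ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# report_spectre_status [dir]: print "<name> <status> <raw text>" for each
# spectre_* file. Exit status: 0 = all mitigated, 1 = something vulnerable,
# 2 = interface missing (kernel too old, or not Linux).
report_spectre_status() {
    dir="${1:-$VULN_DIR}"
    [ -d "$dir" ] || { echo "no sysfs vulnerability interface at $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/spectre_*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        [ "$status" = VULNERABLE ] && rc=1
        printf '%s %s %s\n' "$name" "$status" "$raw"
    done
    return "$rc"
}

# make_sample_dir: constructed sample emulating a host with spectre_v1
# mitigated but spectre_v2 still vulnerable. The strings illustrate the
# kernel's documented formats; they were not captured from a real machine.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone use: check the running kernel if it exposes the interface,
# otherwise demonstrate on the constructed sample.
if [ -d "$VULN_DIR" ]; then
    report_spectre_status "$VULN_DIR" || echo "exit status $?: review the lines marked VULNERABLE" >&2
else
    report_spectre_status "$(make_sample_dir)" || :
fi
```

A non-zero exit status makes the check usable from configuration-management or monitoring jobs; a host that reports VULNERABLE after a reboot has typically not received the microcode update or has the mitigation disabled on the kernel command line.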