Downfall and zero-day exploits, what you should know — #98
How cyber security and geopolitics go together
It is already time for another strategic deep dive, and we're moving from military coups to cyber security ...
Let's jump right into it: Did you hear about Downfall last week?
Sounds like a dystopic movie title.
Even I would have missed it without my friend Stefan sending me a link, so I guess most of you are new to this event.
(Also, sharing news or tips you think should be featured in these newsletters will give you lifelong luck and a Better Odds sticker).
So, Downfall ... What is it?
Intel — the company behind 60-70% of all computer processors (depending on how you count) — released fixes for a processor vulnerability affecting many models of its chips produced since 2015, some of which are still sold today.
The vulnerability, named 'Downfall' by its discoverer, Daniel Moghimi, a Google researcher, could be exploited to bypass barriers designed to keep data isolated and private on a computer system. Different programs running on the same processor have been able to view (some) information they shouldn’t have been able to. This could allow attackers to access sensitive data from victims, including financial details, emails, messages, passwords, and encryption keys.
This flaw has been especially problematic in environments for cloud computing, where many customers share the same hardware resources, including the same processors.
The technological aspects of Downfall
Downfall occurs in chip code that uses an instruction known as 'Gather' to access data scattered in the system memory quickly. Intel calls the flaw 'Gather Data Sampling,' naming it after one of the techniques Moghimi developed to exploit the vulnerability.
The 'Gather' instruction made the Intel chips A LOT faster, and speed is critical when making competitive computer processors.
Intel's fix for the vulnerability can even be left disabled by users because of its potential performance impact on specific use cases (workloads), with some tests suggesting that the fix slows down the processor by 50%. However, Intel stated that most workloads have not shown reduced performance.
So, while the processors have been faster because of this method, it also — accidentally — made them less secure.
And while Downfall is currently known to impact only Intel chips, similar flaws might exist in processors made by other manufacturers. Moghimi stresses the importance of learning from this issue and investing significantly in verification processes.
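A defender-side check, added here as an example and not taken from the newsletter: on Linux the kernel reports the Downfall (Gather Data Sampling) mitigation state in sysfs, and this script classifies that report so you can tell whether a host took Intel's fix, is running without it, or cannot tell (as inside a VM). The status strings are the ones the kernel emits; the bucket names and the handling of a missing sysfs entry are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the newsletter): classify the Gather Data Sampling
# (Downfall) status that the Linux kernel reports under
#   /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
# The status strings matched below are the kernel's; the bucket names
# (mitigated / vulnerable / not_affected / unknown) are this example's own.

# gds_classify STATUS -> prints one of: mitigated, vulnerable, not_affected, unknown
gds_classify() {
    case "$1" in
        "Mitigation: Microcode"*)      echo mitigated ;;    # incl. the "(locked)" variant
        "Mitigation: AVX disabled"*)   echo mitigated ;;    # no microcode: kernel turned AVX (and so Gather) off
        "Not affected"*)               echo not_affected ;;
        "Vulnerable"*)                 echo vulnerable ;;   # incl. "Vulnerable: No microcode"
        "")                            echo unknown ;;      # entry absent: kernel predates GDS reporting (assumed)
        *)                             echo unknown ;;      # e.g. "Unknown: Dependent on hypervisor status" in a VM
    esac
}

# gds_live [PATH] -> classification for this host; PATH defaults to the sysfs entry
gds_live() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"
    if [ -r "$f" ]; then
        gds_classify "$(cat "$f")"
    else
        gds_classify ""
    fi
}

# gds_check [PATH] -> exit 0 only when the host is mitigated or not affected
gds_check() {
    r="$(gds_live "$1")"
    echo "gather_data_sampling: $r"
    case "$r" in
        mitigated|not_affected) return 0 ;;
        *)                      return 1 ;;
    esac
}
```

Run `gds_check` on a fleet via your usual remote-execution tool and treat a non-zero exit as a host that still needs the microcode update or has opted out of it.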
Hard to detect, slow to mitigate
It is challenging to detect Downfall attacks. They primarily manifest as "benign software activity", and look like everyday computer activity. But a detection system that monitors hardware behaviour, like unusual cache activity, could potentially identify such attacks.
Moghimi disclosed Downfall to Intel a year ago, and these vulnerabilities are now released after a one-year-long embargo, giving Intel time to prepare fixes and roll them out before information about the vulnerability reaches the public.
Intel says it is complex to carry out Downfall attacks under real-world conditions. But Moghimi points out that he was able to develop proofs of concept for an attack in just a few weeks, suggesting that a motivated and well-resourced attacker could potentially exploit this flaw.
And while it would be time-consuming for an attacker to use the Downfall vulnerability, it allows an attacker to spy on processes and slowly develop a pattern or fingerprint of the data they are targeting, which could create a significant payoff despite the time investment.
Zero Day Exploits — An increasingly important concept to know
A zero-day vulnerability is a weakness in software that its developers have not yet discovered, and a zero-day exploit is a cyber attack that uses it before a fix exists. "Zero Day" refers to the developers having had "zero days" to fix the issue before it is actively exploited.
Knowing about a vulnerability not yet fixed by the developer is a free pass to access the systems or sensitive data disclosed by the flaw.
This is why some organisations operate under the assumption that their systems are breached, even without any proof of a breach.
The vulnerabilities can be used by private actors when committing crimes. Sometimes these hacker groups are state-sponsored, like the Russian hacker group APT28, also known as Fancy Bear. Or they provide “cyberattacks as a service” to anyone who pays them. But intelligence agencies, like the NSA or GRU, could also use the vulnerabilities to gather information with little effort.
With many actors interested in accessing these vulnerabilities, anyone who finds a security breach today can sell that information for heaps of money on the black market, instead of reporting it to the software developers.
The hope is that security researchers – like Daniel Moghimi – find the vulnerabilities and report them to the developers. But as you have learned already, that can take some time.
Unfortunately, Moghimi would probably make A LOT more money as a criminal hacker than he does in his job at Google. So the incentive system is a bit wacko, and we should all be very grateful for the people guided by doing what is right.
Side note: Black hat, white hat
One standard categorisation in cyber security, also used in adjacent fields, is the idea of hackers wearing the white hat (being a good guy) or the black hat (being a bad guy). This gives us white hat hackers – like Moghimi, and black hat hackers – who use the zero-day vulnerabilities to empty your bank account.
This terminology is also used in, as an example, psychological operations, where you have black psyops and white psyops. And grey, somewhere in-between.
The origin of these words, also present in modern terms like blacklist, is problematic, and some people think we should stop using these expressions. But that's a story for a different time.
Geopolitics are overtaking financial motivations
Zero-day exploits, and other cyber warfare tactics, have become increasingly common with the rising geopolitical tension globally.
According to the Google-owned threat intelligence and incident response firm Mandiant, attackers exploited 55 zero-day flaws in 2022. That was fewer than the 81 observed in 2021 but triple the number tracked in 2020 and higher than in previous years.
At the same time, Mandiant attributed only four zero-day exploits to financially motivated hacker groups in 2022, a decrease from 2021.
Why should you care about Downfall?
The general “keep your passwords secure and software updated” lesson applies to this situation. If you leave your door unlocked, you’re more likely to become collateral damage in a cyber attack.
Most companies spend large amounts on cyber security. However, complementing the cyber security focus with understanding the geopolitical components of your business risk becomes increasingly important.
The incentive for doing the wrong thing rises when uncertainty in society increases. This is not isolated to cyber crime — it’s a general trend. How a culture - societal or organisational - values and models ethical and moral behaviour and how we structure monetary and psychological incentives to “do the right thing” will matter more than ever.
That was all for today, I hope you learned something new.