cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mutin
Newcomer I

No compliance if known threat is not addressed

Compliance with GDPR, which is about Data Protection cannot be achieved if a threat to data is known but not addressed. That is exactly what happened with Malicious Hypervisor threat.

The history of the malware and the threat goes back to 2005/2006 when University of Michigan developed first proof of the concept so named VMBR (Virtual Machine Based Rootkit) hidden hypervisor. The article has been published and the material has been available on Microsoft site for a short time. The sponsors of the research were Intel, Microsoft, US National Science Foundation and DOD/DARPA/ARDA and do not provide project specific information. Such malware is very rare mentioned while Intel and AMD develop embedded security solutions (like Secure Boot or Platform Security Processor) for this threat in particular. There is only one published in 2011 blog evidence of MH found in the wild – first working as VMBR implementing software virtualization and over the time progressing to nested hypervisors capability.

The malware is hidden below system OS or hypervisor and undetectable from user OS. Its overhead is about 0.7%, so even by utilization measurements it cannot be detected as well. MH can access to any byte of OS, applications and any memory place. It can sustain reboot, shutdown and in some cases even complete power disconnection. Finally, it can create its own virtual hosts with specific malware, which thus undetectable as well or … simply destroy your system within seconds.

Unfortunately, InfoSec industry simply ignored the threat. There are various reasons for, but if anybody interested we can consider them separately from this post. Therefore, there is no commercial tool which would be able to detect MH. However, non-commercial HyperCatcher freeware has been developed by Rubos, Inc. and since the end of last year is available to download from www.rubos.com  This is the first software of such kind available to public.

Various materials including complete MH research article and other related publications and presentations are provided on the site.

Considering that MH threat exists, no one can claim compliance with security regulations like GDPR without running MH detection software whether HyperCatcher or anything else having such capability. Cannot see? It may still exist in your system for years.

2 Replies
Wayne_Evans
Newcomer III

Not sure I agree with your statements, and almost reads like an advert for the software rather than a discussion. Could also be scaremongering?

 

I believe there is more to compliance than a black and white if you have not this control so you cannot be compliant.  I know systems that have been assessed as compliant to various standards but don’t have this product.

 

You can never eliminate all risks; you just have to use risk assessments and conduct due diligence in suitable apply controls that will help reduce the risks to manageable levels.   

 

Would due diligence in a highly sensitive data processing solution perhaps cover the requirement to ensure the hypervisor level is clean? I would say maybe absolutely.

 

However, for, a small shop, that only contains and processes limited PII and has like 4/5 machines and limited technical capability. The requirement to deploy that specific software just to be compliant is well debatable.

 

What if the system is airgapped? Infected by the OEM or partner in the supply chain.  The malware cannot call home, what use is it? Effective DLP? The system then could then be compliant with regulatory and legal requirements such as GDPR. As mitigation for hypervisor layer malware has been implemented by isolation.  Again it only reduces the risk.

 

Further risk mitigation, most hypervisors are not internet connected, and often have some form of network segregated, more often than not VLANs (Not a security control VLAN hopping is simple etc.), but some places have a decent out of band management networks.

 

With other advancements such as shielded virtual machines further reducing the risks.  However, as I said, I do not think you can stipulate; you do not have or use this product (it being the only product that can detect MH), so you cannot be compliant otherwise there would be a line in the standards that says ensure product XXX is used/installed.   Then the law of capitalism will take hold, and there will be other vendors products that will very quickly be able to detect this malware.

 

Any tool that improves detection is useful, but to be frank - Viewing the website, the site, doesn’t fill me with confidence just from the look and feel of the site.  My 8-year-old could perhaps do a better designed and pleasing to the eye. No decision maker would consider using a bootable product like this on their hypervisor based on the look of that website.  

 

With the cyber-area 51 – section I think I also need a tin foil hat.

This is just my view on the matter; I expect there will be real experts on the matter.

Wayne

mutin
Newcomer I

Hello Wayne,

Her we are:

1. Not as advertising, however anything new reported in any article, and security tool in particular, sounds like as advertising. The SW IS NOT FOR PROFIT. Distribution of ANY threat information could be considered as scaremongering. OR better - as warning.

2. It depends on how you treat your system. If you have highly confidential info and do not check if you have a  rootkit, or got last six month AV not updated, then you are happy person. Each of those is a threat. MH is no difference. Feature could be devastating... As an example of compliance - US government requirement is ALL computers should be fixed to all issued alerts, and each which is not fixed should be reported. That means compliance. However, the reality is different ...

3. Manageable level or risk... well, try to identify that considering that both events' frequency is not known and the exposure as well. For any of known threats. How many instances of MH were distributed and where? When since 2007/2008 as the starting point? It is black cat in black room with multiple black holes to hide out. We basically have no experience, no information yet about anything associated with the threat. Including whether some system firmware contains hidden hypervisor.

4. Definitely, it is not about small shops. However, we have 40 million servers around the globe and 20 of them in the US. We have some work to do ...

5. What if the system is air-gapped? May be 1% of 40 million ... US government has that only for classified information within DoD (add to this list). The most vulnerable - industrial and financial system do not use them.

6. Mitigation, etc. That's all about "what if ...". Unlimited number of variations. May be discussed but not here and without any information as above basically is premature.

7. Concerning the site - it serves its purpose - to provide information. Looks different? We do independent research but not web design and sales. Limited scripts, active stuff etc. means less chance of hacking. If you have a site, take a look on the access log. Then think if any content management software is to be used.

However, you can help to improve if you have some time, but in pure html. We appreciate any help. Concerning the correlation between design and the software - that is philologically correct. But we do not want people with such sort of correlation downloading our software. That is different level. Who wants it will check our articles, DeepSec presentations, video on YouTube, etc. That is how our team is known. All we do is for high level professionals who do not mind reading 30 pages of boring text.

8. No, tin-foil hat won't help. Aliens are coming from Area 51! They've been residents there since 1950s. It is almost a joke. The rest you can get if you read the book entirely. Won't be wasted time.

 

Thanks a lot for your input! Highly appreciate your time! People rarely reply to posts, that is really sad.