Weissblick - Fotolia

Beware fake Meltdown and Spectre patches

Security experts have warned that cyber attackers will be quick to use the Meltdown and Spectre exploits, but the first attempt to capitalise on them has come in the form of fake updates

The first attempts by cyber attackers to use the Meltdown and Spectre exploits appear to be fake security updates to fix the flaws.

Researchers at security firm Malwarebytes have discovered a German-language website that appears to be government-backed and offer help on Meltdown and Spectre, but includes links to malware.

“While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity,” Jérôme Segura, lead malware intelligence analyst at Malwarebytes, wrote in a blog post.

The fake “sicherheit-informationstechnik.bid” site includes a link to a zip archive that claims to contain a patch for the recently disclosed exploits that affect most modern computing devices.

But the fake security update – Intel-AMD-SecurityPatch-10-1-v1.exe – is really a piece of malware called Smoke Loader that can retrieve additional payloads.

“Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information,” wrote Segura.

“The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update,” he said.

Malwarebytes notified Comodo and Cloudflare about the fake help website, which was taken offline within minutes, according to Segura.

“Online criminals are notorious for taking advantage of publicised events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise,” he said.

Read more about Spectre and Meltdown

Segura also cautioned organisations against taking any action when urged to perform an action by suppliers. “There is a chance that such requests are fake and intended to either scam you or infect your computer,” he said.

According to Segura, there are very few legitimate cases when suppliers will make direct contact to urge organisations to apply updates. In such cases, he said, organisations should always verify information via other online resources first.

Segura also warned that sites using SSL (HTTPS) are not necessarily trustworthy. “The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam,” he said.

Read more on Hackers and cybercrime prevention

Data Center
Data Management