French cybersecurity specialist Julien Voisin reported that in early February 2021, someone uploaded exploits for the Specter vulnerability to VirusTotal. This is the first time that a “combat” exploit for this problem has become publicly available.
As a reminder, the original Specter issue was discovered in 2018 along with the Meltdown bug. These fundamental flaws in the architecture of modern processors make it easy to break the isolation of the address space, read passwords, encryption keys, bank card numbers, arbitrary data of system and other user applications bypassing any security measures and on any OS.
In fact, three years ago, these issues forced processor manufacturers to rethink their approach to CPU design, making it clear that they should not focus on performance alone at the expense of security.
Soon after the discovery of Meltdown and Specter, information security specialists noticed that malware authors were actively experimenting with these vulnerabilities, and traces of this activity could be found on the network, and on VirusTotal in particular. Fortunately that finally researchers did not find any evidence of exploitation of both vulnerabilities.
Now, according to Voisin, the situation has changed. He writes that he discovered new and different exploits for Specter – one for Windows and one for Linux.
Voisin also hints that he understood who could be behind the creation of exploits. According to him, attribution in this case is very trivial, and blog readers will be able to guess everything on their own.
As a result, cybersecurity experts on Twitter and HackerNews conducted their own analysis and quickly discovered that the new Specter exploit could be a module for the CANVAS pentesting tool developed by Immunity Inc. Former head of Immunity Dave Eitel seems to be hinting at the same on Twitter, noting that the company advertised the module back in February 2018.
In addition, an anonymous source confirmed to The Record that a hacked version of Immunity CANVAS v7.26 was recently published on the hacker RAID forum along with cracked copies of White Phosphorus and D2 (two extension packs for CANVAS containing sets of exploits for various vulnerabilities). Among those vulnerabilities was the exploit for the problem CVE-2017-5715, which is named Specter.
It is known that hacked versions of this toolkit have been distributed on private Telegram channels since at least October 2020. Apparently, they were the source of the exploits uploaded to VirusTotal last month.
Let me remind you that I talked about the fact that for RECON vulnerability appeared PoC exploit.