BadRAM: attack using malicious RAM module | Kaspersky official blog

The BadRAM attack exploits a vulnerability in AMD EPYC processors, posing a significant threat to cloud providers and virtualization systems. It allows unauthorized access to encrypted data in virtual machines, although executing the attack requires physical access and high-level software privileges. Recent firmware updates have patched the vulnerabilities, enhancing security against such attacks.

Affected: AMD EPYC processors, cloud-solution providers, virtualization systems

Key points:

  • The BadRAM attack targets vulnerabilities in AMD EPYC processors.
  • It primarily threatens cloud-solution providers and virtualization systems.
  • Physical access to the server and high-level software access are required to execute the attack.
  • The attack bypasses Secure Encrypted Virtualization (SEV) protections.
  • Researchers modified the SPD chip of a memory module to execute the attack.
  • The attack allows malicious applications to read data from protected virtual machines.
  • Recent firmware updates have patched the vulnerabilities in AMD EPYC processors.
  • Intel’s TDX technology has similar protections against such attacks.
  • The concept of a trusted execution environment (TEE) is crucial for securing sensitive data.

MITRE ATT&CK tactics:

  • TA0001 – Initial Access: Physical access to the server is required to modify the SPD chip.
  • TA0002 – Execution: The modified memory module enables unauthorized access to protected data.
  • TA0003 – Persistence: Attackers can maintain access remotely after initial physical access.
  • TA0004 – Privilege Escalation: High-level software access is necessary to exploit the vulnerability.
  • TA0005 – Defense Evasion: The attack bypasses SEV protections and Secure Nested Paging detection.

Indicators of compromise:

  • [file name] SPD chip modification software
  • [other IoC] Modified memory module
  • [other IoC] Malicious application accessing virtual machine data
  • [other IoC] Firmware update for AMD EPYC processors
  • See the full article for all IoCs found
Full Research: https://www.kaspersky.com/blog/badram-cpu-attack/52849/