Thunderbolt waa is dhex galka summada hardware ee ay samaysay Intel . Waxay u shaqeysaa sidii isku xirka u dhexeeya kumbuyuutarka iyo aaladaha dibadda. Iyadoo inta badan kombiyuutarada Windows ay la yimaadaan dhammaan noocyada dekedaha, shirkado badan ayaa isticmaala Thunderbolt si ay ugu xiraan noocyada kala duwan ee qalabka. Waxay ka dhigaysaa isku xidhka mid sahlan, laakiin sida laga soo xigtay cilmi-baarista Jaamacadda Eindhoven^{(Eindhoven University)} ee Teknolojiyadda^(Technology) , amniga ka dambeeya Thunderbolt waa la jebin karaa iyadoo la adeegsanayo farsamo - Thunderspy . Maqaalkan, waxaanu kula wadaagi doonaa tabaha aad raaci karto si aad uga ilaaliso kumbuyuutarkaaga Thunderspy .

Waa maxay Tunderspy ? Sidee u shaqeysaa?

Waa weerar qarsoodi ah oo u oggolaanaya qofka weerarka geystay inuu galo gelitaanka xusuusta tooska ah ( DMA ) shaqeynta si uu u waxyeeleeyo aaladaha. Dhibaatada ugu weyn ayaa ah in aysan jirin wax raad ah oo ka tagay sida ay u shaqeyso iyada oo aan la geynin maskax kasta oo malware ah ama isku xirka sed. Waxay dhaafi kartaa hab-dhaqannada amniga ugu wanaagsan oo waxay qufuli kartaa kombiyuutarka. Haddaba sidee u shaqeysaa? Weerarku wuxuu u baahan yahay gelitaanka tooska ah ee kombiyuutarka. Sida laga soo xigtay cilmi-baarista, waxay qaadataa wax ka yar 5 daqiiqo iyadoo la adeegsanayo qalabka saxda ah.

Weeraryahanku wuxuu koobiyeeyaa Thunderbolt Controller Firmware ee aaladda isha aaladdiisa. Kadibna waxay isticmaashaa qalab firmware ah ( TCFP ) si ay u baabi'iso qaabka amniga ee lagu hirgeliyay Thunderbolt firmware. Nooca la bedelay ayaa dib loogu koobiyeeyay kumbiyuutarka lala beegsaday iyadoo la isticmaalayo aaladda Bus Pirate . Kadibna aaladda Thunderbolt -ku- saleysan waxay ku xiran tahay aaladda la weeraray. Kadib waxay adeegsataa aaladda PCILeech si ay ugu shubto kernel module kaas oo dhaafa shaashadda soo galitaanka Windows .

Sidaas darteed xitaa haddii kombuyuutarku leeyahay sifooyin ammaan sida Secure Boot , BIOS xooggan , iyo nidaamka hawlgalka koontada sirta ah, oo karti u leh sirta diskka buuxa, karti, weli way dhaafi doontaa wax walba.

TALO^(TIP) : Spycheck ayaa hubin doonta haddii PC-gaagu u nugul yahay weerarka Thunderspy .

Talooyin si aad isaga ilaaliso Thunderspy

Microsoft waxay ku talinaysaa^(recommends) saddex siyaabood oo looga ilaaliyo khatarta casriga ah. Qaar ka mid ah sifooyinkaan lagu dhisay Windows waa la faa'iidaysan karaa halka qaarna la awoodo si loo yareeyo weerarada.

• Ilaalinta PC-ga xudunta u ah ee sugan
• Ilaalinta DMA Kernel
• Hypervisor-la ilaaliyo daacadnimada koodka ( HVCI )

Taasi waxay tidhi, waxaas oo dhan waxay ku suurtogalayaan PC-ga Secured-core. Si fudud uma codsan kartid kan PC-ga caadiga ah sababtoo ah qalabku lama heli karo kaas oo ka ilaalin kara weerarka. Sida ugu fiican ee lagu ogaan karo in kombuyutarkaagu uu taageerayo waa adiga oo hubiya qaybta Devic Security ee abka Windows Security .

1] Ilaalinta kombuyuutarrada aasaasiga ah ee sugan

Windows Security , Software-ka amniga guriga ee Microsoft, waxa uu bixiyaa Ilaalinta Nidaamka Difaaca Windows iyo amniga ku salaysan macruufka. Si kastaba ha ahaatee, waxaad u baahan tahay qalab isticmaalaya kombuyuutarrada Secured-core^{(Secured-core PCs)} . Waxay isticmaashaa amniga qalabka xididka ee CPU -ga casriga ah si ay u bilawdo nidaamka xaalad la aamini karo. Waxay kaa caawinaysaa yaraynta isku dayga ay sameeyeen malware-ka heerka firmware.

2] Ilaalinta DMA Kernel

Lagu soo bandhigay Windows 10 v1803, Ilaalinta Kernel DMA waxay hubisaa inay ka xannibto xayndaabyada dibedda ee Helitaanka Xusuusta^{(Memory Access)} Tooska ah ( DMA ) iyadoo la adeegsanayo aaladaha hotplug PCI sida Thunderbolt . Waxay la macno tahay haddii qof isku dayo inuu nuqul ka sameeyo Thunderbolt firmware mashiinka, waxaa lagu xannibi doonaa dekedda Thunderbolt . Si kastaba ha ahaatee, haddii isticmaaluhu uu haysto magaca isticmaalaha iyo erayga sirta ah, wuxuu awoodi doonaa inuu dhaafo.

3] Ku adkeynta^(Hardening) ilaalinta sharafta Hypervisor-la ilaaliyo^{(Hypervisor-protected)} ( HVCI )

Hypervisor-ilaaliye kood daacadnimada ama HVCI waa in la furo Windows 10 . Waxay go'doomisay nidaamka hoose ee daacadnimada koodhka waxayna xaqiijisay inuu jiro koodka Kernel -ka ee aan la xaqiijin oo aanu saxeexin Microsoft . Waxa kale oo ay hubisaa in koodhka kernel-ku aanu noqon karin mid la qori karo oo la fulin karo si loo hubiyo in koodka aan la xaqiijin aanu fulin.

Thunderspy waxay isticmaashaa aaladda PCILeech^(PCILeech) si ay ugu shubto cutubka kernel kaas oo hareer mara shaashadda soo galitaanka Windows . Isticmaalka HVCI waxay hubin doontaa inaad ka hortagto tan maadaama aysan u oggolaan doonin inay fuliso koodka.

Ammaanku waa inuu had iyo jeer ahaado midka ugu sarreeya marka ay timaado iibsashada kombuyuutar. Haddii aad wax ka qabato xogta muhiimka ah, gaar ahaan ganacsiga, waxaa lagugula talinayaa inaad iibsato aaladaha PC-ga ee Secured-core . ^{(Secured-core PC)}Waa kan bogga rasmiga ah ee aaladahaas^{(such devices)} oo ku yaal bogga Microsoft.

Tips to protect your computer against Thunderspy attack

Thunderbolt is the hardware brand interface developed by Intel. It acts as an interface between computer and external devices. While most of the Windows computers come with all sorts of ports, many companies use Thunderbolt to connect to various types of devices. It makes connecting easy, but according to research at the Eindhoven University of Technology, the security behind Thunderbolt can be breached using a technique — Thunderspy. In this post, we will share tips you can follow to protect your computer against Thunderspy.

What is Tunderspy? How does it work?

Its a stealth attack that allows an attacker to access direct memory access (DMA) functionality to compromise devices. The biggest problem is that there is no trace left as it works without deploying any mind of malware or link bait. It can bypass the best security practices and lock the computer.  So how does it work? The attacker needs direct access to the computer. According to the research, it takes less than5 minutes with the right tools.

The attacker copies the Thunderbolt Controller Firmware of the source device to his device. It then uses a firmware patcher (TCFP) to disable the security mode enforced in the Thunderbolt firmware. The modified version is copied back to the target computer using the Bus Pirate device. Then a Thunderbolt-based attack device is connected to the device being attacked. It then uses the PCILeech tool to load a kernel module that bypasses the Windows sign-in screen.

So even if the computer has security features like Secure Boot, strong BIOS, and operating system account passwords, and enabled full disk encryption, enabled, it will still bypass everything.

TIP: Spycheck will check if your PC is vulnerable to the Thunderspy attack.

Tips to protect against Thunderspy

Microsoft recommends three ways to protect against the modern threat. Some of these features that are built into Windows can be leveraged while some should be enabled to mitigate the attacks.

• Secured-core PC protections
• Kernel DMA protection
• Hypervisor-protected code integrity (HVCI)

That said, all this is possible on a Secured-core PC. You simply cannot apply this on a regular PC because the hardware is not available that can secure it from the attack. The best way to find out if your PC supports it is by checking the Devic Security section of the Windows Security app.

1] Secured-core PC protections

Windows Security, Microsoft’s in-house security software, offers Windows Defender System Guard and virtualization-based security. However, you need a device that uses Secured-core PCs. It uses rooted hardware security in the modern CPU to launch the system into a trusted state. It helps mitigate attempts made by malware at the firmware level.

2] Kernel DMA protection

Introduced in Windows 10 v1803, Kernel DMA protection makes sure to block external peripherals from Direct Memory Access (DMA) attacks using PCI hotplug devices such as Thunderbolt. It means if someone tries to copy malicious Thunderbolt firmware to a machine, it will be blocked over the Thunderbolt port. However, if the user has the username and password,  he will be able to bypass it.

3] Hardening protection with Hypervisor-protected code integrity (HVCI)

Hypervisor-protected code integrity or HVCI should be enabled on Windows 10. It isolates the code integrity subsystem and verified that there Kernel code is not verified and signed by Microsoft. It also ensures that kernel code cannot be both writable and executable to make sure unverified code does not execute.

Thunderspy uses the PCILeech tool to load a kernel module that bypasses the Windows sign-in screen. Using HVCI will make sure to prevent this as it will not allow it to execute the code.

Security should always be at the top when it comes to buying computers. If you deal with data that is important, especially with business, it is recommended to purchase Secured-core PC devices. Here is the official page of such devices on the Microsoft website.

Related posts

• Sidee Looga Fogaadaa Khayaanada Khiyaamada iyo Weerarada?

• Waa maxay Gelitaanka Fog ee Trojan? Kahortagga, Ogaanshaha & Ka saarida

• Ka saar fayraska USB Flash Drive adoo isticmaalaya Command Prompt ama Faylka Dufcada

• Rogue Security Software ama Scareware: Sida loo hubiyo, looga hortago, looga saaro?

• Waa maxay Win32:BogEnt iyo sida loo saaro?

• 3 da siyaabood oo looga takhaluso Virus-yada, Spyware iyo Malware

• Sida loo uninstall ama ka saaro Driver Tonic ka Windows 10

• Waa maxay Rootkit? Sidee buu u shaqeeyaa Rootkits? Rootkits ayaa sharaxay.

• Aaladaha Maamulka Fog: Khataraha, Hanjabaadaha, Kahortagga

• Waa maxay dambiyada internetka? Sidee wax looga qabtaa?

• Crystal Security waa aaladda ogaanshaha Malware ee ku saleysan Cloud ee bilaashka ah ee PC

• Cryptojacking khatarta macdanta birawsarka cusub ee aad u baahan tahay inaad wax ka ogaato

• Weerarada Cyber ​​- Qeexid, Noocyada, Ka Hortagga

• Sida loo isticmaalo Malwarebytes Anti-Malware si meesha looga saaro Malware

• Sida loo hubiyo Registry for malware gudaha Windows 11/10

• Weerarada Malware-ka aan fileyn, Ilaalinta iyo Ogaanshaha

• Afduubka Browser-ka iyo Aaladaha Ciribtirka Af-duubaha Biraawsarkaaga

• Weerarada khaldan: Qeexid, tusaaleyaal, ilaalin, ammaan

• Waa maxay CandyOpen? Sidee looga saaraa CandyOpen Windows 10?

• Sawir-qaadayaasha Malware ee khadka tooska ah ee ugu fiican si loo sawiro faylka