Security Affairs
Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts found a way to create a super-malware implanted in SGX-enclaves

Researchers devised a new technique to hide malware in the security Intel SGX enclaves, making it impossible to detect by several security technologies. Security researchers devised a new technique to hide malware in the security Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data […]

Intel SGX enclaves

Researchers devised a new technique to hide malware in the security Intel SGX enclaves, making it impossible to detect by several security technologies.

Security researchers devised a new technique to hide malware in the security Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. The Intel SGX allows application code executing within an Intel SGX enclave, which are protected areas of execution in memory.

The technique created by the experts allows them to deploy a malicious code in a memory area that is protected by design making it hard the detection.

Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.

The team of researchers composed of Michael Schwarz, Samuel Weiser and Daniel Gruss of the Graz University of Technology in Austria, includes those that discovered the Spectre-Meltdown CPU vulnerabilities. They devised a method to bypass security protection and implant malware in the enclaves leveraging a benign application that uses a malicious enclave when executed.

Experts pointed out that the host application communicates with the enclave through an interface that should not allow the enclave to attack the app.

The researchers used Transactional Synchronization eXtensions (TSX), in modern Intel CPUs along with a fault-resistant read primitive technique called TSX-based Address Probing (TAP).

“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer.” states the research paper published by the experts.

“We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

The experts developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW) to determine whether it is possible to write in a memory page.

The primitive encapsulates the write instruction for the specific memory page within a TSX transaction and aborts the transaction just after the write operation.

The experts determine the possibility to write in a target memory page analyzing the return value of the transaction.

A malware injected in the enclaves could be transparent to security solutions, including Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer.

“The strong confidentiality and integrity guarantees of SGX fundamentally prohibit malware inspection and analysis, when running such malware within an enclave.” continues the analysis.

“Moreover, there’s a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.

Intel SGX enclaves

The experts published a proof-of-concept exploit that bypassed ASLR, stack canaries, and address sanitizer, the overall exploit process took only 20.8 seconds. Hardware and software mitigations against this new attack will be implemented by Inter in future generations of CPUs.

“With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware.” conclude the researchers.

“We conclude that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SGX enclaves, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]