EclecticIQ Blog

EclecticIQ Monthly Vulnerability Trend Report – April 2019

May 13, 2019

This blog series aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it covers known exploits for trending vulnerabilities and the relevant courses of action. This report is not exhaustive and does not include every vulnerability announced during the month.

Key Findings

  • A recently disclosed vulnerability in Atlassian Confluence (CVE-2019-3396) was exploited shortly after its disclosure to distribute the popular GandCrab ransomware
  • A new remote code execution vulnerability, CVE-2019-2725, affecting Oracle WebLogic has been used to deploy a botnet as well as ransomware
  • Continued exploitation of the WinRAR ACE vulnerability (CVE-2018-20250) was observed in April 2019

Analysis

Administrative Tools

A recently patched Confluence vulnerability, CVE-2019-3396, was exploited to distribute the popular Malware Variant: GandCrab 1b435c. The campaign can be found here: CVE-2019-3396 Used to Install GandCrab Ransomware

Course of Action:

Upgrade Confluence to version 6.15.2 or later

Content Management Systems

WordPress

Security researchers have disclosed an arbitrary file upload vulnerability in WooCommerce Checkout Manager, a WordPress plugin used alongside WooCommerce on e-commerce websites.

The vulnerability does not reside in WooCommerce itself but in the WooCommerce Checkout Manager extension, which allows eCommerce sites to customize the forms on their checkout pages.

The vulnerable extension is currently used by over 60,000 websites. At the time of writing, the latest release of WooCommerce Checkout Manager is still vulnerable, so no fixed version is available.

A previously reported vulnerability, CVE-2019-9978, in the Social Warfare WordPress plugin has been actively exploited in the wild. The observed TTPs exploiting the vulnerability are:

  • Attack Pattern: Exploitation of CVE-2019-9978 to Redirect Victims to Ad Sites
  • Attack Pattern: Exploitation of CVE-2019-9978 to Interact With Web Shell

Course of Action:

Upgrade Social Warfare to version 3.5.3 or later

eCommerce

Magento has patched 37 security vulnerabilities in its latest software updates for Magento Commerce and Magento Open Source.

Of the 37 vulnerabilities, 4 are considered critical, with a CVSS score of 9 or above.

  • Magento: PRODSECBUG-2287 - Remote code execution through email template
  • Magento: PRODSECBUG-2198 - SQL Injection vulnerability through an unauthenticated user
  • Magento: PRODSECBUG-2236 - SQL Injection and cross-site scripting vulnerability in Catalog section (XSS)
  • Magento: PRODSECBUG-2192 - Remote code execution though crafted newsletter and email templates

Researchers from Ambionics were able to exploit one of the critical vulnerabilities, the unauthenticated SQL injection (PRODSECBUG-2198), to extract admin sessions or password hashes. The proof of concept from Ambionics has been posted online, so attackers may well exploit the vulnerability in the wild.

Course of Action:

Upgrade Magento Commerce or Open Source to 2.3.1, 2.2.8 or 2.1.17, depending on the release branch in use

Operating Systems 

Windows

Microsoft patched 74 vulnerabilities as part of its April Patch Tuesday release.

Two of the 74 are Windows local privilege escalation vulnerabilities in win32k.sys, CVE-2019-0859 and CVE-2019-0803, both of which have been exploited in the wild.

One of these in-the-wild exploitations has been observed as Campaign Targeting CVE-2019-0859 to Install HTTP Reverse Shells.

Other notable patched vulnerabilities include an information disclosure vulnerability in the Windows TCP/IP stack, CVE-2019-0688, and a remote code execution flaw in the GDI+ component of Windows and the Office suite, CVE-2019-0853.

Course of Action:

Apply April 2019 Security Updates

Oracle

Security researchers have found a dangerous vulnerability, CVE-2019-2725, in the Oracle WebLogic Server platform.

The wls9_async and wls-wsat components of Oracle WebLogic are affected by a deserialization vulnerability that leads to remote command execution. The vulnerability can be exploited without authentication.

The vulnerability has been exploited in multiple campaigns since its discovery:

  • Ransomware Deployment Through the Exploitation of CVE-2019-2725
  • Muhstik Botnet Targeting Oracle Web Servers

The vulnerability was used to deploy Malware Variant: Muhstik Botnet 0e1acc as well as Malware Variant: GandCrab 5.2 ef766b.
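Because exploitation of CVE-2019-2725 is an unauthenticated HTTP request to the two affected components, the request path alone is a usable detection signal. The following Python snippet is an added example (not part of the original report or of any EclecticIQ tooling) that scans web-server access-log lines for requests aimed at the wls9_async (/_async/) and wls-wsat (/wls-wsat/) endpoints. It assumes the Apache/Nginx combined log format; the sample log lines are constructed for illustration and are not real traffic.

```python
import re
from typing import NamedTuple

# Endpoints exposed by the two affected WebLogic components. wls9_async is reached
# via /_async/AsyncResponseService, wls-wsat via /wls-wsat/*. Exploitation sends a
# SOAP/XML body in an HTTP POST to one of these paths.
VULNERABLE_PATH = re.compile(r"^/(?:_async|wls-wsat)(?:/|$)", re.IGNORECASE)

# Apache/Nginx combined log format (the constructed sample lines below follow it).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


class Hit(NamedTuple):
    src: str
    time: str
    method: str
    path: str
    status: int
    ua: str


def find_weblogic_probes(lines) -> list:
    """Return log entries whose request targets an affected component.

    GET requests are flagged too: scanners commonly fetch the WSDL (?wsdl) before
    sending the deserialization payload in a POST.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if VULNERABLE_PATH.search(path):
            hits.append(Hit(m.group("src"), m.group("time"), m.group("method"),
                            path, int(m.group("status")), m.group("ua") or ""))
    return hits


# Constructed sample log lines (not real traffic): one WSDL fetch, one POST to the
# async endpoint, one unrelated console request and one line that does not parse.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2019:03:14:05 +0000] "GET /wls-wsat/CoordinatorPortType11?wsdl HTTP/1.1" 200 1642 "-" "python-requests/2.21.0"',
    '203.0.113.7 - - [26/Apr/2019:03:14:07 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [26/Apr/2019:03:15:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_weblogic_probes(SAMPLE_LOG):
        print(f"{hit.time} {hit.src} {hit.method} {hit.path} -> {hit.status} ({hit.ua})")
```

A hit on these paths from an address that has no business consuming WebLogic web services is worth triaging regardless of the response code. Note that the exploit payload travels in the POST body, which access logs do not record, so an absence of hits is not evidence that a server was not attacked; the Oracle patch remains the fix.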

Course of Action:

Apply the patches listed in Oracle Security Alert Advisory - CVE-2019-2725

Processors

Qualcomm

A vulnerability, CVE-2018-11976, in Qualcomm chipsets can expose sensitive data stored in the Trusted Execution Environment (TEE). The affected chipsets are very common across Android devices.

The vulnerability was exploited by NCC Group researchers, who used it to recover ECDSA private keys from the TEE. More on the exploitation can be found in Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm's TrustZone.

Course of Action:

Apply Qualcomm April Security Updates

Intel

Intel released patches and published security advisories for vulnerabilities across the following products:

  • Intel Media SDK
  • Intel NUC mini PC
  • Intel Graphics Performance Analyzer

CVE-2018-18094 - High severity, CVSS score 7.8. Intel patched the Intel Media SDK, a software development kit that gives developers access to hardware acceleration on Intel platforms. The flaw allows an authenticated user to potentially escalate privileges via local access.

Course of Action:

Update Intel Media SDK to 2018 R2.1 or later

CVE-2019-0163 - High severity, CVSS score 7.5. Intel patched the system firmware of its NUC (Next Unit of Computing) mini PC kits. The flaw, insufficient input validation in the system firmware, could enable escalation of privilege, denial of service or information disclosure.

Course of Action:

Update the system firmware of the affected Intel NUC (Broadwell U i5 vPro)

CVE-2019-0158 - Medium severity, CVSS score 6.7. Intel patched Intel Graphics Performance Analyzer for Linux. Versions 18.4 and earlier are affected by a flaw that allows an authenticated user to potentially escalate privileges via local access.

Course of Action:

Update Intel Graphics Performance Analyzer for Linux to 2019 R1 or later

CVE-2019-0162 - Low severity, CVSS score 3.8. The flaw may allow an authenticated user to potentially enable information disclosure via local access.

Course of Action:

Intel recommends that users follow security best practices as the mitigation for this low-severity vulnerability

Routers

Cisco

Cisco has patched a critical vulnerability, CVE-2019-1710, affecting its ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit software.

Course of Action:

Update ASR 9000 routers to IOS XR 64-bit release 6.5.3 or 7.0

Cisco re-patched its RV320 and RV325 WAN VPN routers after initially releasing an incomplete patch for two high-severity vulnerabilities, CVE-2019-1652 and CVE-2019-1653, and at the same time reported two new medium-severity bugs which have no fixes. The campaign Cisco Router Take-Over Using Multiple Vulnerabilities was observed exploiting the vulnerabilities.

Courses of Action:

Update RV320 and RV325 routers to Firmware Release 1.4.2.22

The two new medium-severity bugs affecting the RV320 and RV325, for which no patches are available, are:

CVE-2019-1828 exists because affected devices use a weak encryption algorithm for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting the intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges.

CVE-2019-1827 is a vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers that could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.

No Proof of Concept code or exploitation has been observed for these vulnerabilities at the time of writing.

TP-Link

Matthew Garrett, a security engineer at Google, has published details of an arbitrary code execution (ACE) vulnerability in the TP-Link SR20 router.

It enables a threat actor on the local network to execute arbitrary commands on the router as root. The exploit takes advantage of a flaw in the version 1 command handling of the router's "TP-Link Device Debug Protocol" (TDDP) process, which accepts such requests from the LAN without authentication.

Garrett originally disclosed the vulnerability to TP-Link via its online security disclosure form more than 90 days before publication. Having received no response from TP-Link, he publicly disclosed the vulnerability on his personal website on March 28th 2019.

There is currently no patch for the vulnerability.

WiFi

Broadcom WiFi chipsets used by vendors including Apple and Dell have been found to contain multiple vulnerabilities that could lead to remote code execution or denial of service.

The vulnerabilities affect Broadcom's "wl" and "brcmfmac" drivers. Three of them, CVE-2019-9500, CVE-2019-9501 and CVE-2019-9502, are heap buffer overflows, while the fourth, CVE-2019-9503, is a frame validation bypass.

Course of Action:

Broadcom has patched the vulnerabilities in the brcmfmac driver; apply the updated driver through your device or operating system vendor.

Other

Since its public disclosure in February 2019, the WinRAR ACE vulnerability, CVE-2018-20250, has been widely exploited in the wild.

The rise in usage of the vulnerability is documented in this report written by Fusion Center analysts: Investigating Increased Threat Actor Activity using WinRAR and CVE-2018-20250
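CVE-2018-20250 is a path traversal in WinRAR's handling of ACE archives: a crafted ACE file, typically renamed to .rar, carries filenames that make WinRAR write extracted content outside the chosen folder, for example into the user's Startup folder. The following Python scanner is an added example (not part of the original report or of any Fusion Center tooling) for triaging attachments: it identifies ACE content by its fixed signature regardless of file extension and flags traversal-style path fragments in the raw bytes. It is a heuristic, it does not parse ACE headers fully, and the sample archives are constructed byte strings, not real files.

```python
import re
from pathlib import Path

# ACE main header: crc(2) size(2) type(1) flags(2), then the 7-byte signature at offset 7.
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7

# Filename fragments that have no business in an archive unpacked into a user folder:
# parent-directory hops, absolute Windows drive paths and the Startup folder that the
# in-the-wild samples aimed for. Applied to raw bytes so both separators are covered.
SUSPICIOUS = [
    re.compile(rb"\.\.[\\/]"),                                   # ../ or ..\ traversal
    re.compile(rb"[A-Za-z]:[\\/]"),                              # absolute path such as C:\
    re.compile(rb"Start Menu[\\/]Programs[\\/]Startup", re.IGNORECASE),
]


def is_ace(data: bytes) -> bool:
    """True if the buffer starts with an ACE main header, whatever the file is called."""
    return data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC


def suspicious_paths(data: bytes) -> list:
    """Return the distinct traversal / absolute-path fragments found in the bytes."""
    found = []
    for pat in SUSPICIOUS:
        for m in pat.finditer(data):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def assess(data: bytes, name: str = "<buffer>") -> dict:
    """Classify one file: ACE or not, disguised (ACE content without .ace extension),
    and whether the header area carries traversal-style paths."""
    ace = is_ace(data)
    disguised = ace and not name.lower().endswith(".ace")
    paths = suspicious_paths(data) if ace else []
    if ace and paths:
        verdict = "block"      # ACE archive with path traversal: treat as exploit attempt
    elif disguised:
        verdict = "review"     # ACE content hiding under another extension
    else:
        verdict = "ok"
    return {"name": name, "ace": ace, "disguised": disguised,
            "suspicious": paths, "verdict": verdict}


def scan_file(path) -> dict:
    """Assess a file on disk; the first MiB covers the main header and early entries."""
    p = Path(path)
    with p.open("rb") as f:
        return assess(f.read(1 << 20), p.name)


# Constructed samples (no real archive data): a fake ACE header followed by a fake file
# entry whose name climbs out of the extraction folder; a clean fake ACE; a RAR5 header.
FAKE_ACE_TRAVERSAL = (
    b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    + b"..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe"
)
FAKE_ACE_CLEAN = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16 + b"readme.txt"
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("invoice.rar", FAKE_ACE_TRAVERSAL),
                       ("notes.ace", FAKE_ACE_CLEAN),
                       ("real.rar", RAR5_SIGNATURE)]:
        print(assess(blob, name))
```

Use assess() or scan_file() at a mail gateway or in a sandbox pre-filter; a "block" verdict on a file named .rar is the exact shape of the campaigns referenced above. Because the check is a heuristic over raw bytes, compressed or unusually encoded filenames can evade it, so it complements rather than replaces the WinRAR update.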

Course of Action:

Update WinRAR to version 5.70 or newer.

The Microsoft Defender Research Team has uncovered a privilege escalation vulnerability, CVE-2019-5241, in the PCManager software pre-installed on most Huawei MateBook laptops.

The vulnerability resides in a PCManager kernel-mode driver (running at ring 0). It could be exploited by an unprivileged local attacker to create processes with SYSTEM privileges.

The vulnerability was reported to the vendor and Huawei patched it in January 2019. The technique the driver used to inject code into user-mode processes resembles the NSA's DOUBLEPULSAR backdoor that was leaked by the Shadow Brokers in 2017.

Course of Action:

Update Huawei PCManager

Recommendations

EclecticIQ Fusion Center recommends that customers apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities we have seen over the course of a month and does not reflect the full list of CVEs published by vendors.

Users should ensure they keep their own systems and dependencies updated even if the affected products are not mentioned in this report.
