EclecticIQ Blog

EclecticIQ Monthly Vulnerability Trend Report - August 2019

September 16, 2019


This blogpost aims to provide customers with an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings
  • Two new versions of the BlueKeep Remote Desktop Protocol vulnerability have been announced by Microsoft.
  • Continued exploitation of popular vulnerabilities such as the WinRAR ACE CVE-2018-20250 and Microsoft Office CVE-2017-11882 was observed in August 2019.
  • Two Firefox 0day exploits were used in a campaign targeting the popular cryptocurrency exchange Coinbase.
Analysis

Newly Discovered Vulnerabilities

Protocols

Microsoft has announced two new versions of the BlueKeep vulnerability CVE-2019-0708. The new vulnerabilities, CVE-2019-1181 and CVE-2019-1182, are both wormable, meaning that any future malware that exploits them could propagate from vulnerable computer to vulnerable computer without user interaction. Just like BlueKeep, the vulnerabilities reside in the Windows Remote Desktop Services (RDS) package.

An attacker can exploit this vulnerability to perform Attack Pattern: Send crafted request via RDP to gain remote access to the targeted system.

In July 2019, it was reported that the WatchBog cryptocurrency miner included a module for scanning services vulnerable to the original BlueKeep (CVE-2019-0708) vulnerability. It would not be a leap to imagine that these two new vulnerabilities would also be included in automatic scanner modules such as the one WatchBog is using in the near future.

Course of Action:

  • Apply patch for RDP vulnerabilities to affected Windows systems

IoT

Security researchers at Tenable uncovered a security flaw CVE-2019-3948 in Amcrest IP2M-841B IP cameras, which permits remote spying without any form of authentication.

The Amcrest camera, available on Amazon, is advertised as a full-HD 1080p camera capable of low-light footage capture. After dissecting the firmware for the device, researchers determined the Amcrest IP2M-841B is a rebranded Dahua camera. Dahua has been in the news as the US government plans to blacklist the company due to potential spying concerns.

Course of Action:

  • Upgrade Amcrest IP2M-841B IP Camera Firmware

Processors

In August 2019, security researchers at Bitdefender demonstrated a new side-channel attack, dubbed SWAPGS (CVE-2019-1125), that bypasses mitigations against Spectre and Meltdown. Millions of newer Intel microprocessors manufactured after 2012 are vulnerable to the side-channel attack.

The vulnerability can be exploited to read sensitive information from the victim system.

Course of Action:

  • Apply July 2019 Microsoft Patch to Mitigate CVE-2019-1125

VLC

Two high-risk vulnerabilities in the VLC media player, CVE-2019-14970 and CVE-2019-14438, could allow an adversary to craft a malicious .MKV video file that, when opened, could be used to gain control of the victim's PC.

The developer of the open-source VLC media player, the VideoLAN project, made 15 VLC bugs public.

In addition to the two high-risk bugs, five were rated medium (CVE-2019-14533, CVE-2019-14778, CVE-2019-14777, CVE-2019-14776 and CVE-2019-14437), three were rated low and the others remain unrated. According to the security researcher who discovered 11 of the vulnerabilities, exploitation of any of the bugs would be straightforward.

Course of Action:

  • Update VLC Media Player to 3.0.8

Ongoing Exploitation of Vulnerabilities

WinRAR

The already widely exploited WinRAR ACE vulnerability CVE-2018-20250 has been reported on continually throughout August 2019.

SophosLabs reported on a campaign which ultimately delivers either the Malware: Baldr v2 or Malware: Baldr v3 information stealer. The campaign is targeted at online gamers and exploits CVE-2018-20250 as well as CVE-2018-0802 through apparent cheat software which promises to give the gamer an unfair advantage at multiple different online games.

A new malware campaign was observed in August 2019 which targeted a Chinese news website. It used the legitimate domain of the website to spread backdoors to the PCs of innocent readers.

The campaign targeted Chinese language speakers using a watering hole strategy as its infection vector. Phishing links were injected into the domain, including a fake Twitter login page and malicious scripts which check the browser and OS information of visitors to make sure they are using a Microsoft Windows system. The attackers exploit known WinRAR CVE-2018-20250 and RTF CVE-2017-11882 file vulnerabilities to deliver the Malware Variant: Sality ba68ea backdoor.

Course of Action:

  • Update WinRAR to Build 5.70 and Newer.

Microsoft Office

Kaspersky identified activity from January - July 2019 for Cloud Atlas, also known as Intrusion Set: Inception Framework. Kaspersky identified spearphishing activities mostly targeting Russia, Central Asia, and independent regions of Ukraine.

Cloud Atlas's Tactics, Techniques and Procedures (TTPs) have remained largely unchanged: exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802. During recent months, Kaspersky has seen a new infection chain, involving a polymorphic HTA, a new VBS implant aimed at executing Malware Variant: PowerShower m3k93s, and the Cloud Atlas second stage modular backdoor, Malware Variant: VBShower y4389n.

EclecticIQ Fusion Center analysts suspect that the reason behind the unchanged tactics is likely due to the group's success rate.

Web Browsers

The Coinbase security team investigated an incident in their systems attributed to Intrusion Set: CRYPTO-3. The attackers used two Firefox 0day exploits, CVE-2019-11707 and CVE-2019-11708.

The way the attackers exploited CVE-2019-11708 has only been possible since May 12th, which indicates powerful and rapid weaponization research behind the exploit.

The attackers did not obfuscate the first 0day, and the code was well structured with descriptive names. This may indicate that the attackers did not intend to preserve the exploit for use beyond this attack, or that they were not the ones who developed it.

There was a strong social engineering reconnaissance phase throughout the campaign to determine which employees were the most appropriate recipients for the URL carrying the exploit.

Course of Action:

  • Update to Firefox 67.0.4 or Firefox ESR 60.7.2 to patch CVE-2019-11708
  • Update to Firefox 67.0.3 or Firefox ESR 60.7.1 to patch CVE-2019-11707

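Several of the Course of Action items in this report (WinRAR 5.70, VLC 3.0.8, Firefox 67.0.4 / ESR 60.7.2) reduce to the same check: is the installed build at or above the fixed version? The script below is an added example, not EclecticIQ's or any vendor's code. It compares versions numerically (so that VLC 3.0.10 is correctly treated as newer than 3.0.8, which a plain string comparison gets wrong) and treats Firefox ESR as its own release line, since a 60.7.2esr build is patched even though 60.7.2 is numerically lower than 67.0.4. The host inventory and the `MINIMUM_PATCHED` table are constructed for the example; the minimum versions are the ones stated in this report.

```python
import re
from typing import List, Tuple

# Minimum fixed versions as listed in this report's Course of Action items.
MINIMUM_PATCHED = {
    "winrar": "5.70",
    "vlc": "3.0.8",
    "firefox": "67.0.4",
    "firefox-esr": "60.7.2",
}

# Constructed inventory (hostname, product, version string as reported by the host).
SAMPLE_INVENTORY = [
    ("host-a", "winrar", "5.61"),
    ("host-a", "vlc", "3.0.10 Vetinari"),
    ("host-b", "firefox", "60.7.2esr"),
    ("host-c", "firefox", "67.0.3"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version from a string such as
    '3.0.10 Vetinari' or '60.7.2esr' and return it as a tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def version_at_least(installed: str, minimum: str) -> bool:
    """Numeric comparison with zero-padding, so 3.0.8 == 3.0.8.0 and 3.0.10 > 3.0.8."""
    have, need = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def is_patched(product: str, installed: str) -> bool:
    """Return True if the installed build meets the report's fixed version.

    Firefox is the edge case: the ESR channel has its own fixed version, so an
    'esr' build is compared against the ESR minimum, not the mainline one."""
    key = product.lower()
    if key == "firefox" and "esr" in installed.lower():
        key = "firefox-esr"
    if key not in MINIMUM_PATCHED:
        raise KeyError(f"no fixed version recorded for product {product!r}")
    return version_at_least(installed, MINIMUM_PATCHED[key])


def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return every (host, product, version) entry that still needs the update."""
    return [entry for entry in inventory if not is_patched(entry[1], entry[2])]


if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

Against the constructed inventory the script flags host-a's WinRAR 5.61 and host-c's Firefox 67.0.3, while VLC 3.0.10 and Firefox 60.7.2esr pass. Feeding it real version strings from a software inventory tool is the only change needed to use it in practice.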
Patched Vulnerabilities

NGINX

In May 2019, researchers at Netflix discovered a number of security vulnerabilities in several HTTP/2 server implementations. These were responsibly reported to each of the vendors and maintainers concerned. NGINX was vulnerable to three attack vectors, as detailed in the following CVEs:

  • CVE-2019-9511 (Data dribble)
  • CVE-2019-9513 (Resource loop)
  • CVE-2019-9517 (Zero-length headers leak)

In August 2019, NGINX released updates to NGINX Open Source and NGINX Plus in response to these vulnerabilities. They strongly recommend upgrading all systems that have HTTP/2 enabled.

Course of Action:

  • Update NGINX to the latest version

Recommendations
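The NGINX advice above applies to systems that have HTTP/2 enabled, so the first step in triage is finding which listeners actually speak HTTP/2. The script below is an added example, not NGINX's or EclecticIQ's code: it scans an nginx configuration for `listen` directives carrying the `http2` parameter (the way the 2019-era NGINX releases switch HTTP/2 on, per listen socket), ignoring commented-out lines so a disabled listener is not reported as exposed. The configuration fragment is constructed for the example; it assumes the configuration is available as a single text (includes would have to be resolved first).

```python
import re
from typing import List

# Constructed nginx.conf fragment (not from any real deployment).
SAMPLE_NGINX_CONF = """
http {
    server {
        listen 443 ssl http2;        # HTTP/2 enabled on this socket
        listen [::]:443 ssl http2;
        server_name www.example.test;
    }
    server {
        listen 80;                   # HTTP/1.x only
        # listen 8443 ssl http2;     <- commented out, must not be counted
        server_name legacy.example.test;
    }
}
"""

LISTEN_DIRECTIVE = re.compile(r"\blisten\s+([^;]*);")


def strip_comments(conf: str) -> str:
    """Drop everything after '#' on each line, so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def http2_listeners(conf: str) -> List[str]:
    """Return the address/port of every listen directive that has the http2 parameter."""
    listeners = []
    for match in LISTEN_DIRECTIVE.finditer(strip_comments(conf)):
        params = match.group(1).split()
        if params and "http2" in params[1:]:
            listeners.append(params[0])
    return listeners


def http2_enabled(conf: str) -> bool:
    """True if at least one listen socket in the configuration enables HTTP/2."""
    return bool(http2_listeners(conf))


if __name__ == "__main__":
    sockets = http2_listeners(SAMPLE_NGINX_CONF)
    if sockets:
        print("HTTP/2 enabled on: " + ", ".join(sockets) + " - upgrade this host")
    else:
        print("No HTTP/2 listeners found")
```

On the constructed configuration the script reports the two port 443 sockets and skips both the plain port 80 listener and the commented-out one. Hosts where it finds nothing still benefit from the update, but those where it finds HTTP/2 listeners are the ones the NGINX advisory singles out.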

EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems even if no security vulnerabilities have been reported.
