This post aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, the report notes known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive and, as such, does not include every vulnerability announced that month.
Microsoft patched two zero-days in December 2018, one in Windows and one in Internet Explorer.
The first major flaw in Kubernetes was both identified and subsequently exploited.
The SplitSpectre vulnerability was identified affecting AMD processors, with potential for consequences similar to those of the Spectre flaw identified in 2017.
There were two significant stories in December about router vulnerabilities: one in which Huawei routers were found to leak credentials (CVE-2018-7900), and one in which a new exploit became available for a new Mirai variant (ThinkPHP 5.0.23/5.1.31 - Remote Code Execution).
Microsoft patched 40 vulnerabilities in its December security updates, notably CVE-2018-8611, which was reported as being exploited by at least two different APT groups (Intrusion Set: FruityArmor and Intrusion Set: SandCat).
The report Security Researcher Discloses New Windows Zero-Day on Twitter covered a security researcher who has previously posted Windows zero-day vulnerabilities and PoC code on Twitter. This issue resides in the MsiAdvertiseProduct feature of Windows and could allow an attacker to read arbitrary files that would otherwise be available only to a system administrator.
A PoC for CVE-2018-8629 was published in December (Demo Exploit Code Published for Remote Code Execution via Microsoft Edge). Microsoft fixed this vulnerability in the December security updates; however, the exploit code was made available on GitHub shortly afterwards.
The report SplitSpectre: New Spectre-like CPU Attack discussed a new vulnerability that can affect CPUs in a manner similar to the Spectre vulnerability first identified in 2017. No CVE has yet been assigned to the flaw.
Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560) disclosed how moderately skilled attackers could obtain Amazon S3 credentials contained within the firmware of Guardzilla IoT video cameras.
Exploits for Vulnerabilities
December 2018 saw the following Attack Patterns, Malware & Tool Variants identified that looked to exploit existing vulnerabilities:
Malware Variant: Underminer 8e2072
Attack Pattern: Defacement of Wall Street Journal (WSJ) Website's Section
Attack Pattern: exploiting default credentials through Telnet in order to launch brute force attack and spread to additional devices creating a Linux DDoS botnet
Attack Pattern: Using PolicyKit on Linux to Elevate Privileges for Lateral Movement
Malware Variant: Seduploader 362990
Attack Pattern: Exploiting Microsoft Office & Adobe Vulnerabilities through Spearphishing attachments
Attack Pattern: Botnet Distribution by Outlaw to Scan Networks, Perform Cryptocurrency Mining, Brute-Force Attacks
Tool Variant: Haiduc attacking via cPanel e1qz3l
Attack Pattern: Leveraging ETERNAL family of Exploits to Target Routers through CVE-2017-7494 and CVE-2017-0144
Attack Pattern: Exploiting CVE-2018-8611
Malware Variant: Satan "Lucky" de893a
Attack Pattern: DanaBot Exploiting Email Services on Endpoints With Attachment Containing Signed Malicious VBS Script
Attack Pattern: HTTP Upgrade API Call to Exploit CVE-2018-1002105
Malware Variant: Rabbot y37cj9
Attack Pattern: Exploiting CVE-2018-0468
The above Attack Patterns are sometimes tied to the tactics of specific threat actors, but are also sometimes observed as behaviors not linked to any particular adversary. Some of them may come from updated or new Metasploit modules, while others stem from research into APT groups and their most recent TTPs.
EclecticIQ Fusion Center recommends that organizations apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. It is worth noting that this report is a summary of the main vulnerabilities we have seen over the course of a month and, as such, does not reflect the full list of CVE information published by vendors.