This post aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, the report notes known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive and, as such, will not include every vulnerability announced that month.
Key Findings
- Microsoft patched two zero-days in December 2018, one within Windows and one for Internet Explorer.
- The first major flaw in Kubernetes was both identified and subsequently exploited.
- The SplitSpectre vulnerability was identified affecting AMD processors, with potential for similar consequences to the Spectre flaw identified in 2017.
Analysis
Routers
There were two significant stories in December about router vulnerabilities. One concerned Huawei routers being vulnerable to credential leaking (CVE-2018-7900), and the other a new exploit becoming available for a new Mirai variant (ThinkPHP 5.0.23/5.1.31 - Remote Code Execution).
Operating Systems
Windows
Microsoft patched 40 vulnerabilities in their December security updates, notably CVE-2018-8611, which was reported as being exploited by at least two different APT groups (Intrusion Set: FruityArmor and Intrusion Set: SandCat).
The report Security Researcher Discloses New Windows Zero-Day on Twitter identified a security researcher who has previously posted Windows zero-day vulnerabilities and PoC code on Twitter. This issue resided within the MsiAdvertiseProduct feature of Windows and could allow an attacker to read arbitrary files that would otherwise only be available to a system administrator.
The report Satan Ransomware Variant Exploits 10 Server-Side Flaws covers 10 different vulnerabilities affecting both Windows and Linux that could allow ransomware to be installed and spread in a worm-like propagation method.
Linux
This month the report Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit) was published, demonstrating how CVE-2018-1002105, the first major flaw identified in Kubernetes, could be exploited. The report Hacking Group Outlaw Distributes Botnet for Cryptocurrency-Mining, Scanning, and Brute-Force covered an old vulnerability (CVE-2013-4788) that was being actively exploited for crypto-mining purposes.
December also saw the above-mentioned Mirai variant targeting the ThinkPHP framework (IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit).
macOS
The report WebKit Vulnerability Affects Latest Versions of Apple Safari was published, discussing a WebKit regex error that could be exploited by attackers and that affected both the macOS and iOS versions of Safari.
Android
For Android devices, the report Google Patches More Than 50 Android Vulnerabilities in December covered a host of new flaws, including six critical bugs in the mobile OS, mostly affecting the Android Media Framework.
Web Browsers
Internet Explorer
The report New Threat Actor SandCat Exploited Recently Patched CVE-2018-8611 0Day identified a major bug affecting Microsoft's Internet Explorer, which was patched in an out-of-band security update, such was the severity of the flaw (Zero-Day Bug Fixed by Microsoft in December Patch Tuesday).
The report Underminer Exploit Kit Improves in Its Latest Iteration also identified updates to the Underminer exploit kit which targets Flash and Internet Explorer vulnerabilities to infect its victims.
Edge
A PoC for CVE-2018-8629 was published in December (Demo Exploit Code Published for Remote Code Execution via Microsoft Edge). This vulnerability was fixed by Microsoft in the December security updates; however, the code for this exploit was made available on GitHub shortly after.
Databases
phpMyAdmin
Three vulnerabilities were patched for phpMyAdmin in December (CVE-2018-19968, CVE-2018-19969 and CVE-2018-19970); the report phpMyAdmin Releases Critical Software Update contains more detail.
Processors
AMD
The report SplitSpectre: New Spectre-like CPU Attack discussed a new vulnerability that can affect CPUs in a similar manner to the Spectre vulnerability first identified in 2017. The flaw had not yet been assigned a CVE identifier.
Miscellaneous
IoT
The report Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560) disclosed how moderately skilled attackers could access Amazon S3 credentials contained within the firmware of Guardzilla IoT Video Cameras.
Exploits for Vulnerabilities
December 2018 saw the following Attack Patterns, Malware & Tool Variants identified that looked to exploit existing vulnerabilities:
- Malware Variant: Underminer 8e2072
- Attack Pattern: Defacement of Wall Street Journal (WSJ) Website's Section
- Attack Pattern: exploiting default credentials through Telnet in order to launch brute force attack and spread to additional devices creating a Linux DDoS botnet
- Attack Pattern: Using PolicyKit on Linux to Elevate Privileges for Lateral Movement
- Malware Variant: Seduploader 362990
- Attack Pattern: Exploiting Microsoft Office & Adobe Vulnerabilities through Spearphishing attachments
- Attack Pattern: Delivering Exploit if Landing Page Visitor Meets Target Criteria
- Attack Pattern: Exploiting CVE-2018-15982
- Attack Pattern: Botnet Distribution by Outlaw to Scan Networks, Perform Cryptocurrency Mining, Brute-Force Attacks
- Tool Variant: Haiduc attacking via cPanel e1qz3l
- Attack Pattern: Leveraging ETERNAL family of Exploits to Target Routers through CVE-2017-7494 and CVE-2017-0144
- Attack Pattern: Exploiting CVE-2018-8611
- Malware Variant: Satan "Lucky" de893a
- Attack Pattern: DanaBot Exploiting Email Services on Endpoints With Attachment Containing Signed Malicious VBS Script
- Attack Pattern: HTTP Upgrade API Call to Exploit CVE-2018-1002105
- Malware Variant: Rabbot y37cj9
- Attack Pattern: Exploiting CVE-2018-0468
The above Attack Patterns are sometimes related to the tactics of specific threat actors, but are also sometimes observed as behaviors not linked to a particular adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.
Recommendations
EclecticIQ Fusion Center recommends that organizations apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. It is worth noting that this report is a summary of the main vulnerabilities we have seen over the course of a month and, as such, is not reflective of the full list of CVE information published by vendors.
We hope you enjoyed this post. Subscribe to our blog below for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.