EclecticIQ Threat Research Team
January 6, 2021

EclecticIQ Monthly Vulnerability Trend Report - December 2020

Summary

This report provides a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it notes known exploits for trending vulnerabilities and relevant courses of action. The report is not exhaustive and will not include every vulnerability announced during the month.

Key Findings:

  • SolarWinds Orion targeted by a supply chain attack; SolarWinds estimates that fewer than 18,000 customers installed the trojanized update.
  • Apple iPhones running iOS versions prior to iOS 14 vulnerable to an iMessage 'zero-click' exploit.
  • Microsoft addressed a total of 58 vulnerabilities as part of its December 2020 Patch Tuesday advisory.

Analysis

Exploitation of Vulnerabilities

Apple iPhones running iOS versions prior to iOS 14 vulnerable to iMessage 'Zero-Click' Exploit

In July and August 2020, suspected state-sponsored operators used a zero-click exploit against Apple's iMessage to gain access to the personal phones of journalists.

The attackers used NSO Group's Pegasus spyware to compromise 36 personal phones belonging to Al Jazeera staff and the personal phone of a journalist at London-based Al Araby TV. The exploit chain, dubbed KISMET by Citizen Lab researchers [1], abused a then-unknown iOS flaw present in versions up to at least 13.5.1 to gain initial access. Described as 'zero-click', the exploit required no user interaction to succeed and could compromise Apple's then-latest iPhone 11.

Because iMessage is installed by default on every iPhone and cannot be removed, any device that has not yet been updated to iOS 14 (the current release at the time of writing) remains exposed, so the potential attack surface is extremely large. Citizen Lab reported that it does not believe KISMET works against iOS 14 and later, which added new security protections.

Course of Action: Update Apple Devices to iOS 14 or Later

SolarWinds Supply Chain Attack

SolarWinds Inc., a US-based network management software vendor [2], was the target of a supply chain attack in which updates to its Orion platform were trojanized [3] with the SUNBURST backdoor. SolarWinds believes [4] that fewer than 18,000 customers installed a trojanized version of the product. Reported victims [5] include FireEye, the US Department of Commerce, the US Department of Homeland Security and the US Treasury Department.

Increased scrutiny of supply chains and technology stacks, especially within government, will certainly continue. The SolarWinds attack highlights that organizations, even those with the resources of FireEye or the US government, are only as secure as their weakest link, in this case the trust placed in a vendor's update channel.

Courses of Action:

  • Review the official SolarWinds security advisory page [6].
  • Review the US Cybersecurity and Infrastructure Security Agency's Emergency Directive [7] on mitigating the SolarWinds Orion code compromise.
  • Review FireEye's technical blog post [8] detailing detection opportunities.
  • Review Microsoft's technical blog post [3] detailing recommended defenses.

Critical Oracle WebLogic Flaw CVE-2020-14882 Used to Distribute Various Malware

Researchers at Juniper Networks observed [9] various attack vectors and payloads delivered through exploitation of CVE-2020-14882, a critical (CVSS 9.8) flaw in the Oracle WebLogic Server administration console that an unauthenticated attacker can exploit over HTTP.

The payloads distributed as part of the exploitation include:

  • Perlbot
  • Mirai
  • Meterpreter
  • DarkIRC Bot
  • Cobalt Strike

The ease of exploitation, coupled with multiple proof-of-concept exploits published online [10], will only increase the number of exploitation attempts and successes.
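The public proof-of-concept cited above reaches the console by requesting a static resource path under /console/css/ with a double-URL-encoded ".." that resolves to console.portal, and then passes a Java class constructor in the handle= parameter. The scanner below, an added example that is not part of the EclecticIQ report or Juniper's post, flags that request shape in web server access logs; the log lines are constructed for the example (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, and the single-encoded variant on the fourth line is assumed rather than taken from the PoC).

```python
"""Flag access-log entries matching the CVE-2020-14882 request shape.

Added example with constructed sample data, not code from the report or
from Oracle/Juniper. It detects three indicators independently so that a
variant which drops one of them is still caught: a multiply percent-encoded
path under /console/, a traversal that lands on console.portal from the
unauthenticated static css path, and a handle= value that names a Java
class constructor.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (NCSA-style). Only the third and fourth are hostile.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2020:10:01:12 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [01/Dec/2020:10:01:40 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.7 - - [01/Dec/2020:10:02:03 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27id%27)%22) HTTP/1.1" 200 1337
198.51.100.9 - - [01/Dec/2020:10:02:30 +0000] "GET /console/css/..%2fconsole.portal?_nfpb=true HTTP/1.1" 200 800
10.0.0.5 - - [01/Dec/2020:10:03:00 +0000] "GET /console/css/console.css HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A dotted Java class name followed by '(' - the shape of a constructor call.
JAVA_CTOR_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+\s*\(")


def decode_layers(s, limit=5):
    """Percent-decode repeatedly; return (final text, number of layers removed)."""
    layers = 0
    while layers < limit:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
        layers += 1
    return s, layers


def analyze_target(target):
    """Return the list of indicators found in one request target ('' path + query)."""
    reasons = []
    parts = urlsplit(target)
    if not parts.path.lower().startswith("/console/"):
        return reasons  # only the WebLogic console is in scope

    decoded, layers = decode_layers(parts.path)
    if layers >= 2:
        reasons.append("double-encoded console path")

    # Compare what the client wrote with what the container will resolve.
    if ".." in decoded.split("/"):
        reasons.append("path traversal in console path")
        resolved = posixpath.normpath(decoded).lower()
        if parts.path.lower().startswith("/console/css/") and resolved.endswith("/console.portal"):
            reasons.append("static css path resolves to console.portal (auth bypass)")

    for value in parse_qs(parts.query).get("handle", []):
        if JAVA_CTOR_RE.match(value):
            reasons.append("handle= instantiates Java class " + value.split("(", 1)[0])
    return reasons


def scan_log(text):
    """Parse NCSA-style lines and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_target(m.group("target"))
        if reasons:
            alerts.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        # A 200 on the traversal path means the console answered the request.
        print(f"{alert['ip']} status={alert['status']} {alert['target'][:60]}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

A 200 response on a flagged line is the signal to escalate: it means the console served the request rather than redirecting to the login form, which is exactly the authentication bypass the PoC relies on. Point `scan_log` at a real access log and extend `JAVA_CTOR_RE` or the parameter list if your logs show other gadget carriers.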

Course of Action: Review Oracle's October 2020 Critical Patch Update advisory and confirm the WebLogic Server fixes are installed; where patching is delayed, restrict network access to the administration console.

Patched Vulnerabilities

Microsoft December 2020 Patch Tuesday Advisory

Microsoft addressed a total of 58 vulnerabilities as part of its December 2020 Patch Tuesday advisory. Of the 58 vulnerabilities fixed, nine are classified as Critical, 46 as Important and three as Moderate. This is a comparatively low count, as Microsoft's monthly totals exceeded 100 for much of 2020.

The critical vulnerabilities addressed in December 2020 include:

  • CVE-2020-17158, CVE-2020-17152 - Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerabilities
  • CVE-2020-17131 - Chakra Scripting Engine Memory Corruption Vulnerability
  • CVE-2020-17117, CVE-2020-17132, CVE-2020-17142 - Microsoft Exchange Remote Code Execution Vulnerabilities
  • CVE-2020-17121, CVE-2020-17118 - Microsoft SharePoint Remote Code Execution Vulnerabilities
  • CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability

Course of Action: Review the December 2020 Microsoft Patch Tuesday advisory

Recommendations

EclecticIQ Fusion Center recommends applying security updates to affected systems as soon as they become available to mitigate the risks posed by the vulnerabilities mentioned in this report. This report summarizes the main vulnerabilities EclecticIQ analysts observed over the course of the month and does not reflect the full list of CVE information published by vendors.

Users should keep all dependent systems updated, including those not mentioned in this report.

References

  1. https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/
  2. https://www.solarwinds.com/
  3. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  4. https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/57108215-4458-4dd8-a5bf-55bd5e34d451.pdf
  5. https://www.govtech.com/security/Federal-Agencies-Think-Tank-Targeted-in-Russian-Hacking-Spree.html
  6. https://www.solarwinds.com/securityadvisory
  7. https://cyber.dhs.gov/ed/21-01/
  8. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  9. https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability
  10. https://github.com/jas502n/CVE-2020-14882
