EclecticIQ Monthly Vulnerability Trend Report - February 2019

Routers

MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) is vulnerable to an intermediary vulnerability ( CVE-2019-3924 ). The software will execute user defined network requests to both WAN and LAN clients. A remote unauthenticated attacker can use this vulnerability to bypass the router's firewall or for general network scanning activities.

At the time of this report, EclecticIQ Fusion analysts have not seen any attack patterns or indicators relating to the exploitation of this vulnerability.

Courses of Actions: A fix has been released on February 11, 2019 in all RouterOS release channels. 

Operating Systems

Multi-Platform

Multiple different computer device types were found to be vulnerable to a Thunderbolt hardware interface vulnerability named "Thunderclap" which could attackers who have physical access to the devices the opportunity to launch a an attack and compromise the device.

A research team released the "Thunderclap platform" on GitHub, which is a collection of ready-made proof-of-concept code to create malicious Thunderclap peripherals.

Courses of Action: Disable the Thunderbolt ports on your machine.

 iOS

Apple released the iOS 12.1.4 software update to patch the Group FaceTime privacy bug ( CVE-2019-6223) and three zero-day vulnerabilities ( CVE-2019-7286 , CVE-2019-7287 and CVE-2019-7288 ), two of which were being exploited in the wild.

Courses of Action: It is highly recommended to update Apple devices with iOS 12.1.4 release, which is available for the iPhone 5S, and later, iPad Air and later, and iPod touch 6th generation.

A vulnerability ( iOS Siri Shortcuts App ) in the Siri Shortcuts feature, added by Apple to its iOS 12, might be abused by threat actors to perform various malicious activities. This includes launching scareware attacks to trick victims into believing their data had been compromised.

Courses of Action: Limit Shortcut and App Permissions. 

Linux

Security researchers identified a Use After Free Arbitrary Code Execution Vulnerability ( CVE-2019-8912 ) in Linux Kernel 4.20.10 and prior. This could lead to a denial of service condition if the exploit fails. EclecticIQ Fusion analysts have not observed any uses of this exploit in the wild at the time of this report.

There is a major vulnerability ( CVE-2019-7304 ) dubbed "Dirty Sock" affecting multiple Linux distributions that could allow threat actors to create root-level accounts on compromised Linux machines. The vulnerability resides in the Snapd daemon used by Ubuntu and other Linux distributions.

MacOS

A security researcher discovered a zero-day vulnerability ( KeySteal ) affecting Apple's macOS desktop operating system. It allows a malicious application running on the desktop version of the macOS operating system access to password files stored in Keychain, a macOS in-built password-managing system.

The KeySteal proof-of-concept exploit is not publicly available, though Apple security experts confirmed it is can be exploited. 

Cloud Hosting

AWS

Security researchers discovered a major vulnerability ( CVE-2019-5736 ) in runc tool, which serves as a default container runtime for Docker, containerd, Podman, and CRI-O. The vulnerability allows the threat actors to gain root-level access and execute malicious code on the targeted container host.

Courses of Action: Enable enforcing mode in SELinux, Apply RPM updates from the RHEL 7 Extras channel.

Protocols

Bluetooth

Security researchers identified multiple flaws ( AEG Smart Scale PW 5653 BT - Changing privacy settings , AEG Smart Scale PW 5653 BT - Changing device name , AEG Smart Scale PW 5653 BT - Denial of Service, AEG Smart Scale Mobile application (Smart Scale) - Man-in-The-Middle ) affecting IoT Smart Scale of the Chinese AEG brand that might allow attackers to perform a vast array of malicious activities.

Courses of Action: Do not use the Smart Scale mobile applications

Other Technologies

Email Services

Microsoft patched multiple vulnerabilities as part of its February 2019 Patch Tuesday release, including a zero-day Internet Explorer (IE) flaw under active exploitation ( CVE-2019-0676 ), and an Exchange Server (ES) flaw disclosed with a proof-of-concept exploit ( CVE-2019-0686 ).

Courses of Action: Apply February 2019 Microsoft Updates to Mitigate 0 Days and other Vulnerabilities. 

Miscellaneous

The exploitation of an old vulnerability ( CVE-2017-11882 ) has seen a major uptick in February 2019. The most of the attacks exploiting this vulnerability includes a phishing campaign of some sort, and the delivery of a malware variant after exploitation.

Malware and TTPs 

The following tools, malware, and attack patterns are general threats that have been observed by EclecticIQ analysts in February 2019:

Malware

• Malware: VenomKit
• Malware: Arkei
• Malware: Cr1ptT0r
• Malware: KerrDown
• Malware: Shlayer
• Malware: VIDAR 

Attack Patterns 

• Attack Pattern: Phishing Emails deliver CVE-2017-11882 RTF exploit doc
• Attack Pattern: Exploitation of CVE-2019-7286 to Gain Privileged Access
• Attack Pattern: B0r0nt0K Infecting Windows and Linux Systems
• Attack Pattern: Embedded Excel Workbooks Launches PowerShell
• Attack Pattern: Pivoting and Lateral Movement by Exploiting Multiple Vulnerabilities
• Attack Pattern: Phishing Ads Served to Users of Hardware Specific Devices 

The above attack patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviors not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs. 

Users should ensure they manually update their own systems dependent even if they are not mentioned in this report.

We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.