Fusion Center
February 7, 2019

EclecticIQ Monthly Vulnerability Trend Report - January 2019

EclecticIQ Fusion Center Monthly Vulnerability Report

This post is aimed to provide an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings

  • Linux-based operating systems have been affected by vulnerabilities in the Advanced Package Tool (APT) and systemd.
  • Windows has been affected by a zero-day. The security researcher's PoC code overwrites 'pci.sys' with information about software and hardware problems.
  • Microsoft's January 2019 Patch Tuesday release includes patches for approximately 50 vulnerabilities affecting Edge, Hyper-V, and DHCP.
  • Google has patched 27 vulnerabilities in Android.
  • Cisco has patched a number of vulnerabilities affecting its SD-WAN Solution and Webex products.

Analysis

Routers

A vulnerability classified as very critical was found in Cisco Linksys routers up to the E4200 (router operating system). The issue affects part of the file tmUnblock.cgi: manipulation of the argument ttcp_ip with unknown input leads to privilege escalation.

Operating Systems

Windows

A security researcher has disclosed exploit code for a zero-day vulnerability affecting Windows operating systems that enables overwriting a target file with arbitrary data. Running the researcher's PoC code results in overwriting 'pci.sys' with information about software and hardware problems collected by the Windows Error Reporting (WER) event-based feedback infrastructure. The cyber-security firm Acros Security has released a temporary patch for two Windows zero-day vulnerabilities.

Microsoft’s January 2019 Patch Tuesday release includes patches for approximately 50 vulnerabilities, of which seven are critical bugs affecting Edge, Hyper-V, and DHCP.

Linux

A security researcher has identified a remote code execution vulnerability (CVE-2019-3462) in the Advanced Package Tool (APT) software used on Debian, Ubuntu and other Linux distributions.

Qualys Security researchers have detected three vulnerabilities affecting systemd, a system and service manager used by major Linux distributions.

Android

Google has patched 27 vulnerabilities in Android with its January 2019 Patch Tuesday update.

The most severe issue patched in the course of the latest update was a critical remote code execution vulnerability (CVE-2018-9583) within an Android System component. The other bugs fixed within the Android System include four high-risk privilege escalation flaws and seven high-severity information disclosure vulnerabilities, which affect Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.

A vulnerability in Skype for Android allows an unauthenticated attacker to view photos and contacts, and open links in the browser (Skype Call bypass phone's lock code).

Security researchers have discovered a new flaw in the Chrome browser, which could enable threat actors to use a device’s profile in order to exploit vulnerabilities in a targeted fashion. The flaw was discovered three years ago but has only been partially addressed by Google in Chrome version 70, as the company claimed the Android OS is working as intended. It should be noted that the vulnerability has not been designated a CVE as it is not considered a security issue by Google or Mitre.

Web Browsers

Edge

Four critical vulnerabilities (CVE-2019-0539, CVE-2019-0565, CVE-2019-0567 and CVE-2019-0568) affect the Edge browser. Most of them are memory corruption bugs which reside in the "Chakra" scripting engine. If exploited, all four bugs may lead to arbitrary code execution in the context of the current user.

Processors

Security researchers have identified memory corruption vulnerabilities (CVE-2018-4456 and CVE-2018-4421) within the IntelHD5000 kernel component, which occur when working with graphics resources inside Apple OSX 10.13.4.

Databases

An unprotected MongoDB instance was found by third-party researchers containing a database of 854 GB of personal resume details of Chinese citizens. The database was secured shortly after the discovery, but MongoDB logs show that several IP addresses accessed the database beforehand.

Administrative Tools

Security researchers have identified five vulnerabilities (CVE-2018-20685, CVE-2019-6111, CVE-2018-20684, CVE-2019-6109 and CVE-2019-6110) in the design of Secure Copy Protocol (SCP) which can be leveraged by malicious servers to overwrite arbitrary files on a computer connected via SCP.
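The design weakness behind these SCP findings is that the server, not the client, names what gets written to disk. As an added illustration (not code from this report, from EclecticIQ or from any SCP implementation), the following hypothetical client-side policy vets each server-sent header before acting on it: the name must be a bare filename, free of path separators and control characters, and must match what the client actually requested. The header strings are constructed samples in the scp wire format; function names are assumptions.

```python
import fnmatch
import re

# scp wire headers for a regular file ("C") or a directory ("D"):
#   C<mode> <size> <name>   e.g. "C0644 12 notes.txt"
#   D<mode> 0 <name>        e.g. "D0755 0 docs"
_HEADER = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def parse_header(line):
    """Return (kind, mode, size, name) for a C/D header, or None if malformed."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    kind, mode, size, name = m.groups()
    return kind, int(mode, 8), int(size), name


def is_safe_name(name, requested):
    """Hypothetical client policy: the server-supplied name must be a bare
    filename (no separators, not '.' or '..'), carry no control characters
    that could drive the terminal, and match the name or glob requested."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return False
    return fnmatch.fnmatchcase(name, requested)


def vet_entry(line, requested):
    """Decide whether a server-sent header may be acted on; returns (ok, reason)."""
    parsed = parse_header(line)
    if parsed is None:
        return False, "malformed header"
    kind, _mode, _size, name = parsed
    if not is_safe_name(name, requested):
        return False, "unsafe or unexpected name: %r" % name
    return True, "%s %s" % ("file" if kind == "C" else "dir", name)


# Constructed headers a hostile server might send when the client asked for "report*.txt"
SAMPLE_HEADERS = [
    "C0644 2048 report-jan.txt",          # legitimate
    "C0644 39 ../.ssh/authorized_keys",   # traversal out of the destination directory
    "C0600 120 .bashrc",                  # dotfile the client never asked for
    "D0755 0 ..",                         # directory header pointing at the parent
    "C0644 5 report\x1b[2Jjan.txt",       # escape sequence aimed at the terminal
]
```

Only the first sample header passes `vet_entry(hdr, "report*.txt")`; the rest are refused with a reason a client could log.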

Other Technologies

WiFi

A new vulnerability affecting the Wi-Fi system-on-a-chip Marvell Avastar, which is used in billions of devices worldwide, could be triggered during the device’s scanning for available Wi-Fi networks, which it does every five minutes.

Miscellaneous

Security researchers have identified that threat actors are actively exploiting a recently identified vulnerability in the ThinkPHP open source framework to expand two Mirai-based botnets, dubbed Malware: Gafgyt and Malware: Yowai.

Courses of Action

Cisco has patched a number of vulnerabilities affecting its SD-WAN Solution and Webex products. Cisco recommends the following CoAs:

  • Apply the patch for the Cisco Webex product affected by an arbitrary code execution vulnerability in versions earlier than 3.0.10260.
  • Apply patches for SD-WAN Solution vulnerabilities affecting versions prior to 18.4.0.
  • Request Cisco support to fix the SD-WAN Solution arbitrary code execution flaw affecting vContainers.

Malware and TTPs

The following tools, malware, and attack patterns are general threats that have been observed by EclecticIQ analysts in January 2019:

Tools

  • Tool: PrivExchange
  • Tool: Modlishka

Malware

  • Malware: BlackRouter
  • Malware: Razy
  • Malware: OSX/Dok
  • Malware: MOBSTSPY
  • Malware: NRSMiner

Attack Patterns

  • Attack Pattern: Exploiting GoDaddy DNS Renewal Protocol to Hijack Legitimate Domains
  • Attack Pattern: Access user's Whatsapp history in new device
  • Attack Pattern: HiddenAd disguised as game, TV and remote control apps downloaded via Google Play store
  • Attack Pattern: Side-channel attack utilising mincore on Linux and QueryWorkingSetEx on Windows

The above Attack Patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviors not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.

Recommendations

EclecticIQ Fusion Center recommends users to apply security updates to their systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems and dependencies, even if these are not mentioned in this report.
