This blogpost aims to provide customers with an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.
- A vulnerability in Citrix Application Delivery Controller, Citrix Gateway and certain deployments of Citrix SDWAN has been exploited to install Ragnarok ransomware.
- Microsoft released fixes for 49 vulnerabilities (7 Critical, 41 Important, 1 Moderate) as part of their January 2020 Patch Tuesday advisory.
- Multiple Proof of Concept exploits were released for the BlueGate Remote Desktop Gateway vulnerabilities.
Exploitation of Vulnerabilities
Firefox and Internet Explorer Zero-day Vulnerabilities
In January 2020, cyber-security firm Qihoo 360 posted on Twitter, details on a campaign exploiting zero-day vulnerabilities in the Mozilla Firefox browser as well as Microsoft Internet Explorer. The Firefox zero-day CVE-2019-17026 has been patched by Mozilla in Firefox v72.0.1.
With Firefox and Internet Explorer being used by millions of users worldwide, the impact of these vulnerabilities is critical. Patches (if and when available) should be applied as soon as they are released.
The Firefox zero-day has been categorized as a type confusion vulnerability, which is a memory bug where memory input is initially allocated as one type, but gets switched to another type during manipulation. This could lead to the ability to execute code remotely on the vulnerable system.
Course of Action:
- Update to Firefox v72.0.1
The RCE vulnerability in Internet Explorer exists within the way that the scripting engine handles objects in memory. The vulnerability could lead to memory corruption which enables remote code execution in the context of the current user of the vulnerable system.
Course of Action:
- Apply CVE-2020-0674 Advisory Mitigation and/or Workarounds
On December 17th , 2019 Citrix publicly announced a vulnerability CVE-2019-19781 that had been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler and certain deployments of Citrix SDWAN.
The vulnerability has been actively exploited to install a ransomware called Malware Variant: Ragnarok 7e7c1f. When attackers compromise a Citrix ADC device, various scripts would be downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability. If detected, the scripts would attempt to exploit the Windows devices, and if successful, inject a DLL that downloads and installs the Ragnarok ransomware onto the exploited device.
Course of Action:
- Use the CVE-2019-19781 vulnerability tool to find vulnerable devices
Course of Action:
- Apply Official Fixes for Citrix Devices Affected by CVE-2019-19781
Patch Tuesday January 2020
In January 2020, Microsoft released fixes for 49 vulnerabilities. Of these vulnerabilities, 7 are classified as Critical, 41 as Important, and 1 as Moderate as part of their January 2020 Patch Tuesday advisory.
The 7 Critical vulnerabilities patched include:
- CVE-2020-0603 - ASP.NET Core Remote Code Execution Vulnerability
- CVE-2020-0605 - .NET Core Remote Code Execution Vulnerability
- CVE-2020-0606 - .NET Framework Remote Code Execution Injection Vulnerability
- CVE-2020-0609 - Windows RDP Gateway Server Remote Code Execution Vulnerability (BlueGate)
- CVE-2020-0610 - Windows RDP Gateway Server Remote Code Execution Vulnerability (BlueGate)
- CVE-2020-0640 - Internet Explorer Memory Corruption Vulnerability
- CVE-2020-0646 - .NET Framework Remote Code Execution Injection Vulnerability
The critical vulnerabilities patched include the BlueGate Remote Desktop Gateway flaws CVE-2020-0609 and CVE-2020-0610 which affects Microsoft Windows Server 2012, 2012 R2, 2016, and 2019 versions.
A Denial of Service Proof of Concept (PoC) exploit was published by a Danish researcher going by OllyPwn a couple of days after the flaws were patched by Microsoft. The researcher, together with KryptosLogic security researcher Marcus Hutchins , released PoC scanners that could be used to determine if a system is vulnerable to either CVE-2020-0609 or CVE-2020-0610.
InfoGuard AG penetration tester Luca Marcelli released a Remote Code Execution PoC not long after the initial DoS PoC was released. Marcelli said that he will post a blog detailing how to achieve RCE through exploiting the flaw, but said he will "wait a bit until people had enough time to patch before releasing this to the public."
With proof of concepts being released and tested by every interested party all across the world, it is only a matter of time that the exploits are weaponized and used as part of threat actor's tactics, techniques, and procedures (TTPs). Organizations are generally slow to adopt new security patches, as demonstrated by the prolific exploitation of another critical Remote Desktop vulnerability, BlueKeep CVE-2019-0708.
Following the disclosure of a critical vulnerability in the Windows CryptoAPI (CVE-2020-0601), Kudelski Security and other security researchers analysed the attack chain along with a proof of concept on the 15th January 2020. The company also created a GitHub repository with the Python code, OpenSSL command lines and configuration file.
On 16th January 2020, security researcher Florian Roth shared first samples that have been uploaded to VirusTotal and that triggered his custom Yara rule ( Malware Samples Tagged with CVE-2020-0601). In the following days, EclecticIQ analysts identified an increasing number of samples tagged with CVE-2020-0601.
Analysts assessed with moderate confidence that some of the samples have been uploaded by security researchers testing Yara signatures. It is very likely that adversaries are actively weaponizing malware to exploit CVE-2020-0601.
The NSA initially discovered and issued an advisory on CVE-2020-0601 stating that:
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.
To mitigate all vulnerabilities discussed in the "Patched Vulnerabilities" section, it is strongly recommended to implement the following course of action:
Course of Action
- Apply January 2020 Patch Tuesday
EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.
Users should ensure they manually update their own systems even if no security vulnerabilities have been reported.
We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.