Main author: Aaron Roberts, Threat Intelligence Analyst, of EclecticIQ Fusion Center
This report is aimed to provide customers with an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.
Key Findings:
· Major updates for iOS, Android, and Windows Web Browser Edge.
· CVE-2018-5390 relating to the SegmentSmack vulnerability published in early August 2018.
· Total of 23 exploits for known vulnerabilities identified since 1st July.
Analysis
Operating Systems
July saw Apple release security updates ( Apple Patches 76 Security Issues with Latest Software Releases ) for 76 separate vulnerabilities across its product suite. The majority of which were for its iOS mobile platform, with 11 fixes for macOS High Sierra. The flaws predominantly link to memory-corruption issues which may allow the execution of arbitrary code if exploited.
Google released 44 security updates for Android ( Google Patches Critical Remote Code Execution Bugs in Android OS ), the most severe of which ( CVE-2018-9433 ) was a critical flaw in the Android OS Media framework, which could allow a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
In July, there was the emergence of the "RAMpage" vulnerability ( CVE-2018-9442 ) in Android devices. The report "Rowhammer Variant ‘Rampage’ Targets Android Devices All Over Again" details this vulnerability and its impact on all Android devices manufactured since 2012.
Microsoft issued updates to 17 Critical vulnerabilities in July ( Microsoft July Security Updates Are Mostly Browser-Related ), the majority of which were browser-related, the vendor patched 44 issues in total. According to the vendor, there were no critical vulnerabilities patched in the Microsoft Windows operating system and none of the flaws patched by Microsoft in July 2018 were listed as publicly known or under active attack.
The report "New Crypto-Mining Malware ZombieBoy Exploits Multiple CVEs for Maximum Impact" was also issued in July, which explains how this new malware looks to exploit a remote desktop protocol (RDP) vulnerability on XP and Server 2003 ( CVE-2017-9073 ), and Server Message Block (SMB) exploits ( CVE-2017-0143 , CVE-2017-0146 ).
Routers
The biggest router-based vulnerability that appeared in July was CVE-2017-17174 . This flaw is a weak algorithm vulnerability in some Huawei products. To exploit the vulnerability, a remote, unauthenticated attacker has to capture TLS traffic between clients and the affected products. The report "Huawei Enterprise and Broadcast Products Have a Crypto Bug" has more information about this specific vulnerability.
Browsers
As above, the majority of Microsoft's Patch Tuesday update was assigned for Browser updates, these included information disclosure vulnerabilities in Edge ( CVE-2018-8289 , CVE-2018-8297 , CVE-2018-8324and CVE-2018-8325 ).
Apple's security update was covered in the report "Apple Patches 76 Security Issues with Latest Software Releases" , at the time of writing, the full details of the vulnerabilities were yet to be published.
Databases
July saw five vulnerabilities relating to Database software, none of which are advertised as critical:
· CVE-2018-2939
· CVE-2018-3004
· CVE-2018-8007
· CVE-2018-13863
· CVE-2017-2665
Anonymization
There were two vulnerabilities relating to anonymization technologies since 1st July. CVE-2018-8929affected the Synology SSL VPN Client before 1.2.4-0224. Meanwhile, the Golden Frog VyprVPN before 2018-06-21 had a vulnerability linked to the installation process on Windows systems, tracked as CVE-2018-13133 .
Protocols
Possibly the largest vulnerability released since July is CVE-2018-5390 . This relates to the report "SegmentSmack: Linux Kernel TCP Vulnerability" issued in August 2018.
Processors
There were three vulnerabilities relating specifically to processors in July 2018, relating to Intel SmartSound Technology ( Intel Smart Sound Tech Vulnerable to Three High-Severity Bugs ) - CVE-2018-3666 , CVE-2018-3670 and CVE-2018-3672 .
Cloud Technologies
July saw four flaws published relating to Cloud-based technologies, all of which related to Jenkins AWS. Three of these vulnerabilities linked to improperly protected credentials, the other vulnerability being a File and Directory Information Exposure flaw. These were tracked as CVE-2018-1000401 , CVE-2018-1000402 , CVE-2018-1000403 and CVE-2018-1000404 .
Other Vulnerabilities
The following vulnerabilities were also published since 1st July, but do not fit into the categories above:
| · CVE-2017-10271 | · CVE-2018-8305 |
| · CVE-2018-5925 | · CVE-2018-8306 |
| · CVE-2018-5924 | · CVE-2018-8310 |
| · CVE-2018-0871 | · CVE-2018-8312 |
| · CVE-2017-10271 | · CVE-2018-8323 |
| · CVE-2017-0143 | · CVE-2018-8324 |
| · CVE-2018-10562 | · CVE-2018-8325 |
| · CVE-2018-8260 | · CVE-2018-8326 |
| · CVE-2018-8281 | · CVE-2018-8327 |
| · CVE-2018-8282 | · CVE-2018-8234 |
| · CVE-2018-8289 | · CVE-2017-0145 |
| · CVE-2018-8297 | · CVE-2017-0144 |
| · CVE-2018-8299 | · CVE-2017-0146 |
| · CVE-2018-8300 | · CVE-2017-0148 |
These vulnerabilities cover flaws in Microsoft Office (remote code execution vulnerability in CVE-2018-8281), printers (HP Printers specifically in CVE-2018-5924 and CVE-2018-5925 ), PowerShell (remote code execution vulnerability in the PowerShell Editor, tracked as CVE-2018-8327 ) and Active Directory (cross-site scripting (XSS) vulnerability in Active Directory tracked as CVE-2018-8326 ) among others.
Exploits for Vulnerabilities
Since 1st July, the following exploits of vulnerabilities have been captured as Attack Patterns and TTPs by EclecticIQ analysts:
· Attack Pattern: Muhstik Botnet used for DDoS attack
· Attack Pattern: Exploitation of CVE-2017-0144 to Drop PowerGhost Script
· Attack Pattern: Weaponised Phishing Email Exploits Two Microsoft Office vulnerabilities
· Attack Pattern: Underminer EK Exploits CVE-2015-5119 to deliver Hidden Mellifera Miner
· Attack Pattern: Underminer EK Exploits CVE-2016-0189 to deliver Hidden Mellifera Miner
· Attack Pattern: Underminer EK Exploits CVE-2018-4878 to deliver Hidden Mellifera Miner
· Attack Pattern: Sold in hacking forums to harvest data
· Attack Pattern: Scanning and Targeting Port 8080
· Attack Pattern: Chaining Exploits to install malware
· Attack Pattern: Loading malicious JavaScript into the victim’s browser
· Attack Pattern: Muhstik Botnet used for DDoS attack
· Attack Pattern: Phishing emails introducing browser-based zero-day exploits
· Attack Pattern: D-Link Devices - UPnP SOAP TelnetD Command Execution (Metasploit)
· Attack Pattern: MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution (Metasploit)
· Attack Pattern: Multiple CCTV-DVR Vendors - Remote Code Execution
· Attack Pattern: Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)
· Attack Pattern: Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Remote Code Execution (Metasploit)
· Attack Pattern: Magnitude EK Exploits CVE-2018-8174 and Serves Magniber Loader
· Attack Pattern: Decoy Word File Exploits CVE-2017-11882 to Drop Hussarini Backdoor
· Attack Pattern: Scans for CVE-2017-5638
· Attack Pattern: Spam emails with malicious documents exploiting CVE-2017-0199 and CVE-2017-11882
· Attack Pattern: Weaponised PDF Exploits CVE-2018-4990 and CVE-2018-8120
· Attack Pattern: Attempting to exploit CVE-2018-7600
The above Attack Patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviors not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.
Recommendations
EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.
Users should ensure they manually update their own systems dependent even if they are not mentioned in this report.
We hope you enjoyed this post. Follow our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.
