EclecticIQ
July 17, 2020

EclecticIQ Monthly Vulnerability Trend Report - June 2020

EclecticIQ Monthly Vulnerability Trend ReportThis report provides an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings
  • Microsoft addressed a total of 129 vulnerabilities as part of their monthly Patch Tuesday security advisory making it the largest edition of the advisory to date.
  • Multiple vulnerabilities have been discovered in D-Link DIR-865L Home Routers.
  • A Remote Code Execution Proof of Concept exploit for the CVE 2020-0796 (SMBGhost) vulnerability in SMBv3 has been made publicly available.
Analysis

Exploitation of Vulnerabilities
Remote Code Execution Proof of Concept for SMBGhost CVE 2020-0796

The CVE-2020-0796 vulnerability, also known as SMBGhost, has previously only had a Proof-of-Concept ( PoC ) exploit publicly available to cause a Denial of Service (DoS) condition and a PoC by researchers at ZecOps that demonstrates Local Privilege Escalation (LPE).

In June 2020, a security researcher going by "chompie1337" posted a Remote Code Execution (RCE) exploit PoC for SMBGhost. The PoC is publicly available on the chompie1337's Github page. A full write-up describing the techniques that the researcher used can be found the Ricerca Security blog .

With SMBGhost having multiple PoC exploits publicly available and the similarities to Eternal Blue contributing to public awareness, it is only a matter of time that attacks utilizing the open source exploits are observed in the wild.

  • Course of Action: Apply Official Microsoft Patch for CVE-2020-0796

"Copy-Paste Compromises" Campaign Exploits Various Vulnerabilities

The Australian Cyber Security Center (ACSC) observed a sustained targeting of Australian government and company networks by a sophisticated state-based actor in June 2020.

The campaign, dubbed ‘Copy-Paste Compromises’, heavily used proof of concept exploit code, web shells and other tools copied almost identically from open source. Initial access was gained through the exploitation of publicly facing vulnerable applications.

The ACSC identified successful and attempted exploitation of the following vulnerabilities to gain initial access:

  • CVE-2019-18935 - Used to achieve arbitrary code execution on vulnerable systems. The most common payloads used by the actor were copies of public proof of concept exploit code for a sleep test and reverse shell binary.
  • VIEWSTATE deserialisation vulnerability present in Microsoft Internet Information Services utilizing .NET. The malicious actor utilized this vulnerability to upload a web shell, enabling further interaction with, and compromise of, the affected server. In exploiting this vulnerability, the actor utilized the IIS MachineKey retrieved from a previous compromise of the host by the same actor.
  • CVE-2019-19781 - The actor was identified targeting Citrix products potentially vulnerable to CVE-2019-19781
  • CVE-2019-0604 -The actor was identified targeting vulnerable external, publicly accessible Microsoft SharePoint instances

Lucifer Malware Exploits Multiple High and Critical Vulnerabilities

Researchers at Palo Alto's Unit42 discovered a malware, dubbed Lucifer, with Distributed Denial of Service (DDoS) capabilities as well as being weaponized to exploit multiple vulnerabilities in Windows based systems.

Some capabilities include dropping Malware: XMRig, command and control (C2) operations, self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. In addition, Lucifer drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoors to laterally move through victim intranets.

Some of the observed exploits that Lucifer has been weaponized with include:

  • CVE-2017-0144 - Windows SMB Remote Code Execution Vulnerability (EternalBlue)
  • CVE-2017-0145 - Windows SMB Remote Code Execution Vulnerability
  • CVE-2019-9081 - Laravel Framework Deserialization Vulnerability
  • CVE-2018-20062 - NoneCms Vulnerability
  • CVE-2018-1000861 - Stapler web framework Code Execution Vulnerability
  • CVE-2017-10271 - Oracle WebLogic Server Vulnerability
  • CVE-2018-7600 - Drupal Arbitrary Code Execution Vulnerability
  • CVE-2017-8464 - Windows Shell Arbitrary Code Execution Vulnerability
  • CVE-2014-6287 - Rejetto HTTP File Server Code Execution Vulnerability
  • CVE-2017-9791 - Apache Struts Remote Code Execution Vulnerability
    Course of Action: Update Vulnerable Systems

Newly Discovered Vulnerabilities
D-Link DIR-865L Home Router Vulnerabilities

Security Researchers at Palo Alto Networks’ Unit 42 discovered six vulnerabilities affecting D-Link wireless cloud routers. The discovery was made in February 2020, but D-Link only released patches addressing the flaws in June 2020.

The vulnerabilities, which were all found within the DIR-865L model of D-Link routers, have been assigned as the following:

  • CVE-2020-13785 - Inadequate Encryption Strength.
  • CVE-2020-13782 - Command Injection.
  • CVE-2020-13784 - Predictable seed in a Pseudo-Random Number
  • CVE-2020-13783 - Cleartext Storage of Sensitive Information.
  • CVE-2020-13786 - Cross-Site Request Forgery (CSRF).
  • CVE-2020-13787 - Cleartext Transmission of Sensitive Information.

Actors can possibly steal the session cookies through network sniffing, and eventually access the administrative portal of the router for file sharing. As of June 2020, EclecticIQ Analysts are not aware of any exploitation attempts in the wild.

  • Course of Action: Implement Patching and Mitigation Steps for Vulnerabilities in D-Link DIR-865L Router

Ripple20

Security researchers at JSOF published a detailed report on 19 zero-day vulnerabilities in Treck’s widely adopted low-level TCP/IP library. The vulnerabilities could pose significant risk to organizations, as exploitation could allow attackers remote access and remote code execution.

The vulnerabilities effect a wide variety of technologies and organizations ranging from HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter and many other including technologies associate with medical, transportation, industrial control systems, enterprise, energy, telecom, retail, and commerce.

The US Department of Homeland Security has attributed ratings of 10 and 9.8 on the CVSSv3 vulnerability severity scale (scale goes from 1 to 10) to four of the Ripple 20 vulnerabilities, some which could cause Remote Code Execution:

  • CVE-2020-11896 - CVSSv3 score: 10 - Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in remote code execution.
  • CVE-2020-11897 - CVSSv3 score: 10 - Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in possible out-of-bounds write.
  • CVE-2020-11898 - CVSSv3 score: 9.8 - Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorized network attacker. This vulnerability may result in exposure of sensitive information.
  • CVE-2020-11899 - CVSSv3 score: 9.8 - Improper input validation in IPv6 component when handling a packet sent by an unauthorized network attacker. This vulnerability may allow exposure of sensitive information.

         Course of Action: JSOG Ripple20 Mitigation Recommendations

Patched Vulnerabilities
Microsoft Patch Tuesday 9 June 2020

In June 2020, Microsoft patched a record high of 129 vulnerabilities as part of their monthly Patch Tuesday advisory. Notably, none of the listed flaws have been detailed or exploited prior to this advisory.

Eleven of the 129 vulnerabilities has been described as critical, meaning that if successfully exploited the attacker would gain remote access of the vulnerable targeted machine without any assistance from the user. As with previous Monthly Vulnerability Trend Reports, some of the listed flaws' criticality are exacerbated by the current COVID-19 pandemic which has forced companies to adopt a "work-from-home" culture.

The advisory included three vulnerabilities in the Microsoft Server Message Block (SMB) service. The most serious of the three, CVE-2020-1301, is a remote code execution flaw affecting SMB capabilities present in Windows 7 and Windows Server 2008, both operating systems that Microsoft has stopped issuing security updates for. SMB has been the subject of many vulnerabilities in the past months, which could have contributed to the closer examination and discovery of the newly patched vulnerabilities in this advisory.

The other vulnerabilities of note include:

  • CVE-2020-1225 - Remote code execution in Microsoft Excel.
  • CVE-2020-1226 - Remote code execution in Microsoft Excel.
  • CVE-2020-1229 - Microsoft Outlook Security Feature Bypass Vulnerability
  • CVE-2020-1181 - Remote code execution in Microsoft SharePoint.

         Course of Action: Review June 2020 Microsoft Patch Tuesday Advisory

Recommendations

EclecticIQ Fusion Center recommends to apply security updates to affected systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. This report is a summary of the main vulnerabilities EclecticIQ analysts have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they update their dependent systems even if they are not mentioned in this report.

We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.