Key Findings
- Security researchers have detected more than 100 distinct exploits targeting a code execution vulnerability CVE-2018-20250 affecting all WinRAR versions released over the past 19 years.
- Multiple WordPress vulnerabilities have been discovered, some of which have been exploited in the wild.
- Researchers discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack has been dubbed ShadowHammer.
Analysis
ShadowHammer
In January 2019, researchers discovered a sophisticated supply chain attack, dubbed ShadowHammer, involving the ASUS Live Update Utility. The attack took place between June and November 2018 and affected a large number of users.
The attackers hardcoded a list of MAC addresses in the trojanized samples to identify the targets of this operation. This has stayed undetected for so long partly due to the fact that the trojanized updaters were signed with legitimate certificates hosted on the official ASUS update servers.
Victim distribution by country for the compromised ASUS Live Updater affects users the most from Russia, Germany, France, Italy, and the United States.
Courses of Action:
- Check MAC addresses online to see if you have been targeted by this operation
- Use ASUS diagnostic tool to check for affected systems
- Update to latest fixed version 3.6.8 Live Update software
Operating Systems
Windows
A Zero-Day vulnerability CVE-2019-0808 was discovered which could let an attacker elevate their local privileges. It exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
Course of Action:
- Patches for the affected software can be found here.
Another Privilege Escalation Zero-Day Vulnerability was discovered, designated as CVE-2019-0797 , which exists because of a race condition that is present in win32k driver due to lack of proper synchronization.
Course of Action:
- Apply Microsoft Security Patch
Administrative Tools
SSH
Multiple vulnerabilities in the popular SSH client PuTTY have been patched by its developers. The vulnerabilities range in severity and type, from a PuTTY DSA signature check bypass that could allow a man-in-the-middle attacker to silently compromise SSH sessions to PuTTY Terminal DoS Attacks.
The other vulnerabilities are:
- Buffer Overflow in Unix PuTTY Tools
- PuTTY Code Execution via CHM Hijacking
- Reusing Cryptographic Random Numbers in PuTTY
- PuTTY Integer Overflow Flaw
- PuTTY Authentication Prompt Spoofing
Course of Action:
- Update PuTTY to 0.71
Processors
Intel Processors
Security researchers have uncovered a new vulnerability, Intel Processors SPOILER Microarchitectural Leakage, which affects all Intel processors and might allow threat actors to steal sensitive data from applications running on a user’s device using speculative execution on chips.
The flaw is a result of a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem, which directly leaks timing behaviour due to physical address conflicts.
It could allow attackers to obtain passwords, keys, and other highly sensitive data from machine memory.
Content Management Systems
WordPress
The Easy WP SMTP Object Injection Vulnerability exists in the “Easy WP SMTP” plugin, which allows threat actors to change site settings, create rogue admin accounts to use as backdoors, and hijack traffic from the vulnerable sites.
Course of Action:
- Upgrade to v1.3.9.1 of Easy WP SMTP
The Social Warfare plugin vulnerability ( Social Warfare XSS Vulnerability ) enables attackers to exploit a flaw that allows anyone visiting a vulnerable site to overwrite its plugin settings. With the ability to modify the social media plugin’s settings, an attacker can pivot and perform more malicious activity.
Course of Action:
- Upgrade to 3.5.3 of Social Warfare
Soon after the patches were releases for Easy WP SMTP Object Injection Vulnerability and Social Warfare XSS Vulnerability , attacks started surfacing.
A major cross-site scripting (XSS) vulnerability ( CVE-2019-9168 ) has been discovered. It resides in the zoom display of the Photoswipe function in the WooCommerce open-source platform .The vulnerability might be exploited by an attacker to inject arbitrary code into a WooCommerce-powered website, hijack the current WooCommerce session, steal sensitive information from WooCommerce site visitors, and control visitors’ browsers.
All the WooCommerce versions prior to 3.5.4 were found to be affected.
Course of Action:
- All users of vulnerable versions of WooCommerce are encouraged to upgrade to the latest version immediately
Browsers
Google Chrome
Google has patched a zero-day vulnerability in the Chrome browser, which was found to have been actively exploited in the wild. According to Google, the vulnerability ( CVE-2019-5786 ) is a use-after-free bug in Google Chrome's FileReader API included in all major browsers to allow web apps to read the contents of files stored on the user's computer. The flaw can be triggered while the user visits a specially crafted webpage.
Course of Action:
- Update Chrome to 72.0.3626.121
Positive Technologies researcher, Sergey Toshin has discovered a new critical vulnerability in Android devices.
The vulnerability ( CVE-2019-5765 ) resides in the WebView component of Chromium engine and affects all Android releases since version 4.4. It might be exploited by an attacker to read information from WebView, which eventually enables them to access the data on the device.
Course of Action:
- Update Google Chrome on Android devices using version 7.0 or later
- Update WebView on Android devices that are using a version earlier then 7.0
IoT
Cisco has patches five high severity vulnerabilities in its business-focused IP Phones. The vulnerabilities impact the web-based management interface of Session Initiation Protocol (SIP) Software of the IP Phone 8800 Series. One of these flaws also affects the 7800 model.
Cisco IP Phone 8800 Series:
- CVE-2019-1765
- CVE-2019-1766
- CVE-2019-1763
- CVE-2019-1764
- CVE-2019-1716
Cisco IP Phone 7800 Series:
- CVE-2019-1716
Course of Action:
- Apply the necessary updates
Other Technologies
Security researchers have detected more than 100 distinct exploits targeting a code execution vulnerability CVE-2018-20250 ) affecting all WinRAR versions released over the past 19 years. Most of the attacks observed use a spearphishing attack to deliver an archive file which exploits the vulnerability, and ultimately assists in the install of various malware on victim computers.
Course of Action:
Update WinRAR to Build 5.70 and Newer
Adobe released an emergency update for its ColdFusion web application development platform to address a zero-day vulnerability ( CVE-2019-7816 ) that has been exploited in the wild. The zero-day flaw has been described by Adobe as a file upload restriction bypass issue that could lead to arbitrary code execution in the context of the ColdFusion service. The attack requires the ability to upload executable code to a web-accessible directory, and then execute the code via an HTTP request.
Course of Action:
Patch Adobe ColdFusion (CVE-2019-7816)
Malware and TTPs
The following tools, malware, and attack pattern are general threats that have been observed by EclecticIQ analysts in March 2019:
Tools
- Tool: POSHC2
- Tool: Py2exe
Malware
- Malware: Gustuff
- Malware: LockerGoga
- Malware: JNEC.a
- Malware Variant: GandCrab ec729b
- Malware Variant: Ursnif 17JR92
- Malware: Qbot
Attack Patterns
- Attack Pattern: WinRAR Ace Vulnerability Exploitation to deploy JNEC.a Ransomware
- Attack Pattern: Exploitation of Container Systems Through CVE-2019-5736 Vulnerability
- Attack Pattern: Exploiting Easy WP SMTP Object Injection Vulnerability to take over as admin on WP site
- Attack Pattern: Spearphishing email targeting Office 365 and G Suite IMAP accounts
- Attack Pattern: Flu-Related Theme Spearphishing Emails Used To Deliver Malicious Word Macro
The above Attack Patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviours not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.
The Attack Pattern: WinRAR Ace Vulnerability Exploitation to deploy JNEC.a Ransomware and Attack Pattern: Exploiting Easy WP SMTP Object Injection Vulnerability to take over as admin on WP site demonstrates how quickly threat actors adopt newly discovered vulnerabilities into their arsenal.
The use of themed spearphishing emails, as can be seen in Attack Pattern: Flu-Related Theme Spearphishing Emails Used To Deliver Malicious Word Macro, is a recurring TTP used in various Malspam campaigns. The success of these types of attacks depends largely on the language proficiency of the threat actor, as grammar and consistent spelling errors could create suspicion which prevents the targeted victim from clicking on the malicious attachment and/or link.
Recommendations
EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.
Users should ensure they manually update their own systems dependent even if they are not mentioned in this report.
We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.
