EclecticIQ Monthly Vulnerability Trend Report - November 2018
This post aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, the report provides knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such does not include every vulnerability announced that month.
- Security researchers have recently discovered two vulnerabilities (CVE-2018-16986, CVE-2018-7080), dubbed BLEEDINGBIT, in Bluetooth Low Energy chips
- 8 critical vulnerabilities were patched in Microsoft's Edge Chakra Scripting Engine which allowed remote code execution
- CVE-2018-8589 was also patched by Microsoft and had been observed being exploited by an unknown group in attacks aimed at entities in the Middle East
- Microsoft patched CVE-2018-8373, which was a favorite target of the Intrusion Set: Darkhotel
Several remote code execution vulnerabilities that affected SOHO routers were patched by TP-Link.
Microsoft addressed a total of 63 vulnerabilities in November's Patch Tuesday. Two publicly known vulnerabilities include a Windows ALPC elevation of privilege flaw, CVE-2018-8584, and a BitLocker security feature bypass vulnerability, CVE-2018-8566.
CVE-2018-8589 was also patched by Microsoft and had been observed being exploited by an unknown group in attacks aimed at entities in the Middle East (Attack Pattern: Exploitation of CVE-2018-8589). The vulnerability exploited in the attacks is a privilege escalation vulnerability in Windows that allowed threat actors to execute arbitrary code in the context of the local user.
CVE-2018-19406 and CVE-2018-19407 are two new Linux kernel vulnerabilities that allow a local user to cause denial of service.
Security researchers have discovered a serious vulnerability in the Android operating system that might allow threat actors to track a user's location when the user is in close proximity to a WiFi router. CVE-2018-9581 derives from Android's inter-process communication enabling cross-process information leakage. The vulnerability might be exploited by threat actors for surveillance purposes and/or for planning burglaries.
An iOS 12.1 passcode bypass allows a user to access contacts without authentication: by changing an active call to FaceTime you can access the contact list while adding more people to the Group FaceTime, and by using 3D Touch on each contact you can see more contact information.
8 critical vulnerabilities were patched in Microsoft's Edge Chakra Scripting Engine which allowed remote code execution.
Microsoft patched CVE-2018-8373, which was a favorite target of the Intrusion Set: Darkhotel.
CVE-2017-11869, an Internet Explorer vulnerability, allows an attacker to gain the same user rights as the current user, due to how Microsoft browsers handle objects in memory, aka "Scripting Engine Memory Corruption Vulnerability."
A couple of Hadoop vulnerabilities were reported. One came from Radware Threat Research Center, regarding a malicious agent that is leveraging the Hadoop YARN RCE in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot. Also, a zip slip vulnerability is exploitable in several Hadoop versions where a zip file is accepted. This is reported in CVE-2018-8009.
Several critical patches were released for SAP. Two remote code execution vulnerabilities (CVE-2018-1270, CVE-2018-1275) were patched in the Spring Framework library used by SAP HANA Streaming Analytics. If exploited, the flaws might enable unauthorized code execution, allowing an attacker to access arbitrary files and directories located in the SAP server file system. Another critical SAP security note patches four vulnerabilities (CVE-2018-2488, CVE-2018-2489, CVE-2018-2490, CVE-2018-2491) in the SAP Fiori Client for Android, the native mobile application used for communication with the SAP Fiori server. The flaws include a denial of service issue, a remote HTML injection flaw, missing authorization checks, and information disclosure. The same note also fixes a fifth vulnerability (CVE-2018-2485), which allows an attacker to perform arbitrary tasks such as data exfiltration using a malicious application targeting the bug.
An integer overflow bug affecting virtual network devices was discovered in VMware Workstation. CVE-2018-6983 could be exploited to execute code on the host from the guest system.
Security researchers have recently discovered two vulnerabilities (CVE-2018-16986, CVE-2018-7080), dubbed BLEEDINGBIT, in Bluetooth Low Energy chips, which would allow threat actors to take control over devices without authentication or breach a network.
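As an added example (not code from the report or from Hadoop), the following Python snippet illustrates the zip slip defect behind CVE-2018-8009 and the mitigating check: each archive entry name is resolved against the destination directory and rejected if it would land outside it. The archive, its entry names and the helper functions are all constructed for this example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and one that traverses
    out of the extraction directory (the zip slip pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/config.xml", "<conf/>")
        zf.writestr("../../tmp/evil.sh", "#!/bin/sh\n")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if the entry name resolves to a path inside dest."""
    if os.path.isabs(name) or name.startswith("\\"):
        return False  # absolute entry names are never acceptable
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    # commonpath avoids the prefix trap (/tmp/out vs /tmp/out2) that a
    # plain startswith() check would fall into
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay under dest; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)  # log/alert on this in production
                continue
            zf.extract(info, dest)
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run the check on the constructed archive inside a temporary directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_zip(), dest)
```

The rejected list is what a detection rule would key on: an upload or job submission that contains traversal entry names is itself a signal worth alerting on.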
CPU AMD and Intel
CVE-2018-5407, dubbed "PortSmash", uses a timing attack in order to steal information from processes running on a CPU core with SMT/hyper-threading enabled. This attack could allow threat actors to steal private decryption keys from OpenSSL threads running on the same CPU core as the malicious process.
Five vulnerabilities were found to affect the Accu-Chek glucose testing devices, CoaguChek anticoagulation therapy devices, and the Cobas portable point-of-care systems. All of the affected devices consist of a base unit and a handheld wireless device, enabling a threat actor to compromise the base unit through a local network and then target the handheld device. A threat actor on the same network could exploit the vulnerabilities to bypass authentication to an advanced interface, execute code using specific medical protocols, and drop arbitrary files onto the file system.
Exploits for Vulnerabilities
The following attack pattern TTPs were observed by EclecticIQ analysts in November 2018:
- Attack Pattern: Leveraging ETERNAL family of Exploits to Target Routers through CVE-2017-7494 and CVE-2017-0144
- Attack Pattern: Rowhammer ECCploit
- Attack Pattern: Monero Mining with Linux.BtcMine.174
- Attack Pattern: Exploiting CVE-2018-7600
- Attack Pattern: Mirai Variant Exploiting Hadoop YARN RCE
- Attack Pattern: Use of Dirty COW exploit for privilege escalation
- Attack Pattern: Use of Drupalgeddon 2 Exploit
- Attack Pattern: Exploiting CVE-2018-15981
- Attack Pattern: Exploitation of CVE-2018-8589
- Attack Pattern: Exploiting online video feature in Microsoft Office to deliver malware
- Attack Pattern: Exploiting CVE-2018-15961 to install China Chopper Malware
- Attack Pattern: Exploiting CVE-2018-5407 to Steal OpenSSL Private Decryption Keys
- Attack Pattern: Exploitation of CVE-2018-14665
- Attack Pattern: Exploiting mobile point of sales terminals via Bluetooth
- Attack Pattern: Exploiting CVE-2018-15688
The above attack patterns are sometimes tied to the tactics of specific threat actors, but are also sometimes observed as behaviors not linked to a particular adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.
EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. It is worth noting that this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.
Users should ensure they manually update their own systems and dependencies even if they are not mentioned in this report.
We hope you enjoyed this post. Follow us here for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.