This post is aimed to provide an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.
Key Findings:
- Microsoft patch for a zero day being used by FruityArmor along with 48 other vulnerabilities.
- Apple releases numerous updates for iOS and macOS.
- Google patches 26 vulnerabilities for Android.
- libssh vulnerability CVE-2018-10933 has exploits readily available on MetaSploit and GitHub.
Analysis
Routers
The report Bushido-Powered DDoS Service Whipped Up from Leaked Code identified a new IoT botnet that was exploiting old vulnerabilities CVE-2017-17215 and CVE-2014-8361 . Both vulnerabilities could allow an attacker to execute code.
Operating Systems
Microsoft
Microsoft patched 49 vulnerabilities in Octobers Patch Tuesday, including a zero day that was allegedly used by the Intrusion Set: FruityArmor group. CVE-2018-8453 was identified by Microsoft as Wink32 elevation of privileges bug that exists in Windows when the Win32k component does not properly handle objects in memory. By exploiting the flaw, attackers might execute arbitrary code in the kernel mode using a specially crafted application.
Microsoft also fixed three vulnerabilities publicly disclosed before patches became available. These flaws include a remote code execution vulnerability in Microsoft Jet Database Engine ( CVE-2018-8423 ). This fix however is not fully complete according to Microsoft JET Vulnerability Still Open to Attacks . Microsoft also fixed a privilege escalation bug affecting the Windows kernel ( CVE-2018-8497 ), and a remote code execution weakness impacting Azure IoT ( CVE-2018-8531 ). More details on Microsoft's Patch Tuesday can be found in the report Microsoft Patches Windows Zero-Day Exploited by 'FruityArmor' Group .
Away from Microsoft's own updates, Researcher Finds Simple Way of Backdooring Windows PCs and Nobody Notices for Ten Months identified a flaw with Windows Relative Identifiers (RID). The RID is a code added at the end of account security identifiers (SIDs) that describes the user's permissions group. By manipulating the registry keys that store information about each Windows account, an attacker can modify the RID associated with each account. Then this RID can be changed and assigned to another account group which would also modify the permissions associated with it.
A researcher also published a zero day for Windows on Twitter ( Hacker Releases Windows 0-Day on Twitter ). This flaw is similar to previously disclosed flaw by the same individual, a Micro-patch was made available for this flaw which blocks any attempts to delete critical Windows files without admin access.
Apple
Apple issued a macOS Sierra and High Sierra update that fixes a vulnerability that could allow an attacker to crash macOS High Sierra or iOS 11 devices on the same WiFi network. On iOS, the CVE-2018-4367FaceTime vulnerability would allow a remote attackers to initiate a FaceTime call from your device through a code execution vulnerability. Full vulnerability details in the report Apple Fixes FaceTime Vulnerability, Crash Bug in macOS, and More .
iOS also had numerous bugs that could allow an attacker to bypass the passcode feature on iPhone and iPad. CVE-2018-4379 and CVE-2018-4380 were updated in iOS 12.0.1 ( iOS 12.0.1 Released with Fixes to Passcode Bypass Bugs ). However, the report New iPhone Passcode Bypass Method Found Days after Patch was released just a few days after the above fixes, and demonstrates how an attacker could access the full contact list of a victim device, if they can get physical access.
Linux
CVE-2018-15688 was identified affecting Systemd in Linux distros Ubuntu, Red Hat, Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server ( Systemd Flaw Could Cause the Crash or Hijack of Vulnerable Linux Machines ). Meanwhile a Major Debian GNU/Linux 9 "Stretch" Linux Kernel Patch Fixes 18 Security Flaws affecting Linux 4.9 kernel used by the Debian GNU/Linux 9 "Stretch" operating system series and leading to information leaks, privilege escalation, and denial of service, as well as a use-after-free bug in Linux kernel's InfiniBand communication manager, and a variant of the Spectre V2 vulnerability dubbed SpectreRSB.
Android
Google released updates for 26 vulnerabilities, including 8 rated ‘critical’, and 17 rated ‘high’ severity. The most severe of these issues are four critical remote code execution flaws within Android’s Media framework that might allow a remote attacker to execute arbitrary code within the context of a privileged process by using a specially crafted file. The report Google Patches Critical Vulnerabilities in Android OS has more information.
Web Browsers
Mozilla issued a number of updates in October. These included the report Mozilla Patches Critical Vulnerabilities in Firefox 62.0.3 and Firefox ESR 60.2.2 which identified CVE-2018-12386 and CVE-2018-12387 as serious vulnerabilities in its web browsers. Later in October Mozilla also issued more updates in the report Mozilla Updates Fix Several Critical and High-Rated Vulnerabilities. This included critical-rated flaws CVE-2018-12388 and CVE-2018-12390 , as well as high-rated flaws CVE-2018-12392 , CVE-2018-12391 and CVE-2018-12393 .
Databases
Oracle
Oracle released updates for 301 vulnerabilities in October, 46 of which had a 9.8+ severity rating ( Oracle Patches 301 Vulnerabilities, Including 46 with a 9.8+ Severity Rating ). The most severe vulnerability, CVE-2018-2913 received a severity rating of 10.0 and is located in Oracle’s GoldenGate, a data replication framework.
Numerous other critical vulnerabilities, rated 9.8 on the severity scale, affect Oracle products such as Oracle Database Server, Oracle Communications, Oracle Construction and Engineering Suite, Oracle Enterprise Manager Products Suite, Oracle Fusion Middleware, Oracle Insurance Applications, Oracle JD Edwards, MySQL, Oracle Retail, Oracle Siebel CRM, and Oracle Sun Systems Products Suite.
SAP
SAP fixed several vulnerabilities in October, including an information disclosure flaw ( CVE-2018-2471 ) in SAP BusinessObjects Business Intelligence Suite client that might be triggered through the execution of certain special Central Management Server (CMS) scripts on the Central Management Server.
The company also patched numerous vulnerabilities, including flaws that could lead to compromise of clusters within its Gardener application. The report SAP Patches Critical Vulnerability in BusinessObjects has full details.
Apache
CVE-2018-9206 includes a zero day discovered in Apache's jQuery plugin. The flaw could allow attackers to change files on website servers vulnerable to the bug. Apache has issued a patch for this issue ( 0-Day in jQuery Plugin Impacts Thousands of Applications ).
Anonymization
Nothing Significant to Report (NSTR).
Virtualization
VMWare
The vulnerability CVE-2018-6977 was identified affecting VMWare in October. The flaw is a denial-of-service vulnerability due to an infinite loop in a 3D-rendering shader. More detail is in the report VMware Workstation, Fusion, and ESXi Affected by DoS Vulnerability, No Patch Yet . Whilst the flaw hasn't yet been patched, there is a workaround for the flaw in the meantime ( Use Workaround to Mitigate against CVE-2018-6977 ).
Protocols
NSTR.
Administrative Tools
SSH
CVE-2018-10933 was established in October affecting the libssh library. Whilst a number of vendors have released updates to mitigate against this flaw, which can allow an attacker to authenticate into a library relatively trivially, a number of exploits are already active and in the wild. High-Severity Vulnerability Discovered in the libssh Library has more details.
Drivers
NSTR.
Processors
NSTR.
Cloud Hosting Providers
NSTR.
Other Vulnerabilities
Mozilla Thunderbird
Mozilla patched CVE-2018-12376 which is a memory corruption issue that could be exploited in order to run arbitrary code. The bug was fixed in Thunderbird version 60.2.1 update. The report Mozilla Patches Critical Vulnerability in Thunderbird 60.2.1 has more information.
Amazon FreeRTOS IoT
The report Critical Flaws Found in Amazon FreeRTOS IoT Operating System identified 13 vulnerabilities affecting Amazon's FreeRTOS project. The vulnerabilities could allow attackers to crash a targeted device, leak information from a device’s memory, execute malicious code remotely, and gain complete control over a targeted device. To date it appears no fix is currently available.
Sony Bravia Smart TVs
CVE-2018-16593 is a serious vulnerability affecting Sony's Smart TV line. A patch was prepared and was awaiting approval to be sent to customer devices, which of course need to be connected to the internet to receive the automatic updates ( Sony Bravia Smart TVs Affected by a Critical Vulnerability ).
Exploits for Vulnerabilities
As mentioned above, there are already exploits in the wild for the libssh vulnerability CVE-2018-10933 .
The report JQShell - A Weaponized Version of CVE-2018-9206 details how an exploit for the recently patched Apache vulnerability has been seen in the wild.
The following attack pattern TTPs were observed by EclecticIQ analysts in October:
- Attack Pattern: Exploitation of CVE-2018-14665
- Attack Pattern: Collection of data from NAS in data breach targeting U.S. company Rice Consulting
- Attack Pattern: Initial access to NAS in data breach targeting U.S. company Rice Consulting
- Attack Pattern: Exploiting Hadoop YARN Unauthenticated Remote Command Execution
- Attack Pattern: Use of Flash 0-Day Exploit to target Syria-based targets
- Attack Pattern: Abusing DeepLink and Icon tag to deliver malicious payload
- Attack Pattern: Exploitation of CVE-2017-8291
- Attack Pattern: Phishing Emails With Malicious Word Attachments
- Attack Pattern: Embedded OLE Object Opens RTF Document Dropping Loki
- Attack Pattern: Spearphishing email delivers RTF exploit document
- Attack Pattern: RTF File Exploiting CVE-2017-11882 Dropping Loki
- Attack Pattern: RTF File Exploiting CVE-2017-11882 Dropping Agent Tesla
- Attack Pattern: Exploiting CVE-2018-8495
- Attack Pattern: Disguised XMRig Download Masquerading as Adobe Update
- Attack Pattern: Attacker makes attempts to register victim’s telephone number WhatsApp application attacker-controlled phone
- Attack Pattern: Exploiting CVE-2018-0471 in Cisco IOS XE Software Cisco Discovery Protocol
- Attack Pattern: Exploiting CVE-2018-15370 in Cisco IOS ROM Monitor
- Attack Pattern: Exploitation of CVE-2014-6352 to install RAT
- Attack Pattern: Exploiting CVE-2018-9081
- Attack Pattern: Exploiting CVE-2018-9082
- Attack Pattern: Exploiting CVE-2018-9080
- Attack Pattern: Exploiting CVE-2018-9079
- Attack Pattern: Exploiting CVE-2018-9078
- Attack Pattern: Exploiting CVE-2018-9077
- Attack Pattern: Exploiting CVE-2018-9076
- Attack Pattern: Exploiting CVE-2018-9075
- Attack Pattern: Exploiting CVE-2018-9074
The above Attack Patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviours not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.
Recommendations
EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.
Users should ensure they manually update their own systems dependent even if they are not mentioned in this report.
We hope you enjoyed this post. Follow us here for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.