EclecticIQ Blog

EclecticIQ Monthly Vulnerability Trend Report - September 2018

This post aims to provide a regular overview of trends in vulnerability disclosures and announcements. Where applicable, the report will describe known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such will not include every vulnerability announced that month.

Key Findings

  • September saw Microsoft patch 60 vulnerabilities affecting Windows and Internet Explorer.
  • A security researcher showed that the new macOS Mojave allows access to protected files.
  • A number of new attack patterns leveraging vulnerabilities were identified.

Analysis

Routers

A vulnerability in Tool: Winbox had a Proof of Concept published on GitHub in September. The WinboxExploit PoC affects all versions of WinBox from 6.29 to 6.42. The flaw allowed attackers to forward traffic to themselves via MikroTik routers.

Operating Systems

Security researchers released a micropatch for a zero-day that was unveiled on Twitter. The report Third-Party Researchers Released Micropatch for Recently Disclosed Windows Zero-Day features more information. The report describes how security researchers discovered a zero-day vulnerability affecting all supported versions of Microsoft Windows, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016. The flaws were tracked as CVE-2018-8392 and CVE-2018-8393.

Meanwhile, Microsoft patched 60 vulnerabilities in its September update. These included an actively exploited flaw (CVE-2018-8414) in the Windows Shell that originates from improper validation of file paths. By exploiting this flaw, a remote attacker might execute arbitrary code on the targeted system by convincing victims to open a specially crafted file received via email or a web page. Security researchers note that CVE-2018-8414 was actively exploited by the Intrusion Set: TA505 hacker group to deliver the Malware: FlawedAmmyy RAT. More information can be found in the report Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer.

macOS Mojave was launched in September, and the subsequent report macOS Mojave Privacy Bypass Flaw Allows Access to Protected Files demonstrates a vulnerability in the new version of the OS that can allow an attacker to access protected files without needing to be logged in to the machine. The researcher who discovered the flaw did not say whether Apple was working on a fix, but did say he would demonstrate the flaw in November.

CVE-2018-14634, affecting the Linux distributions CentOS and Red Hat Enterprise Linux (RHEL), was identified in September. The flaw was present in the Linux kernel between July 19th 2007 (kernel commit: b6a2fea39318) and July 7th 2017 (kernel commit: da029c11e6b1). It only affects CentOS and RHEL because the developers failed to backport the patch when the vulnerability was fixed last year.

On mobile devices, no major vulnerabilities were identified in September. However, these reports demonstrate some of the current techniques being used by cybercriminals to target mobile users, predominantly on Android devices.

  • Trojanized App in Google Play Steals Bank Customers' Euros
  • Bogus Finance Apps on Google Play Target Users Worldwide
  • Android Spyware in Development Plunders WhatsApp Data, Private Conversations

Web Browsers

Microsoft patched a zero-day vulnerability for a critical remote code execution bug (CVE-2018-8373). This affects the way the scripting engine handles objects in memory in Internet Explorer. The bug could allow remote attackers to take control of vulnerable systems just by convincing users to view a specially crafted website in Internet Explorer. This bug is very similar to CVE-2018-8174, which was actively exploited by an unnamed threat actor before it was patched in May 2018.

The report Tricky DoS Attack Crashes Mozilla Firefox was published in September. The vulnerability it describes can allow an attacker to crash the Firefox browser when a user accesses a web page containing an embedded JavaScript script. The flaw currently does not have a fix.

Protocols - VoIP

Cisco issued updates to its WebEx software in September. The vulnerabilities (CVE-2018-15422, CVE-2018-15421 and CVE-2018-15414) could allow an unauthenticated, remote attacker to execute arbitrary code on the target machine. According to the vendor, an attacker could exploit the flaws by tricking victims into opening a malicious file in the Cisco Webex Player. The file could be sent via email as an attachment or through a link in the content referencing it. Each version of the Webex Network Recording Player for Windows, OS X, and Linux is affected by at least one of the issues.

Other Vulnerabilities

Adobe issued an out-of-schedule update for Acrobat in order to mitigate an out-of-bounds write vulnerability (CVE-2018-12848) which, if exploited by attackers, can lead to arbitrary code execution in the context of the current user.

Adobe also issued updates against CVE-2018-12775, CVE-2018-12778, CVE-2018-12801, CVE-2018-12840, CVE-2018-12849 and CVE-2018-12850. These out-of-bounds read issues can all lead to information disclosure. The vulnerabilities impact Acrobat DC 2018.011.20058 and earlier, Acrobat Reader DC 2018.011.20058 and earlier, Acrobat 2017 2017.011.30099 and earlier, Acrobat Reader 2017 2017.011.30099 and earlier, Acrobat DC 2015.006.30448 and earlier, and Acrobat Reader DC 2015.006.30448 and earlier.
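As an added example (not code from the EclecticIQ report or from Adobe), the following checks an inventoried Acrobat or Reader version string against the affected-version ceilings listed above. The product names, the three-part version format and the idea of selecting the ceiling by the version's leading year are assumptions; the point it illustrates is that Acrobat DC and Reader DC have two tracks (2018 and 2015) with different ceilings, so a single "less than 2018.011.20058" comparison would misclassify a patched 2015-track build.

```python
# Added example (not from the EclecticIQ report): compare an installed Acrobat /
# Reader version against the affected-version ceilings listed in the report.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Highest affected version per product and track, taken from the report text.
# Acrobat DC and Reader DC ship on two tracks; the track is keyed here by the
# leading year component of the version (assumption for this example).
AFFECTED_CEILINGS: Dict[str, Dict[int, Version]] = {
    "Acrobat DC": {2018: (2018, 11, 20058), 2015: (2015, 6, 30448)},
    "Acrobat Reader DC": {2018: (2018, 11, 20058), 2015: (2015, 6, 30448)},
    "Acrobat 2017": {2017: (2017, 11, 30099)},
    "Acrobat Reader 2017": {2017: (2017, 11, 30099)},
}


def parse_version(version: str) -> Version:
    """Turn '2018.011.20058' into (2018, 11, 20058); zero-padding is ignored."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    year, minor, build = (int(p) for p in parts)
    return (year, minor, build)


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the ceiling for its track.

    Raises KeyError for a product or track the report does not list, rather than
    silently reporting 'not affected'.
    """
    installed = parse_version(version)
    tracks = AFFECTED_CEILINGS[product]  # KeyError for unknown product
    ceiling = tracks.get(installed[0])
    if ceiling is None:
        raise KeyError(f"{product} track {installed[0]} not covered by the advisory")
    # Tuple comparison orders by year, then minor, then build.
    return installed <= ceiling


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    for product, version in [("Acrobat DC", "2018.011.20058"),
                             ("Acrobat Reader DC", "2015.006.30448"),
                             ("Acrobat Reader DC", "2015.006.30500")]:
        print(product, version, "affected" if is_affected(product, version) else "ok")
```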

Exploits for Vulnerabilities

A proof-of-concept for a critical vulnerability in Tool: Winbox was published on GitHub in September, affecting all WinBox versions from 6.29 to 6.42. The WinboxExploit PoC exploits CVE-2018-14847, published in August.

The report An In-depth Look at the CVE-2018-5002 Exploit focuses on a zero-day allegedly exploited by the Intrusion Set: FruityArmor. CVE-2018-5002 is a high-risk vulnerability in the avm2 interpreter that was being used to exploit machines running Flash, and evidence shows it was active at least as far back as February 2018.

The following Attack Pattern TTPs were also identified by EclecticIQ analysts throughout September 2018:

  • Attack Pattern: Exploiting CVE-2018-14634
  • Attack Pattern: Exploit for CVE-2018-8373
  • Attack Pattern: Exploit CVE-2016-3088 for propagation
  • Attack Pattern: Scanning for Apache Struts devices vulnerable to CVE-2018-11776
  • Attack Pattern: Exploiting CVE-2018-11776 to install cryptomining malware
  • Attack Pattern: Exploit Office CVE-2012-0158 vulnerability to download QCRat payload
  • Attack Pattern: Fake Pikpro Site drops RTF file that exploits CVE-2017-8750 and drops VB backdoor
  • Attack Pattern: Fake Pikpro Site drops InPage file that exploits CVE-2017-12824 and drops VB backdoor
  • Attack Pattern: Exploiting D-Link routers supporting the HNAP protocol
  • Attack Pattern: Hijacking devices while leveraging CVE-2017-17215
  • Attack Pattern: Exploiting Realtek routers using vulnerable version of the Realtek SDK
  • Attack Pattern: Access to broadcasted information: local WiFi network information, BSSID, IP address, DNS server and MAC address of the device accessible

Of the active exploits noted in last month's EclecticIQ Monthly Vulnerability Trend Report - August 2018, the use of CVE-2018-11776 is still prevalent: it continues to be used to target Apache Struts devices, and is now also being used to install cryptomining malware. This may become a common trend for this vulnerability, or for similar flaws that become apparent over the coming months.

The above Attack Patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviors not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.

Recommendations

EclecticIQ Fusion Center recommends customers apply security updates to their systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems as needed, even if those systems are not mentioned in this report.
