This report aims to give customers a regular overview of trends in vulnerability disclosures and announcements. Where applicable, it notes known exploits for trending vulnerabilities and relevant courses of action. The report is not exhaustive and will not include every vulnerability announced that month.
Routers
Several vulnerabilities were found affecting MikroTik routers in December:
One vulnerability in particular (CVE-2018-14847) was being actively exploited in a cryptojacking campaign which enslaved devices across Brazil (MikroTik Routers Enslaved in Massive Coinhive Cryptojacking Campaign).
Operating Systems
January saw an actively exploited flaw (CVE-2018-8414) in Microsoft Windows Shell, which stems from improper validation of file paths. By exploiting this flaw, a remote attacker could execute arbitrary code on the targeted system by convincing a victim to open a specially crafted file received via email or a web page.
Linux suffered two vulnerabilities, known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391), which could allow a remote attacker to cause DoS or DDoS conditions. The Linux kernel project released an update to address the vulnerabilities (Linux Kernel Project Rolled Out Security Updates to Fix Two DoS Vulnerabilities).
A zero-day vulnerability was found in Apple’s macOS High Sierra operating system which could allow a local attacker to virtually “click” a security prompt and load a kernel extension (Apple 0-Day (Re)Opens Door to ‘Synthetic’ Mouse-Click Attack).
Security researchers exposed an API-breaking vulnerability in Android devices (CVE-2018-9489) which allows any application installed on a device to access sensitive information (Android OS API-Breaking Flaw Offers Useful WiFi Data to Bad Actors).
Browsers
Microsoft patched a flaw (CVE-2018-0871) in the Edge browser that could allow threat actors to steal local files from a victim’s computer (Microsoft Edge Flaw Lets Hackers Steal Local Files).
A severe use-after-free vulnerability (CVE-2018-8373) was also found in the VBScript engine of the latest versions of Windows; it is reachable through Internet Explorer and can be used to run shellcode (Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode).
Mozilla patched six critical flaws in Firefox:
Databases
Security researchers found proof-of-concept (PoC) code that exploits the recently discovered vulnerability (CVE-2018-11776) affecting the Apache Struts framework (PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability). This vulnerability is being exploited in the wild, as noted below.
IBM patched two severe vulnerabilities (CVE-2018-11756, CVE-2018-11757) in IBM Cloud Functions that allowed an attacker to exploit an Apache OpenWhisk vulnerability and overwrite user function code (IBM Cloud Functions Is Affected by Two Function Runtime Vulnerabilities).
Protocols
Security researchers believe an Iranian telecommunication company hijacked Telegram’s traffic using a well-known BGP hijacking technique, which allowed it to reroute traffic from IP addresses found in corrupted Internet routing tables (Telegram Traffic From Around the World Took a Detour Through Iran).
Security researchers from the Georgia Institute of Technology published details at the USENIX ’18 conference of a side-channel attack on the fixed-window constant-time RSA implementation in OpenSSL 1.1.0g (One&Done OpenSSL Side Channel Attack).
Security researchers have discovered a new spam campaign targeting corporate networks around the world with the LokiBot malware. Upon infection, Loki Bot steals passwords from browsers, messaging applications, and mail and FTP clients (Loki Bot Steals Corporate Passwords).
The Internet Systems Consortium (ISC) warned that a severe vulnerability in the “deny-answer-aliases” feature of BIND could be exploited to launch denial-of-service (DoS) attacks; the feature helps recursive server operators protect users against DNS rebinding attacks (CVE-2018-5740).
Administrative Tools
Security experts discovered that OpenSSH has been affected by a serious flaw (CVE-2018-15919) since September 2011, leaving it vulnerable to an oracle attack (OpenSSH Versions Since 2011 Vulnerable to Oracle Attack).
Other Vulnerabilities
The following vulnerabilities were also published since 1st July, but do not fit into the categories above:
These include two vulnerabilities in HP Inkjet printers (CVE-2018-5925, CVE-2018-5924), an out-of-bounds memory read vulnerability (CVE-2018-6970) in three VMware Horizon products, and an information disclosure vulnerability (CVE-2018-8234) in Edge when it improperly marks files, aka “Microsoft Edge Information Disclosure Vulnerability.”
Exploits for Vulnerabilities
Since 01 December, the following exploits of vulnerabilities have been captured as Attack Patterns and TTPs by SCS analysts:
Attack Pattern: Exploitation of CVE-2017–0144 to Drop PowerGhost Script
Attack Pattern: Exploiting CVE-2018–11776 RCE in Apache Struts
Attack Pattern: Exploiting CVE-2018–11776 to download CNRig
Attack Pattern: Scanning for Apache Struts devices vulnerable to CVE-2018–11776
Attack Pattern: Spearphishing with Word Document to Drop RAT by Gorgon Group in Political Campaign
Attack Pattern: Muhstik Botnet used for DDoS attack
The above Attack Patterns are sometimes tied to the tactics of specific threat actors, but they are also sometimes observed as behaviors not linked to a particular adversary. Some come from new or updated Metasploit modules; others stem from research into APT groups and their most recent TTPs.
Recommendations
SCS recommends that customers apply security updates to their systems as soon as they become available, in order to mitigate the risks posed by the vulnerabilities mentioned in this report. It is worth noting that this report is a summary of the main vulnerabilities we have seen over the course of a month and as such does not reflect the full list of CVE information published by vendors.
Users should ensure they manually update their own systems and dependencies even if they are not mentioned in this report.