Category Archives: Survival tips

Adobe Flash zero day exploited in the wild. Remote code execution vulnerabilities are hacker’s favorites!

8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-41[1] for the critical vulnerability CVE-2018-15928 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) had reported the vulnerability to Adobe on November 29th, 2018. They detected the issue some days earlier while analyzing a malicious Word document that had been uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15928 could lead to arbitrary code execution in the context of the current user. According to Red Hat, the CVSS3 base vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which gives a CVSS3 base score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of the vulnerabilities in the NVD, an exploit is published in the Exploit Database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15928 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15928 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

Figure: RxE Vulnerabilities. Data: 1988-2018

Figure: Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means that RxE vulnerabilities are exploited in the wild 5 times more often than non-RxE vulnerabilities. They are hacker’s favorites!

What does this mean for our vulnerability management strategy?

  • The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
  • In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
  • Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed up information gathering and reduce the workload of your IT security staff.
  • In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.


  1. Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

  2. Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

  3. Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html

  4. Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/

  5. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/


Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) applications like BitLocker represent the final bastion in protection against theft and loss of laptops.

No wonder that the post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams on 11/5/2018 at Bleeping Computer, caused considerable unease in the security community.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Image: Hard Drive Lock by Hello Many from the Noun Project

What happened. Researchers from Radboud University in The Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the encryption of some SSDs allowing access to the data without knowledge of any secret. Windows 8/10 BitLocker is able to make use of the hardware encryption capabilities to speed up the encryption process. Thus, BitLocker is compromised.

During normal operating conditions it is hardly possible to exploit these vulnerabilities because a cyber criminal must remove the SSD from the computer and connect a hardware debugger to reach the secrets.

Thus we face an increased risk if the device is left unattended (e.g. an evil maid attack[3]), lost or stolen. The same holds if the device was lost some time ago and has been kept unchanged for whatever reason.

Actually, you should have procedures in place to deal with stolen or lost devices. These must be updated now:

  • Users must change their passwords directly after the loss of a device is reported.
  • All certificates, soft and hard tokens used for securing remote access or access to sensitive data and services must be invalidated directly after a loss is reported.
  • The help desk must be notified of the loss and advised to report a security incident in the case of requests regarding the stolen device or the affected user accounts.

In any case, to keep the impact of a loss small, the best advice for users is to store as little sensitive data as possible on portable devices.

For details on how to handle this issue please refer to the Microsoft security advisory ADV180028[4], published on 11/6/2018.

The big question is: Who takes care of the self-encrypting external USB disks with a keypad that are built on the affected SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. Microsoft Security Response Center. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy?

4 November 2018

Some days ago Cisco published an advisory for vulnerability CVE-2018-15454[1][2] in the software running on their security products Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco discovered the flaw while investigating a support case; in other words, the attackers used a zero-day exploit.

How frequent are zero-days? This question is not easy to answer because it takes some time until malicious activity is detected. However, we can compare the date an exploit is published in the Exploit Database[3] with the date the vulnerability is published in the NVD.

Figure 1. Exploit publication date relative to CVE publication date. Data: 2013 – 2017

Between 2013 and 2017 about 60% of the exploits were published before the CVE. With this, about 60% of the exploits are candidates for zero-day exploits.

Figure 2. Exploit publication date relative to CVE publication date, details. Data: 2013 – 2017

Figure 2 shows the details within 30 days prior and after the CVE was published.
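The comparison behind Figure 1 and Figure 2 can be reproduced on any export of Exploit Database and NVD dates. The following is an added example, not code from the original post: it computes the exploit-minus-CVE delta per record, the share of exploits that appeared before the CVE, and a Figure 2 style histogram for the 30 days before and after the CVE. The records are constructed for illustration; the IDs and dates are not real Exploit-DB or NVD entries.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not real data):
# (exploit id, CVE id, CVE published in the NVD, exploit published in the EDB)
SAMPLE = [
    ("EDB-A", "CVE-2017-0001", date(2017, 3, 14), date(2017, 3, 1)),   # 13 days before
    ("EDB-B", "CVE-2017-0002", date(2017, 5, 2),  date(2017, 5, 2)),   # same day
    ("EDB-C", "CVE-2017-0003", date(2017, 6, 10), date(2017, 6, 30)),  # 20 days after
    ("EDB-D", "CVE-2017-0004", date(2017, 1, 1),  date(2016, 10, 1)),  # 92 days before
    ("EDB-E", "CVE-2017-0005", date(2017, 8, 8),  date(2017, 8, 5)),   # 3 days before
]


def days_after_cve(cve_published, exploit_published):
    """Days between CVE and exploit publication; negative means the exploit
    was public before the CVE, i.e. a zero-day candidate."""
    return (exploit_published - cve_published).days


def classify(records):
    """Count exploits published before, on, and after the CVE date."""
    counts = Counter()
    for _, _, cve_pub, edb_pub in records:
        d = days_after_cve(cve_pub, edb_pub)
        counts["before" if d < 0 else "same_day" if d == 0 else "after"] += 1
    return dict(counts)


def share_before_cve(records):
    """Fraction of exploits that were public before their CVE (Figure 1)."""
    before = sum(1 for _, _, c, e in records if days_after_cve(c, e) < 0)
    return before / len(records)


def window_histogram(records, window=30, bin_days=7):
    """Bucket deltas within +/-window days into bins of bin_days (Figure 2).
    Keys are the lower bound of each bin; deltas outside the window are dropped."""
    hist = Counter()
    for _, _, c, e in records:
        d = days_after_cve(c, e)
        if -window <= d <= window:
            hist[(d // bin_days) * bin_days] += 1
    return dict(sorted(hist.items()))


def zero_day_candidates(records):
    """Exploit ids whose publication preceded the CVE: patch these first."""
    return [edb for edb, _, c, e in records if days_after_cve(c, e) < 0]


if __name__ == "__main__":
    print(classify(SAMPLE))
    print(f"share before CVE: {share_before_cve(SAMPLE):.0%}")
    print(window_histogram(SAMPLE))
    print(zero_day_candidates(SAMPLE))
```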

This is no reason to panic. In general, this means that we should directly start the remediation process once an exploit is published. Do not waste time!

In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems. Expect the worst and be prepared.

Find out more in the following posts.

Have a great week.


  1. MITRE. NVD – CVE-2018-15454 [Internet]. 2018 [cited 2018 Nov 3]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-15454
  2. Cisco Security. Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability [Internet]. Cisco Security Advisory. 2018 [cited 2018 Nov 3]. Available from: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
  3. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

To patch or not to patch, that is not the question – New Remote Code Execution Vulnerability in Drupal CMS

21 October 2018

Lindsey O’Donnell’s report “Two Critical RCE Bugs Patched in Drupal 7 and 8” [1] published yesterday on Threatpost gives website operators every reason to enter panic mode.

The vulnerabilities are not published in the NIST NVD yet, but Drupal released two security advisories [2] [3] with details.

Why panic? In the past 16 years 177 vulnerabilities [4] related to Drupal were published. That sounds like a lot but consider that 1,075,609 websites were powered with Drupal core in October 2018 [5].

Fortunately, only 13 exploits were published since 2002. On 29 March 2018 the remote code execution vulnerability CVE-2018-7600 (Drupalgeddon2) was published. Within 20 days after publication three exploits were available. Thousands of sites were compromised in the aftermath.

CVE-2018-7602 (Drupalgeddon3) was published on 19 July 2018. In this case exploits were available 81 and 86 days before the CVE was published.

Table: Drupal Exploits since 2010.

The table above shows the vulnerabilities with published exploits for the Drupal CMS since 2010. Negative values in the column “Number of days exploit published after CVE published” indicate that the exploit was published before the CVE. These are the magic zero-day exploits, the worst-case scenario for website operators because there is no warning time at all.

Except for the green highlighted exploit, all exploits were used in the wild, that is, they were used in attacks. In addition, except for the green highlighted exploit, all CVEs were remote code execution or injection vulnerabilities.

For the newly published remote code execution vulnerabilities we can expect

  • that exploits will be published with a probability of about 7% and
  • that if exploits are published, they will be published before or at the day the CVE is published.

With this, website operators must patch immediately once they become aware of a new remote code execution vulnerability.

In addition, I would recommend taking additional preventive measures, e.g. implementing a Web Application Firewall or a host-based Intrusion Detection/Prevention System, to make the installation more resilient against new vulnerabilities. If the website is operated on Linux it makes sense to activate AppArmor [6].

Have a great week.


  1. O’Donnell L. Two Critical RCE Bugs Patched in Drupal 7 and 8 [Internet]. Threatpost | The first stop for security news. 2018 [cited 2018 Oct 20]. Available from: https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/
  2. Drupal Security Team. Drupal Core – Multiple Vulnerabilities – SA-CORE-2018-006 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-core-2018-006
  3. Drupal Security Team. Mime Mail – Critical – Remote Code Execution – SA-CONTRIB-2018-068 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-contrib-2018-068
  4. CVE Details. Drupal Drupal : CVE security vulnerabilities, versions and detailed reports [Internet]. CVE Details. The ultimate security vulnerability datasource. 2018 [cited 2018 Oct 21]. Available from: https://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367
  5. Drupal.org. Usage statistics for Drupal core | Drupal.org [Internet]. 2018 [cited 2018 Oct 21]. Available from: https://www.drupal.org/project/usage/drupal
  6. theMiddle. AppArmor: Say Goodbye to Remote Command Execution. [Internet]. Secjuice.com. 2018 [cited 2018 Oct 21]. Available from: https://www.secjuice.com/apparmor-say-goodbye-to-remote-command-execution/

What is the Most Secure Web Browser?

23 September 2018

For some weeks now I have been busy with patch strategy and vulnerability management. When new critical vulnerabilities show up, two questions must be addressed:

  1. How fast must we patch the vulnerable systems?
  2. What vulnerabilities must be patched with highest priority? Or mitigated, if a patch is not available in due time.

Speed is the key in cyber security. The faster we find and patch vulnerable systems, the greater the chance that cyber criminals cannot exploit the vulnerabilities.

The exploit is the weapon in cyber warfare. A vulnerability as such increases the potential risk only. Once an exploit is published that can leverage the vulnerability, the vulnerability becomes a real risk. And if the exploit is “in the wild”, i.e. if the exploit is actively used by cyber criminals for attacks, the IT organization is on red alert.

Unfortunately, no one knows when an exploit spreads in the wild. Therefore, the cautious answer to the above questions is:

“The moment an exploit for a critical vulnerability is published it must be patched directly, at least on critical systems. If a patch is not available proper protective measures must be applied to mitigate the risk effectively.”

Browsers are the most critical systems because they are used in a hostile environment. Browsers are very complex applications and thus prone to errors. Between 2013 and 2017 about 11% of the 40,671 vulnerabilities published in total were found in the 4 major browsers Chrome, Firefox, Internet Explorer and Edge.

Figure: Market Share Browsers 2013 – 2017. Data source: StatCounter

Figure: Browser Vulnerabilities 2013 – 2017

It is remarkable that 67% of all browser vulnerabilities are related to IE, Edge and Firefox, although they have only a small market share (11% in 2017).

Figure: Exploit publication date relative to CVE publication date, 2013 – 2017

The graphic above shows the number of exploits that are published within one month before the CVE is published compared to the number of exploits published within one month after the CVE is published.

Except for Chrome and Firefox, the majority of exploits are published after the vulnerability is published. Nevertheless, we have to patch immediately on publication of a CVE.

How many exploits spread in the wild? This question is hard to answer. The Symantec attack signatures give a useful indication. “An attack signature is a unique arrangement of information that can be used to identify an attacker’s attempt to exploit a known operating system or application vulnerability.” 

Figure: Exploits in the Wild 2013 – 2017

This is an amazing result, isn’t it?

Have a great week!


Data sources

  1. NIST. NVD Database. https://nvd.nist.gov/
  2. Offensive Security. Exploit Database. https://www.exploit-db.com
  3. Andrea Fioraldi. CVE Searchsploit. https://github.com/andreafioraldi/cve_searchsploit/tree/master/cve_searchsploit
  4. NIST. EXPLOIT-DB Reference Map. http://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html
  5. Symantec.com. Attack Signatures.  https://www.symantec.com/security_response/attacksignatures/

DeepLocker: AI Powered, Ultra-Targeted and Evasive Malware

19 August 2018

Mohit Kumar’s report on DeepLocker (1) published on 9 August 2018 in The Hacker News made me jump. Is AI becoming the doomsday machine of the 21st century?

DeepLocker is the result of a study (2) performed by IBM researcher Marc Stoecklin and his colleagues on the question of how the use of AI will change cyber-attacks:

“DeepLocker has changed the game of malware evasion by taking a fundamentally different approach from any other current evasive and targeted malware.”

The good news is that DeepLocker still needs a carrier app. Marc Stoecklin writes:

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.”

Figure: Seven Phases Cyber Kill Chain

DeepLocker is hence not invincible. A compromised carrier app will have a different fingerprint than the uncompromised version, at least as long as the carrier app is not compromised during development.

With this, program reputation, a must-have in every Next Generation Endpoint Protection Solution (NGEPS), can stop a malicious app very early in the Cyber Kill Chain (CKC).

The bad news is that reverse engineering is hardly possible. Marc Stoecklin writes:

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

Although I am fond of reading malware analysis papers, I won’t miss them. From my point of view, it is only important that the NGEPS blocks the payload from being executed. In terms of the Cyber Kill Chain this means: ideally in the delivery phase, at the latest in the installation phase.

For more details on DeepLocker please see the presentation (3) Marc Stoecklin delivered at the Black Hat 2018 conference.

Don’t panic, but be prepared: Skynet will gain world supremacy soon …

Have a great week.


  1. Kumar M. Researchers Developed Artificial Intelligence-Powered Stealthy Malware [Internet]. The Hacker News. 2018 [cited 2018 Aug 13]. Available from: https://thehackernews.com/2018/08/artificial-intelligence-malware.html
  2. Stoecklin MP. DeepLocker: How AI Can Power a Stealthy New Breed of Malware [Internet]. Security Intelligence. 2018 [cited 2018 Aug 13]. Available from: https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/
  3. Stoecklin MP, Kirat D, Jang J. DeepLocker – Concealing Targeted Attacks with AI Locksmithing [Internet]. Black Hat USA 2018. 2018 [cited 2018 Aug 19]. Available from: https://www.blackhat.com/us-18/briefings/schedule/#deeplocker—concealing-targeted-attacks-with-ai-locksmithing-11549

Digital Carelessness – a disease without a chance of cure

12 August 2018

Two messages this week showed that there is no cure in sight for the fatal disease called digital carelessness.

ONE: Two remote code execution (RCE) vulnerabilities found in certain HP Inkjet printers (1).

CVE-2018-5924: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-5925: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This sort of vulnerability is particularly popular in the cyber crime scene because it is network exploitable (Attack Vector AV:Network), the attack complexity is low (AC:L), no privileges are required (PR:None) and no user interaction is required (UI:None).

Under normal conditions, Inkjet printers are operated inside the company network. Thus there is no need to enter panic mode, because the vulnerability cannot be exploited from the internet.

Unfortunately, some HP Inkjet printers are, for whatever reason, accessible from the internet. A Shodan search reveals that 539 HP DesignJet printers are directly connected to the internet. One of the vulnerable printer models is the HP DesignJet T520 24-in ePrinter, Product number CQ890A, Firmware version 1829B. For a complete list of the affected printers please see the HP Security Bulletin HPSBHF03589 (2).

Figure: HP DesignJet T520 Map.

As of today, 79 printers of this type are directly attached to the internet. Some of them are ready for printing and are thus exposed to CVE-2018-5924 or CVE-2018-5925 because the HP JetDirect Line Printer Daemon port 515 is open.

But why should an attacker exploit these RCE vulnerabilities if he can hijack the printer because basic security is not configured?

HP advised its customers to update the firmware of the affected printers as soon as possible. This is the best opportunity

  • to configure basic security,
  • to eliminate the http protocol, and
  • to close unnecessary open ports.

TWO: TSMC Chip Maker Blames WannaCry Malware for Production Halt

Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest maker of semiconductors and processors, was hit by a variant of the WannaCry ransomware last week. According to TSMC, its computer systems were not directly attacked but were exposed to the malware when a supplier installed corrupted software without a virus scan.

“We are surprised and shocked,” TSMC CEO C.C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened.” (3)

It doesn’t matter how often installations went well in the past. It’s always the next installation that counts.

Have a good week.


  1. Zorz Z. HP plugs critical RCE flaws in InkJet printers [Internet]. Help Net Security. 2018 [cited 2018 Aug 6]. Available from: https://www.helpnetsecurity.com/2018/08/06/hp-inkjet-printer-vulnerabilities/
  2. HP Customer Support. HPSBHF03589 rev. 2 – HP Ink Printers Remote Code Execution. 2018 [cited 2018 Aug 6]. Available from: https://support.hp.com/us-en/document/c06097712
  3. Wu D. iPhone Chipmaker Blames WannaCry Variant for Plant Closures. Bloomberg.com [Internet]. 2018 Aug 6 [cited 2018 Aug 12]; Available from: https://www.bloomberg.com/news/articles/2018-08-06/iphone-chipmaker-blames-wannacry-variant-for-plant-closures