Tag Archives: Exploit in the Wild

Adobe Flash zero day exploited in the wild. Remote code execution vulnerabilities are hacker’s favorites!

8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-41[1] for critical vulnerability CVE-2018-15928 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) reported the vulnerability on November 29th, 2018 to Adobe. They detected the issue some days before while analyzing a malicious word document that was uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15928 could lead to Arbitrary Code Execution in the context of the current user. Due to RedHat the CVSS3 Base Metrics is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with a CVSS3 Base Score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of vulnerabilities in the NVD exploits are published in the exploit database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15928 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15928 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

Remote Code Execution Vulnerabilities. Data: 1988-2018

RxE Vulnerabilities. Data: 1988-2018

Exploits for Remote Code Execution Vulnerabilities. Data: 1988-2018

Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means, that RxE vulnerabilities are 5 times more often exploited in the wild then Non-RxE vulnerabilities. They are hacker’s favorites!

What does the mean for our vulnerability management strategy?

The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed-up information gathering and reduces the workload of your IT security staff.
In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.

Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/
Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html
Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/
Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy?

4 November 2018

Some days ago Cisco published a vulnerability CVE-2018-15454[1][2] in software running on their security products Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco discovered the flaw while investigating a support case, in other words, the attackers used a zero-day exploit.

How frequent are zero-days? This question is not easy to answer because it takes some time until malicious activity is detected. However, we can compare the date an exploit is published in the Exploit Database[3] with the date the vulnerability is published in the NVD.

Figure 1. Exploit publication date relative to CVE publication date. Data: 2013 – 2017

Between 2013 and 2017 about 60% of the exploits were published before the CVE. With this, about 60% of the exploits are candidates for zero-day exploits.

Figure 2. Exploit publication date relative to CVE publication date details. Data: 2013 – 2017

Figure 2 shows the details within 30 days prior and after the CVE was published.

This is no reason to panic. In general, this means that we should directly start the remediation process once an exploit is published. Do not waste time!

In addition, since remediation takes some time, it makes sense to invest in means enhancing the resilience of application systems. Expect the worst and be prepared.

Find out more in the following posts.

Have a great week.

MITRE. NVD – CVE-2018-15454 [Internet]. 2018 [cited 2018 Nov 3]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-15454
Cisco Security. Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability [Internet]. Cisco Security Advisory. 2018 [cited 2018 Nov 3]. Available from: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

CVE-2018-8453 exploited in the Wild?

16 October 2018

I learned about CVE-2018-8453 from Kaspersky Lab’s Secure List [1] last Wednesday during a bicycle tour to the Baltic Sea.

Lake Steinhude, Lower Saxony

Elevation of Privilege vulnerabilities like CVE-2018-8453 should be taken seriously because an attacker can fully compromise a system if an exploit is available.

Since the vulnerability had status Awaiting Analysis [2] in the NVD I checked the Microsoft Security Response Center for more details [3]. The CVSS 3.0 vector string AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C and the CVSS 3.0 base score 7.0 made clear: There is no reason for panic.

But what puzzled me was that many sources [4][5] reported that the vulnerability was already exploited in the wild. Back home, I found that almost all sources referred to the Kaspersky Lab report [1].

In section Attribution of the Kaspersky Lab report we learn:

“During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.”

That is really baffling. The attackers already compromised the affected systems through a PowerShell backdoor. With this it is easy to exploit CVE-2018-8453.

The question remains why the attackers use CVE-2018-8453 instead of one of the auto-elevation programs included in the Windows operating system.

From section Victims of the Kaspersky Lab report one learns:

“The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.”

Now this makes pretty sense. In the case of highly targeted attacks we can assume, that the affected clients are well hardened. In such cases, when e.g. User account control is set to Always notify me, the standard method to get elevated privileges by manipulating the auto-elevation programs does not work.

The big questions are: How many APT (nation-state actors) are aware of this vulnerability? And since when?

Have a great week.

SecureList. Zero-day exploit (CVE-2018-8453) used in targeted attacks [Internet]. Securelist – Kaspersky Lab’s cyberthreat research and reports. 2018 [cited 2018 Oct 15]. Available from: https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/
MITRE. NVD – CVE-2018-8453 [Internet]. 2018 [cited 2018 Oct 15]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-8453
Microsoft Security Response Center. CVE-2018-8453 | Win32k Elevation of Privilege Vulnerability [Internet]. Security TechCenter. 2018 [cited 2018 Oct 15]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453
Paganini P. CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East [Internet]. Security Affairs. 2018 [cited 2018 Oct 15]. Available from: https://securityaffairs.co/wordpress/77003/apt/cve-2018-8453-win-0day.html
Beltrov M. CVE-2018-8453: Microsoft Windows Zero-Day Vulnerability Used in Attacks Worldwide [Internet]. How to, Technology and PC Security Forum | SensorsTechForum.com. 2018 [cited 2018 Oct 15]. Available from: https://sensorstechforum.com/cve-2018-8453-microsoft-windows-zero-day-vulnerability-used-attacks-worldwide/

What is the Most Secure Web Browser?

23 September 2018

For some weeks now I am busy with patch strategy and vulnerability management. When new critical vulnerabilities shows up two questions must be addressed:

How fast must we patch the vulnerable systems?
What vulnerabilities must be patched with highest priority? Or mitigated, if a patch is not available in due time.

Speed is the key in cyber security. The faster we find and patch vulnerable systems the greater is the chance that cyber criminals cannot exploit the vulnerabilities.

The exploit is the weapon in cyber warfare. A vulnerability as such increases the potential risk only. Once an exploit is published that can leverage the vulnerability, the vulnerability becomes a real risk. And if the exploit is “in the wild”, i.e. if the exploit is actively used by cyber criminals for attacks, the IT organization is on red alert.

Unfortunately, no one knows when an exploit spreads in the wild. Therefore, the cautious answer to the above questions is:

“The moment an exploit for a critical vulnerability is published it must be patched directly, at least on critical systems. If a patch is not available proper protective measures must be applied to mitigate the risk effectively.”

Browsers are the most critical systems because they are used in a hostile environment. Browsers are very complex applications, thus prone of errors. Between 2013 and 2017 about 11% of 40671 vulnerabilities in total were found in the 4 major browsers Chrome, Firefox, Internet Explorer and Edge.

Market Share Browsers 2013 – 2017. Data source: StatCounter

Browser Vulnerabilities 2013 – 2017

It remarkable to see that 67% of all browser vulnerabilities are related to IE, Edge and Firefox although they have only a small market share (11% in 2017).

Exploit publication date relative to CVE publication date 2013 – 2017

The graphic above shows the number of exploits that are published within one month before the CVE is published compared to the number of exploits published within one month after the CVE is published.

Except for Chrome and Firefox the majority of exploits is published after the vulnerability is published. Nevertheless, we have to patch immediately on publication of a CVE.

How many exploits spread in the wild? This question is hard to answer. The Symantec attack signatures give a useful indication. “An attack signature is a unique arrangement of information that can be used to identify an attacker’s attempt to exploit a known operating system or application vulnerability.”

Exploits in the Wild 2013 – 2017

This is an amazing result, isn’t it.

Have a great week!

Data sources

NIST. NVD Database. https://nvd.nist.gov/
Offensive Security. Exploit Database. https://www.exploit-db.com
Andrea Fioraldi. CVE Searchsploit.
https://github.com/andreafioraldi/cve_searchsploit/tree/master/cve_searchsploit
NIST. EXPLOIT-DB Reference Map. http://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html
Symantec.com. Attack Signatures. https://www.symantec.com/security_response/attacksignatures/

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: