Tag Archives: Zero day exploits

About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy?

4 November 2018

Some days ago Cisco published a vulnerability, CVE-2018-15454 [1][2], in software running on their security products Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco discovered the flaw while investigating a support case; in other words, the attackers used a zero-day exploit.

How frequent are zero-days? This question is not easy to answer because it takes some time until malicious activity is detected. However, we can compare the date an exploit is published in the Exploit Database[3] with the date the vulnerability is published in the NVD.

Figure 1. Exploit publication date relative to CVE publication date. Data: 2013 – 2017

Between 2013 and 2017 about 60% of the exploits were published before the CVE. Hence about 60% of the exploits are candidates for zero-day exploits.

Figure 2. Exploit publication date relative to CVE publication date, details. Data: 2013 – 2017

Figure 2 shows the details for the window from 30 days before to 30 days after the CVE was published.

This is no reason to panic. In general, it means that we should start the remediation process directly once an exploit is published. Do not waste time!

In addition, since remediation takes some time, it makes sense to invest in measures that enhance the resilience of application systems. Expect the worst and be prepared.

Find out more in the following posts.

Have a great week.


  1. MITRE. NVD – CVE-2018-15454 [Internet]. 2018 [cited 2018 Nov 3]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-15454
  2. Cisco Security. Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability [Internet]. Cisco Security Advisory. 2018 [cited 2018 Nov 3]. Available from: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
  3. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

To patch or not to patch, this is not the question – New Remote Code Execution Vulnerability in Drupal CMS

21 October 2018

Lindsey O’Donnell’s report “Two Critical RCE Bugs Patched in Drupal 7 and 8” [1] published yesterday on Threatpost gives website operators every reason to enter panic mode.

The vulnerabilities are not published in the NIST NVD yet, but Drupal released two security advisories [2] [3] with details.

Why panic? In the past 16 years 177 vulnerabilities [4] related to Drupal were published. That sounds like a lot, but consider that 1,075,609 websites were powered by Drupal core in October 2018 [5].

Fortunately, only 13 exploits have been published since 2002. On 29 March 2018 the remote code execution vulnerability CVE-2018-7600 (Drupalgeddon2) was published. Within 20 days after publication three exploits were available. Thousands of sites were compromised in the aftermath.

CVE-2018-7602 (Drupalgeddon3) was published on 19 July 2018. In this case exploits were available 81 and 86 days before the CVE was published.

Table: Drupal Exploits since 2010.

The table above shows the vulnerabilities with published exploits for the Drupal CMS since 2010. Negative values in the column "Number of days exploit published after CVE published" indicate that the exploit was published before the CVE was published. These are the magic zero-day exploits, the worst-case scenario for website operators, because there is no warning time at all.

Except for the green highlighted exploit, all exploits were used in the wild, meaning they were used in attacks. In addition, except for the green highlighted exploit, all CVEs were remote code execution or injection vulnerabilities.

For the newly published remote code execution vulnerabilities we can expect

  • that exploits will be published with a probability of about 7% and
  • that if exploits are published, they will be published before or on the day the CVE is published.

With this, website operators must patch directly once they become aware of a new remote code execution vulnerability.
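The comparison of Exploit-DB and NVD publication dates in the first post above, and the "days exploit published after CVE published" column of the Drupal table, boil down to the same computation. The following script is an added example (not code from either post): it buckets exploit offsets into before / same day / after, derives the shares the posts read off their figures, computes the empirical exploit probability (13 / 177 for Drupal), and builds the ±30 day histogram of Figure 2. The sample records are constructed; the CVE dates and the -81 / -86 day offsets are as the post states, the three positive offsets for CVE-2018-7600 are assumed.

```python
from datetime import date

# Constructed sample, not real Exploit-DB / NVD data: the CVE ids, NVD dates and
# the -81 / -86 day offsets are as stated in the post; the three positive
# offsets for CVE-2018-7600 are assumed (the post only says "within 20 days").
SAMPLE_EXPLOITS = [
    {"cve": "CVE-2018-7600", "cve_published": date(2018, 3, 29), "exploit_published": date(2018, 4, 11)},
    {"cve": "CVE-2018-7600", "cve_published": date(2018, 3, 29), "exploit_published": date(2018, 4, 12)},
    {"cve": "CVE-2018-7600", "cve_published": date(2018, 3, 29), "exploit_published": date(2018, 4, 16)},
    {"cve": "CVE-2018-7602", "cve_published": date(2018, 7, 19), "exploit_published": date(2018, 4, 29)},
    {"cve": "CVE-2018-7602", "cve_published": date(2018, 7, 19), "exploit_published": date(2018, 4, 24)},
]

def days_after_cve(record):
    """Exploit date minus CVE date in days; negative means the exploit came first."""
    return (record["exploit_published"] - record["cve_published"]).days

def classify(delta_days):
    """Bucket an offset the way the post's figures and table do."""
    if delta_days < 0:
        return "before"
    return "same_day" if delta_days == 0 else "after"

def exploit_timing_stats(records):
    """Per-bucket counts plus the two shares the posts read off their figures."""
    counts = {"before": 0, "same_day": 0, "after": 0}
    for rec in records:
        counts[classify(days_after_cve(rec))] += 1
    total = len(records)
    return {
        **counts,
        "total": total,
        # zero-day candidates as in the first post: exploit strictly before the CVE
        "share_before": counts["before"] / total,
        # "before or on the day the CVE is published", as the Drupal post puts it
        "share_before_or_same_day": (counts["before"] + counts["same_day"]) / total,
    }

def exploit_probability(num_exploits, num_cves):
    """Empirical chance that a product's CVE gets a public exploit, e.g. 13 / 177 for Drupal."""
    return num_exploits / num_cves

def window_histogram(records, window_days=30):
    """Exploit counts per day offset inside +/- window_days (the zoom of Figure 2)."""
    hist = {}
    for rec in records:
        delta = days_after_cve(rec)
        if -window_days <= delta <= window_days:
            hist[delta] = hist.get(delta, 0) + 1
    return dict(sorted(hist.items()))

if __name__ == "__main__":
    print(exploit_timing_stats(SAMPLE_EXPLOITS))
    print(f"P(exploit | Drupal CVE) = {exploit_probability(13, 177):.1%}")
    print(window_histogram(SAMPLE_EXPLOITS))
```

Feeding real Exploit-DB and NVD exports into `SAMPLE_EXPLOITS` (one dict per exploit) reproduces the 2013 – 2017 figures of the first post.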

In addition, I would recommend taking additional preventive measures, e.g. implementing a Web Application Firewall or a host-based Intrusion Detection/Prevention System, to make the installation more resilient against new vulnerabilities. If the website is operated on Linux it makes sense to activate AppArmor [6].

Have a great week.


  1. O’Donnell L. Two Critical RCE Bugs Patched in Drupal 7 and 8 [Internet]. Threatpost | The first stop for security news. 2018 [cited 2018 Oct 20]. Available from: https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/
  2. Drupal ST. Drupal Core – Multiple Vulnerabilities – SA-CORE-2018-006 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-core-2018-006
  3. Drupal ST. Mime Mail – Critical – Remote Code Execution – SA-CONTRIB-2018-068 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-contrib-2018-068
  4. CVE Details. Drupal Drupal : CVE security vulnerabilities, versions and detailed reports [Internet]. CVE Details. The ultimate security vulnerability datasource. 2018 [cited 2018 Oct 21]. Available from: https://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367
  5. Drupal.org. Usage statistics for Drupal core | Drupal.org [Internet]. 2018 [cited 2018 Oct 21]. Available from: https://www.drupal.org/project/usage/drupal
  6. theMiddle. AppArmor: Say Goodbye to Remote Command Execution. [Internet]. Secjuice.com. 2018 [cited 2018 Oct 21]. Available from: https://www.secjuice.com/apparmor-say-goodbye-to-remote-command-execution/

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

22 October 2016

On Tuesday, I watched the IBM webinar ‘Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching’.

On slide 3 one could read the really interesting statement ‘NSA: no zero days were used in any high profile breaches over last 24 months’.

Slide 3 – Force the Bad Guys to Use Zero Day Exploits — and Why That’s a Good Thing

Curtis Dukes, deputy national manager of security systems within the NSA, said that the NSA has been involved in incident response or mitigation efforts for all ‘high profile incidents’ one has read about in the Washington Post or the New York Times.

In all these incidents the attackers used relatively simple techniques like spear phishing, watering holes and USB-drive delivery to get onto the victims’ networks.

In the last 24 months, not one zero day has been used in these high profile intrusions.

That is a very interesting insight. Moreover, Curtis Dukes said that

The fundamental problem we faced in every one of those incidents was poor cyber hygiene.

The central idea of the webinar is to harden all systems by applying at least all existing patches for known vulnerabilities, and in a timely manner. For most organizations this is a great challenge: applying an endless stream of operating system and application patches to thousands of servers and endpoints is a never-ending nightmare. But it is essential to hinder an attacker who has managed to get onto the network from moving laterally across it.

If attackers cannot exploit existing vulnerabilities, they are forced to download hacking tools from their C&C server. But this increases the likelihood of detection, because the attacker creates anomalies which can be detected, e.g. by a current anti-malware solution or a well-tuned SIEM system.

It is important to recognize that cyber hygiene must not be restricted to patching and password rules. Operating systems offer lots of powerful built-in tools, e.g. PowerShell, which can be used by an attacker to move laterally across the network. Such movements are much harder to detect, because they closely resemble standard user behavior. Pass-the-hash attacks are another example where patching is of limited value only.

It is very important to understand what threats a security solution mitigates. But it is of crucial importance to know the gaps and to have some ideas on how to deal with them effectively.

Have a good weekend.

Canadian hospital under attack

26 March 2016

Reports on cyber-attacks don’t come to an end. Cyber-criminals seem to focus in particular on hospitals this year. In the case of the Norfolk General Hospital attackers modified the hospital’s homepage to serve the Teslacrypt ransomware to clueless visitors. The ransomware is delivered by drive-by download when the page is opened – you won’t even need to click on something on the page.

However, this does not mean that spear-phishing with malicious attachments has gone out of fashion. Cyber-criminals use a range of attack methods, and outdated application middleware on an Internet-facing server is a worthwhile target.

On Tuesday I got two spear phishing emails directly in my inbox. A short hack on VirusTotal showed that these were two zero-days.

Two hours later, now at home, I analyzed the attachments in more detail. Both attachments contained the same ransomware, but in different document formats. The attachments were now detected by 6 of 56 anti-malware systems on VirusTotal, e.g. by TrendMicro as W2KM_DRIDEX.YYSSH or by Avira as W2000M/Dldr.Agent.19573. That’s a reasonable result for classic anti-malware systems, although it means that the anti-malware systems left the users unprotected for about 4 hours.

The VBA project with the auto-open macro was password protected. But LibreOffice Writer was able to display the macros; it simply overrides the obviously weak VBA project protection of Microsoft Office.

W2KM_DRIDEX.YYSSH Code Sample

The auto-open macro creates a file dsfsdfsdf.vbe, submits the file to the C&C server, downloads an executable named Fuckyourself.ass and runs it. Fuckyourself.ass is detected e.g. by Microsoft as Backdoor:Win32/Drixed and by ESET as Win32/Dridex.AA.

COMODO File Execution Warning

A next-gen endpoint protection solution would have contained or blocked at least the critical event of executing dsfsdfsdf.vbe. An infection with Dridex would have been prevented, and this without any delay for updating malware patterns.

Happy Easter!

Bypassing protection measures by direct upload of malicious content to OneDrive/Office 365

9 August 2015

I am happy about every email with malicious content or attachment, in particular if I find the mail in my inbox. Sounds strange, but it’s important to analyze the technology of the attackers to develop proper protection strategies.

Last Wednesday I spent an hour with the analysis of an obviously malicious email attachment. Outlook blocked access to the attachment without any error message. Therefore I logged in to my outlook.com account and opened the email:

Malicious Mail in Outlook.com

A click on Download as zip resulted in the following error message:

The file “Automatische Lastschrift konnte nicht vorgenommen werden 05.08.2015.zip” is infected with an unknown virus, so it isn’t safe to download.

Perfect! This explains the strange behavior of Outlook. But saving to OneDrive surprisingly works.

Malicious Mail Save to OneDrive

Some minutes later I uploaded the zip archive to VirusTotal and found that the malware was already known under the name Trojan:Win32/Bulta!rfn. For more details please see below.

When I extracted the nested zip-archive to my local hard disk the endpoint protection system correctly identified the program, blocked access and took the predefined action.

What happened? The attackers used a standard technique (malware in nested zip archives) to deliver their payload. The Outlook client and outlook.com both blocked downloading the payload because they identified a suspicious attachment.

But all protection could be bypassed by uploading the file to OneDrive. When OneDrive or Office 365 is used as a collaboration platform with suppliers and partners, an attacker could easily use this bypass to distribute malicious content across companies. In particular for zero-day exploits this may become a serious problem.
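The delivery technique described above (an executable hidden inside nested zip archives) is easy to inspect for before a file reaches a user or a shared cloud folder. The following script is an added example, not code from this post or from any vendor product: it recursively walks a zip archive, flags executable members by extension and by the PE "MZ" magic, and guards against unbounded nesting and decompression bombs. The sample archive, the policy constants (MAX_DEPTH, EXECUTABLE_SUFFIXES, MAX_MEMBER_BYTES) and the file names inside it are constructed; the "payload" is an inert byte blob.

```python
import io
import zipfile

# Assumed policy values, not from the post: nesting depth allowed before an
# archive is flagged, extensions treated as executable content, and a size
# guard so a decompression bomb cannot exhaust memory during inspection.
MAX_DEPTH = 3
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".vbe", ".jar")
MAX_MEMBER_BYTES = 50 * 1024 * 1024

def inspect_archive(data, depth=0, prefix=""):
    """Walk a zip archive and every zip archive nested in it; return (path, reason) findings.
    Nested paths are joined with '!' so a finding can be traced through the layers."""
    if depth > MAX_DEPTH:
        return [(prefix, "nesting deeper than MAX_DEPTH")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "not a valid zip archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}!{info.filename}" if prefix else info.filename
            name = info.filename.lower()
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member exceeds size limit, not inspected"))
            elif name.endswith(".zip"):
                findings.extend(inspect_archive(zf.read(info), depth + 1, path))
            elif name.endswith(EXECUTABLE_SUFFIXES):
                findings.append((path, "executable member"))
            else:
                with zf.open(info) as member:  # only the first two bytes are needed
                    if member.read(2) == b"MZ":
                        findings.append((path, "PE header (MZ) under a non-executable extension"))
    return findings

def build_sample_nested_zip():
    """Constructed stand-in for the mail's attachment: outer zip -> inner zip -> payload.
    The payload is an inert 64-byte blob that only carries the MZ magic, not a real program."""
    payload = b"MZ" + b"\x00" * 62
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Rechnung.pdf.exe", payload)   # double extension, flagged by suffix
        z.writestr("invoice.pdf", payload)        # flagged by the MZ magic instead
        z.writestr("readme.txt", b"harmless text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Lastschrift.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in inspect_archive(build_sample_nested_zip()):
        print(f"{path}: {reason}")
```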

For protection against the download of malicious content from cloud services we have to change our endpoint protection strategy. The anti-malware systems on the web proxy will not recognize the malicious objects because the data stream is encrypted (HTTPS is used). Even if the proxy breaks SSL/TLS it is very likely that zero-day exploits, and even already known viruses, are not identified. The same holds for the endpoint protection systems on the end-users’ desktops.

But the first line of defense, the cloud provider, has the most important task. Bypassing protection by uploading malicious objects to the cloud storage is not acceptable. This strange behavior should be corrected as soon as possible. From the above we know that this is an easy task, because the system had already identified the attachment as malware.

Have a good week!


VirusTotal results: 2015-08-06 20:21:06 UTC

Detection rate: 23 / 55

AntiVirus               Result                                         Last Update
Avast                   Win32:Malware-gen                              20150806
Microsoft               Trojan:Win32/Bulta!rfn                         20150806
Ikarus                  Trojan.Win32.Crypt                             20150806
Arcabit                 Trojan.Mikey.D538C                             20150806
DrWeb                   Trojan.Inject1.62743                           20150806
TrendMicro              TROJ_KR.2B7B2BF7                               20150806
TrendMicro-HouseCall    TROJ_KR.2B7B2BF7                               20150806
Avira                   TR/Crypt.Xpack.248161                          20150806
Rising                  PE:Trojan.Win32.Generic.18EBC66C!418104940     20150731
Sophos                  Mal/Generic-S                                  20150806
AVG                     Generic_r.FOY                                  20150806
Panda                   Generic Suspicious                             20150806
Emsisoft                Gen:Variant.Mikey.21388 (B)                    20150806
Ad-Aware                Gen:Variant.Mikey.21388                        20150806
BitDefender             Gen:Variant.Mikey.21388                        20150806
F-Secure                Gen:Variant.Mikey.21388                        20150806
GData                   Gen:Variant.Mikey.21388                        20150806
MicroWorld-eScan        Gen:Variant.Mikey.21388                        20150806
McAfee-GW-Edition       BehavesLike.Ransom.lc                          20150806
Kaspersky               Backdoor.Win32.Androm.humu                     20150806
Symantec                Backdoor.Matsnu                                20150806
McAfee                  Artemis!B65DB4920F67                           20150806
ESET-NOD32              a variant of Win32/Kryptik.DSND                20150806

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I am receiving about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits, but sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400GB of confidential company data available to the public. The leaked data included tools and exploits provided by the company to carry out attacks, among them a new Flash Player zero day affecting Flash Player up to version 18.0.0.194.

Two critical vulnerabilities in as many weeks, that’s really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in Flash Player SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.

Adobe releases next emergency Flash zero-day patch

27 June 2015

Adobe Flash Player is a real source of irritation. New vulnerabilities are continuously made public. In the last three months 64 vulnerabilities were published in the NIST NVD database, 43 of which with the highest severity score of 10.0.

The latest vulnerability, CVE-2015-3113, potentially allows an attacker to take control of an affected system, and the malware that exploits it is technically advanced. For technical details see the FireEye blog post ‘Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign’.

As usual the attack is started through a phishing email. And, once the attackers have gained access to the victim’s network, they move laterally through the network in search of valuable information.

With this we have the first and second line of defense in a prevention strategy: User awareness training to support users in recognizing such attacks, and system isolation to prevent the attackers from moving laterally through the network.

Perhaps it’s time to solve this problem once and for all by uninstalling Flash Player…

Have a good weekend.