Asia Cyber Summary | 26 June 2020
In the spotlight this week:
VMware addressed 10 vulnerabilities affecting its ESXi, Workstation, and Fusion products. The most severe of them may allow a malicious actor with local access to a virtual machine with 3D graphics enabled to execute code on the hypervisor from that virtual machine.
A series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck Inc., collectively called Ripple20, affects at least 18 known vendors. The Treck networking stack is used across a wide range of industries, so the impact ripples out across supply chains.
The latest variant, Lucifer v.2, was discovered on May 29 while investigating exploitation of CVE-2019-9081, a deserialization bug in the Laravel Framework that can be abused for remote code execution (RCE). Patches are available for all the weaponized security flaws. On hosts that have not been updated, these issues are often trivial to exploit, with code execution for the purpose of cryptocurrency mining being one of the ultimate goals.
Adobe Flash is about to reach its end-of-life date at the end of this year. While the decline of exploit kits can be linked to the decline of Adobe Flash, exploit kits have yet to disappear completely.
JUN 25, 2020 | Lucifer: Devilish Malware Abuses Critical Vulnerabilities on Windows Machines
On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware while investigating numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed that the malware, dubbed “Lucifer”, is capable of conducting DDoS attacks and is well-equipped with all kinds of exploits against vulnerable Windows hosts.
The first wave of the campaign ended on June 10, 2020. The attackers resumed their campaign on June 11, spreading an upgraded version of the malware, wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM UTC and caught by Palo Alto Networks Next-Generation Firewall. At the time of writing, the campaign is still ongoing.
Not only is it capable of dropping XMRig to mine Monero, it is also capable of command and control (C2) operations and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Additionally, it drops and runs the EternalBlue, EternalRomance, and DoublePulsar backdoors against vulnerable targets for intranet infections.
JUN 24, 2020 | Magnitude Exploit Kit Evolution: No Flash, No Exploit Kits
Exploit kits are not as widespread as they used to be. In the past, they relied on already patched vulnerabilities. Newer and more secure web browsers with automatic updates do not allow known vulnerabilities to be exploited in this way. Adobe Flash, however, was just a plugin for the web browser, meaning that even if the user had an up-to-date browser, there was a non-zero chance that Adobe Flash was still vulnerable to 1-day exploits. As Adobe Flash reaches its end-of-life date at the end of this year, it is disabled by default in all web browsers and is being replaced with open standards such as HTML5, WebGL, and WebAssembly. While the decline of exploit kits can be linked to the decline of Adobe Flash, exploit kits have yet to disappear completely.
JUN 24, 2020 | CryptoCore: A Threat Actor Targeting Cryptocurrency Exchanges
In recent years, cryptocurrency exchanges have become targets for constant attacks, mainly from criminal groups and lone hackers. Threat actors of all kinds try to infiltrate corporate networks for reconnaissance, ransomware deployment, and plainly to steal money from those exchanges, specifically from their "hot" (i.e. active, connected) wallets.
These kinds of targets are somewhat unique, differing from traditional financial institutions for two reasons: (1) banks in general, and the SWIFT system in particular, are perceived as highly secured targets in comparison to cryptocurrency exchanges, and the reduced security of those exchanges’ networks makes them a more lucrative target for cybercriminals; (2) while it seems easier to track the stolen money through the blockchain, identifying and attributing wallets to entities and individuals is generally more difficult.
Attacks against crypto exchanges had a discernible place in the 2019 to early 2020 landscape, from the top three attacks against Coinbase, Upbit, and Binance (which was hacked at least twice and had its KYC data leaked), to smaller-scale but still sophisticated attacks, such as those carried out by the DPRK-attributed group "Lazarus" (aka HIDDEN COBRA), or the exploitation of vulnerabilities in the Ethereum platform in the (ultimately unsuccessful) attack on Uniswap and Lendf.me.
Jun 26, 2020 | VMware Addressed 10 Vulnerabilities Affecting ESXi, Workstation and Fusion
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the SVGA device. According to the advisory published by the company, VMware has deemed the severity of this issue as “critical” with a maximum CVSSv3 base score of 9.3. A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.
Jun 19, 2020 | Copy-Paste Compromises: TTP Used to Target Multiple Australian Networks
A state-based actor has been discovered targeting Australian networks through a number of initial access vectors, the most prevalent being the exploitation of public-facing infrastructure through a remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure have also been exploited, including a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, and the Citrix vulnerability from the same year.
The actor is capable of quickly leveraging public proof-of-concept exploits (PoCs) to target networks of interest, and regularly conducts reconnaissance of vulnerable services, potentially maintaining a list of public-facing services so that it can target them quickly after future vulnerability disclosures. The actor has also shown an aptitude for identifying development, test, and orphaned services that are not well known or maintained by victim organizations.
Jun 19, 2020 | Ripple20: 19 Zero-Day Vulnerabilities Amplified by the Supply Chain
The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name “Ripple20”, affect upwards of hundreds of millions of devices and include multiple remote code execution vulnerabilities. An attacker could hide malicious code within embedded devices for years.
The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor. The widespread dissemination of the software library (and the vulnerabilities within it) was a natural consequence of the supply chain “ripple effect”. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.