Microsoft's Patch Tuesday came with 39 updates, 9 rated critical and 1 under active attack. Two of this month's patches address vulnerabilities discovered by FortiGuard Labs researchers. Our researchers discovered both vulnerabilities in September this year and have worked closely with Microsoft to ensure that the patches successfully address the weaknesses.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook. The vulnerability results from Microsoft Outlook's failure to properly handle objects in memory. To exploit this vulnerability, a user must open a specially crafted RWZ file with an affected version of Microsoft Office. Once an attacker successfully exploits the vulnerability, they can perform actions in the security context of the current user.

FortiGuard Labs signature: MS.Outlook.CVE-2018-8587.Remote.Code.Execution

CVE-2018-8612 is a Denial of Service (DoS) vulnerability in the Microsoft Universal Telemetry Client (UTC). UTC is a remote procedure call (RPC) service used to collect telemetry data from Windows 10 in order to identify security and reliability issues; this helps to improve the quality of Windows and related services, and to make design decisions for future releases. This DoS vulnerability is caused by insufficient validation of user input sent to APIs exposed via the UTC RPC interfaces, which eventually leads to a null pointer dereference. The vulnerability can be triggered by a local authenticated user to terminate a service that normally only administrative users can stop.

FortiGuard Labs signature: MS.RPC.UTC.DoS

Note that one of this month's vulnerabilities, CVE-2018-8611, is under active attack. This is a Win32K elevation of privilege flaw and is likely being used in targeted attacks. The vulnerability requires an attacker to already have an established presence on the target system. Consider this vulnerability a priority when developing your patching strategy.
For more details on this month's Patch Tuesday, visit the Microsoft Security Update Guide. FortiGuard always practices responsible disclosure and will not publish details of any vulnerability we discover until the patch has been released. To find out more about our program, visit FortiGuard Zero-Day Research.
Application Vulnerabilities / IPS
| Rank | Name | Prevalence |
|---|---|---|
| 1 | MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow | 26,970 |
| 2 | Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution | 21,713 |
| 3 | D-Link.DSL-2750B.CLI.OS.Command.Injection | 19,072 |
| 4 | Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities | 18,491 |
| 5 | PHPUnit.Eval-stdin.PHP.Remote.Code.Execution | 18,629 |
SoftNAS.Cloud.snserv.recentVersion.OS.Command.Injection – A vulnerability exists in the SoftNAS Cloud product, a software-defined NAS solution delivered as a virtual appliance that can be set up and run on private, public, or hybrid clouds. The software itself is pretty mature, with features such as snapshots, encryption, rapid rollbacks, and high-availability capabilities. The flaw is a PHP command injection vulnerability in the web administration panel, in the script named "snserv," which did not thoroughly sanitize input parameters before passing them to execution. All SoftNAS versions before 4.0.3 are vulnerable to this bug. More specifically, the "recentVersion" parameter of the "snserv" script is the one to blame. The script does not properly authenticate or validate sessions, allowing an unauthenticated attacker to execute payloads as the root user, since *wait for it* the web server runs Apache, and the Apache user has an entry in the sudoers file, allowing it to execute anything as the super user. The researchers responsible for the discovery disclosed a simple HTTP GET parameter that yields a shell on a vulnerable server. We are seeing an enormous increase in activity for this signature worldwide, with the last 24 hours of activity 73% higher than the observed average for the last 30 days, and 34% higher than the last 7 days' average.

Signatures: SoftNAS.Cloud.snserv.recentVersion.OS.Command.Injection

Avahi.NULL.UDP.Packet.DoS – Avahi, for those who are unaware, is a Linux service that facilitates local network service discovery via the mDNS/DNS-SD protocol suite. It is similar to Apple's Bonjour: once connected to the network, other users, printers, and shares appear on your local machine.
It was discovered back in 2011 that Avahi (before 0.6.29) allowed remote attackers to cause a denial of service (an infinite loop triggered on the code path taken) in the Avahi daemon by simply sending it an empty mDNS IPv4 or IPv6 packet on the Avahi service port, 5353. This was assigned CVE-2011-1002 and has been exploited in the wild ever since. We are now seeing an increase in the number of detections for this signature, with a 25% increase when comparing the last 24 hours to the last 7 days' average. If we compare the last 24 hours to the last 30 days' average, the jump is even higher, with 45% more triggers worldwide.

Signatures: Avahi.NULL.UDP.Packet.DoS
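Both of the signatures above describe traffic a defender can look for directly in their own telemetry: requests to the SoftNAS "snserv" script whose recentVersion parameter carries shell metacharacters, and UDP datagrams to port 5353 that carry no payload at all. The following Python is an added example and is not FortiGuard's signature logic; the Apache-style log format, the script path /softnas/snserv.php, the client addresses and the packet bytes are all constructed for the demonstration (only the script name "snserv" and the parameter name "recentVersion" come from the advisory). It parses IPv4/UDP headers by hand and treats an empty datagram to 5353 as a hit; IPv6, which the Avahi bug also affects, is not handled here.

```python
import re
import struct
from urllib.parse import unquote, urlsplit

# --- Part 1: SoftNAS snserv command injection seen in web access logs -------
# Constructed Apache-style access-log lines (not from the brief). The path
# /softnas/snserv.php is an assumption; the script name "snserv" and the
# parameter "recentVersion" are the only details taken from the advisory.
ACCESS_LOG = """\
10.0.0.5 - - [12/Dec/2018:10:01:02 +0000] "GET /softnas/snserv.php?opcode=check&recentVersion=4.0.2 HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2018:10:01:07 +0000] "GET /softnas/snserv.php?opcode=check&recentVersion=4.0.2;id HTTP/1.1" 200 77
10.0.0.11 - - [12/Dec/2018:10:01:09 +0000] "GET /softnas/snserv.php?recentVersion=4.0.2%7Cid HTTP/1.1" 200 77
10.0.0.7 - - [12/Dec/2018:10:02:11 +0000] "GET /index.php?recentVersion=1;2 HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a parameter value break out of a shell command built from it.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")


def query_params(query):
    """Split a query string on '&' only and percent-decode both sides.

    Done by hand instead of with parse_qs so that ';' inside a value stays
    data (older parse_qs releases treat ';' as a second separator).
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def snserv_injection_hits(log_text):
    """Return (client_ip, decoded_value) for each request to an snserv script
    whose recentVersion value contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "snserv" not in url.path:
            continue
        for value in query_params(url.query).get("recentVersion", []):
            if SHELL_META.search(value):
                hits.append((line.split()[0], value))
    return hits


# --- Part 2: empty mDNS datagrams (Avahi.NULL.UDP.Packet.DoS) ---------------
MDNS_PORT = 5353
UDP_HEADER_LEN = 8


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP frame as sample input for the detector
    (checksums are left at zero; this is test data, not wire-ready)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return ip + udp


def empty_mdns_sources(frames):
    """Return the source address of every IPv4/UDP frame addressed to 5353
    whose UDP length equals the bare header, i.e. an empty mDNS packet."""
    sources = []
    for frame in frames:
        if len(frame) < 20 or frame[0] >> 4 != 4:      # IPv4 only
            continue
        ihl = (frame[0] & 0x0F) * 4                      # header length in bytes
        if frame[9] != 17 or len(frame) < ihl + UDP_HEADER_LEN:  # 17 = UDP
            continue
        _sport, dport, udp_len, _csum = struct.unpack("!HHHH", frame[ihl:ihl + UDP_HEADER_LEN])
        if dport == MDNS_PORT and udp_len == UDP_HEADER_LEN:
            sources.append(".".join(str(b) for b in frame[12:16]))
    return sources


# Constructed sample traffic: an empty datagram to 5353, an ordinary mDNS
# packet carrying a bare 12-byte DNS header, and an empty datagram to port 53.
SAMPLE_FRAMES = [
    build_ipv4_udp("192.0.2.10", "224.0.0.251", 5353, 5353, b""),
    build_ipv4_udp("192.0.2.11", "224.0.0.251", 5353, 5353, bytes(12)),
    build_ipv4_udp("192.0.2.12", "192.0.2.1", 40000, 53, b""),
]

if __name__ == "__main__":
    print("snserv injection hits:", snserv_injection_hits(ACCESS_LOG))
    print("empty mDNS datagrams from:", empty_mdns_sources(SAMPLE_FRAMES))
```

The two checks are deliberately narrow: the log rule only fires on the snserv script, so a semicolon in some other application's version string does not page anyone, and the packet rule keys on the UDP length field rather than on captured bytes, so a truncated capture does not produce false hits.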
Malware Activity
| Rank | Name | Prevalence |
|---|---|---|
| 1 | Android/Agent.FJ!tr | 5,967 |
| 2 | W32/Agent.AJFK!tr | 4,471 |
| 3 | MSOffice/CVE_2017_11882.A!exploit | 3,739 |
| 4 | W32/Kryptik.GLZZ!tr | 3,629 |
| 5 | W32/Agent.HTL!tr.rkit | 2,419 |
More Hidden Cobra Hijinks! – FortiGuard Labs is aware of a new campaign called "Operation Sharpshooter," which targets global defense organizations and critical infrastructure groups and is attributed to Lazarus/Hidden Cobra. Operation Sharpshooter leverages embedded shellcode, called from a malicious macro, to download a second-stage payload for further exploitation. The second-stage payload is downloaded from a remote site to %startup%mssynce.exe on the victim machine to ensure persistence for the downloaded implant. Another payload downloaded is a document that is likely a decoy to hide the malicious content. Once the decoy and second-stage payload are downloaded to the victim machine, they are executed using various commands. The backdoor exfiltrates data about the victim endpoint to the command and control server, including network adapter info, computer name, username, IP address information, native system information, and OS information, sending it to the remote server using HTTP POST. The backdoor also has the capability to execute commands, get drive information, launch processes from Windows binaries, get process information, terminate processes, get file timestamp info, read files, clear process memory, write files to disk, delete files, make remote connections via IP address, and change file attributes and folder properties.

Signatures: W32/WildPositron.A!tr, VBA/Agent.KPH!tr

Indicator(s):
34[.]214[.]99[.]20/view_style[.]php
137[.]74[.]41[.]56/board[.]php
kingkoil[.]com[.]sg/board[.]php
hxxp://208.117.44.112/document/Strategic Planning Manager.doc
hxxp://208.117.44.112/document/Business Intelligence Administrator.doc
hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1

Sofacy's Choice – FortiGuard Labs is aware of a new campaign by the Sofacy Group. Discovered by researchers earlier this week, this new campaign leverages interest in the recent fatal Lion Air crash.
In this campaign a maliciously crafted Word document with the title "crash list (Lion Air Boeing 737).docx" is sent to unsuspecting victims via spear phishing. The majority of the documents lure victims into enabling macros, the attackers hoping that less sophisticated victims will be enticed to open the file on the strength of the file name alone. Other themes observed were Brexit-named documents and Israel rocket attacks. The first-stage payload downloaded by these weaponized documents was the Zebrocy downloader, which, interestingly, has been developed in multiple languages such as Delphi, C#, and VB.NET. Also observed being distributed via these documents was the Cannon backdoor, which can take screenshots, gather system information, and connect to a C2 server via specific email addresses over port 587 to evade detection.

Signatures: MSOffice/Agent.LBE!tr

Indicator(s):
hxxp://188[.]241[.]58[.]170/local/s3/filters[.]php
hxxp://185[.]203[.]118[.]198/en_action_device/center_correct_customer/drivers-i7-x86[.]php
hxxp://145[.]249[.]105[.]165/resource-store/stockroom-center-service/check[.]php
hxxp://109[.]248[.]148[.]42/agr-enum/progress-inform/cube[.]php
Web Filtering Activity
More Cyber Monday Scams – Recently, the FortiGuard Labs Web Filtering team observed a campaign distributing Emotet, targeting the UK with a particularly effective email lure pretending to be a Cyber Monday voucher from Amazon.co.uk. The threat actors use sender addresses and subject lines that persuade or entice a user to read the email, follow the links, and download the malicious Word document at the end. The downloaded Word documents are given very convincing names such as "cyber_monday_coupon" and contain the Emotet malware. The FortiGuard Labs Web Filtering team has blacklisted all of the IOCs.

Indicator(s):
hxxp://pcgestion[.]com/En/Clients_CM_Coupons
hxxp://mexathermal[.]co[.]uk/EN/CyberMonday2018
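The indicators in the Hidden Cobra, Sofacy and Emotet items above are published defanged (hxxp, [.]), which is the form analysts share them in but not the form they appear in proxy logs. The following Python is an added example, not FortiGuard's tooling: it refangs the listed indicators in memory, indexes them by host and path, and checks proxy-log lines against that index, reporting an exact URL match separately from a host-only match so that a shared service such as www.dropbox.com is not treated as a full-confidence hit. The Squid-style log format and the client addresses in the sample are constructed for the demonstration; the indicator strings are copied from this brief.

```python
from urllib.parse import urlsplit

# Indicators exactly as published in this brief (defanged).
DEFANGED_IOCS = [
    "34[.]214[.]99[.]20/view_style[.]php",
    "137[.]74[.]41[.]56/board[.]php",
    "kingkoil[.]com[.]sg/board[.]php",
    "hxxp://208.117.44.112/document/Strategic Planning Manager.doc",
    "hxxp://208.117.44.112/document/Business Intelligence Administrator.doc",
    "hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1",
    "hxxp://188[.]241[.]58[.]170/local/s3/filters[.]php",
    "hxxp://185[.]203[.]118[.]198/en_action_device/center_correct_customer/drivers-i7-x86[.]php",
    "hxxp://145[.]249[.]105[.]165/resource-store/stockroom-center-service/check[.]php",
    "hxxp://109[.]248[.]148[.]42/agr-enum/progress-inform/cube[.]php",
    "hxxp://pcgestion[.]com/En/Clients_CM_Coupons",
    "hxxp://mexathermal[.]co[.]uk/EN/CyberMonday2018",
]


def refang(ioc):
    """Undo the usual defanging: '[.]' -> '.' and a leading 'hxxp' -> 'http'."""
    s = ioc.strip().replace("[.]", ".")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def host_and_path(url):
    """Lower-cased hostname and path of a URL; a bare 'host/path' indicator
    gets a scheme prepended so urlsplit parses it the same way."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_index(defanged_iocs):
    """Map host -> {path: original defanged indicator string}."""
    index = {}
    for ioc in defanged_iocs:
        host, path = host_and_path(refang(ioc))
        index.setdefault(host, {})[path] = ioc
    return index


def match_proxy_log(log_text, index):
    """Return (client, confidence, indicator) for each request line whose host
    is indexed. 'url' means host and path both match; 'host' means only the
    host matches, a weaker signal on a shared service like www.dropbox.com."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[-1]
        host, path = host_and_path(url)
        if host not in index:
            continue
        by_path = index[host]
        if path in by_path:
            alerts.append((client, "url", by_path[path]))
        else:
            alerts.append((client, "host", next(iter(by_path.values()))))
    return alerts


# Constructed Squid-style proxy log (not from the brief); clients are made up.
PROXY_LOG = """\
1544600001.123 10.1.1.4 TCP_MISS/200 GET http://kingkoil.com.sg/board.php
1544600002.456 10.1.1.8 TCP_MISS/200 GET http://www.dropbox.com/s/otherfolder/notes.txt
1544600003.789 10.1.1.9 TCP_MISS/404 GET http://34.214.99.20/view_style.php?id=1
1544600004.000 10.1.1.2 TCP_MISS/200 GET http://example.org/index.html
"""

if __name__ == "__main__":
    for alert in match_proxy_log(PROXY_LOG, build_index(DEFANGED_IOCS)):
        print(alert)
```

Matching on the path as well as the host is what keeps the Dropbox indicator usable: blocking or alerting on www.dropbox.com outright would drown the real hit in legitimate traffic, while the full path identifies the one shared file the campaign used. Query strings are ignored on the log side, so a request for the indexed path with extra parameters still registers as a URL match.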