Threat Report

Thursday November 15, 2018

Holy moly, it’s the weekly threat report. This is your gentle reminder to patch all the things. That’s the theme for this week, vulnerabilities that need patching and a sprinkle of attack tools.

Microsoft Patch Tuesday

In past reports, we’ve discussed pending 0-days for Edge and Windows; and it looks like some similarly critical vulnerabilities are being patched this week. This Tuesday’s Microsoft patch covered a pair of 0-day vulnerabilities, ten other critical items, and around 50+ other issues. Let’s review a few of those.

One of the vulnerabilities being actively exploited in the wild is a Win32k privilege escalation. CVE-2018-8589 has been found in the wild on Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems. However, an attacker needs to be authenticated to the system to exploit the vulnerability and gain full control. Another critical patch was for CVE-2018-8584, which was disclosed in October and impacts Windows 10, Windows Server 2016, and Windows Server 2019. When exploited it allows unauthorized users to access and delete files on systems that are normally only accessible by admins. This could open the door for DLL hijacking and other attack vectors that would allow for privilege escalation.

Also included were five vulnerabilities in the Chakra scripting engine behind Microsoft Edge (CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588). Any of these CVEs could be leveraged to execute code on an Edge user’s host. To be exploited, the Edge user would have to be naively phished or innocently malvertised. Remember, malvertising is on the rise. If an attacker chained together an Edge exploit with either of the vulnerabilities that allow for privilege escalation, they could gain full control of the host.

Other notables included two remote code execution flaws in Word (CVE-2018-8539, CVE-2018-8573) and PowerShell bugs that allow potential remote code execution (CVE-2018-8256, CVE-2018-8415).

Data Privacy Plug-in Ironically Eliminates Privacy for Thousands of Sites

Last week a privilege escalation vulnerability was disclosed in a popular WordPress GDPR compliance plugin with over 100K installs. This week, thousands of websites have been compromised. If you’re running a WordPress site, check your GDPR plugin for updates, because attackers are scanning everyone. The patched version is 1.4.3.

Although these sites are fully compromised, Sucuri has been tracking a campaign in which thousands of compromised sites redirect users to code of the kind used to invoke fake tech support scams (TSS). We confirmed with Perchy that the TSS campaign is currently using wtools[.]io to host the injected content and redirecting users to diwutixip[.]innocraft[.]cloud for the TSS payloads.

China Chopper Finds Forever Home with ColdFusion

Security researchers have recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion. A suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. Adobe’s ColdFusion has historically been a major target of APT groups looking to compromise networks. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor. When Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability. The vulnerability is easily exploited through an HTTP POST request to the file “upload.cfm”, which is not restricted and does not require authentication. It should be noted that ColdFusion does attempt to restrict the file types that are allowed for upload via CKEditor in a configuration file called “settings.cfm”. Researchers have identified that Adobe did not include the “.jsp” file extension in the default configuration, which was problematic because ColdFusion allows “.jsp” files to be actively executed.

The attackers also identified a directory modification issue through the “path” form variable that allowed them to change the directory where uploaded files would be placed. This means that even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere else on the system in an attempt to compromise it. All files on the compromised websites were found in one of two directories: /cf_scripts/ and /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/. Several of the affected websites contained an HTML index file from the hacktivist group “TYPICAL IDIOT SECURITY”.

On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues, including an unauthenticated file upload vulnerability. This vulnerability was assigned CVE-2018-15961 and affects ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). Apply Adobe’s patch as soon as you can.
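As an added defender-side example (not code from the original report or from Adobe), here is a Python triage script for the upload.cfm issue above: it counts POSTs to upload.cfm per source IP from Apache-style access logs and lists executable files under the two upload directories the report names. The upload.cfm location under the filemanager path, the log format, and the extra executable extensions beyond .jsp are assumptions.

```python
# Added example, not from the original report or from Adobe: defender-side
# triage for the ColdFusion CKEditor upload issue described above. Assumed,
# not on the page: Apache combined-format logs and the upload.cfm location.
import re
from collections import Counter
from posixpath import splitext

# The two directories the report says the attackers' files were found in.
UPLOAD_DIRS = (
    "/cf_scripts/",
    "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/",
)
# .jsp is the extension the report says the default settings.cfm missed;
# the other extensions are assumed executable here too.
EXEC_EXTS = {".jsp", ".jspx", ".cfm", ".cfml", ".cfc"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def upload_cfm_posts(log_lines):
    """Count POSTs to upload.cfm per source IP. The endpoint takes uploads
    without authentication, so every POST from an untrusted address is
    worth a look, not only the ones that returned 200."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        path = target.split("?", 1)[0].lower()
        if method == "POST" and path.endswith("/upload.cfm"):
            hits[ip] += 1
    return hits

def executable_uploads(web_paths, baseline=frozenset()):
    """Paths inside an upload directory with an executable extension that are
    not in a known-good baseline of the stock install (feed web_paths from
    os.walk in practice). Because the 'path' variable let attackers write
    elsewhere, diff the whole webroot against that baseline as well."""
    return [p for p in web_paths
            if splitext(p)[1].lower() in EXEC_EXTS
            and p not in baseline
            and any(p.startswith(d) for d in UPLOAD_DIRS)]

# Constructed sample data: RFC 5737 test addresses, not real hosts.
FM = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager"
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Nov/2018:10:01:02 +0000] "POST {FM}/upload.cfm?path=x HTTP/1.1" 200 512 "-" "curl/7.61"',
    f'203.0.113.5 - - [12/Nov/2018:10:01:05 +0000] "GET {FM}/uploadedFiles/cmd.jsp HTTP/1.1" 200 88 "-" "curl/7.61"',
    '198.51.100.9 - - [12/Nov/2018:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = [f"{FM}/uploadedFiles/cmd.jsp", f"{FM}/uploadedFiles/logo.png",
                "/cf_scripts/index.html", "/cf_scripts/shell.cfm"]
```

Run `upload_cfm_posts` over the real access log and `executable_uploads` over an `os.walk` listing of the webroot, passing a file list from a clean install as the baseline.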

We observed potential recon activity from:

113.161.90.69

JexBoss Gets Wild with NCCIC

Finally, to close out this threat report, we have a tool getting the spotlight from The National Cybersecurity and Communications Integration Center (NCCIC). NCCIC issued a US-CERT alert for a security assessment tool. JexBoss is used to test and exploit older vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. The GitHub repo hasn’t been updated in two years, and there are open issues to fix bugs and to add new attacks. It amazes me that older versions of this software are still out there, unpatched and living their best life.

Attackers used JexBoss in the SamSam ransomware campaign that targeted the healthcare industry. According to US-CERT, JexBoss allows an attacker to execute arbitrary OS commands on the target host by installing a webshell, blindly injecting commands, or establishing a reverse shell. NCCIC has determined that JexBoss operates on all seven stages of the Cyber Kill Chain framework. Users and administrators are advised to review AR18-312A from US-CERT.

Paul Scott
SOC Nightwatchman