Wednesday December 19th 2018
This week we’re covering critical vulnerabilities disclosed in Huawei routers, Jenkins continuous integration servers, and the SQLite database engine. We also review a threat actor that is taking aim at critical U.S. infrastructure.
Huawei’s integrity has been called into question recently. Several countries are following the U.S. lead and canceling Huawei orders, and Canada has arrested Huawei’s CFO at the request of the United States, which is seeking her extradition. Throughout this, Huawei has asked the U.S. to put up or shut up, and the security community has responded with proof. A staggering vulnerability report for Huawei routers (CVE-2018-7900) has been released, and Huawei doesn’t just make exploitation possible, they make it easy.
No spray-and-pray is necessary. An attacker can enumerate every vulnerable router with a single Shodan or ZoomEye query and never has to attempt a login: the router’s login page itself reveals whether the default password has been changed. This makes abusive activity hard to detect, because the attacker makes almost no noise (a failed-login alert never fires, since no wrong password is ever tried), and it is possible to build a list of 100 percent exploitable targets from a dork query alone. The only thing a defender will see is an unauthenticated request for the login page, which looks the same as any scanner or legitimate user; the fix on the device side is simply to change the default password, which is exactly the state the page is leaking.
CyberArk’s security researchers discovered two vulnerabilities exposing Jenkins servers. Jenkins is a Java web application for continuous integration that lets development teams automatically build, test, and run commands against their code repositories. CyberArk disclosed the flaws to Jenkins after detecting an exploitation attempt against Jenkins servers in which the actors used two different vulnerabilities. The first is CVE-2018-1999001, a path traversal in the login handling that lets an unauthenticated attacker move files on the Jenkins master, in particular the global security configuration file config.xml out of JENKINS_HOME; if Jenkins is later restarted without that file, it falls back to legacy defaults that grant administrator access to anonymous users. The second is CVE-2018-1999043, which lets an attacker create ephemeral user records in the server’s memory simply by attempting to log in with invalid credentials. Both vulnerabilities were fixed in Jenkins 2.132 and LTS 2.121.2. ZDNet was able to discover over 2,000 vulnerable Jenkins servers within a few minutes, and researchers believe the total number may exceed 10,000. Users and organizations must apply patches promptly to mitigate attacks. File integrity monitoring on a Jenkins master would catch the security configuration file being moved, and a check that config.xml is still in place belongs in front of any restart.
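The file integrity check suggested above, written out as an added example (not code from Jenkins or CyberArk). It baselines the sensitive files under JENKINS_HOME, reports any that go missing or change, and additionally flags a global configuration (root element <hudson>) turning up anywhere other than the top of JENKINS_HOME, which is the visible effect of the config.xml move. The watch list and the simulated destination directory are assumptions; the real destination depends on the crafted username an attacker supplies.

```python
"""File-integrity monitor for JENKINS_HOME (added example, not Jenkins code)."""
import hashlib
import os
import tempfile

# Files whose disappearance or modification on a Jenkins master should alert.
WATCHED = ("config.xml", "credentials.xml", "secrets/master.key")  # assumed watch list


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_global_config(path):
    """The global Jenkins configuration has <hudson> as its root element;
    per-user and per-job config.xml files use <user> and <project>."""
    with open(path, "rb") as f:
        head = f.read(1024)
    return b"<hudson>" in head


def baseline(jenkins_home):
    """Hash every watched file that exists right now."""
    return {rel: sha256_of(os.path.join(jenkins_home, rel))
            for rel in WATCHED if os.path.isfile(os.path.join(jenkins_home, rel))}


def check(jenkins_home, base):
    """Return a list of (finding, relative_path) tuples; an empty list means clean."""
    findings = []
    for rel, expected in base.items():
        p = os.path.join(jenkins_home, rel)
        if not os.path.isfile(p):
            findings.append(("MISSING", rel))
        elif sha256_of(p) != expected:
            findings.append(("MODIFIED", rel))
    # A <hudson> config.xml anywhere but the root of JENKINS_HOME means the global
    # configuration has been relocated, which is what the traversal achieves before
    # a restart would bring Jenkins up with anonymous admin access.
    for root, _dirs, files in os.walk(jenkins_home):
        for name in files:
            if name != "config.xml":
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, jenkins_home)
            if rel != "config.xml" and is_global_config(full):
                findings.append(("UNEXPECTED_GLOBAL_CONFIG", rel))
    return findings


def simulate_move(jenkins_home):
    """Mimic the effect of the vulnerability by relocating the global config.xml.
    The destination here is a constructed placeholder, not the real traversal target."""
    dst_dir = os.path.join(jenkins_home, "users", "_moved")
    os.makedirs(dst_dir, exist_ok=True)
    os.replace(os.path.join(jenkins_home, "config.xml"), os.path.join(dst_dir, "config.xml"))


def demo():
    """Build a throwaway JENKINS_HOME, baseline it, simulate the move, re-check."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    with open(os.path.join(home, "config.xml"), "w") as f:
        f.write("<?xml version='1.1' encoding='UTF-8'?>\n<hudson>\n"
                "  <useSecurity>true</useSecurity>\n</hudson>\n")
    os.makedirs(os.path.join(home, "users", "alice"))
    with open(os.path.join(home, "users", "alice", "config.xml"), "w") as f:
        f.write("<user>\n  <fullName>alice</fullName>\n</user>\n")  # legitimate per-user file
    base = baseline(home)
    before = check(home, base)
    simulate_move(home)
    after = check(home, base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run it as a cron job or wire `check()` into whatever already watches the host; the per-user config.xml is deliberately included in the demo so that the <hudson> root-element test, rather than the file name, is what distinguishes the moved global file from normal user records.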
Last week, security researchers from Tencent’s Blade Team disclosed a remote code execution vulnerability in SQLite that they dubbed Magellan. SQLite is one of the most widely deployed pieces of software in existence; it is embedded in every mainstream operating system and in a vast amount of application software, so the reach of this vulnerability is enormous.
The researchers state that Google has already fixed the vulnerability, but the technical details of Magellan are being withheld for now so that other vendors have time to ship fixes. Any device or program that uses SQLite or Chromium is affected, and the consequences of exploitation range from program crashes and leaks of process memory to remote code execution.
The bug can be triggered remotely, for example by luring a target to a particular web page in a browser, and more generally in any scenario where an attacker can get SQL statements executed against a vulnerable engine. The researchers had not observed any abuse of Magellan in the wild at the time of publishing, and there is currently no CVE for it. We will likely see this weaponized into a new or existing exploit kit, or added to a scanner’s arsenal, over the next week or two. So update SQLite and the applications that use it, including Chromium-based browsers (Chrome, Vivaldi, Opera, and Brave). Products that embed SQLite should move to 3.26.0, and Chromium users should update to the official stable release 71.0.3578.80. Note that SQLite is almost always compiled into the application that uses it rather than loaded from a shared system library, so patching the operating system’s copy does not fix the copies bundled inside browsers, mobile apps, and other software; each of those needs its own updated build.
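Because every application can carry its own copy of SQLite, the useful inventory question is not “what does the package manager say” but “what does each engine report about itself”. The following is an added example (not code from Tencent, Google, or the SQLite project) that asks a live connection for its version, compares version strings against the two fixed releases named above, and audits a constructed inventory; the inventory entries and the Chromium-derived browser versions in it are made up for illustration.

```python
"""Version audit against the SQLite 3.26.0 and Chromium 71.0.3578.80 fixes (added example)."""
import re
import sqlite3

FIXED_SQLITE = "3.26.0"
FIXED_CHROMIUM = "71.0.3578.80"


def parse_version(s):
    """'3.25.3' -> (3, 25, 3). Tolerates distro suffixes such as '3.26.0-1ubuntu1'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed, fixed):
    """True when installed >= fixed; shorter tuples are zero-padded so '3.27' >= '3.26.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def linked_sqlite_version(conn=None):
    """Ask the engine itself (SELECT sqlite_version()) rather than package metadata.
    With no connection supplied this reports the copy linked into this interpreter's
    sqlite3 module, which may differ from the system library and from any other app."""
    own = conn is None
    conn = conn or sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        if own:
            conn.close()


def audit(inventory):
    """inventory: iterable of (component, kind, version) with kind 'sqlite' or 'chromium'.
    Returns (component, version, patched) for each entry."""
    fixed = {"sqlite": FIXED_SQLITE, "chromium": FIXED_CHROMIUM}
    return [(name, ver, is_patched(ver, fixed[kind])) for name, kind, ver in inventory]


# Constructed inventory standing in for a package-manager or EDR export.
SAMPLE_INVENTORY = [
    ("python sqlite3 module (this interpreter)", "sqlite", linked_sqlite_version()),
    ("libsqlite3 (system)", "sqlite", "3.25.3"),
    ("Chrome", "chromium", "71.0.3578.80"),
    ("bundled Chromium in another browser", "chromium", "70.0.3538.110"),
]


if __name__ == "__main__":
    for name, ver, ok in audit(SAMPLE_INVENTORY):
        print(f"{'OK     ' if ok else 'UPDATE '} {name}: {ver}")
```

The version comparison is done on integer tuples rather than strings so that “3.9.0” does not sort above “3.26.0”; for a server application, pass its own connection to `linked_sqlite_version()` to learn which copy that process actually runs.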
McAfee’s security researchers discovered an advanced threat actor they call “Sharpshooter” targeting defense organizations and critical infrastructure sectors, reusing source code associated with the infamous Lazarus group. McAfee published its findings on December 12, 2018, after observing attacks against organizations in the nuclear and defense sectors. The first stage is a malicious Office document carrying a weaponized macro; the macro downloads the second-stage backdoor, dubbed Rising Sun, which performs reconnaissance on the victim’s system and network and sends the collected data to a command-and-control (C2) server, where the actors review it before deciding how to proceed against that victim. McAfee identified 87 affected organizations across multiple industry sectors. First-stage infections that begin with an Office document are typically spread through malspam, and the document names in the indicators below suggest recruitment-themed lures.
Indicators of compromise (defanged with [.])

First Stage - IPs, Domains & URLs
208.117.44[.]112/document/BusinessIntelligenceAdministrator.doc
www.dropbox[.]com/s/2shp23ogs113hnd/CustomerServiceRepresentative.doc?dl
208.117.44[.]112/document/StrategicPlanningManager.doc

Second Stage - IPs, Domains & URLs
34.214.99[.]20/view_style.php
137.74.41[.]56/board.php
kingkoil.com[.]sg/board.php

File Hashes (SHA-1)
66776c50bcc79bbcecdbe99960e6ee39c8a31181
31e79093d452426247a56ca0eff860b0ecc86009
8106a30bd35526bded384627d8eebce15da35d17
668b0df94c6d12ae86711ce24ce79dbe0ee2d463
9b0f22e129c73ce4c21be4122182f6dcbc351c95
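A way to put the indicators above to work, as an added example (not McAfee’s code). It refangs the network IOCs, matches them against web-proxy log lines and a hash export, and treats a host that carries lots of legitimate traffic differently from an attacker-controlled one: for Dropbox only the exact shared-file URL counts, whereas any request at all to the first- and second-stage hosts is reported. The proxy log lines, the hash export, the log format and the shared-host allowlist are all constructed for the example.

```python
"""Match the Sharpshooter indicators above against proxy logs and file hashes (added example)."""
import re
from urllib.parse import urlsplit

# Defanged network IOCs copied from the lists above.
RAW_NETWORK_IOCS = """
208.117.44[.]112/document/BusinessIntelligenceAdministrator.doc
www.dropbox[.]com/s/2shp23ogs113hnd/CustomerServiceRepresentative.doc?dl
208.117.44[.]112/document/StrategicPlanningManager.doc
34.214.99[.]20/view_style.php
137.74.41[.]56/board.php
kingkoil.com[.]sg/board.php
"""

# File hashes (SHA-1) from the list above.
IOC_HASHES = {
    "66776c50bcc79bbcecdbe99960e6ee39c8a31181",
    "31e79093d452426247a56ca0eff860b0ecc86009",
    "8106a30bd35526bded384627d8eebce15da35d17",
    "668b0df94c6d12ae86711ce24ce79dbe0ee2d463",
    "9b0f22e129c73ce4c21be4122182f6dcbc351c95",
}

# Hosts shared with legitimate traffic: only an exact URL match is a hit. (assumed allowlist)
SHARED_HOSTS = {"www.dropbox.com"}


def refang(s):
    return s.replace("[.]", ".").replace("hxxp", "http")


def load_network_iocs(raw):
    """Return (hosts, urls): a set of hostnames and a set of (host, path) pairs.
    Any query string (including the truncated '?dl' on the Dropbox link) is dropped."""
    hosts, urls = set(), set()
    for line in raw.strip().splitlines():
        host, _, rest = refang(line.strip()).partition("/")
        host = host.lower()
        path = "/" + rest.split("?", 1)[0]
        hosts.add(host)
        urls.add((host, path))
    return hosts, urls


# Constructed log format: timestamp, client IP, method, URL, status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, hosts, urls):
    """Return (client, host+path, kind) for every hit; kind is 'url' or 'host'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these separately in production
        u = urlsplit(m["url"])
        host = (u.hostname or "").lower()
        path = u.path or "/"
        if (host, path) in urls:
            hits.append((m["src"], host + path, "url"))
        elif host in hosts and host not in SHARED_HOSTS:
            hits.append((m["src"], host + path, "host"))
    return hits


def match_hashes(observed):
    """Intersect an exported list of file hashes (any case) with the IOC hashes."""
    return {h.strip().lower() for h in observed} & IOC_HASHES


# Constructed sample data: two endpoints fetch the lures, one later beacons to a C2 host.
SAMPLE_LOG = [
    "2018-12-13T09:12:44Z 10.0.0.23 GET http://208.117.44.112/document/StrategicPlanningManager.doc 200",
    "2018-12-13T09:13:01Z 10.0.0.23 GET http://208.117.44.112/favicon.ico 404",
    "2018-12-13T09:20:17Z 10.0.0.41 GET https://www.dropbox.com/s/2shp23ogs113hnd/CustomerServiceRepresentative.doc?dl=1 200",
    "2018-12-13T09:21:05Z 10.0.0.41 GET https://www.dropbox.com/s/abcdef123456/quarterly-report.xlsx?dl=0 200",
    "2018-12-13T09:44:59Z 10.0.0.23 POST http://kingkoil.com.sg/board.php 200",
    "2018-12-13T09:45:10Z 10.0.0.77 GET https://www.example.com/index.html 200",
]
SAMPLE_HASHES = ["9B0F22E129C73CE4C21BE4122182F6DCBC351C95",
                 "da39a3ee5e6b4b0d3255bfef95601890afd80709"]


def demo():
    hosts, urls = load_network_iocs(RAW_NETWORK_IOCS)
    return scan_proxy_log(SAMPLE_LOG, hosts, urls), match_hashes(SAMPLE_HASHES)


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
    print(demo()[1])
```

The host-level match on 208.117.44.112 (the favicon request) is deliberate: once an IP is attacker-controlled, any contact with it is worth a ticket, while the second Dropbox share stays silent because that host serves everyone.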