Threat Report

It’s time for another usually weekly threat report. Last week we were really busy with a successful PerchyCon 2020. But we’ve gotten some interesting threats that we need to make you aware of this week.

Cisco Discovery Protocol vulnerability impacts millions

Cisco has disclosed five 0-day vulnerabilities in the Cisco Discovery Protocol (CDP) collectively dubbed “CDPwn.” CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to share information about directly connected Cisco equipment.

CDP is used in nearly all Cisco products (including switches, routers, IP phones, and cameras), and all products come with CDP enabled by default. Consequently, the vulnerabilities impact tens of millions of enterprise devices.

Four of the five CDPwn vulnerabilities allow for complete take-over of the devices, including all Cisco 7800 and 8800 IP phones, Cisco IP Cameras, Nexus Switches, IOS XR routers, and others. An advisory from the U.S. CERT Coordination Center has also been issued.

The vulnerabilities are classified as critical. Four are enable Remote Code Execution (RCE) and the fifth is a Denial-of-Service (DoS) vulnerability that can impact the entire operation of a network.

Researchers from Armis first disclosed the vulnerabilities to Cisco on August 29, 2019. Cisco customers are advised to prioritize patching at their earliest convenience and can visit Cisco for more information on patches. If you’re interested, you can read the full white paper on CDPwn.

The following is a breakdown of each vulnerability:

• CVE-2020-3110: Cisco’s Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of DeviceID type-length-value (TLV).
• CVE-2020-3111: Cisco’s Voice-over-Internet-Protocol (VoIP) phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value (TLV).
• CVE-2020-3118: Cisco’s CDP subsystem of devices running - or based on - Cisco IOS XR Software are vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow.
• CVE-2020-3119: Cisco’s CDP subsystem of devices running - or based on - Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of Power over Ethernet (PoE) type-length-value (TLV).
• CVE-2020-3120: Cisco’s CDP subsystem of devices running - or based on - Cisco NX-OS, IOS XR, and FXOS Software are vulnerable to a resource exhaustion denial-of-service (DoS) condition.

Emotet leverages Corona Virus in phishing campaign

Last week, researchers identified a new Emotet phishing campaign that warned recipients of Corona Virus infection in Japan. According to the reports, the subject of the emails are composed of different representations of the Japanese word for “notification” and suggest an urgency for recipients to view the notification.

The content of the document is a standard Office 365 document, which instructs the viewer to enable the malicious content. If the malicious attachment has been opened with macro enabled, an obfuscated VBA macro script opens PowerShell and installs the Emotet Trojan. The infected computer will then be used to drop other malware, such as Trickbot, to harvest user credentials, browser history, and sensitive documents that will be sent to the attacker-controlled command-and-control server.

To mitigate phishing attacks, users are advised to check the URL of the website before clicking a link sent via email, be vigilant to suspicious attachments, avoid enabling macros on untrusted documents, and use security controls that can track malicious activities.

Detect FIN6 using TerraLoader

TerraLoader is a JScript based backdoor, used by multiple threat actors. TerraLoader capabilities include self-deletion, downloading additional payloads, and system scans - including detection of antivirus software, OS info, computer name, username, and the victim’s IP address.

This functionality is typical for a backdoor and uses HTTPS for C2 operations allowing the threat actor to control the target’s machine. TerraLoader will regularly connect to its C2 server to check for any new commands from the threat actor.

FIN6 deployments of TerraLoader differentiate themselves from Cobalt Group deployments. FIN6 deployments version 4 and above, contain strings denouncing Cobalt Group, while Cobalt Group deployments (solely of version 2.0) include the via_x command, to initiate cmd.exe to download additional files.

Microsoft Products earn Top Target Spot, three years running

Based on RecordedFuture’s analysis of CVEs from 2017 through 2019, more exploits were observed targeting Microsoft products than Adobe products. Eight out of the top ten vulnerabilities are exploited via phishing attacks, exploit kits, or remote access trojans (RATs) which impact Microsoft products.

Four of these vulnerabilities impact Internet Explorer. Despite experiencing a decline in browser market share, Internet Explorer is still favored by enterprises, making it a high-value target for threat actors.

Only two Adobe Flash vulnerabilities made the top ten, likely due to a combination of better patching and Flash Player’s 2020 end of life.

Many vulnerability and patch management teams struggle to keep updates current without having visibility into which vulnerabilities are being actively exploited. This makes it hard to prioritize critical patches.

In 2019, there were over 12K vulnerabilities reported and classified through CVE. Although this is fewer than in 2018, the U.S. government and the National Vulnerability Database (NVD) have scored over 1K of those 12K vulnerabilities with a CVSS score of nine or higher and deemed them “critical” to patch.

It is imperative that security professionals have knowledge of those vulnerabilities that impact a company’s technology stack and are included in exploit kits, used to distribute a RAT, or are currently being used in phishing attacks.

Key Observations:

• For a third straight year, Microsoft was the technology most affected by vulnerabilities, with eight of the top 10 vulnerabilities identified targeting its products.
• For the first year, six of the vulnerabilities all impacting Microsoft were repeats from the prior year. CVE-2018-8174 dropped one spot from the top exploited vulnerability in 2018 to second in 2019; CVE-2017-11882 stayed in the third spot, while CVE-2012-0158 dropped from ninth to tenth.
• Only one vulnerability from the 2019 calendar year was ranked in the top 10 that impacted Internet Explorer 10 and 11: CVE-2019-0752. This vulnerability was included in a new exploit kit called Capesand.
• The number of new exploit kits continued to decrease, dropping from five to four in 2019. Capesand was one new exploit kits that targeted vulnerabilities on this list. An underground forum user claimed to stop development on both Capesand and DarkRat in December 2019.
• In 2019, 23 new remote access Trojans (RATs) were released compared to 37 in 2018. Only one of these new RATs, BalkanRAT, was associated with a top vulnerability that impacted Microsoft WinRAR ACE: CVE-2018-20250.

Bitbucket Leveraged in Threat Campaigns

Security researchers from Cybereason released a report on February 5, 2020, about an ongoing campaign that is abusing Bitbucket, a Web-based version control repository hosting service owned by Atlassian. The threat actors who are abusing Bitbucket have been creating several user accounts that they update regularly (as often as every few hours) to evade detection by antivirus products. According to the report, the campaign starts when users click a malicious link in phishing emails or download cracked versions of commercial software like Adobe Photoshop, Microsoft Office, and others. Threat actors have bundled these Free Warez with Azorult Infostealer and Predator the Thief. They are using Themida and CypherIT Autoit as packers to avoid detection.

Once the Freee Warez is installed, it drops Azorult and Predator and downloads multiple payloads from a Bitbucket repository which are being updated by the threat actors regularly. Aside from Predator and Azorult, malwares such as Evasive Monero Miner, STOP Ransomware, Vidar, Amadey bot, and IntelRapid are being deployed by the threat actors.

The report stated that over 500K machines worldwide are affected by this ongoing campaign.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday January 16th 2020