Threat Report

This week we’re covering critical vulnerabilities discovered in Huawei routers, Jenkins continuous build automation servers, and SQLite databases. Additionally, we’re going to review a threat actor that is taking aim at critical U.S. infrastructure.

Security community calls Huawei’s bluff on security claims

Huawei’s integrity has been called into question recently. Many countries are taking U.S. leadership and canceling Huawei orders. Canada has arrested the Huawei CFO for extradition to the United States. During all this, Huawei has asked the U.S. to put up or shut up. And, the security community has responded with proof. A staggering vulnerability report for Huawei routers (CVE-2018-7900) has been released and Huawei doesn’t just make exploitation possible, they make it easy.

There is no spray and pray necessary for attackers. You can find all vulnerable routers with a Shodan/ZoomEye. There is no need to fail a login. The login page indicates if the default password has changed. This makes detecting abusive activity difficult because attackers don’t make much noise, and it’s possible to generate a list of 100 percent exploitable targets based on a dork query.

Jenkins makes guests feel at home with anonymous to admin access

CyberArk’s security researchers discovered two vulnerabilities exposing  Jenkins  servers.  Jenkins  is a Web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results.  CyberArk  disclosed the flaw to  Jenkins  after they detected an exploitation attempt against  Jenkins  servers. The actors used two different vulnerabilities to launch attacks. The first is  CVE-2018-1999001, a flaw that allows an attacker to remove files from the  Jenkins  master file system. The second is  CVE-2018-1999043, which allows an attacker to create ephemeral user records in the server’s memory. Both of these vulnerabilities have been addressed and fixed. ZDNet was able to discover over 2,000 vulnerable  Jenkins  servers within a few minutes. Researchers believe that the total number of vulnerable servers might even be over 10,000. Users and organizations must keep software and firmware up to date with timely patch updates to mitigate attacks. File integrity monitoring on a Jenkins server could detect the security configuration file being moved.

Magellan vulnerability discovered in SQLite

Last week, Security researchers from Tencent Blade Team have discovered a remote code execution vulnerability in SQLite dubbed Magellan. SQLite is a widely used and well-known database utilized in all modern mainstream  operating systems  and software, meaning that this vulnerability holds a wide range of influence.

Researchers state that  Google  has fixed this vulnerability, however, Google is not disclosing the details of Magellan at this time as they are pushing vendors to fix it as soon as possible. Devices or software that use SQLite or Chromium are affected, and the dangers of exploitation include remote code execution, leaking program memory, or causing program crashes.

The vulnerability can be triggered remotely, for example, a target visits a particular Web page in a browser or any scenario that can execute SQL statements. Researchers did not observe any abuse of Magellan in the wild at the time of publishing. There is currently no CVE for this vulnerability. We will likely see this weaponized into a new or existing exploit kit or as part of a scanner’s arsenal of exploits over the next week or two. So, update SQLite or your applications that use SQLite, like Chromium based browsers (Chrome, Vivaldi, Opera, and Brave). SQLite products are advised to update to 3.26.0 and Chromium users are advised to update to the official stable version 71.0.3578.80.

Sharpshooter takes aim at critical infrastructure

McAfee  security researchers discovered an advanced threat actor they call “Sharpshooter” targeting defense organizations and  critical infrastructure  sectors using source code from the infamous Lazarus group.  McAfee  disclosed the flaw on December 12, 2018, after they detected exploitation attempts against organizations in nuclear and defense sectors.  The threat actor is executing the first stage exploit through a malicious office document that contains a weaponized macro. The macro downloads the second stage backdoor, dubbed Rising Sun, which performs reconnaissance on the victim’s network. Once executed, the victim’s data will be sent to  a C2  server for monitoring by the actors to launch the attacks. Researchers have detected 87 victims from different industry sectors with this vulnerability. First stage infections that start with an office document are typically spread through malspam.

First Stage – Ips & Domains

208.117.44[.]112/document/BusinessIntelligenceAdministrator.doc

www.dropbox[.]com/s/2shp23ogs113hnd/CustomerServiceRepresentative.doc?dl

208.117.44[.]112/document/StrategicPlanningManager.doc

Second Stage - IPs & Domains

34.214.99[.]20/view_style.php
137.74.41[.]56/board.php
kingkoil.com[.]sg/board.php

Hashes

66776c50bcc79bbcecdbe99960e6ee39c8a31181

31e79093d452426247a56ca0eff860b0ecc86009

8106a30bd35526bded384627d8eebce15da35d17

668b0df94c6d12ae86711ce24ce79dbe0ee2d463

9b0f22e129c73ce4c21be4122182f6dcbc351c95

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Friday December 14th 2018