This week we discussed Metasploit Framework, and some of the vulnerabilities we demonstrated were from 2008. For this week’s discussion, relate to the class a “hack” that involved a vulnerability that had been “in the wild” for at least six months after the patch had been available.
Week Six Presentation (Handout)
https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/
According to the following article, a Chinese cyber espionage unit is focused on stealing email from victim organizations. The group has exploited known vulnerabilities in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
This was actually the first hack/vulnerability that came to my mind. This hack caused a lot of disruption and I believe the US government got involved as well in the form of an investigation to possibly draft sanctions on China.
The most obvious example that comes to mind is the infamous EternalBlue exploit of Microsoft Windows systems which was developed by the NSA and hidden from Microsoft and the public for “more than 5 years.” EternalBlue was developed for security testing by the NSA, but was obtained by a hacker group known as Shadow Brokers, who used the exploit to take advantage of a major remote access vulnerability in Windows OSs, leading to its malicious implementation via the WannaCry ransomware in May 2017 and followed by the NotPetya ransomware attack in June 2017. The vulnerability has been documented as CVE-2017-0144, and was due to a critical error in SMBv1 handling of custom packets that ultimately gave external users remote code execution.
https://en.wikipedia.org/wiki/EternalBlue
Not entirely six months, but for the second time, VMware had a vulnerability in their vCenter Servers. In September CISA warned organizations that have not applied the patch that they should expect widespread exploitation as the exploit code was publicly available. In June CISA had issued another warning related to remote code execution on the vCenter Servers. The patch had been released in May, and weeks to months later thousands of devices remained unpatched and vulnerable.
https://www.darkreading.com/vulnerabilities-threats/cisa-says-wide-exploitation-likely-of-new-vmware-center-server-flaw
A well known vulnerability with the name of Heartbleed was introduced into the TLS protocol in 2012, and involved the “overreading” of data that was appended. The appended data did not undergo input validation and therefore had potential to include malicious code. Despite the disclosure of the vulnerability and accompanying release of a patch in 2014, as of 1 July 2019, Shodan reported that 91,063 devices were still vulnerable.
Shodan (11 July 2019). “[2019] Heartbleed Report”. Shodan. Archived from the original on 11 July 2019. Retrieved 11 July 2019.
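The missing input validation described in the Heartbleed post above, as an added example that is not part of the original post or of OpenSSL: a simplified, constructed heartbeat record whose declared payload length is checked against the bytes actually received before any copy, shown beside the unchecked pattern (names, layout and sample records are assumptions).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified heartbeat record (hypothetical layout, not OpenSSL's code):
 * byte 0 = type (1 request, 2 response); bytes 1..2 = declared payload length,
 * big-endian; bytes 3.. = payload, then at least 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16

/* Vulnerable pattern, for contrast only (never called here): trusts the declared
 * length, so a short record with a large length field makes memcpy read past the
 * received bytes into adjacent memory, which is then echoed back to the peer. */
size_t hb_respond_unchecked(const uint8_t *rec, uint8_t *out) {
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, plen);   /* never compared with rec_len */
    return HB_HDR + plen + HB_PAD;
}

/* Hardened form: 1 (and *plen set) when the declared length fits inside the
 * bytes actually received, counting header and padding; 0 otherwise. */
int hb_validate(const uint8_t *rec, size_t rec_len, size_t *plen) {
    if (rec == NULL || rec_len < HB_HDR + HB_PAD) return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HB_HDR - HB_PAD) return 0;   /* the missing check */
    *plen = declared;
    return 1;
}

/* Echo response; returns bytes written, or 0 when the record is rejected. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t plen;
    if (!hb_validate(rec, rec_len, &plen) || HB_HDR + plen + HB_PAD > out_cap) return 0;
    out[0] = 2;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + HB_HDR, rec + HB_HDR, plen);   /* bounded by hb_validate */
    memset(out + HB_HDR + plen, 0, HB_PAD);
    return HB_HDR + plen + HB_PAD;
}

/* Constructed inputs: honest record declares 5 and carries "hello"; malformed one
 * declares 65535 but carries only "hi". Returns the response length (0 = rejected). */
size_t demo(int malformed) {
    uint8_t honest[HB_HDR + 5 + HB_PAD] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t bogus[HB_HDR + 2 + HB_PAD]  = {1, 0xff, 0xff, 'h', 'i'};
    uint8_t out[64];
    return malformed ? hb_respond(bogus, sizeof bogus, out, sizeof out)
                     : hb_respond(honest, sizeof honest, out, sizeof out);
}
```

The honest record yields a 24-byte response; the malformed one is rejected outright instead of leaking whatever sits beyond the received bytes.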
https://9to5mac.com/2021/09/27/security-researcher-claims-3-zero-day-flaws-ios-15/
In September, Apple released iOS 15 to the general public after about 3 months of beta and developer testing. In March, a security researcher explored and found three 0-day vulnerabilities. Apple failed to respond in time, and those three 0-days made their way onto iOS 15. This developer took those exploits and vulnerabilities to the public, and once that received great traction, Apple finally responded and issued a patch to make sure those 0-days were gone.
https://winbuzzer.com/2021/11/25/windows-installer-zero-day-exploit-spotted-being-used-in-the-wild-xcxwbn/
Threat actors are using an exploit for Windows Installer in the wild. The zero-day vulnerability stems from another flaw that Microsoft has already patched.
I find it interesting that zero-day vulnerabilities are so common now, and I am curious as to what companies are doing to combat this.
Although this is an older incident, the 2003 SQL Slammer worm infected 75,000 SQL servers in just 10 minutes. However, the vulnerability that this worm exploited had a patch available six months earlier.
“The program exploited a buffer overflow bug in Microsoft’s SQL Server and Desktop Engine database products. Although the MS02-039 patch had been released six months earlier, many organizations had not yet applied it.”
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-039
https://en.wikipedia.org/wiki/SQL_Slammer