CVE-2018-8453 MONTHLY RISK & THREAT ANALYSIS REPORT
PRODUCED DECEMBER 2018
THREAT ANALYSIS AND INVESTIGATIONS
LookingGlass STRATISS: Confidential |
Overall Report Distribution is TLP: GREEN Overall Source/Information Reliability: B2
Executive Summary

On December 6, 2018, threat actor X advertised the sale of the CVE-2018-8453 one-day exploit in a cybercrime forum. The exploit enables privilege escalation for an attacker that facilitates the full compromise of a victimized system. There is limited information on X, though he is associated with the sale of one-day exploits and enjoys a favorable reputation level, bolstering his bona fides as a reliable seller of merchandise. To date, suspected state actors have been observed leveraging the CVE-2018-8453 exploit against targeted entities in the Middle East region; however, the publicity surrounding this vulnerability coupled with slow implementation of available patches makes any organization susceptible to compromise. Patch management remains a challenge for organizations and is necessary to reduce mitigation and remediation expenses incurred by companies post-compromise, which can be extremely costly.
Key Points

• In early December 2018, threat actor X advertised the sale of a one-day local privilege escalation exploit in a cybercrime forum. Elevation-of-privilege exploits enable attackers to fully compromise a victimized machine. Since its disclosure, hostile actors have been observed leveraging the CVE-2018-8453 exploit in targeted attacks directed against entities in the Middle East region.
• There is limited information on X. However, the actor is associated with advertising the sale of one-day exploits in the cybercrime underground in the past. Solid reputation levels and positive feedback from forum members indicate that the actor is a credible source of these types of exploits.
• Zero- and one-day vulnerabilities are generally considered critical for organizations to patch. While considered "rare" and typically believed to be used primarily by state actors, they nevertheless can be extremely costly for organizations to mitigate and remediate if they fail to promptly patch these vulnerabilities.
*This report is based on open source findings. Therefore, the report is open source intelligence and does not constitute definitive evidence. Information found in the open source cannot necessarily be verified and is presented as intelligence and as additional information to enhance or expand current investigations.
CVE-2018-8453 Being Sold on Exploit[.]in

On December 6, 2018, Russian threat actor X advertised the sale of a one-day local privilege escalation (LPE) exploit, CVE-2018-8453, for Windows operating systems in the Exploit[.]in cybercrime forum (see Figure 1). The exploit enables an attacker to bypass Supervisor Mode Access Prevention (SMAP), kernel data execution prevention (DEP), kernel address space layout randomization (KASLR), Windows Integrity Level, and user access control.
Figure 1. Screenshot of Advertisement in Exploit[.]in (source: LookingGlass Threat Research)

Per the actor's posting, details of the exploit are as follows:

Supported versions: XP/2003/Vista/2008/W7/2008R2/W8/2012/W8.1/2012R2/W10 TH1-RS3/2016
Supported architecture: x86/x64
Development stage: v1.0.81207 (stable)
x86 shellcode size: 13 Kb (avg. exec. time: 2-5 seconds)
x64 shellcode size: 19 Kb (avg. exec. time: 2-5 seconds)

The actor asserted that the code was written "from scratch." Per X, the exploit comes in the form of shellcode (note: shellcode is instructions that go into effect once the code is deployed into an application), which is ready to be embedded into the attacker's projects. At this time, a new function appears in the code: <BOOL GetSystemPWNED(ULONG ulProcescId);>. The actor states that the package contains demo source code that opens the command console with SYSTEM rights. For those potential buyers that work on bootkits/rootkits/lockers, X asserts that the code can run in ring 0 mode with some modifications (note: ring 0 is the level with the most privileges and interacts with the computer's hardware and memory). The actor claims that the exploit has been successfully tested on Windows builds ranging from XP SP0 to Windows 10 RS3 (approximately a hundred systems) from various years up through September 2018. The exploit is able to work under a "Guest" account, as well as from "Low Integrity" (note: the Windows Integrity Mechanism "provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity from reading or modifying objects of higher integrity"[i]). Additionally, the actor states that the exploit was tested on such security solutions as Kaspersky Total Security 2019, Avast Internet Security 2019, and ESET Smart Security 11. The actor indicates that other checks on security solutions are available on request. The price of the exploit is listed at USD 10,000, payable in Bitcoin.
What is CVE-2018-8453?

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers.[ii] An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.[iii] In October 2018, Microsoft released a patch for this vulnerability.
Who is X?

Unsurprisingly, there is a dearth of information on the actor. The alias "X" is not unique in the cybercriminal underground, which makes it challenging to link the actor via this alias to specific postings. The actor's postings in the underground have primarily focused on the sale of one-day exploits. Based on his favorability rankings, X provides valid exploits. The fact that the actor primarily operates in one cybercrime forum (at least under this alias) may be an attempt to reduce his footprint in the cybercrime underground and evade scrutiny from law enforcement elements. Another alias associated with this actor is "Z". This determination was made by linking the actor's Jabber account playbit[@]exploit[.]im with a profile with that alias and a posting that he made on CVE-2016-7255. However, LookingGlass analysts believe that the actor solely uses the X alias on underground forums and Z as an alias for video sites such as YouTube and De-visions.

Cyber Crime Forums

Exploit[.]in. The actor joined this forum under the alias X on May 25, 2008. As of this writing, the actor has made approximately 90 posts, most of which focus on the sale of exploits and droppers. The actor enjoys a +10 favorability rating, which indicates that X has sold reliably in the past. Since June 24, 2012, the actor has opened threads that focused on selling one-day exploits for Windows OS. All feedback has been favorable.

Antichat[.]ru. The actor joined this forum under the alias X on May 20, 2012. The actor has only made one posting thus far, in which he posted negative feedback about the sale of a dedicated server. The actor's last visit on this site was on June 13, 2013.
Contact Information

Jabber: xyz[@]exploit[.]im, xyz[@]hacklab[.]li
Zero- and One-Day Exploits

Zero-day and one-day exploits refer to the amount of time that a company is aware of the vulnerabilities in their networks that could be taken advantage of by hostile actors. While zero-days refer to "holes" that an organization is not cognizant of (one academic paper on zero-days indicates that some of these exploits have gone unnoticed and unpatched for up to 10 months[iv]), one-days refer to an organization's acknowledgement of a vulnerability that still remains unpatched. Zero-days are considered generally "rare"; the overwhelming majority of exploits faced by organizations are based on vulnerabilities generally known for approximately one year.[v] According to a first quarter 2018 report, a computer security company's research found that zero-day markets are growing and maturing for anyone able to purchase them for legitimate or illegitimate reasons.[vi] Per the same report, as of the first quarter in 2018, 45 zero-day vulnerabilities had been discovered (note: other vendors may have different statistics). Per a July 2018 Massachusetts Institute of Technology paper, an online subscription service offers zero-day exploits at a cost of approximately USD 150,000/month.[vii] One company has found that zero-day attacks are increasingly being used by hostile actors to attack hybrid cloud environments.[viii] Remediating the results of zero-day attacks can be costly for organizations. According to an online computer security news site, "the average company endures a cost of USD 7.12 million, or USD 440 per endpoint."[ix]
Patch Management is Important

In an environment where attackers typically outpace the ability of network defenders, the ability to detect and patch vulnerabilities is critical for maintaining the confidentiality, integrity, and availability of information systems and the data resident on them. According to a company that specializes in a next-gen cloud Web Application Firewall that enables web applications to defend themselves, it takes more than a month for an "average organization" to patch its most critical vulnerabilities (like the one represented by the CVE-2018-8453 vulnerability).[x] This is of paramount concern given that exploiting known vulnerabilities is a popular method for hostile actors to gain unauthorized access into organizations. According to a study by the Ponemon Institute that interviewed 3,000 worldwide cybersecurity professionals, more than half of breached organizations discovered that what facilitated the intrusion was the exploitation of a vulnerability for which a patch was available but had not been applied.[xi] In 2017, 300 polled organizations of various sizes found that 80 percent of breaches were the result of poor patch management practices, according to a global analytic firm study.[xii] When viewing the Equifax breach via the prism of an unpatched vulnerability, it is easy to see the potential dangerous fallout that can result.[xiii] Organizations are responsible for promptly patching vulnerabilities, especially those deemed high or critical risk by the National Institute of Standards and Technology. According to a 2018 report by a security-as-a-service vulnerability management service, the web application layer is where the majority of the high and critical risk exposure resides.[xiv] However, this challenge to promptly patch vulnerabilities may be exacerbated by the fact that patches aren't immediately available for known vulnerabilities. According to a site that provides comprehensive and timely intelligence on the latest security vulnerabilities, of all those disclosed in 2017, only 76 percent had fixes available.[xv] This demonstrates how the vulnerability management ecosystem is symbiotic, relying on the prompt identification of unknown vulnerabilities as well as the technological "fixes" required to mitigate the risk.
Conclusion

The actor X bears monitoring in the underground due to his association with the sale of these types of exploits. The actor's strong reputation level reflects his reliability of selling bona fide exploits coupled with customer satisfaction. The high quality of the exploit allows the actor to command a steeper price point and, as such, allows X to be judicious with his sales. This in turn reduces the actor's footprint in the underground, a move that keeps his profile low. One-day vulnerabilities like CVE-2018-8453 are extremely valuable to hostile actors that leverage them to fully exploit compromised computers. At this time, many of these vulnerabilities are typically associated with suspected state actors and have been used to support clandestine cyber operations. For example, on October 16, 2018, CVE-2018-8453 was observed being exploited by the "FruityArmor" advanced persistent threat actor targeting victims in the Middle East region, according to one computer security vendor.[xvi] Notwithstanding, vulnerabilities once made public can be used by any actor and against any industry or sector, which makes it incumbent on organizations to quickly apply patches. Assessing risks and prioritizing deployments are key aspects of any organization's patch management cycle and are a necessary component of a larger cybersecurity strategy. As one-day and zero-day vulnerabilities continue to become more and more prevalent, proactive development and testing of patch management processes will greatly help reduce an organization's exposure and remediation efforts.

Information Cut-Off Date: December 6, 2018
Traffic-Light Protocol for Information Dissemination

RED
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

AMBER
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and only as widely as necessary to act on that information.

GREEN
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

WHITE
When should it be used? Sources may use TLP:WHITE when information carries minimal or no risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? TLP:WHITE information may be distributed without restriction, subject to copyright controls.
A Note on Estimative Language

Estimative language is used in order to convey an assessed likelihood or probability of an event, as well as the level of confidence ascribed to a judgment. Assessments are based on collected information (which is often incomplete), as well as logic, argumentation, and precedents. Confidence levels provide assessments of the quality and quantity of the source information that supports judgments.

Confidence level: None (0-10%) | Low (11-49%) | Moderate (50-79%) | High (80-99%) | Complete (100%)

• Complete: Totally reliable and corroborated information with no assumptions and clear, undisputed reasoning.
• High: Well corroborated information from multiple proven sources, extensive databases, and/or a deep historical understanding of the issue. There are minimal assumptions present. The analytic reasoning is dominated by logical inferences developed through established methodology or multiple analytic techniques. High confidence does not imply an assessment is fact or a certainty.
• Moderate: Partially corroborated information from sufficient quality sources (a mix of proven and unproven sources) with some databases and/or historical understanding of the issue. There are assumptions present, of which some should be crucial to the analysis. Reasoning is a mixture of strong and weak inferences developed through simple analytic techniques or an established methodology.
• Low: Uncorroborated information from good or marginal sources (mix of semi-proven and unproven sources) with minimal database or historical understanding of the issue. There are many assumptions critical to the analysis. Reasoning is dominated by weak inferences through few analytic techniques.
• None: There is no direct information or partially corroborated information to support analytic assessments or judgments, or it is exploratory analysis.
Source and Information Reliability

Source Rating | Description
A Reliable | No doubt about the source's authenticity, trustworthiness, or competency. History of complete reliability.
B Usually Reliable | Minor doubts. History of mostly valid information.
C Fairly Reliable | Doubts. Provided valid information in the past.
D Not Usually Reliable | Significant doubts. Provided valid information in the past.
E Unreliable | Lacks authenticity, trustworthiness, and competency. History of invalid information.
F Can't Be Judged | Insufficient information to evaluate reliability. May or may not be reliable.

Information Rating | Description
1 Confirmed | Logical, consistent with other relevant information, confirmed by independent sources.
2 Probably True | Logical, consistent with other relevant information, not confirmed by independent sources.
3 Possibly True | Reasonably logical, agrees with some relevant information, not confirmed.
4 Doubtfully True | Not logical but possible, no other information on the subject, not confirmed.
5 Improbable | Not logical, contradicted by other relevant information.
6 Can't Be Judged | The validity of the information cannot be determined.
Endnotes

[i] https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb625957(v=msdn.10)
[ii] https://nvd.nist.gov/vuln/detail/CVE-2018-8453
[iii] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453
[iv] http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
[v] https://lab.getapp.com/zero-day-attacks/
[vi] https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/Q1-2018-Threat-Landscape-Report.pdf
[vii] https://www.fifthdomain.com/industry/2018/09/25/why-the-market-for-zero-day-vulnerabilities-on-the-dark-web-is-vanishing/
[viii] https://globenewswire.com/news-release/2018/02/28/1401427/0/en/Zero-Day-Exploits-Are-Most-Prevalent-Attack-in-Hybrid-Cloud-Environments-according-to-Capsule8-Sponsored-Study.html
[ix] https://www.zdnet.com/article/zero-days-fileless-attacks-are-now-the-most-dangerous-threats-to-the-enterprise/
[x] https://www.darkreading.com/cloud/it-takes-an-average-38-days-to-patch-a-vulnerability/d/d-id/1332638
[xi] https://www.welivesecurity.com/2018/04/19/patching-shut-window-unpatched/
[xii] https://dzone.com/articles/80-of-breaches-still-result-of-poor-patch-manageme
[xiii] https://ninjarmm.com/it-horror-stories-why-unpatched-software-hurts-business/
[xiv] https://www.edgescan.com/wp-content/uploads/2018/05/edgescan-stats-report-2018.pdf
[xv] https://www.riskbasedsecurity.com/2018/05/vulnerability-management-so-much-more-than-just-patch-management/
[xvi] https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/