Security Week 45: Chrome and BlueKeep Wildlife Vulnerabilities

Google released a Chrome browser update on October 31, in which two serious vulnerabilities were closed. One of them (CVE-2019-13720) was used in real attacks and was discovered (news, research) by Kaspersky Lab experts. A use-after-free vulnerability (CVE-2019-13720) allows arbitrary code to be executed on systems with 64-bit Windows and Chrome browser versions 76 and 77.

The problem was detected using the Automatic Exploit Prevention system, which is part of the Kaspersky Lab security solutions and aimed at identifying previously unknown attacks. The malicious Javascript code that launches the attack has been injected into the Korean news website. Researchers have called this campaign Operation WizardOpium, and so far there are no signs allowing to combine this malicious activity with other cybercriminal operations. The exploit code hints at a larger operation that exploits other vulnerabilities in common software.

This is not the only "live" attack that was discovered last week. On November 3, an interesting description of an attack on computers with the BlueKeep vulnerability was published on the Kryptos Logic blog. This issue in the Remote Desktop Services feature in Windows 7 and Windows 2008 Server was discovered in May. Despite the fact that the patch was released not only for these (relatively) modern OSs, but also for unsupported Windows XP and 2003 Server, at the time the patch was released, there were about a million vulnerable systems. In September, an exploit for BlueKeep was published as part of the Metasploit package. Even on an unpatched system, you can change the settings to make exploitation of the vulnerability impossible. Nevertheless, the researchers proceeded from the high probability that many systems would not be updated and configured correctly. How then to determine when they will begin to attack for real?

With the help of hanipots – deliberately poorly configured systems on which the vulnerability allows arbitrary code to be executed remotely and without authorization. On November 2, researcher Kevin Bumont announced (his version of events is here) that the chanipots belonging to him began to fall spontaneously “into the blue screen”. Analysis of the crashes showed that attacks on Remote Desktop Services are actually being carried out, and their nature corresponds to the capabilities of the code published as part of Metasploit. After successful penetration from the attacker’s server, PowerShell commands are sequentially loaded and executed, until finally the payload is downloaded – the cryptominer. Naturally, after the publication of the exploit, such “pranks” were inevitable, but in this case we also have an interesting example of attack analysis, which begins as the administrator’s usual headache – the system crashes and no one knows why. (For a long time) it’s time to update, but the number of systems with the BlueKeep vulnerability has not decreased much in five months and is now estimated at 700+ thousand.

What else happened:

Information about 7.5 million Adobe Creative Cloud subscribers was shared for a week. The incorrectly configured database contained detailed information about customers, but there were no passwords and credit card numbers. The Web.com registrar's customer base has also leaked.

The 30th anniversary of the Cascade virus. This is the first malware program studied back in 1989 by Eugene Kaspersky. A post with a digression into history and detailed infographics about the evolution of threats over three decades is published here.

According to Akamai, 90% of phishing sites live no more than a day. The top phishers include Microsoft, Paypal, and LinkedIn.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *