Saturday, March 3, 2018

Re-purposing Lucrative Exploits




Last month Adobe released a Flash security update to remediate the zero-day Remote Code Execution (RCE) vulnerability CVE-2018-4878, which was most visibly being used by North Korea to spy on the South. The South Korean CERT team noted that the exploit was being actively used by the North to target valuable information assets in the South as early as 31 January 2017. The vulnerability, scoring a 9.8 out of 10 base score from the National Vulnerability Database (NVD), was quickly acknowledged by Adobe, who posted a bulletin (APSA18-01) with security advisory details for the critical vulnerability, including mitigations. The 9.8 base score from the NVD reflects that the flaw is exploitable over the internet, requires low skill to execute, needs no privileges on the target machine, and needs no user interaction with the target. The exploit is realized by a malicious, malformed Flash object embedded in an Office document. Once the document is opened, the embedded SWF Flash file executes and downloads an additional payload from the web: the Remote Access Trojan ROKRAT.
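As an added detection example for the delivery vector just described (not code from the original post, nor from Adobe, Trend Micro or Talos): a small scanner that looks inside an Office document for an embedded Flash object. It assumes OOXML packaging (a zip archive), checks member content for the SWF signatures rather than trusting file names, and the sample document it builds is constructed.

```python
"""Scan an OOXML document (.docx/.xlsx/.pptx) for an embedded Flash object.

Added example for this post, not code from the original page or from Adobe,
Trend Micro or Talos. The sample document built below is constructed; the
SWF signatures FWS/CWS/ZWS (uncompressed, zlib, LZMA) and the OLE compound
file header are the documented values.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# SWF header: 3-byte signature followed by a version byte (1..40 for real Flash).
SWF_SIG = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x28]")


def find_embedded_swf(ooxml_bytes: bytes) -> list:
    """Return (member name, offset) for each SWF header found.

    A raw SWF member is matched at offset 0. ActiveX/OLE embeddings
    (e.g. word/activeX/activeX1.bin) wrap the SWF inside an OLE compound
    file, so such members are searched in full; the check is on content,
    not on the member name, so a renamed object is still caught.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if SWF_SIG.match(data):
                hits.append((info.filename, 0))
            elif data.startswith(OLE_MAGIC):
                hits.extend((info.filename, m.start()) for m in SWF_SIG.finditer(data))
    return hits


def build_sample_doc(with_swf: bool) -> bytes:
    """Constructed minimal document: one OLE-wrapped ActiveX member that
    carries a CWS header (version 10, little-endian length) when with_swf."""
    blob = OLE_MAGIC + b"\x00" * 504  # fake 512-byte OLE header sector
    if with_swf:
        blob += b"CWS\x0a" + (256).to_bytes(4, "little") + b"\x00" * 248
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.bin", blob)
    return buf.getvalue()
```

Running `find_embedded_swf(build_sample_doc(True))` reports the ActiveX member with the SWF header at offset 512, while the clean sample yields no hits; a match in a real mail attachment is a reason to quarantine the document for analysis.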
 





Adobe released a patch for the troubling zero-day on 6 February to address CVE-2018-4878, aiming to protect victims from the RCE vulnerability, but attackers found a new way to exploit CVE-2018-4878, as noted by Trend Micro in their February 27, 2018 report, which states: "The campaign involves the use of malicious spam - specifically with a spam email with an embedded link that directs the recipient to a Microsoft Word lure document (Detected by Trend Micro as TROJ_CVE20184878.A and SWF_CVE20184878.A) stored on the malicious website safe-storage[.]biz. After the file is downloaded and executed, it will prompt the user to enable editing mode to view what's inside the document. This document is what triggers the exploitation of CVE-2018-4878 - in particular, a cmd.exe window is opened that is remotely injected with a malicious shellcode."
This revival of CVE-2018-4878 illustrates not only the classic "cat and mouse" dance between attacker and defender but also the ability and keenness of attackers to adapt their methods to keep exploiting lucrative vulnerabilities, such as those with high NVD scores.



Sources:
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/new-campaign-exploits-cve-2018-4878-anew-via-malicious-microsoft-word-documents

http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html


Thanks to the Peraton CIP report for this information.