CVE-2018-8453 MONTHLY RISK & THREAT ANALYSIS REPORT
PRODUCED DECEMBER 2018
THREAT ANALYSIS AND INVESTIGATIONS




LookingGlass STRATISS: Confidential

Overall Report Distribution is TLP: GREEN
Overall Source/Information Reliability: B2

Executive Summary

On December 6, 2018, threat actor X advertised the sale of the CVE-2018-8453 one-day exploit in a cybercrime forum. The exploit enables privilege escalation for an attacker, which facilitates the full compromise of a victimized system. There is limited information on X, though he is associated with the sale of one-day exploits and enjoys a favorable reputation level, bolstering his bona fides as a reliable seller of merchandise. To date, suspected state actors have been observed leveraging the CVE-2018-8453 exploit against targeted entities in the Middle East region; however, the publicity surrounding this vulnerability, coupled with slow implementation of available patches, makes any organization susceptible to compromise. Patch management remains a challenge for organizations and is necessary to reduce the mitigation and remediation expenses incurred by companies post-compromise, which can be extremely costly.

Key Points

• In early December 2018, threat actor X advertised the sale of a one-day local privilege escalation exploit in a cybercrime forum. Elevation of privilege exploits enable attackers to fully compromise a victimized machine. Since its disclosure, hostile actors have been observed leveraging the CVE-2018-8453 exploit in targeted attacks directed against entities in the Middle East region.

• There is limited information on X. However, the actor is associated with advertising the sale of one-day exploits in the cybercrime underground in the past. Solid reputation levels and positive feedback from forum members indicate that the actor is a credible source of these types of exploits.

• Zero- and one-day vulnerabilities are generally considered critical for organizations to patch. While considered “rare” and typically believed to be used primarily by state actors, they nevertheless can be extremely costly for organizations to mitigate and remediate if they fail to promptly patch these vulnerabilities.

*This report is based on open source findings. Therefore, the report is open source intelligence and does not constitute definitive evidence. Information found in the open source cannot necessarily be verified and is presented as intelligence and as additional information to enhance or expand current investigations.



CVE-2018-8453 Being Sold on Exploit[.]in

On December 6, 2018, Russian threat actor X advertised the sale of a one-day local privilege escalation (LPE) exploit for CVE-2018-8453 for Windows operating systems in the Exploit[.]in cybercrime forum (see Figure 1). The exploit enables an attacker to bypass Supervisor Mode Access Prevention (SMAP), kernel data execution prevention (DEP), kernel address space layout randomization (KASLR), Windows Integrity Levels, and User Account Control (UAC).

Figure 1. Screenshot of Advertisement in Exploit[.]in (source: LookingGlass Threat Research)

Per the actor's posting, details of the exploit are as follows:

Supported versions: XP/2003/Vista/2008/W7/2008R2/W8/2012/W8.1/2012R2/W10 TH1-RS3/2016
Supported architecture: x86/x64
Development stage: v1.0.81207 (stable)
x86 shellcode size: 13 Kb (avg. exec. time: 2-5 seconds)
x64 shellcode size: 19 Kb (avg. exec. time: 2-5 seconds)

The actor asserted that the code was written “from scratch.” Per X, the exploit comes in the form of shellcode (note: shellcode is instructions that go into effect once the code is deployed into an application), which is ready to be embedded into the attacker's projects. At this time, a new function appears in the code: <BOOL GetSystemPWNED(ULONG ulProcescId);>. The actor states that the package contains demo source code that opens the command console with SYSTEM rights. For those potential buyers that work on bootkits/rootkits lockers, X asserts that the code can run in ring 0 mode with some modifications (note: ring 0 is the level with the most privileges and interacts with the computer's hardware and memory). The actor claims that the exploit has been successfully tested on Windows builds ranging from XP SP0 to Windows 10 RS3 (approximately a hundred systems) from various years up through September 2018. The exploit is able to work under a “Guest” account, as well as from “Low Integrity” (note: the Windows Integrity Mechanism “provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity from reading or modifying objects of higher integrity” [i]). Additionally, the actor states that the exploit was tested on such security solutions as Kaspersky Total Security 2019, Avast Internet Security 2019, and ESET Smart Security 11. The actor indicates that other checks on security solutions are available on request. The price of the exploit is listed at USD 10,000, payable in Bitcoin.

What is CVE-2018-8453?

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka a "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers. [ii] An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. [iii] In October 2018, Microsoft released a patch for this vulnerability.


Who is X?

Unsurprisingly, there is a dearth of information on the actor. The alias “X” is not unique in the cybercriminal underground, which makes it challenging to link the actor via this alias to specific postings. The actor's postings in the underground have primarily focused on the sale of one-day exploits. Based on his favorability rankings, X provides valid exploits. The fact that the actor primarily operates in one cybercrime forum (at least under this alias) may be an attempt to reduce his footprint in the cybercrime underground and evade scrutiny from law enforcement elements. Another alias associated with this actor is “Z”. This determination was made by linking the actor's Jabber account playbit[@]exploit[.]im with a profile with that alias and a posting that he made on CVE-2016-7255. However, LookingGlass analysts believe that the actor solely uses the X alias on underground forums and Z as an alias for video sites such as YouTube and De-visions.

Cyber Crime Forums

Exploit[.]in. The actor joined this forum under the alias X on May 25, 2008. As of this writing, the actor has made approximately 90 posts, most of which focus on the sale of exploits and droppers. The actor enjoys a +10 favorability rating, which indicates that X has sold reliably in the past. Since June 24, 2012, the actor has opened threads that focused on selling one-day exploits for Windows OS. All feedback has been favorable.

Antichat[.]ru. The actor joined this forum under the alias X on May 20, 2012. The actor has only made one posting thus far, in which he posted negative feedback about the sale of a dedicated server. The actor's last visit on this site was on June 13, 2013.

Contact Information

Jabber: xyz[@]exploit[.]im, xyz[@]hacklab[.]li

Zero- and One-Day Exploits

Zero-day and one-day exploits refer to the amount of time that a company is aware of the vulnerabilities in their networks that could be taken advantage of by hostile actors. While zero-days refer to “holes” that an organization is not cognizant of (one academic paper on zero-days indicates that some of these exploits have gone unnoticed and unpatched for up to 10 months [iv]), one-days refer to an organization's acknowledgement of a vulnerability that still remains unpatched. Zero-days are considered generally “rare”; the overwhelming majority of exploits faced by organizations are based on vulnerabilities generally known for approximately one year. [v] According to a first quarter 2018 report, a computer security company's research found that zero-day markets are growing and maturing for anyone able to purchase them for legitimate or illegitimate reasons. [vi] Per the same report, as of the first quarter in 2018, 45 zero-day vulnerabilities had been discovered (note: other vendors may have different statistics). Per a July 2018 Massachusetts Institute of Technology paper, an online subscription service offers zero-day exploits at a cost of approximately USD 150,000/month. [vii] One company has found that zero-day attacks are increasingly being used by hostile actors to attack hybrid cloud environments. [viii] Remediating the results of zero-day attacks can be costly for organizations. According to an online computer security news site, “the average company endures a cost of USD 7.12 million, or USD 440 per endpoint.” [ix]

Patch Management is Important

In an environment where attackers typically outpace the ability of network defenders, the ability to detect and patch vulnerabilities is critical for maintaining the confidentiality, integrity, and availability of information systems and the data resident on them. According to a company that specializes in a next-gen cloud Web Application Firewall that enables web applications to defend themselves, it takes more than a month for an “average organization” to patch its most critical vulnerabilities (like the one represented by the CVE-2018-8453 vulnerability). [x] This is of paramount concern given that exploiting known vulnerabilities is a popular method for hostile actors to gain unauthorized access into organizations. According to a study by the Ponemon Institute that interviewed 3,000 worldwide cybersecurity professionals, more than half of breached organizations discovered that what facilitated the intrusion was the exploitation of a vulnerability for which a patch was available but had not been applied. [xi] In 2017, 300 polled organizations of various sizes found that 80 percent of breaches were the result of poor patch management practices, according to a global analytic firm study. [xii] When viewing the Equifax breach via the prism of an unpatched vulnerability, it is easy to see the potential dangerous fallout that can result. [xiii] Organizations are responsible for promptly patching vulnerabilities, especially those deemed high or critical risk by the National Institute of Standards and Technology. According to a 2018 report by a security-as-a-service vulnerability management service, the web application layer is where the majority of the high and critical risk exposure resides. [xiv] However, this challenge to promptly patch vulnerabilities may be exacerbated by the fact that patches aren't immediately available for known vulnerabilities. According to a site that provides comprehensive and timely intelligence on the latest security vulnerabilities, of all those disclosed in 2017, only 76 percent had fixes available. [xv] This demonstrates how the vulnerability management ecosystem is symbiotic, relying on the prompt identification of unknown vulnerabilities as well as the technological “fixes” required to mitigate the risk.
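The prioritization argument of this section, written out as a small Python triage routine. This is an added example, not code or methodology from the LookingGlass report: the weights, the 38-day threshold (the headline figure of the source cited above for "more than a month"), the severity label, the 9 October 2018 patch date (the report says only "October 2018") and the three-host inventory are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not code from the LookingGlass report: this section's argument
# as a triage rule. A bug with a public fix, in-the-wild use and a commodity exploit
# for sale is patched first; for a local privilege escalation (LPE) bug, hosts where
# untrusted users can log on rank highest.

@dataclass(frozen=True)
class VulnIntel:
    cve: str
    patch_released: date       # day the vendor fix became available
    exploited_in_wild: bool    # seen in targeted attacks
    exploit_for_sale: bool     # advertised in a cybercrime forum
    severity: str              # vendor or NIST severity label (assumed input)

@dataclass(frozen=True)
class Host:
    name: str
    fix_applied: bool          # the fix for this CVE is installed
    shared_logon: bool         # untrusted or low-privilege users can log on locally

AVG_PATCH_LAG_DAYS = 38        # assumed threshold, from the cited "average" patch time
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}

def exposure_days(intel, host, today):
    """Days a fix has existed without being applied on this host (0 once fixed)."""
    if host.fix_applied:
        return 0
    return max(0, (today - intel.patch_released).days)

def priority_score(intel, host, today):
    """Higher means patch sooner; a host that already has the fix scores 0."""
    if host.fix_applied:
        return 0
    score = SEVERITY_WEIGHT.get(intel.severity.lower(), 10)
    if intel.exploited_in_wild:
        score += 30            # attackers already use it
    if intel.exploit_for_sale:
        score += 20            # any buyer can use it against any sector
    if host.shared_logon:
        score += 15            # LPE needs a local foothold; shared hosts supply one
    if exposure_days(intel, host, today) > AVG_PATCH_LAG_DAYS:
        score += 10            # already slower than the cited average
    return score

def triage(intel, hosts, today):
    """Return (host, score, exposure days) tuples, most urgent first."""
    rows = [(h.name, priority_score(intel, h, today), exposure_days(intel, h, today))
            for h in hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample: report facts for CVE-2018-8453 plus a made-up three-host fleet.
# The report says only "October 2018"; 9 October 2018 (Patch Tuesday) is assumed here.
CVE_2018_8453 = VulnIntel("CVE-2018-8453", date(2018, 10, 9), True, True, "high")
SAMPLE_HOSTS = [
    Host("ws-01", fix_applied=True, shared_logon=False),
    Host("ts-02", fix_applied=False, shared_logon=True),   # shared terminal server
    Host("ws-03", fix_applied=False, shared_logon=False),
]
CUTOFF = date(2018, 12, 6)    # the report's information cut-off date
```

Running `triage(CVE_2018_8453, SAMPLE_HOSTS, CUTOFF)` ranks the unpatched shared host first and shows both unpatched hosts already 58 days past the fix, well beyond the cited average.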

Conclusion

The actor X bears monitoring in the underground due to his association with the sale of these types of exploits. The actor's strong reputation level reflects his reliability in selling bona fide exploits coupled with customer satisfaction. The high quality of the exploit allows the actor to command a steeper price point and, as such, allows X to be judicious with his sales. This in turn reduces the actor's footprint in the underground, a move that keeps his profile low. One-day vulnerabilities like CVE-2018-8453 are extremely valuable to hostile actors that leverage them to fully exploit compromised computers. At this time, many of these vulnerabilities are typically associated with suspected state actors and have been used to support clandestine cyber operations. For example, on October 16, 2018, CVE-2018-8453 was observed being exploited by the “FruityArmor” advanced persistent threat actor targeting victims in the Middle East region, according to one computer security vendor. [xvi] Notwithstanding, vulnerabilities once made public can be used by any actor and against any industry or sector, which makes it incumbent on organizations to quickly apply patches. Assessing risks and prioritizing deployments are key aspects of any organization's patch management cycle and are a necessary component of a larger cybersecurity strategy. As one-day and zero-day vulnerabilities continue to become more and more prevalent, proactive development and testing of patch management processes will greatly help reduce an organization's exposure and remediation efforts.

Information Cut-Off Date: December 6, 2018


Traffic-Light Protocol for Information Dissemination

RED
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

AMBER
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and only as widely as necessary to act on that information.

GREEN
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

WHITE
When should it be used? Sources may use TLP:WHITE when information carries minimal or no risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? TLP:WHITE information may be distributed without restriction, subject to copyright controls.


A Note on Estimative Language

Estimative language is used in order to convey an assessed likelihood or probability of an event, as well as the level of confidence ascribed to a judgment. Assessments are based on collected information (which is often incomplete), as well as logic, argumentation, and precedents. Confidence levels provide assessments of the quality and quantity of the source information that supports judgments.

Confidence level and corresponding probability range:
None: 0-10%
Low: 11-49%
Moderate: 50-79%
High: 80-99%
Complete: 100%

• Complete: Totally reliable and corroborated information with no assumptions and clear, undisputed reasoning.

• High: Well corroborated information from multiple proven sources, extensive databases, and/or a deep historical understanding of the issue. There are minimal assumptions present. The analytic reasoning is dominated by logical inferences developed through established methodology or multiple analytic techniques. High confidence does not imply an assessment is fact or a certainty.

• Moderate: Partially corroborated information from sufficient quality sources (a mix of proven and unproven sources) with some databases and/or historical understanding of the issue. There are assumptions present, of which some should be crucial to the analysis. Reasoning is a mixture of strong and weak inferences developed through simple analytic techniques or an established methodology.

• Low: Uncorroborated information from good or marginal sources (mix of semi-proven and unproven sources) with minimal database or historical understanding of the issue. There are many assumptions critical to the analysis. Reasoning is dominated by weak inferences through few analytic techniques.

• None: There is no direct information or partially corroborated information to support analytic assessments or judgments, or it is exploratory analysis.


Source and Information Reliability

Source Rating and Description
A - Reliable: No doubt about the source's authenticity, trustworthiness, or competency. History of complete reliability.
B - Usually Reliable: Minor doubts. History of mostly valid information.
C - Fairly Reliable: Doubts. Provided valid information in the past.
D - Not Usually Reliable: Significant doubts. Provided valid information in the past.
E - Unreliable: Lacks authenticity, trustworthiness, and competency. History of invalid information.
F - Can't Be Judged: Insufficient information to evaluate reliability. May or may not be reliable.

Information Rating and Description
1 - Confirmed: Logical, consistent with other relevant information, confirmed by independent sources.
2 - Probably True: Logical, consistent with other relevant information, not confirmed by independent sources.
3 - Possibly True: Reasonably logical, agrees with some relevant information, not confirmed.
4 - Doubtfully True: Not logical but possible, no other information on the subject, not confirmed.
5 - Improbable: Not logical, contradicted by other relevant information.
6 - Can't Be Judged: The validity of the information cannot be determined.

Sources

i. https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb625957(v=msdn.10)
ii. https://nvd.nist.gov/vuln/detail/CVE-2018-8453
iii. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453
iv. http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
v. https://lab.getapp.com/zero-day-attacks/
vi. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/Q1-2018-Threat-Landscape-Report.pdf
vii. https://www.fifthdomain.com/industry/2018/09/25/why-the-market-for-zero-day-vulnerabilities-on-the-dark-web-is-vanishing/
viii. https://globenewswire.com/news-release/2018/02/28/1401427/0/en/Zero-Day-Exploits-Are-Most-Prevalent-Attack-in-Hybrid-Cloud-Environments-according-to-Capsule8-Sponsored-Study.html
ix. https://www.zdnet.com/article/zero-days-fileless-attacks-are-now-the-most-dangerous-threats-to-the-enterprise/
x. https://www.darkreading.com/cloud/it-takes-an-average-38-days-to-patch-a-vulnerability/d/d-id/1332638
xi. https://www.welivesecurity.com/2018/04/19/patching-shut-window-unpatched/
xii. https://dzone.com/articles/80-of-breaches-still-result-of-poor-patch-manageme
xiii. https://ninjarmm.com/it-horror-stories-why-unpatched-software-hurts-business/
xiv. https://www.edgescan.com/wp-content/uploads/2018/05/edgescan-stats-report-2018.pdf
xv. https://www.riskbasedsecurity.com/2018/05/vulnerability-management-so-much-more-than-just-patch-management/
xvi. https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/