Adobe Flash Player zero-day vulnerability
Target: Middle Eastern markets.
Attack Vector: Adobe’s Flash Player software.
Summary: Security researchers from several security firms independently contacted Adobe to report attackers exploiting a previously undisclosed zero-day vulnerability in the wild on a large scale. The vulnerability, CVE-2018-5002, affects Adobe's Flash Player software version 126.96.36.199 and earlier. Adobe released patched version 188.8.131.52 and urged users to install it if they do not have automatic updates enabled. This is the second zero-day vulnerability Adobe has patched in 2018, following Korean-based attackers deploying CVE-2018-4878 against Korean targets in January.
Risk assessment summary: The threat is assessed as 3c MODERATE. This zero-day vulnerability has been observed being actively exploited and, although patched, many systems remain unprotected, which drives up the likelihood of successful exploitation. This is likely to remain high until organisations update Flash Player across their estate. Flash Player is one of Adobe's most popular products, raising the likelihood and risk of attack.
DrayTek router zero-day vulnerability
Target: DrayTek routers and servers
Attack Vector: DNS hijacking
Summary: DrayTek, the Taiwanese manufacturer of customer premises equipment such as routers and servers, has acknowledged a zero-day vulnerability in many of its core router products. Over the weekend a number of users took to social media to report problems with their DNS settings, stating that an unknown IP address, 184.108.40.206, had been inserted into their settings; this address was proven to be hosted by China Telecom. DrayTek has since confirmed in a press release that this is a new vulnerability targeting home routers and that it has issued a firmware patch in response. The vulnerability is being actively exploited on unpatched devices, and further attacks and further development of this vulnerability are possible.
Risk assessment summary: The threat is assessed as 3c MODERATE. This vulnerability is a significant threat to users and is likely to be exploited further by actors on any unpatched devices. DrayTek deployed a firmware patch on 18th May 2018; however, many devices will remain unpatched, as the firmware update requires manual installation. The risk of further attacks through this vector therefore remains significant: over 800,000 DrayTek devices are connected to the internet, although it is not yet known whether this vulnerability affects all of them. According to a Shodan search of DrayTek devices by country, the UK has 264,387, the Netherlands 148,804, Vietnam 73,786, Taiwan 51,588 and Germany 31,078.
This vulnerability allows the actor to change DNS settings and so enable man-in-the-middle attacks, or to recruit the device into a botnet. The altered DNS settings could also direct traffic to a phishing website, which would then deliver a malicious payload to the target machine behind the router. The threat is further heightened by the technical alert issued on 16th April 2018 concerning APT activity around routers and networks in relation to another home router supplier, MikroTik. The report stated that adversaries were seeking to gain access to routers and networks by leveraging weak protocols and service ports associated with network administration activities, to gain either intermittent or persistent access to devices.
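The symptom the DrayTek users noticed (an unknown resolver address appearing in their DNS settings) can be caught mechanically by comparing the resolvers a router or client actually hands out against the set an administrator expects. The following is an added example written for this digest; it is not DrayTek's code nor from the original report. The allow-list, the LAN range, and the router status lines and resolv.conf text it parses are all constructed, and the "WAN DNS Server" line format is an assumption rather than any vendor's real output.

```python
"""Flag DNS-resolver drift of the kind seen in the DrayTek DNS-hijack reports.

Added example, not code from the report or from DrayTek. All sample inputs,
the expected-resolver list and the LAN range below are constructed.
"""
import ipaddress
import re

# Resolvers the administrator expects to see (constructed allow-list).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
# The local network behind the router (constructed).
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolvers(text):
    """Extract resolver IPs from resolv.conf-style lines or a router status dump.

    Only lines mentioning 'nameserver' or 'DNS' are considered, so unrelated
    addresses (gateway, WAN IP) in the same dump are ignored. The router
    status format is an assumption, not a real vendor format.
    """
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if "nameserver" not in line.lower() and "dns" not in line.lower():
            continue
        for candidate in _IPV4.findall(line):
            try:
                ip = str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # e.g. an octet above 255
            if ip not in found:
                found.append(ip)
    return found


def classify(ip_str, expected=EXPECTED_RESOLVERS, lan_nets=LAN_NETWORKS):
    """'expected', 'unexpected-lan' (inside the LAN but not allow-listed)
    or 'unexpected-external' (an outside host now answering DNS for the LAN)."""
    if ip_str in expected:
        return "expected"
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in lan_nets):
        return "unexpected-lan"
    return "unexpected-external"


def check_dns_config(text, expected=EXPECTED_RESOLVERS, lan_nets=LAN_NETWORKS):
    """Return the resolvers seen, the unexpected ones with a class, and a verdict.

    A single unexpected external resolver is enough to raise the alarm: that is
    exactly how the hijack described above manifests on the device.
    """
    resolvers = parse_resolvers(text)
    unexpected = {r: classify(r, expected, lan_nets) for r in resolvers
                  if r not in expected}
    return {
        "resolvers": resolvers,
        "unexpected": unexpected,
        "hijack_suspected": any(v == "unexpected-external" for v in unexpected.values()),
    }


# Constructed sample inputs (203.0.113.0/24 is a documentation range, not a real IoC).
ROUTER_DUMP_OK = """WAN IP Address : 198.51.100.20
WAN DNS Server 1 : 1.1.1.1
WAN DNS Server 2 : 9.9.9.9"""

ROUTER_DUMP_BAD = """WAN IP Address : 198.51.100.20
WAN DNS Server 1 : 203.0.113.7
WAN DNS Server 2 : 1.1.1.1"""

RESOLV_CONF = """# Generated by DHCP
nameserver 192.168.1.1
search home.lan"""

if __name__ == "__main__":
    for name, dump in (("ok", ROUTER_DUMP_OK), ("bad", ROUTER_DUMP_BAD), ("client", RESOLV_CONF)):
        print(name, check_dns_config(dump))
```

Run against a periodic export of the router's status page or a client's resolv.conf, the check turns the vague "my DNS looks odd" report into a concrete alert; the LAN range matters because a resolver inside the LAN that is merely not allow-listed is a configuration question, whereas an unexpected external resolver matches the hijack pattern described above.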
Office 365 Zero-Day Dubbed ‘baseStriker’ Used in Phishing Campaigns
Target: Office 365 users
Attack Vector: Phishing
Summary: A new zero-day vulnerability discovered last week, known as baseStriker, allows attackers to send malicious emails that bypass security systems, including Advanced Threat Protection, on Office 365 accounts. The flaw takes advantage of how Office 365 servers scan incoming emails: attackers have discovered a way to bypass the scanning by declaring a simple <base> HTML tag in the <head> section. It is being used to carry out more effective and advanced phishing attacks, as links appear genuine after passing through the servers without being scanned. The link could point the victim to a malicious phishing site or to a file that downloads malware.
Risk assessment summary: The threat is assessed as 3c MODERATE, primarily because a fix or patch is not yet available. Although this Office 365 security flaw may be one of the largest to date, the baseStriker zero-day is in its early stages and its overall impact remains unknown. Phishing remains a top attack vector for cybercriminals, and those exploiting this vulnerability are sending well-crafted emails with few, if any, spelling mistakes. A large spam campaign using this method is likely in the coming days or weeks if a patch is not issued in a timely manner. Office 365 is used by a vast number of large companies, reportedly including over 70% of Fortune 500 companies, and the impact of successful exploitation would be significant.
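The reason a <base> tag matters is that, per the HTML specification, a <base href> sets the URL against which every relative href in the document is resolved, so a link whose raw attribute is only a path is combined with the base by the mail client even though a scanner looking at the raw href sees no host at all. A mail-filtering check therefore has to resolve links the way the client will. The block below is an added example for this digest, not code from the original report, from Microsoft, or from the researchers who disclosed baseStriker; the two message bodies are constructed and use placeholder domains.

```python
"""Resolve e-mail links the way a client does before deciding whether to scan.

Added example illustrating the baseStriker item; not the report's or any
vendor's code. Sample bodies are constructed with placeholder domains.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]  # browsers honour only the first <base>
        elif tag == "a" and attrs.get("href") is not None:
            self.hrefs.append(attrs["href"])


def effective_links(html):
    """Return (base, [(raw_href, resolved_url), ...]).

    A scanner that inspects only the raw href sees a host-less path; the mail
    client joins it with <base href> exactly as urljoin does here.
    """
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    links = [(h, urljoin(parser.base, h) if parser.base else h) for h in parser.hrefs]
    return parser.base, links


def is_split_link(raw, resolved):
    """True when the raw href carries no host but the resolved URL does."""
    return not urlsplit(raw).netloc and bool(urlsplit(resolved).netloc)


def scan_message(html):
    """Produce a finding for one HTML body.

    'suspicious' is set when a <base> tag turns host-less hrefs into absolute
    links to some other host; 'split_links' lists them with the URL the
    recipient's client would actually open, so that URL can be fed to the
    normal link-reputation check instead of the raw attribute.
    """
    base, links = effective_links(html)
    split = [(raw, url) for raw, url in links if is_split_link(raw, url)]
    return {
        "has_base": base is not None,
        "split_links": split,
        "suspicious": base is not None and bool(split),
    }


# Constructed sample bodies; .invalid is a reserved TLD, so nothing here resolves.
BENIGN = """<html><head></head><body>
<a href="https://mail.example.com/login">Sign in</a></body></html>"""

SPLIT = """<html><head><base href="http://phish.example.invalid/"></head><body>
<p>Your mailbox is almost full.</p>
<a href="owa/verify?user=bob">Verify your account</a></body></html>"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("split", SPLIT)):
        print(name, scan_message(body))
```

The point for a defender is the resolved URL, not the raw attribute: whatever reputation or sandbox check the gateway already runs should be applied to the second element of each tuple in split_links, and a message that needs a <base> tag to make its links work at all is unusual enough in mail to be worth flagging on its own.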