2025-03-28 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
Today we take you through the top 10 security vulnerabilities used by APT groups. The article introduces the relevant points in detail; readers who find it helpful can follow along, and we hope it helps more readers looking for an answer to this question. Let's learn more about "what are the top 10 security vulnerabilities used by APT groups?"
Overview
An APT attack (Advanced Persistent Threat) is a long-term, persistent network attack against specific targets using advanced means. APT attacks are more sophisticated than other forms of attack; this is reflected mainly in precise information gathering, high concealment, and the use of a variety of complex vulnerabilities in the target's systems and applications.
To gain a more comprehensive understanding of cutting-edge global APT research, the 360 Threat Intelligence Center surveyed the most important component of APT attacks: the security vulnerabilities used by APT groups. Referring to indicators such as the various APT research reports and findings, the vulnerabilities most commonly used in APT attacks or by APT groups, and the value of each vulnerability, and combining this with the 360 Threat Intelligence Center's understanding of cyber warfare such as APT attacks, we selected the top 10 security vulnerabilities used by APT groups in recent years.
In this report, the Threat Intelligence Center first describes the criteria used to assess the value of the mainstream vulnerabilities used by APT groups and the categories of vulnerabilities they most commonly use, which form the main viewpoints and the reasons for selecting the top 10. For each of the top 10 categories we then pick the most representative single vulnerability and introduce its background, exploitation and scope of impact, the related APT groups and important events, and finally give countermeasures and protection suggestions for each category. Based on that analysis, the Threat Intelligence Center closes by summarizing the development trend of vulnerabilities used in APT attacks and drawing some conclusions.
Main viewpoints
Top APT groups such as the Equation Group use far more exploitation techniques than other APT groups.
The attack techniques and cyber-warfare thinking of top APT groups such as the Equation Group are far ahead of other APT groups, to the point that the two fall into separate categories. Top-tier APT attacks are carried out mainly through low-level implants, attacks on core routers, firewalls and other network infrastructure, and attacks on network servers, achieving precise, targeted strikes. Other APT groups mainly carry out APT attacks through phishing combined with client-side vulnerabilities.
The Equation Group's QUANTUMINSERT (quantum implant) achieves targeted strikes by attacking network infrastructure.
Narrow vulnerability classification
We can narrowly divide the vulnerabilities commonly used by APT groups into those that attack network infrastructure / servers / services and those that attack client application software.
Network infrastructure / server / service vulnerabilities
Such vulnerabilities mainly affect network infrastructure (routers, switches, firewalls, etc.), servers and various services (SMB, RPC, IIS, Remote Desktop, etc.). Attackers can usually exploit them to compromise core network facilities, move laterally, or implant malicious code into other clients in the network, which is very harmful. Judging from public information, such vulnerabilities are mainly used by top APT groups such as the Equation Group.
Client software class vulnerabilities
This kind of vulnerability is exploited mainly through phishing attacks and targets client application software such as browsers, Office, and PDF readers. Its disadvantage is that it requires interaction by the target user, so its overall value is lower than that of server-side vulnerabilities.
Top ten vulnerabilities used by APT groups
The Threat Intelligence Center selected the top 10 vulnerabilities used in APT attacks in recent years, including 2 types of server vulnerabilities and 8 types of client vulnerabilities. The server vulnerabilities are the firewall device vulnerabilities in the NSA's network arsenal and the SMB protocol vulnerabilities used by EternalBlue. The client vulnerabilities are 2 mobile vulnerabilities (Android and iOS), 4 Microsoft Office vulnerabilities, a Flash vulnerability and a Windows privilege escalation vulnerability.
The threat Intelligence Center will introduce the background, exploitation, related vulnerabilities and scope of influence, relevant APT organizations and events, patches and solutions for each type of vulnerability.
1. Firewall device vulnerability
A firewall, as a network boundary device, is not usually an attacker's target, especially in the APT field, and vulnerabilities in firewall devices are rarer still. It was not until a large number of tools aimed at firewalls and routing devices appeared in the first batch of tools leaked by the Shadow Brokers in 2016 that the Equation Group's years of direct attacks on border devices were thoroughly exposed. Here we choose CVE-2016-6366 as the typical representative of this type of vulnerability.
In addition, the Equation Group's QUANTUMINSERT (quantum implant attack tool) compromises boundary firewalls, routing devices and the like to monitor and identify the victim's virtual identity in the network, and then "injects" exploit code for the corresponding application (such as the IE browser) into the network traffic to implant malicious code precisely.
1) Overview of vulnerabilities
The hacker group ShadowBrokers claimed to have compromised the Equation Group, the hacking team that develops network weapons for the NSA, and disclosed the EXBA (ExtraBacon) tool used internally by it. The tool is based on the 0-day vulnerability CVE-2016-6366, a buffer overflow in the SNMP service module of Cisco firewalls.
2) vulnerability details
To exploit CVE-2016-6366 (a buffer overflow in the SNMP service module of Cisco firewalls), the target device must have SNMP configured and enabled, and the attacker must know the SNMP community string. After the exploit runs, the firewall's authentication for Telnet/SSH can be turned off, allowing an attacker to take unauthorized actions.
The function sub_817A5A0 shown below is a copy routine implemented in the corresponding firmware. There is no length check inside the function, and the caller does not check the copy length either, which results in an overflow.
Finally, a Telnet login with any password can be achieved:
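The two preconditions stated above (SNMP reachable on the device, community string known to the attacker) are things a defender can audit from the running configuration. The following Python checker is an added example written for this page, not a tool from the report or from Cisco; the sample configuration lines are constructed and only follow Cisco ASA command syntax loosely, and the thresholds (default community names, minimum length) are our own assumptions.

```python
import re

# Constructed sample of ASA-style SNMP configuration lines (not a real device's config).
# Weak: SNMPv2c with a default community string and an unrestricted manager address.
SAMPLE_CONFIG_WEAK = """
snmp-server host inside 0.0.0.0 community public version 2c
snmp-server community public
snmp-server location DC1
"""

# Hardened: SNMPv3 user with authentication and privacy, one pinned manager host.
SAMPLE_CONFIG_HARDENED = """
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <auth-pass> priv aes 256 <priv-pass>
snmp-server host inside 192.0.2.10 version 3 monitor
"""

# Assumption: community strings that are trivially guessable
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def audit_snmp_config(config_text):
    """Return a list of (severity, finding) tuples for SNMP-related risks.

    The checks mirror the exploit preconditions described in the text: SNMP must
    be reachable and the community string must be known (or guessable).
    """
    findings = []
    communities, v3_users, hosts = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server"):
            continue
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            communities.append(m.group(1))
            continue
        if re.match(r"snmp-server user \S+ \S+ v3", line):
            v3_users.append(line)
            continue
        m = re.match(r"snmp-server host (\S+) (\S+)(.*)", line)
        if m:
            hosts.append((m.group(1), m.group(2), m.group(3)))

    for c in communities:
        if c.lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", f"default/guessable SNMP community string '{c}'"))
        elif len(c) < 12:
            findings.append(("MEDIUM", f"short SNMP community string '{c}'"))
    if communities and not v3_users:
        findings.append(("HIGH", "SNMPv1/v2c community authentication in use with no SNMPv3 users"))
    for iface, ip, rest in hosts:
        if ip in ("0.0.0.0", "any"):
            findings.append(("HIGH", f"SNMP host entry on {iface} allows any manager ({ip})"))
        if "version 3" not in rest and "v3" not in rest:
            findings.append(("MEDIUM", f"SNMP host {ip} on {iface} not pinned to version 3"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(name)
        for sev, msg in audit_snmp_config(cfg):
            print(f"  [{sev}] {msg}")
```

Patching the firmware remains the fix; the audit only tells you whether the device would have been exposed to an attacker on the management path in the first place.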
3) related CVE
CVE number      Vulnerability description
CVE-2016-6366   Buffer overflow in the SNMP service module
CVE-2016-6367   Remote code execution
4) related APT organizations
APT group        CVE number
Equation Group   CVE-2016-6366
Equation Group   CVE-2016-6367
5) related APT events
NSA's top secret electronic surveillance program (Project Prism) is implemented worldwide.
6) patches and solutions
Update the firmware of network boundary devices in a timely manner.
Cisco has released a patch for the vulnerability:
https://blogs.cisco.com/security/shadow-brokers
2. SMB protocol vulnerability
SMB (Server Message Block) is a communication protocol formulated by Microsoft and Intel in 1987, mainly used as the communication protocol of Microsoft networks.
On April 14, 2017, the ShadowBrokers released a batch of previously leaked files related to Windows, including a remote code exploitation framework for Windows systems (covering SMB, RDP, IIS and various third-party mail servers). The series of SMB remote 0-day tools in it (EternalBlue, EternalRomance, EternalChampion, EternalSynergy) was then integrated into multiple worm families. WannaCry, which broke out on May 12 of the same year, integrated EternalBlue.
1) Overview of vulnerabilities
The EternalBlue tool uses three vulnerabilities in the SMB protocol. The main one, an out-of-bounds memory write, is CVE-2017-0144, covered by Microsoft's MS17-010 patch package. Through this integrated tool, an attacker can gain control of a vulnerable machine directly.
2) vulnerability details
The core vulnerability in EternalBlue is CVE-2017-0144, which is triggered through the SMB_COM_TRANSACTION2 command of the SMB protocol. When the length of the FEA LIST field is greater than 10000, memory is written out of bounds. Since the maximum FEA LIST length that the SMB_COM_TRANSACTION2 command itself can carry is 0xFFFF, the second vulnerability comes in here: SMB_COM_TRANSACTION2 can be confused with SMB_COM_NT_TRANSACT. This makes it possible to send an SMB_COM_TRANSACTION2 command whose FEA LIST field is longer than 10000 and achieve the out-of-bounds write; the memory layout is then arranged through the third vulnerability, and finally code execution is achieved.
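The command confusion described above leaves a footprint on the wire: a transaction opened with SMB_COM_NT_TRANSACT is continued with SMB_COM_TRANSACTION2_SECONDARY requests. The detector below is an added example written for this page (not the report's code and not a production IDS rule): it parses only the 32-byte SMB1 header, tracks which primary command opened each transaction by MID, and flags a secondary of the wrong family. The sample messages are constructed header-only frames; a real sensor would also need TCP reassembly and the TID/PID/UID tuple.

```python
import struct

# SMB1 command codes from [MS-CIFS] for the two transaction families in the text
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NT_TRANSACT = 0xA0
SMB_COM_NT_TRANSACT_SECONDARY = 0xA1
PRIMARY_OF_SECONDARY = {
    SMB_COM_TRANSACTION2_SECONDARY: SMB_COM_TRANSACTION2,
    SMB_COM_NT_TRANSACT_SECONDARY: SMB_COM_NT_TRANSACT,
}
# 32-byte SMB1 header: protocol, command, status, flags, flags2, pid_high,
# signature, reserved, tid, pid, uid, mid (all little-endian)
HEADER_FMT = "<4sBIBHH8sHHHHH"


def build_smb1(command, mid, tid=0, pid=0xFEFF, uid=0x0800):
    """Construct a NetBIOS-framed SMB1 message consisting of the header only.
    (Constructed sample data for the detector; no transaction body is needed.)"""
    hdr = struct.pack(HEADER_FMT, b"\xffSMB", command, 0, 0x18, 0xC807, 0,
                      b"\x00" * 8, 0, tid, pid, uid, mid)
    return struct.pack(">I", len(hdr)) + hdr  # session message type 0x00 + 3-byte length


def parse_smb1(msg):
    """Return (command, mid) of a NetBIOS-framed SMB1 message, or None if not SMB1."""
    if len(msg) < 36 or msg[4:8] != b"\xffSMB":
        return None
    fields = struct.unpack(HEADER_FMT, msg[4:36])
    return fields[1], fields[11]


def detect_transaction_confusion(messages):
    """Flag secondary transaction requests whose family does not match the pending primary.

    Returns a list of (message_index, mid, primary_command, secondary_command).
    """
    pending = {}  # mid -> command that opened the transaction
    alerts = []
    for idx, msg in enumerate(messages):
        parsed = parse_smb1(msg)
        if parsed is None:
            continue
        cmd, mid = parsed
        if cmd in (SMB_COM_TRANSACTION2, SMB_COM_NT_TRANSACT):
            pending[mid] = cmd
        elif cmd in PRIMARY_OF_SECONDARY:
            opened_by = pending.get(mid)
            if opened_by is not None and opened_by != PRIMARY_OF_SECONDARY[cmd]:
                alerts.append((idx, mid, opened_by, cmd))
    return alerts


# Constructed traffic samples: a normal Trans2 continuation and a mixed-family one
BENIGN = [build_smb1(SMB_COM_TRANSACTION2, mid=1),
          build_smb1(SMB_COM_TRANSACTION2_SECONDARY, mid=1)]
SUSPICIOUS = [build_smb1(SMB_COM_NT_TRANSACT, mid=2),
              build_smb1(SMB_COM_TRANSACTION2_SECONDARY, mid=2),
              build_smb1(SMB_COM_TRANSACTION2_SECONDARY, mid=2)]

if __name__ == "__main__":
    print("benign:", detect_transaction_confusion(BENIGN))
    print("suspicious:", detect_transaction_confusion(SUSPICIOUS))
```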
3) related CVE
The SMB attack tools leaked by the ShadowBrokers are fixed by patch MS17-010, which covers five vulnerabilities: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 and CVE-2017-0148. These several flaws in the SMB protocol are combined to form the Eternal series of weapons against SMB in the ShadowBrokers leak.
CVE number                                                                       Vulnerability description
CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148        SMB protocol vulnerabilities
4) related organizations
The leaked tools themselves came from the Equation Group, a hacking organization belonging to the NSA, and were used by a large number of ransomware worms after the leak.
APT group             Related vulnerabilities
Equation Group        Eternal series
Lazarus (suspected)   EternalBlue
5) related events
The global outbreak of the WannaCry ransomware worm on May 12, 2017 was later shown to be related to Lazarus.
6) Patch solution
Update operating system patches in time.
Microsoft has released a patch for the vulnerability:
https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2017/ms17-010
3. Office OLE2Link logic vulnerability
Office OLE2Link is an important feature of Microsoft Office. It allows an Office document to insert remote objects through object linking and load them automatically when the document is opened. Because of improper design, there are serious logic vulnerabilities in this process; we choose CVE-2017-0199 as the typical representative.
1) Overview of vulnerabilities
On April 7, 2017, McAfee and FireEye researchers revealed details of a 0-day vulnerability in Microsoft Office Word (CVE-2017-0199). An attacker sends the victim a malicious document containing an OLE2Link object and tricks the user into opening it. When the user opens the malicious document, the Office OLE2Link mechanism does not take the corresponding security risks into account when handling the target object, and so downloads and executes a malicious HTML Application (HTA) file.
2) vulnerability details
CVE-2017-0199 uses Office OLE2Link object linking to embed a malicious link object in the document, then calls URLMoniker to download the HTA file at the malicious link to the local machine. URLMoniker recognizes the content-type field in the response header and finally calls mshta.exe to execute the attack code in the HTA file.
In terms of impact, CVE-2017-0199 affects almost all versions of Office, making it one of the most widely affecting Office vulnerabilities in history; it is also easy to construct and triggers reliably, which earned it the award for best client-side vulnerability at the Black Hat conference in 2017.
3) related CVE
For CVE-2017-0199, Microsoft adopted a mechanism called the "COM Activation Filter": the patch directly blocks two dangerous CLSIDs, {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} (the "htafile" object) and {06290BD3-48AA-11D2-8432-006008C3FBFC} (the "script" object). CVE-2017-8570 takes advantage of another object, "ScriptletFile", whose CLSID is {06290BD2-48AA-11D2-8432-006008C3FBFC}, bypassing the patch for CVE-2017-0199.
CVE number      Vulnerability description
CVE-2017-0199   Office OLE2Link remote code execution vulnerability
CVE-2017-8570   Office OLE2Link remote code execution vulnerability
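The patch-versus-bypass point above comes down to three GUIDs, two of which differ by a single hex digit. As an added example (ours, not the report's or Microsoft's), the Python below turns those CLSIDs into the binary layout in which a GUID is stored inside OLE data (Data1 to Data3 little-endian, Data4 as-is, which is what uuid's bytes_le produces) and scans both raw bytes and the hex text of an RTF \objdata group for them. The sample blob and RTF fragment are constructed, not taken from a real malicious document.

```python
import re
import uuid

# CLSIDs named in the text: the two blocked by the CVE-2017-0199 patch and the
# ScriptletFile CLSID that CVE-2017-8570 used to get around it.
DANGEROUS_CLSIDS = {
    "3050F4D8-98B5-11CF-BB82-00AA00BDCE0B": "htafile (blocked by the CVE-2017-0199 patch)",
    "06290BD3-48AA-11D2-8432-006008C3FBFC": "script (blocked by the CVE-2017-0199 patch)",
    "06290BD2-48AA-11D2-8432-006008C3FBFC": "ScriptletFile (CVE-2017-8570 bypass)",
}


def clsid_on_disk(clsid_text):
    """Binary GUID layout as stored in OLE streams: Data1..Data3 little-endian, Data4 raw."""
    return uuid.UUID(clsid_text).bytes_le


def scan_for_clsids(blob, clsids=DANGEROUS_CLSIDS):
    """Return sorted [(offset, clsid_text, description)] for every dangerous CLSID in blob."""
    hits = []
    for text, desc in clsids.items():
        needle = clsid_on_disk(text)
        start = 0
        while True:
            off = blob.find(needle, start)
            if off < 0:
                break
            hits.append((off, text, desc))
            start = off + 1
    return sorted(hits)


def scan_rtf_objdata(rtf_text, clsids=DANGEROUS_CLSIDS):
    """Decode each \\objdata hex group of an RTF document and scan the decoded bytes.

    Offsets in the result are relative to the decoded object data, not to the RTF text.
    """
    hits = []
    for hexdata in re.findall(r"\\objdata\s+([0-9a-fA-F\s]+)", rtf_text):
        decoded = bytes.fromhex("".join(hexdata.split()))
        hits.extend(scan_for_clsids(decoded, clsids))
    return hits


# Constructed samples (not real documents): filler around an embedded ScriptletFile CLSID,
# a clean blob of the same size, and a minimal RTF object group carrying the same bytes
SCRIPTLET = "06290BD2-48AA-11D2-8432-006008C3FBFC"
SAMPLE_BLOB = b"\x00" * 64 + clsid_on_disk(SCRIPTLET) + b"\x00" * 32
CLEAN_BLOB = b"\x00" * 112
SAMPLE_RTF = ("{\\rtf1{\\object\\objautlink{\\*\\objdata "
              + (b"\x01\x05\x00\x00" + clsid_on_disk(SCRIPTLET)).hex() + "}}}")

if __name__ == "__main__":
    for off, text, desc in scan_for_clsids(SAMPLE_BLOB):
        print(f"offset {off}: {text} -> {desc}")
    print("rtf:", scan_rtf_objdata(SAMPLE_RTF))
```

A denylist scan like this catches only the CLSIDs you already know about; the CVE-2017-8570 story is exactly why such lists need to be kept current rather than frozen at the two values the first patch blocked.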
4) related APT organizations
The Office OLE2Link logic vulnerability is simple in principle, easy to construct and triggers reliably. It is favored by APT groups and has been added to the arsenal of most of them.
APT group            CVE number
Maha Grass, APT37    CVE-2017-0199
Moloch               CVE-2017-8570
5) related APT events
In June 2017, Ukraine and other countries were hit by a large-scale outbreak of a Petya ransomware variant, which was delivered by email using the Microsoft Office remote code execution vulnerability (CVE-2017-0199). After a successful infection it spread using the EternalBlue vulnerability.
In March 2018, the Threat Intelligence Center released a report entitled "Analysis of the latest cyber attack activities of APT against sensitive institutions in China", stating that the Maha Grass group (APT-C-09) targeted sensitive institutions in China with spear-phishing emails carrying the CVE-2017-8570 vulnerability.
6) patches and solutions
Try not to open documents from unknown sources. You can also scan the document with antivirus software such as 360 Security Guard before opening it to reduce the risk, and where possible open unfamiliar documents in a virtual machine.
Microsoft has released patches for the vulnerabilities:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570
4. Office Equation Editor vulnerability
EQNEDT32.EXE (Microsoft Equation Editor) was first shipped in Microsoft Office 2000 and Microsoft Office 2003 to insert and edit equations in documents. Although equation editing has changed since Office 2007, EQNEDT32.EXE itself was not removed from the Office suite, in order to maintain compatibility between versions. The component has not been modified since it was compiled 17 years ago, which means it has no security mechanisms at all (ASLR, DEP, GS cookies ...). Moreover, because the EQNEDT32.EXE process is started through DCOM and is independent of the Office process, it is not protected by the sandbox of newer Office versions, so this kind of vulnerability naturally has the property of "bypassing" sandbox protection and is very harmful. Here we choose CVE-2017-11882, the first vulnerability found in this component, as the typical example.
1) Overview of vulnerabilities
On November 14, 2017, Embedi published the blog post "Skeleton in the closet. MS Office vulnerability you didn't know about", which analyzes the discovery and exploitation of the CVE-2017-11882 vulnerability in EQNEDT32.EXE. CVE-2017-11882 is a buffer overflow in the parsing of the equation's Font Name field; by constructing a DOC/RTF document with an illegal equation, it can lead to code execution.
2) vulnerability details
CVE-2017-11882 is a stack overflow vulnerability. The Font Name field in the red box shown below eventually overflows the stack. The return address is overwritten with 00430c12, which points to a call to WinExec, and the first argument of the parent function points to the constructed string, so WinExec executes the command in that string.
3) related CVE
Since November 14, 2017, two more EQNEDT32.EXE-related vulnerabilities, CVE-2018-0802 and CVE-2018-0798, have been discovered one after another.
CVE number       Vulnerability description
CVE-2017-11882   Font Name field overflow
CVE-2018-0802    lfFaceName field overflow
CVE-2018-0798    Stack overflow in matrix record parsing
4) related APT organizations
APT group   CVE number
APT34       CVE-2017-11882
Moloch      CVE-2017-11882
5) related APT events
APT34 attacked financial and government institutions in the Middle East with spear-phishing emails exploiting CVE-2017-11882.
6) patches and solutions
Individual users need to be very careful when downloading and opening documents from unknown sources; scan them with anti-malware tools such as 360 Security Guard to minimize the risk, and where possible open unfamiliar documents in a virtual machine.
Microsoft has released patches for the vulnerabilities:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798
5. OOXML type confusion vulnerability
OOXML is a technical specification developed by Microsoft for Office 2007 products. It has become an international document format standard, compatible with the earlier international OpenDocument format and the Chinese document standard "Standard Wentong" (UOF). An Office rich text document itself contains a large number of XML files. Because of improper design, there are serious type confusion vulnerabilities in the handling of these XML files, including CVE-2015-1641 and CVE-2017-11826. Here we choose the most popular OOXML type confusion vulnerability, CVE-2015-1641, as the typical representative.
1) Overview of vulnerabilities
In April 2015, Microsoft patched a type confusion vulnerability in Office Word, CVE-2015-1641. Office Word does not validate the customXML object when parsing the displacedByCustomXML property of Docx documents, which results in type confusion and an arbitrary memory write; finally, carefully constructed tags and attribute values can lead to remote arbitrary code execution. This is the first OOXML type confusion vulnerability; it has a very high success rate and is frequently used by APT groups.
2) vulnerability details
In CVE-2015-1641, because Office Word does not strictly check the incoming customXML object, objects such as smartTag can be passed in, but the processing flow of a smartTag object is not the same as that of customXML. If the customXML tag is confused in some way and parsed as a smartTag tag, the element attribute value in the smartTag tag is treated as an address, and another address is derived from it by a simple calculation. The final flow overwrites the id value of moveFromRangeEnd to the previously calculated address, resulting in an arbitrary memory write. Code execution then follows by writing controllable function pointers and carefully constructing the memory layout through heap spraying:
3) related CVE
On September 28, the 360 Helios team captured an in-the-wild attack exploiting an Office 0-day vulnerability (CVE-2017-11826). The vulnerability affects almost all Office versions currently supported by Microsoft, although the captured sample only targeted specific Office versions. The attacker delivered malicious Docx content embedded in an RTF document.
CVE number       Vulnerability description
CVE-2015-1641    customXML object type confusion
CVE-2017-11826   Type confusion caused by an idmap miscalculation in XML tags
4) related APT organizations
The exploitation technique for CVE-2015-1641 has long been public and the vulnerability has a very high success rate, so before the Office OLE2Link logic vulnerability became popular it was one of the Office vulnerabilities most commonly used by major APT groups.
APT group                        CVE number
Maha Grass, APT28                CVE-2015-1641
Unknown APT group in East Asia   CVE-2017-11826
5) related APT events
The Maha Grass APT group has made extensive use of exploit documents containing CVE-2015-1641 in a number of attacks against China since 2016.
6) patches and solutions
Individual users need to be very careful when downloading and opening documents from unknown sources; scan them with anti-malware tools such as 360 Security Guard to minimize the risk, and where possible open unfamiliar documents in a virtual machine.
Microsoft has released a patch for the vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570
6. EPS (Encapsulated PostScript) script parsing vulnerability
EPS, in full Encapsulated PostScript, is an extension of PostScript suited to color-accurate bitmap and vector output on multi-platform and high-resolution output devices, so Office introduced support for it. Since 2015, however, several EPS-related vulnerabilities in Office have been exploited, including CVE-2015-2545, CVE-2017-0261 and CVE-2017-0262, which eventually forced Microsoft to disable the EPS component in Office. Here we choose CVE-2017-0262 as the typical representative.
1) Overview of vulnerabilities
In the article "EPS Processing Zero-Days Exploited by Multiple Threat Actors" on May 7, 2017, FireEye researchers disclosed in-the-wild exploitation of a number of EPS 0-day vulnerabilities, including CVE-2017-0262. CVE-2017-0262 lies in the forall instruction of EPS: improper verification of the instruction's parameters leads to code execution.
2) vulnerability details
In the exploit sample for CVE-2017-0262, the actual exploit is first encoded with a four-byte XOR, the key being c45d6491:
The key point of the vulnerability lies in the following line of code. In EPS, the forall instruction executes the handler procedure proc (the second parameter) on each object in the first parameter. Because the type of the second parameter is not strictly checked, a memory address previously placed under the attacker's control through heap spraying is used as the handler address, so the esp stack is controlled and code execution follows:
3) related CVE
CVE number      Vulnerability description
CVE-2015-2545   UAF vulnerability
CVE-2017-0261   UAF vulnerability in the save/restore instruction
CVE-2017-0262   Lax type checking of forall parameters leading to code execution
4) related APT organizations
Because EPS vulnerabilities are difficult to exploit, and EPS has been isolated in a sandbox since Office 2010 so that a privilege escalation vulnerability is usually also needed, the users of this series of vulnerabilities are often well-known large APT groups.
APT group        CVE number
Not disclosed    CVE-2015-2545
Turla            CVE-2017-0261
APT28            CVE-2017-0262
5) related APT events
APT28 interfered in the French election by sending a spear-phishing email (CVE-2017-0262/CVE-2017-0263) with an attached Office file called Trump's_Attack_on_Syria_English.docx, which led to as much as 9G of Macron's campaign data being uploaded to the public internet at the time.
6) patches and solutions
Individual users need to be very careful when downloading and opening documents from unknown sources; scan them with anti-malware tools such as 360 Security Guard to minimize the risk, and where possible open unfamiliar documents in a virtual machine.
Microsoft has released patches for the vulnerabilities:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2545
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262
7. Windows privilege escalation vulnerability
In recent years there have been more and more vulnerability attacks against Windows clients, which directly led to the introduction of "sandbox" protection in client software. Its core idea is to run the application in an isolated environment, usually a low-privilege one; the sandbox can also be regarded as a virtual container that allows less secure programs to run. Even if the client software is compromised by malicious code, it does not pose a real threat to the user's computer system.
Common client programs protected by a "sandbox" are the IE/Edge browser, the Chrome browser, Adobe Reader, Microsoft Office and so on. If a client program vulnerability is combined with a Windows privilege escalation vulnerability, the application's "sandbox" protection can be penetrated.
1) Overview of vulnerabilities
When exploiting the EPS (Encapsulated PostScript) component of Office, the EPS script filter process fltldr.exe on Office 2010 and later runs in a low-privilege sandbox, so to break out of it attackers must combine the remote code execution vulnerability with a kernel privilege escalation vulnerability. We therefore choose the local privilege escalation vulnerability in Win32k.sys (CVE-2017-0263), which was combined with the EPS type confusion vulnerability (CVE-2017-0262), as the typical example.
2) vulnerability details
The CVE-2017-0263 exploit code first creates three PopupMenus and adds the appropriate menu items. Because the UAF occurs in the kernel's handling of the WM_NCDESTROY event and overwrites the tagWnd structure of wnd2, the bServerSideWindowProc flag can be set. Once bServerSideWindowProc is set, the user-mode WndProc is treated as a kernel callback and is therefore called from the kernel context. By then the attacker has replaced WndProc with kernel shellcode, completing the privilege escalation.
3) related CVE
CVE number      Vulnerability description
CVE-2015-2546   Win32k memory corruption privilege escalation vulnerability
CVE-2016-7255   Win32k local privilege escalation vulnerability
CVE-2017-0001   Windows GDI privilege escalation vulnerability
CVE-2017-0263   Win32k use-after-free privilege escalation vulnerability
4) related APT organizations
APT group        CVE number
Not disclosed    CVE-2015-2546
Turla            CVE-2016-7255, CVE-2017-0001
APT28            CVE-2017-0263
5) related APT events
APT attacks on Japan and Taiwan, and APT28's attacks on the French election.
6) patches and solutions
Individual users need to be very careful when downloading and opening documents from unknown sources; scan them with anti-malware tools such as 360 Security Guard to minimize the risk, and where possible open unfamiliar documents in a virtual machine.
Microsoft has released patches for the vulnerabilities:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2546
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7255
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263
8. Flash vulnerability
Flash Player has attracted the attention of various APT groups because of its cross-platform popularity. Flash vulnerabilities began to break out in 2014, and especially in 2015, when the two Flash 0-day vulnerabilities CVE-2015-5122/CVE-2015-5119 in the leaked HackingTeam data were made public, Flash vulnerabilities became the new favorite of APT groups. After that, Adobe and Google cooperated and a number of Flash security mechanisms appeared one after another (such as the isolated heap and Vector length checks), which greatly raised the bar for exploiting Flash vulnerabilities, but there was still no shortage of type confusion vulnerabilities such as CVE-2015-7645. Here we choose the recently discovered in-the-wild 0-day CVE-2018-4878 as the typical example of this type of vulnerability.
1) Overview of vulnerabilities
On January 31, 2018, South Korea's CERT announced the discovery of in-the-wild exploitation of a Flash 0-day vulnerability (CVE-2018-4878), in which an attacker attacked a specified target by sending an Office Word attachment containing a malicious Flash object.
2) vulnerability details
CVE-2018-4878 attacks through the DRMManager object in the Flash com.adobe.tvsdk package. As shown in the following code, an instance of the MyListener object is created in the triggeruaf function, initialized by initialize, and set to null. The first LocalConnection().connect() then causes the GC to reclaim the instance's memory; the second LocalConnection().connect() triggers an exception, and a new MyListener instance is created in the exception handler. The memory manager assigns the memory of the previous MyListener instance to the new object, which is the dangling pointer. A timer is then set, its callback checks whether the UAF has been triggered, and if so the location is found through Mem_Arr:
3) related CVE
CVE number       Vulnerability description
CVE-2017-11292   UAF
CVE-2018-4878    UAF
4) related APT organizations
APT group   CVE number
APT28       CVE-2017-11292, CVE-2018-4878
Group 123   CVE-2018-4878
5) related APT events
Group 123 used CVE-2018-4878 to attack sensitive departments in South Korea.
6) patches and solutions
Individual users need to be very careful when downloading and opening documents from unknown sources; scan them with anti-malware tools such as 360 Security Guard to minimize the risk, and where possible open unfamiliar documents in a virtual machine.
Adobe has released patches for the vulnerabilities:
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
9. iOS Trident vulnerability
The iOS Trident vulnerability is the only publicly disclosed example of a remote attack against the iOS browser that was actually used in APT attacks against specific targets.
1) Overview of vulnerabilities
The iOS Trident vulnerability refers to a chain of 0-day vulnerabilities targeting iOS versions before iOS 9.3.5. It exploits three 0-days: a WebKit vulnerability, a kernel address disclosure vulnerability and a privilege escalation vulnerability. By chaining the three, it is possible to remotely jailbreak an iOS device and install and run arbitrary malicious code.
2) vulnerability details
The iOS Trident payload is triggered by visiting a specific URL, so the vulnerability can be triggered by sending a malicious link by text message, e-mail, social network or instant messaging and inducing the target to click on it. Because of an arbitrary code execution vulnerability in WebKit's JavaScriptCore, when the Safari browser opens the malicious link and runs the malicious JavaScript payload, the code gains a foothold in the Safari WebContent process. It then uses the other two vulnerabilities to elevate privileges and jailbreak the iOS device. Finally, the Trident chain makes it possible to download and run malicious modules for persistent control.
Picture source [3]
3) related CVE
The iOS Trident vulnerability involves three 0-day vulnerabilities; their CVE numbers and related information are shown in the following table:
CVE number      Vulnerability description
CVE-2016-4655   Kernel information leak
CVE-2016-4656   Privilege escalation
CVE-2016-4657   WebKit remote code execution
4) Related APT organizations and events
The Trident vulnerability was originally discovered when Ahmed Mansoor, a prominent human rights defender in the United Arab Emirates, received two text messages on his iPhone on August 10 and 11, 2016, inviting him to click a link to view secret information about the torture of prisoners held in the United Arab Emirates. He forwarded the messages to Citizen Lab, which analysed them jointly with the security company Lookout and finally found that the Trident vulnerability and its malicious payload were linked to NSO Group, a well-known Israeli spyware vendor.
Picture source [1]
5) Patches and solutions
Apple then released iOS 9.3.5 on August 25, 2016, patching the Trident vulnerability [2].
10. Android browser remote2local vulnerability exploitation
The leak of the Android browser exploit code revealed that cyber arms dealers, governments and law enforcement agencies use remote attack vulnerabilities to attack and monitor Android users. The exploitation process is almost perfect, which also reflects the artistry of vulnerability exploitation technique.
At the time, the exploit code could affect the vast majority of mainstream Android devices and system versions.
1) Overview of vulnerabilities
The Android browser remote2local exploit came to light after Hacking Team was breached and its internal source code leaked in July 2015. The leaked source contains attack code against the browser of Android 4.0.x-4.3.x systems, which achieves remote code execution, then runs privilege escalation code to obtain root privileges, and finally silently installs malicious programs.
The exploit chains three N-day vulnerabilities in Google Chrome with privilege escalation vulnerabilities in the Android system to complete the full attack.
2) Vulnerability details
The Android browser exploit mainly targets the libxslt library used by WebKit for XML parsing and XSLT transformation, and is in fact a combined exploitation of several vulnerabilities. It first uses an information leak vulnerability to obtain memory address information, then uses arbitrary memory read and write to build a ROP chain that finally executes arbitrary code. It then runs the privilege escalation code; the escalation vulnerability used in this exploit is CVE-2014-3153, a bug in the kernel's futex system call. Once root privileges are obtained, it silently installs a malicious APK application.
3) Related CVEs
Hacking Team's remote2local exploit tool for the Android browser combines three browser vulnerabilities and two privilege escalation vulnerabilities:
CVE number | Vulnerability description
CVE-2011-1202 | Information leak
CVE-2012-2825 | Arbitrary memory read
CVE-2012-2871 | Heap overflow
CVE-2014-3153 | Privilege escalation
CVE-2013-6282 | Kernel arbitrary address read and write
4) Related APT organizations and events
Exploitation of this vulnerability had not appeared in any public incident report. It was revealed for the first time when the internal source code and related e-mails of Hacking Team, an Italian company specializing in computer intrusion and surveillance services for government and law enforcement agencies, were compromised in July 2015, showing that the company held complete exploit code for it.
The leaked e-mails also show the company repeatedly explaining to customers how to use the exploit.
5) Patches and solutions
Google fixed the above problems in the released Android 4.4 system.
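Both mobile chains above are bounded by a vendor patch version (iOS 9.3.5 for Trident, Android 4.4 for the Hacking Team browser exploit). As an added example that is not part of this report, the following Python flags devices in an inventory that still fall inside those ranges; the Device model and the sample inventory are constructed for the example.

```python
# Added example (not from the report): flag inventory devices still inside the
# version ranges this report gives for the two mobile exploit chains.
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.5' or '4.3' into a 3-part tuple so '4.3' compares as 4.3.0."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))[:3]

@dataclass
class Device:
    name: str
    platform: str   # "ios" or "android"
    version: str

# Boundaries taken from the report: Trident fixed in iOS 9.3.5; the Hacking Team
# browser chain hits Android 4.0.x-4.3.x and was fixed in Android 4.4.
TRIDENT_FIXED = parse_version("9.3.5")
HT_ANDROID_MIN = parse_version("4.0.0")
HT_ANDROID_FIXED = parse_version("4.4.0")

def exposure(dev: Device) -> Optional[str]:
    """Name the exploit chain a device is still exposed to, or None if patched."""
    v = parse_version(dev.version)
    if dev.platform == "ios" and v < TRIDENT_FIXED:
        return "iOS Trident (CVE-2016-4655/4656/4657)"
    if dev.platform == "android" and HT_ANDROID_MIN <= v < HT_ANDROID_FIXED:
        return "Hacking Team Android browser remote2local"
    return None

def exposed_devices(inventory: List[Device]) -> List[Tuple[str, str]]:
    """(device name, chain) for every device that still needs the vendor patch."""
    return [(d.name, chain) for d in inventory if (chain := exposure(d)) is not None]

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Device("exec-iphone", "ios", "9.3.4"),
    Device("hr-iphone", "ios", "9.3.5"),
    Device("field-tablet", "android", "4.3.1"),
    Device("kiosk", "android", "4.4"),
    Device("old-phone", "android", "2.3.6"),   # predates the affected range
]

if __name__ == "__main__":
    for name, chain in exposed_devices(SAMPLE_INVENTORY):
        print(f"{name}: still exposed to {chain}")
```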
Summary
Top APT groups such as Equation Group have the most advanced vulnerability exploitation techniques.
Top APT groups such as Equation Group have mastered the most advanced vulnerability exploitation technology, covering vulnerabilities in almost all Internet-related facilities, devices, software and applications, while other APT groups still prefer to use client software vulnerabilities for phishing attacks.
Vulnerability attacks against Office are still the focus of most APT attacks
In terms of frequency of use, Office vulnerabilities remain the most commonly used vulnerabilities among most APT groups and are still very effective entry points for APT attacks.
Mobile APT attacks have gradually become a new hot spot.
With the popularity of mobile devices and their significant increase in market share, APT groups have also begun to extend their attacks to mobile devices. Among past APT attacks against mobile devices, the Trident vulnerability on iOS and the Hacking Team Android browser exploit stand out. They show that targeted mobile attacks have the same technical sophistication seen in earlier network attacks, and also reveal that cyber arms dealers build and sell weapons aimed at mobile platforms.
Thank you for reading. The above is the whole content of "what are the top 10 security vulnerabilities used by the APT organization?". I believe the editor will bring you more high-quality articles. Thank you for your support of the website!