
What is the investigation into the attack on the website of a telecommunications company in Hong Kong by the CVE-2018-4878 vulnerability?

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail the investigation into the CVE-2018-4878 exploit attack on the website of a telecom company in Hong Kong. The content is of high quality, so the editor is sharing it as a reference; after reading it you should have a clearer understanding of the relevant points.

Earlier, researchers discovered that the website of a Hong Kong telecom company had been compromised. On March 21, Morphisec Labs investigated the website attack. The investigators found that, after the telecom group's official website was compromised, a Flash exploit file for CVE-2018-4878 had been embedded in the main page home.php.

Attack overview

The attack is a textbook targeted "watering hole attack": the attacker implants malware or malicious code into websites the intended victims are likely to visit, so that a visiting victim's system becomes infected and opens a door for the attacker. This kind of attack is commonly used in cyber espionage. The Morphisec investigation found that this watering hole attack had very advanced evasion features: the attack was entirely fileless, leaving no persistence mechanism or trace on the victim's disk, and it used a custom protocol on an unfiltered port. In general, this advanced type of watering hole attack is highly targeted and can point to a well-resourced and sophisticated attacker.

When the CVE-2018-4878 exploit code was disclosed, a number of state-sponsored attacks, malware campaigns and exploit kits around the world adopted it. This watering hole attack is the latest attack to exploit CVE-2018-4878. Following the Morphisec analysis report, the malicious code has been removed from the Hong Kong telecom company's website, and the site has returned to a normal security state.

Attack analysis

The exploit file (a Flash exploit) embedded by the attacker in the home.php main page:

This embedded Flash exploit is very similar to the previously common CVE-2018-4878 exploit, except for its post-exploitation stage:

Its shellcode launches a legitimate rundll32.exe process on the Windows system and injects into it, hiding the memory region where the malicious code runs. The shellcode then downloads further payloads and injects them into the rundll32 process:

The C2 server used by the attacker is 106[.]185.24.241 (Japan). It uses a custom protocol on port 443 when communicating with the victim host. Morphisec is currently conducting an in-depth analysis of this protocol:
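As an added defender-side example (not part of the Morphisec report or this article), the following Python correlates constructed process and connection events to flag the two traits described above: a rundll32.exe started with no arguments that opens a network connection, and client traffic on port 443 that does not begin with a TLS ClientHello. The event format, field names and sample values are assumptions made for the example.

```python
import json
import ntpath

# Constructed sample telemetry (not from the report), one JSON record per line,
# modelled on process-creation and network-connection events. "first_bytes" is
# the hex of the first client bytes sent on the connection.
SAMPLE_EVENTS = """
{"event": "process_create", "pid": 4120, "image": "C:/Windows/System32/rundll32.exe", "cmdline": "rundll32.exe"}
{"event": "process_create", "pid": 5008, "image": "C:/Windows/System32/rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}
{"event": "process_create", "pid": 6100, "image": "C:/Windows/System32/rundll32.exe", "cmdline": "rundll32.exe"}
{"event": "net_connect", "pid": 4120, "dst_ip": "203.0.113.10", "dst_port": 443, "first_bytes": "0a0b0c0d0e0f1011"}
{"event": "net_connect", "pid": 5008, "dst_ip": "203.0.113.20", "dst_port": 443, "first_bytes": "160301002c01000028"}
{"event": "net_connect", "pid": 6100, "dst_ip": "203.0.113.30", "dst_port": 8080, "first_bytes": "474554202f20485454"}
"""


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS handshake record (0x16), major version 0x03, ClientHello (0x01) at offset 5."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def is_bare_rundll32(cmdline: str) -> bool:
    """rundll32.exe normally names a DLL and export; no argument at all is a
    common sign of a process started only to host injected code."""
    parts = cmdline.split()
    return len(parts) == 1 and ntpath.basename(parts[0]).lower() == "rundll32.exe"


def analyse(events_text: str) -> list:
    """Correlate network connections with their originating process and
    return one finding per connection that matches the report's pattern."""
    procs, findings = {}, []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
            continue
        proc = procs.get(ev["pid"])
        if ev["event"] != "net_connect" or proc is None:
            continue
        reasons = []
        if is_bare_rundll32(proc["cmdline"]):
            reasons.append("rundll32.exe with no DLL argument opened a network connection")
        if ev["dst_port"] == 443 and not looks_like_tls_client_hello(bytes.fromhex(ev["first_bytes"])):
            reasons.append("client data on port 443 is not a TLS ClientHello (custom protocol?)")
        if reasons:
            findings.append({"pid": ev["pid"], "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "reasons": reasons})
    return findings
```

Running `analyse(SAMPLE_EVENTS)` flags pid 4120 on both counts and pid 6100 only for the bare rundll32 host, while the rundll32 instance with a real DLL argument talking TLS on 443 is left alone.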

Metasploit modules used in the attack

The follow-on payloads that the shellcode downloads and injects into the rundll32 process space include Metasploit Meterpreter and Mimikatz modules, which were compiled on February 15, the week before the attack:

The modules highlighted in yellow below are the original Metasploit modules:

Through its investigation, Morphisec found that this sophisticated watering hole attack is the prelude to a planned deeper intrusion and may point to a well-resourced and sophisticated attacker. Morphisec states that, because the attack used the CVE-2018-4878 exploit, it closely resembles earlier attacks attributed to nation-state activity, and there may be a connection. Morphisec has not yet traced the specific attackers and will continue to follow up the investigation.

Attack indicators

Flash: 58D15B7A49193022D8FB9712FAC1A9E2

C2: 106[.]185.24.241 (li715-241.members.linode[.]com:https)

This concludes the investigation into the CVE-2018-4878 exploit attack on the website of a telecom company in Hong Kong. I hope the above content is helpful to you and that you have learned something from it. If you think the article is good, please share it so more people can see it.
