
Threat Actors and Exploits Top Ten Lists of 2018


AlienVault, an AT&T cyber security company, released a survey with Top Ten lists of security threats in 2018, from CVE numbers to threat actors, based on the first two quarters of this year. From the table below, we can see a clear trend of exploitation targeting the Microsoft Office suite. The platform is commonly targeted to propagate threats via macro execution, where attackers trick victims into running malicious code.

The number one exploit in the table, however, is a highly critical vulnerability in the Office suite affecting Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016. The vulnerability allows an attacker to run arbitrary code in the context of the current user because the software fails to properly handle objects in memory (Microsoft Office Memory Corruption Vulnerability). Proof of Concept exploit code and a demonstration video can be found on GitHub and YouTube.
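Whether the initial access is a macro or an exploit document, the payload usually has to launch something, so a widely used detection for the Office trend above is to look for command interpreters whose parent (or grandparent) is an Office application. The following Python example is added here for illustration; it is not AlienVault's or LIFARS's code. It assumes process-creation telemetry in JSON lines using Sysmon Event ID 1 field names (Image, CommandLine, ProcessGuid, ParentProcessGuid); the events, GUIDs and paths are constructed, and the encoded command is a placeholder.

```python
"""Detect command interpreters descended from an Office application.

Added illustration for this post (not AlienVault's or LIFARS's code).
Events below are constructed, in JSON lines using Sysmon event-1 field
names; the GUID values, paths and command lines are made up.
"""
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed telemetry: Word -> cmd -> powershell (malicious chain),
# Word -> splwow64 (benign print helper), Excel -> wscript (malicious).
SAMPLE_EVENTS = r'''
{"UtcTime": "2018-06-01 09:12:01.000", "ProcessGuid": "{W1}", "ParentProcessGuid": "{E0}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.doc"}
{"UtcTime": "2018-06-01 09:12:05.000", "ProcessGuid": "{C1}", "ParentProcessGuid": "{W1}", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -enc PLACEHOLDER"}
{"UtcTime": "2018-06-01 09:12:06.000", "ProcessGuid": "{P1}", "ParentProcessGuid": "{C1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc PLACEHOLDER"}
{"UtcTime": "2018-06-01 09:15:40.000", "ProcessGuid": "{W2}", "ParentProcessGuid": "{E0}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n report.docx"}
{"UtcTime": "2018-06-01 09:15:41.000", "ProcessGuid": "{S1}", "ParentProcessGuid": "{W2}", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
{"UtcTime": "2018-06-01 09:20:11.000", "ProcessGuid": "{X1}", "ParentProcessGuid": "{E0}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "EXCEL.EXE"}
{"UtcTime": "2018-06-01 09:20:30.000", "ProcessGuid": "{V1}", "ParentProcessGuid": "{X1}", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //e:vbscript C:\\Users\\u\\AppData\\Local\\Temp\\update.vbs"}
'''


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def office_ancestor(event, by_guid, max_depth=4):
    """Walk ParentProcessGuid links; return the nearest Office ancestor or None.

    Following the chain (not just the direct parent) catches the common
    cmd.exe -> powershell.exe hop that hides the Office parent."""
    guid = event.get("ParentProcessGuid")
    for _ in range(max_depth):
        parent = by_guid.get(guid)
        if parent is None:          # root of what we have seen
            return None
        if _name(parent["Image"]) in OFFICE_APPS:
            return parent
        guid = parent.get("ParentProcessGuid")
    return None


def find_office_spawned_interpreters(events):
    """Return one hit per interpreter process that descends from an Office app."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for event in events:
        child = _name(event["Image"])
        if child not in INTERPRETERS:
            continue
        office = office_ancestor(event, by_guid)
        if office is None:
            continue
        hits.append({
            "time": event["UtcTime"],
            "office_app": _name(office["Image"]),
            "interpreter": child,
            "command": event["CommandLine"],
            "direct": event["ParentProcessGuid"] == office["ProcessGuid"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_interpreters(load_events(SAMPLE_EVENTS)):
        link = "child" if hit["direct"] else "descendant"
        print(f'{hit["time"]} {hit["office_app"]} -> {hit["interpreter"]} ({link}): {hit["command"]}')
```

On the constructed data this flags cmd.exe and powershell.exe under WINWORD.EXE and wscript.exe under EXCEL.EXE, while the print helper splwow64.exe is left alone; in production the interpreter list and an allowlist of known-benign Office children need tuning per environment.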

Exploits Top Ten List

RANK  EXPLOIT         NUMBER OF REPORTS  RELATED TO PRODUCT
1     CVE-2017-11882  18                 MS Office
2     CVE-2017-8570   7                  MS Office
3     CVE-2018-4878   7                  Adobe Flash
4     CVE-2017-10271  6                  WebLogic
5     CVE-2018-0802   6                  MS Office
6     CVE-2017-0199   5                  MS Office
7     CVE-2017-0144   4                  Windows OS
8     CVE-2018-7600   4                  Drupal
9     CVE-2017-8759   3                  MS Office
10    CVE-2018-10561  3                  GPON Routers


CVE-2017-11882 – Demonstration video by EMBEDI:


Drupal also appears, ranked 8th. The vulnerability allows remote attackers to execute arbitrary code; it was named Drupalgeddon 2 and was widely exploited as soon as it made the news because of how easy it is to exploit. An exploit Proof of Concept can be found on GitHub.
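The reason CVE-2018-7600 was so easy to exploit is that Drupal's Form API treats array keys beginning with '#' as render-array properties, and unsanitized request parameters could carry such keys. Drupal's fix dropped every '#'-prefixed key from incoming request data before the form system sees it. The Python below is an added illustration of that sanitizing rule, not Drupal's own (PHP) code; the PHP-style nested query parser is a simplification written for this example, and the query string, form id and field names are constructed.

```python
"""Model of the input sanitization Drupal added for CVE-2018-7600.

Added illustration for this post, not Drupal's own (PHP) code. Any
request key that starts with '#' is removed recursively and the removed
paths are reported so they can be logged. The query string below is
constructed; the form id and field names are made up.
"""
import re
from urllib.parse import parse_qs

# Constructed request: two '#' keys smuggled inside the 'user' field.
SAMPLE_QUERY = ("form_id=example_contact_form"
                "&user[%23access]=1&user[%23markup]=x&user[name]=alice")


def parse_php_query(query):
    """Expand PHP-style 'a[b][c]=v' parameters into nested dicts.

    Simplification for the example: repeated keys keep the last value,
    and empty '[]' segments (PHP append) are not handled."""
    root = {}
    for raw_key, values in parse_qs(query, keep_blank_values=True).items():
        base = raw_key.split("[", 1)[0]
        keys = [base] + re.findall(r"\[([^\]]*)\]", raw_key)
        node = root
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = values[-1]
    return root


def sanitize_request(data, path="", dropped=None):
    """Return (clean_copy, dropped_paths).

    Every dict key beginning with '#' is removed at any depth, so no
    request-supplied render-array property reaches the form builder."""
    if dropped is None:
        dropped = []
    if isinstance(data, dict):
        clean = {}
        for key, value in data.items():
            full = f"{path}[{key}]" if path else str(key)
            if str(key).startswith("#"):
                dropped.append(full)       # report, do not pass through
                continue
            clean[key], _ = sanitize_request(value, full, dropped)
        return clean, dropped
    if isinstance(data, list):
        items = [sanitize_request(v, f"{path}[{i}]", dropped)[0]
                 for i, v in enumerate(data)]
        return items, dropped
    return data, dropped


if __name__ == "__main__":
    clean, dropped = sanitize_request(parse_php_query(SAMPLE_QUERY))
    print("clean:", clean)
    print("dropped:", dropped)
```

Logging the dropped paths is worth keeping: a request that carries '#' keys at all is a strong signal of an exploitation attempt against an unpatched site, so the same filter doubles as a detection source.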

Advanced Threat Actors Top Ten List

According to the survey, the table below shows the Top Ten most reported APT groups in the first two quarters of 2018.

RANK  ADVANCED PERSISTENT THREAT  LOCATION
1     Lazarus Group               North Korea
2     Sofacy                      Russia
3     MuddyWater                  Iran
4     Oil Rig                     Iran
5     Patchwork                   India
6     Energetic Bear              Russia
7     Kimsuky                     North Korea
8     APT 15                      China
9     Stone Panda                 China
10    Turla                       Russia

It's not a surprise to see Lazarus Group ranked first; the cybercrime group is very active in the financial sector. On October 2, 2018, US-CERT, the FBI, Homeland Security and the Department of the Treasury issued an alert regarding its activity stealing money from ATMs in Asia and Africa since 2016; the campaign was named FASTCash. It's important to mention that the US government uses the name Hidden Cobra to track Lazarus Group activity.

In such a hostile environment, it's important to have continuous analysis of corporate systems. Get in touch with LIFARS to schedule a call with our experts.


Source: https://www.alienvault.com/docs/whitepapers/2018-open-threat-exchange-trends.pdf