Overview
An Advanced Persistent Threat (APT) attack uses advanced techniques to mount a long-running, persistent network attack against a specific target. APT attacks are more sophisticated than other forms of attack, and that sophistication shows mainly in precise reconnaissance and information gathering, a high degree of stealth, and the use of a variety of complex vulnerabilities in the target's systems and applications.
To give a more complete picture of the state of global APT research, the 360 Threat Intelligence Center has reviewed the most important component of APT attacks: the security vulnerabilities used by APT groups. Drawing on published APT research reports and findings, on which vulnerabilities APT campaigns and groups use most often, on the value of each vulnerability, and on the Center's own understanding of APT attacks as a form of cyber warfare, we selected the top 10 vulnerabilities (or vulnerability categories) used by APT groups.
This report first explains the criteria used to rate the value of the vulnerabilities commonly used by APT groups and the vulnerability categories each group favours; together these form the main basis for selecting the 10 categories. For each category it then picks the most representative single vulnerability and describes its background, exploitation technique and scope of impact, the APT groups associated with it and notable incidents, followed by protection measures and recommendations for that category. Finally, drawing on that analysis, the 360 Threat Intelligence Center summarises trends in the vulnerabilities APT groups use and offers its own conclusions.
Main points
The exploitation technology of top-tier APT groups such as Equation Group is far ahead of that of other APT groups
In attack technology and in cyber-warfare thinking, other APT groups lag far behind top-tier groups such as Equation Group. APT attack techniques can therefore be divided into two classes: those of the groups represented by Equation Group, and those of everyone else. The difference shows mainly in how targets are reached: top-tier groups achieve targeted, precise strikes through low-level implants, by attacking core network infrastructure such as routers and firewalls, and by attacking network servers, whereas other APT groups mainly rely on phishing combined with client-side vulnerabilities.
Figure: Equation Group's QUANTUMINSERT achieves targeted strikes by attacking network infrastructure
A narrow classification of vulnerabilities
The vulnerabilities commonly used by APT groups can be divided, narrowly, into those that attack network infrastructure, servers and services, and those that attack client application software.
Network infrastructure, server and service vulnerabilities
This class mainly affects network infrastructure (routers, switches, firewalls and so on), servers, and network services (SMB, RPC, IIS, Remote Desktop and so on). An attacker can use such a vulnerability to compromise core network facilities and then move laterally or implant malicious code on other clients in the network, with severe consequences. Judging from public information, this class is used mainly by top-tier groups such as Equation Group.
Client software vulnerabilities
This class is delivered mainly through phishing and targets client application software such as browsers, Office and PDF readers. Its drawback is that it requires interaction from the targeted user, so as a whole these vulnerabilities are worth less than those that attack servers.
The APT organization’s top ten (categories) vulnerabilities
The 360 Threat Intelligence Center selected the ten vulnerabilities (or categories) most used by APT groups in recent years: two server-side categories and eight client-side categories. The server-side categories are the firewall device vulnerabilities from the NSA's network arsenal and the SMB protocol vulnerabilities exploited by EternalBlue. The client-side categories are two for mobile platforms (Android and iOS), four for Microsoft Office, plus Flash vulnerabilities and Windows privilege escalation vulnerabilities.
360 Threat Intelligence Center will introduce the background, vulnerability exploitation, related vulnerabilities and impact scope, related APT organizations and events, patches and solutions for each type of vulnerability.
1. Firewall device vulnerabilities
As network border devices, firewalls are not usually attackers' targets, and in the APT field vulnerabilities aimed at firewall devices were rarer still. That changed in 2016, when the first batch of tools leaked by the Shadow Brokers exposed a large number of tools targeting firewalls and routers, and with them Equation Group's years of activity directly attacking border devices. We choose CVE-2016-6366 as the representative of this class.
Equation Group's QUANTUMINSERT (quantum implant) attack tool compromises border firewalls, routers and similar devices in order to monitor the network and identify a victim's virtual identity, then "injects" exploit code into the victim's network traffic bound for the corresponding application (for example the IE browser), implanting malicious code precisely on the target.
1) Vulnerability Overview
On August 13, 2016, the hacker group Shadow Brokers claimed to have breached Equation Group, the team that develops cyber weapons for the NSA, and published tools the group used internally. Among them was the EXBA (ExtraBacon) tool, which is based on the 0-day CVE-2016-6366, a buffer overflow in the SNMP service module of Cisco firewalls.
2) Vulnerability details
CVE-2016-6366 is a buffer overflow in the SNMP service module of Cisco firewalls. The target device must have SNMP enabled, and the attacker must know the SNMP community string. Once the exploit runs, it can turn off the firewall's password authentication for Telnet/SSH, allowing the attacker to log in and perform unauthorized operations.
As shown in the disassembly below, sub_817A5A0 is a copy routine implemented by the firmware itself. It performs no length check internally, and its caller does not check the copy length either, so the copy overflows the destination buffer.
The result is that a Telnet login succeeds with any password:
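The copy pattern described above, as an added C model written for this page (it is neither Cisco's firmware code nor the ExtraBacon exploit): a hand-rolled copy routine with no notion of destination capacity, a caller that passes the packet's own length byte to it unchecked, and the hardened pair that checks the length against both the packet and the destination. The field layout (one length byte followed by data), the 32-byte slot and the guard word are assumptions made for the demonstration; the guard sits right after the buffer only so that the overflow shows up as a changed value rather than as undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Slot the SNMP handler copies a packet field into. `guard` follows the buffer so that
   an overflow is visible as a changed value (assumed layout for the model). */
#define FIELD_CAP 32
#define GUARD_VALUE 0x5a5a5a5au
typedef struct {
    uint8_t  field[FIELD_CAP];
    uint32_t guard;
} field_slot;

/* The firmware's own copy routine, modelled after sub_817A5A0 as the page describes it:
   it has no notion of how large the destination is. */
static void fw_copy(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
}

/* Vulnerable caller: the length comes straight from the packet (assumed layout: one
   length byte, then the data) and is handed to fw_copy unchecked. The single bound
   below only keeps the *model* inside `slot`; the real code had no bound at all, so
   the overflow would run on past the slot into whatever follows it in memory. */
static int parse_field_vuln(field_slot *slot, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    if (n > sizeof *slot || n > pkt_len - 1) return -2;   /* model-only clamp */
    fw_copy((uint8_t *)slot, pkt + 1, n);                /* n may exceed FIELD_CAP */
    return 0;
}

/* Hardened pair: the helper takes the destination capacity, and the caller checks the
   declared length against both the bytes left in the packet and that capacity. */
static int fw_copy_bounded(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t n) {
    if (n > dst_cap) return -1;
    memcpy(dst, src, n);
    return 0;
}

static int parse_field_fixed(field_slot *slot, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    if (n > pkt_len - 1) return -2;     /* declared length runs past the packet */
    if (n > FIELD_CAP) return -3;       /* declared length exceeds the destination */
    return fw_copy_bounded(slot->field, FIELD_CAP, pkt + 1, n);
}

/* Feeds one constructed packet (length byte `declared`, then 255 'A' bytes) to either
   parser. Returns 1 when the parse succeeded and the guard survived, 0 when the guard
   was clobbered, or the parser's negative error code when the packet was rejected. */
static int run_model(int fixed, uint8_t declared) {
    uint8_t pkt[1 + 255];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = declared;
    field_slot slot;
    memset(&slot, 0, sizeof slot);
    slot.guard = GUARD_VALUE;
    int rc = fixed ? parse_field_fixed(&slot, pkt, sizeof pkt)
                   : parse_field_vuln(&slot, pkt, sizeof pkt);
    if (rc < 0) return rc;
    return slot.guard == GUARD_VALUE ? 1 : 0;
}

int main(void) {
    printf("vulnerable, 16-byte field: %d\n", run_model(0, 16));   /* 1: fine */
    printf("vulnerable, 36-byte field: %d\n", run_model(0, 36));   /* 0: guard clobbered */
    printf("fixed,      36-byte field: %d\n", run_model(1, 36));   /* -3: rejected */
    return 0;
}
```

The point of the two-sided fix is that neither check alone is enough: a capacity-aware helper still overflows if the caller lies about the destination, and a careful caller still reads past the packet if it never compares the declared length with what was actually received.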
3) Related CVEs
CVE number | Vulnerability description
CVE-2016-6366 | Buffer overflow in the SNMP service module
CVE-2016-6367 | Remote code execution
4) Related APT groups
APT group | CVE number
Equation Group | CVE-2016-6366
Equation Group | CVE-2016-6367
5) Related APT events
PRISM, the NSA's top-secret worldwide electronic surveillance program.
6) Patches and mitigations
Update the firmware of network edge devices promptly. Cisco has published its response to the vulnerability: https://blogs.cisco.com/security/shadow-brokers
2. SMB communication protocol vulnerability
SMB (Server Message Block) is a client-server protocol originally designed at IBM in the 1980s and later adopted and extended by Microsoft; it is the main file- and printer-sharing protocol of Microsoft networks.
On April 14, 2017, the Shadow Brokers published the Windows-related files that had appeared in earlier leaked documents. The leak contained a set of remote code execution frameworks for Windows systems (covering network services including SMB, RDP, IIS and several third-party mail servers). A series of SMB remote 0-day tools among them (EternalBlue, EternalRomance, EternalChampion, EternalSynergy) were later integrated into multiple worm families and broke out on May 12 of the same year; WannaCry integrated EternalBlue.
1) Vulnerability Overview
The EternalBlue tool uses three vulnerabilities in the SMB protocol, the main one being the out-of-bounds memory write CVE-2017-0144, fixed in Microsoft's MS17-010 update. With this integrated tool an attacker can directly and remotely gain control of a vulnerable machine.
2) Vulnerability details
The core vulnerability in EternalBlue is CVE-2017-0144, which is triggered through the SMB_COM_TRANSACTION2 command: when the length of the FEA LIST field exceeds 0x10000 (65536) bytes, memory is written out of bounds. Because the FEA LIST of an SMB_COM_TRANSACTION2 command can be at most 0xFFFF bytes, a second vulnerability is needed: the server can be made to confuse an SMB_COM_NT_TRANSACT transaction (whose data count is 32 bits) with an SMB_COM_TRANSACTION2 one, so that a FEA LIST longer than 0x10000 bytes reaches the TRANSACTION2 handler and the out-of-bounds write occurs. A third vulnerability is then used to shape the memory layout and finally achieve code execution.
3) Related CVEs
The SMB attack tools leaked by the Shadow Brokers are fixed by the MS17-010 update, which covers five vulnerabilities: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 and CVE-2017-0148. These are separate flaws in the SMB protocol implementation that, combined with each other, form the Eternal series of weapons against SMB in the Shadow Brokers leak.
CVE number | Vulnerability description
CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148 | SMB protocol vulnerabilities
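An added C model of the size-accounting flaw behind the FEA LIST overflow described above, written for this page (it is neither srv.sys code nor the EternalBlue tool). It follows the public analyses of CVE-2017-0144: the pass that computes the NT-format size of the OS/2 FEA list (SrvOs2FeaListSizeToNt) also corrects the list's 32-bit length field when the list ends mid-entry, but does so with a 16-bit store, so a list declared longer than 0xFFFF keeps its high word and the conversion pass (SrvOs2FeaListToNt) later runs past the buffer it allocated. The entry sizes, the 0x10000 declared length and the 4096-byte final entry are constructed test data; the model assumes a little-endian host and does not perform the out-of-bounds write, it only reports how far past the allocation the conversion would go.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OS/2 FEA as carried in an SMB FEALIST: this header, then cbName+1 name bytes (NUL
   terminated) and cbValue value bytes. The list starts with a 32-bit cbList that counts
   the whole list including that 4-byte field. */
typedef struct {
    uint8_t  fEA;
    uint8_t  cbName;
    uint16_t cbValue;
} os2_fea_hdr;

/* Size of the NT FILE_FULL_EA_INFORMATION entry an OS/2 entry converts to:
   NextEntryOffset(4) Flags(1) EaNameLength(1) EaValueLength(2) name NUL value,
   rounded up to a 4-byte boundary. */
static size_t nt_fea_size(uint8_t cbName, uint16_t cbValue) {
    size_t raw = 4 + 1 + 1 + 2 + (size_t)cbName + 1 + cbValue;
    return (raw + 3) & ~(size_t)3;
}

/* Model of the size pass (SrvOs2FeaListSizeToNt): walk entries while they fit inside
   cbList and sum their NT sizes. If the list ends mid-entry, cbList is rewritten to the
   offset where parsing stopped. The vulnerable build does that rewrite with a 16-bit
   store, so only the low word of the 32-bit field changes; the fixed build stores all
   32 bits. (Little-endian host assumed, as on the x86 targets.) */
static uint32_t fea_list_size_to_nt(uint8_t *list, bool fixed) {
    uint32_t cbList, off = 4, nt = 0;
    memcpy(&cbList, list, 4);
    while (off < cbList) {
        os2_fea_hdr h;
        if (off + sizeof h > cbList) break;
        memcpy(&h, list + off, sizeof h);
        uint32_t fea_len = (uint32_t)sizeof h + h.cbName + 1 + h.cbValue;
        if (off + fea_len > cbList) break;
        nt += (uint32_t)nt_fea_size(h.cbName, h.cbValue);
        off += fea_len;
    }
    if (off != cbList) {
        if (fixed) {
            memcpy(list, &off, 4);              /* full 32-bit update */
        } else {
            uint16_t lo = (uint16_t)off;        /* 16-bit store: the high word survives */
            memcpy(list, &lo, 2);
        }
    }
    return nt;
}

/* Model of the conversion pass (SrvOs2FeaListToNt): the NT buffer is allocated with the
   size from the pass above, then entries are converted while the cursor is below cbList.
   Nothing is written here; the function returns how many NT bytes the loop would emit so
   the caller can compare it with the allocation. `have` is the number of bytes actually
   received (the NT_TRANSACT buffer is large enough to hold the whole list). */
static size_t fea_list_to_nt_bytes(const uint8_t *list, size_t have) {
    uint32_t cbList;
    memcpy(&cbList, list, 4);
    size_t off = 4, written = 0;
    while (off < cbList) {
        os2_fea_hdr h;
        if (off + sizeof h > have) break;       /* model bound: stay inside received data */
        memcpy(&h, list + off, sizeof h);
        size_t fea_len = sizeof h + h.cbName + 1 + h.cbValue;
        if (off + fea_len > have) break;
        written += nt_fea_size(h.cbName, h.cbValue);
        off += fea_len;
    }
    return written;
}

/* Builds the constructed list: 13106 empty entries (5 bytes each) bring the cursor to
   0xFFFE, cbList is declared as 0x10000, and a final entry with a 4096-byte value
   overruns the declared length. Returns how many bytes the conversion would write beyond
   the NT allocation (0 when the size pass is correct), or -1 on allocation failure. */
static long eternalblue_model_overrun(bool fixed) {
    enum { SMALL = 13106, BIG_VALUE = 4096 };
    size_t have = 4 + SMALL * 5 + 4 + 1 + BIG_VALUE;
    uint8_t *list = calloc(have, 1);
    if (!list) return -1;
    uint32_t cbList = 0x10000;
    memcpy(list, &cbList, 4);
    size_t off = 4;
    for (int i = 0; i < SMALL; i++) {           /* fEA=0, cbName=0, cbValue=0, name "" */
        memset(list + off, 0, 5);
        off += 5;
    }
    os2_fea_hdr big = { 0, 0, BIG_VALUE };      /* name "" then 4096 value bytes */
    memcpy(list + off, &big, sizeof big);
    uint32_t alloc = fea_list_size_to_nt(list, fixed);
    size_t written = fea_list_to_nt_bytes(list, have);
    free(list);
    return (long)written - (long)alloc;
}

int main(void) {
    printf("vulnerable size pass: %ld bytes past the allocation\n", eternalblue_model_overrun(false));
    printf("fixed size pass:      %ld bytes past the allocation\n", eternalblue_model_overrun(true));
    return 0;
}
```

With the 16-bit store, the cursor 0xFFFE is written into the low word of 0x10000 and cbList becomes 0x1FFFE, which is larger than the original rather than smaller; the conversion loop then happily consumes the oversized final entry that the size pass had rejected. The model also shows why the second (protocol confusion) bug is needed: a list whose cbList fits in 16 bits never exercises the bad store.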
4) Related APT groups
The leaked tools themselves come from Equation Group, a hacking group under the NSA. After the leak they were used by large numbers of ransomware and worm families.
Related APT group | Related vulnerabilities
Equation Group | Eternal series
Suspected Lazarus | EternalBlue
5) Related events
On May 12, 2017, the WannaCry ransomware worm broke out on a large scale around the world. The incident was later linked to Lazarus.
6) Patch solution
Update operating system patches promptly. Microsoft has released a patch for the vulnerability: https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2017/ms17-010
3. Office OLE2Link logic vulnerability
Office OLE2Link is an important feature of Microsoft Office. Through object linking, it lets a document embed remote objects that are automatically loaded and processed when the document is opened. Because of a design flaw, this processing contains a serious logic vulnerability; we choose CVE-2017-0199 as the representative of this class.
1) Vulnerability Overview
On April 7, 2017, researchers at McAfee and FireEye disclosed details of a 0-day vulnerability in Microsoft Office Word (CVE-2017-0199). An attacker sends the victim a malicious document containing an OLE2Link object and tricks the user into opening it. When the user opens the document, the OLE2Link mechanism processes the target object without regard to the security risk, downloading and executing a malicious HTML Application (HTA) file.
2) Vulnerability details
CVE-2017-0199 uses Office OLE2Link object linking to embed a malicious linked object in the document. Office calls the URL Moniker to download the HTA file at the malicious link; the URL Moniker examines the Content-Type field of the response header and finally calls mshta.exe to execute the attack code in the HTA file. In terms of impact, CVE-2017-0199 affects almost every version of Office, making it one of the most widely impactful Office vulnerabilities in history. It is easy to construct and triggers reliably, which earned it the Best Client-Side Bug award at the 2017 Pwnie Awards at Black Hat.
3) Related CVE
For CVE-2017-0199, Microsoft's patch adopted a mechanism called the "COM Activation Filter", which directly blocks two dangerous CLSIDs: {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} (the "htafile" object) and {06290BD3-48AA-11D2-8432-006008C3FBFC} (the "script" object). CVE-2017-8570 uses another object, "ScriptletFile", with CLSID {06290BD2-48AA-11D2-8432-006008C3FBFC}, and thereby bypasses the CVE-2017-0199 patch.
CVE number | Vulnerability description
CVE-2017-0199 | Office OLE2Link remote code execution vulnerability
CVE-2017-8570 | Office OLE2Link remote code execution vulnerability
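An added detection example, not code from the page or from Microsoft: a scanner that looks for the three CLSIDs named above in a document blob. A CLSID can appear as 16 raw bytes (in an OLE stream or in an object embedded in a DOCX package), as the hex text of those bytes (the \objdata of an RTF file), or as the dashed text form; the first three GUID fields are stored little-endian on disk, which the conversion below reproduces. The RTF fragment used in main() is constructed, not a real sample.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two classes the CVE-2017-0199 patch blocks, and the one CVE-2017-8570 used. */
static const char *const DANGEROUS_CLSIDS[] = {
    "3050F4D8-98B5-11CF-BB82-00AA00BDCE0B",   /* htafile */
    "06290BD3-48AA-11D2-8432-006008C3FBFC",   /* script */
    "06290BD2-48AA-11D2-8432-006008C3FBFC",   /* ScriptletFile (CVE-2017-8570) */
};
#define N_CLSIDS (sizeof DANGEROUS_CLSIDS / sizeof DANGEROUS_CLSIDS[0])

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Dashed text form -> the 16-byte GUID layout used in OLE streams: Data1 (4 bytes),
   Data2 and Data3 (2 bytes each) are stored little-endian, Data4 (8 bytes) as written. */
static int clsid_to_bytes(const char *text, uint8_t out[16]) {
    uint8_t raw[16];
    size_t n = 0;
    for (const char *p = text; *p != '\0' && n < 16; p += 2) {
        if (*p == '-') p++;
        int hi = hexval((unsigned char)p[0]), lo = hexval((unsigned char)p[1]);
        if (hi < 0 || lo < 0) return -1;
        raw[n++] = (uint8_t)(hi << 4 | lo);
    }
    if (n != 16) return -1;
    out[0] = raw[3]; out[1] = raw[2]; out[2] = raw[1]; out[3] = raw[0];
    out[4] = raw[5]; out[5] = raw[4];
    out[6] = raw[7]; out[7] = raw[6];
    memcpy(out + 8, raw + 8, 8);
    return 0;
}

/* Byte `idx` of the on-disk form of a CLSID, or -1 if the text does not parse. */
static int clsid_byte_at(const char *text, int idx) {
    uint8_t b[16];
    if (idx < 0 || idx > 15 || clsid_to_bytes(text, b) != 0) return -1;
    return b[idx];
}

static void bytes_to_hex(const uint8_t *b, size_t n, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = digits[b[i] >> 4];
        out[2 * i + 1] = digits[b[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

static int contains_bytes(const uint8_t *hay, size_t hay_len, const uint8_t *needle, size_t n) {
    if (n == 0 || hay_len < n) return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Case-insensitive search, so upper- and lower-case hex and CLSID text both match. */
static int contains_text_ci(const uint8_t *hay, size_t hay_len, const char *needle, size_t n) {
    if (n == 0 || hay_len < n) return 0;
    for (size_t i = 0; i + n <= hay_len; i++) {
        size_t j = 0;
        while (j < n && tolower(hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Returns a bitmask: bit i is set when DANGEROUS_CLSIDS[i] occurs in `doc` as raw GUID
   bytes, as the 32-character hex text of those bytes, or as the dashed text form. */
static unsigned scan_for_ole2link_clsids(const uint8_t *doc, size_t len) {
    unsigned hits = 0;
    for (size_t i = 0; i < N_CLSIDS; i++) {
        uint8_t bin[16];
        char hex[33];
        if (clsid_to_bytes(DANGEROUS_CLSIDS[i], bin) != 0) continue;
        bytes_to_hex(bin, 16, hex);
        if (contains_bytes(doc, len, bin, 16) ||
            contains_text_ci(doc, len, hex, 32) ||
            contains_text_ci(doc, len, DANGEROUS_CLSIDS[i], 36))
            hits |= 1u << i;
    }
    return hits;
}

int main(void) {
    /* Constructed RTF fragment carrying the ScriptletFile class inside \objdata hex. */
    const char rtf[] = "{\\rtf1{\\object\\objemb{\\*\\objdata 01050000020000000d000000"
                       "d20b2906aa48d2118432006008c3fbfc00000000}}}";
    printf("hits: 0x%x\n", scan_for_ole2link_clsids((const uint8_t *)rtf, sizeof rtf - 1));
    return 0;
}
```

A hit on bit 2 (ScriptletFile) in a document that predates a fully patched Office is exactly the CVE-2017-8570 shape; a hit on bits 0 or 1 inside an embedded object is what the COM Activation Filter refuses to activate after the CVE-2017-0199 patch, so the scanner is useful both for triage and for checking that a fix was applied on the document-handling side.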
4) Related APT groups
The Office OLE2Link logic vulnerability is simple in principle, easy to construct and reliable to trigger. It is a favourite of APT groups and has entered the arsenal of most of them.
Related APT group | CVE number
Mahacao (APT-C-09), APT37 | CVE-2017-0199
Mahacao (APT-C-09) | CVE-2017-8570
5) Related APT incidents
In June 2017, Ukraine and other countries suffered large-scale attacks by a Petya variant ransomware. The attackers used the Microsoft Office remote code execution vulnerability CVE-2017-0199, delivered by email, and after a successful infection used the EternalBlue vulnerability to spread.
In March 2018, the 360 Threat Intelligence Center published the report "Analysis of the Latest Cyber Attack Activities of the Mahacao APT Group Against Sensitive Institutions in China", describing targeted attacks by the Mahacao group (APT-C-09) on sensitive Chinese institutions using spear-phishing emails carrying CVE-2017-8570 exploits:
6) Patch and solution
Avoid opening documents from unknown sources. Scanning a document with anti-virus software such as 360 Security Guard before opening it reduces the risk, and where possible, open unfamiliar documents inside a virtual machine.
Software manufacturer Microsoft has released a patch corresponding to the vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570
4. Office Equation Editor Vulnerability
EQNEDT32.EXE (Microsoft Equation Editor) is the component first shipped with Microsoft Office 2000 and Office 2003 for inserting and editing equations in documents. Although equation editing changed from Office 2007 onwards, EQNEDT32.EXE was kept in the Office suite for compatibility with older versions. The binary has never been modified since it was compiled 17 years ago, which means it has none of the modern mitigations (ASLR, DEP, GS stack cookies and so on). Moreover, because EQNEDT32.EXE is started via DCOM as a separate process, independent of the Office process, it is not covered by the sandbox of newer Office versions. Vulnerabilities in it therefore effectively "bypass" sandbox protection and are extremely dangerous. We choose the first vulnerability found in this component, CVE-2017-11882, as the representative of this class.
1) Vulnerability Overview
On November 14, 2017, Embedi published the blog post "Skeleton in the closet. MS Office vulnerability you didn't know about", analysing the discovery and exploitation of CVE-2017-11882 in EQNEDT32.EXE. CVE-2017-11882 is a buffer overflow when parsing the Font Name field of an equation; a malformed equation in a DOC or RTF document can lead to code execution.
2) Vulnerability details
CVE-2017-11882 is a stack overflow. As shown below, the Font Name field in the red box eventually overflows the stack and overwrites the return address with 0x00430C12, which points to a call to WinExec. The first parameter of the parent function happens to point to the attacker's string, so WinExec runs the command it contains.
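A heuristic detector for the over-long Font Name record, added here as an example (it is neither Embedi's proof of concept nor Microsoft's code). MTEF stores a font as a FONT record: a 0x08 tag byte, a typeface number, a style byte and a NUL-terminated name, which is the field EQNEDT32 copies into its small stack buffer. The scanner does not implement the whole MTEF grammar; it measures the NUL-terminated run after every 0x08 byte, so a genuine FONT record is never missed, while stray 0x08 bytes in other records can produce extra candidates that need a look. The 32-byte threshold, the MTEF header bytes and both sample streams are assumptions and constructed data; the sample's trailing 12 0C 43 bytes stand for the 0x00430C12 return address mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MTEF_TAG_FONT   0x08
#define FONT_NAME_LIMIT 32      /* detection threshold chosen for this example */

typedef struct {
    size_t offset;      /* position of the candidate 0x08 tag in the stream */
    size_t name_len;    /* bytes from the start of the name to the NUL (or end of data) */
    int    terminated;  /* 1 if a NUL was found before the end of the stream */
} font_hit;

/* Scans an Equation Native / MTEF byte stream. Every 0x08 byte is treated as a possible
   FONT tag (tag, typeface, style, then the name), and the run up to the next NUL is
   measured. Candidates whose name is FONT_NAME_LIMIT bytes or longer are stored in
   `hits` (up to `max_hits`); the return value is the total number of such candidates. */
static size_t scan_mtef_font_names(const uint8_t *s, size_t len,
                                   font_hit *hits, size_t max_hits) {
    size_t count = 0;
    for (size_t i = 0; i + 3 <= len; i++) {
        if (s[i] != MTEF_TAG_FONT) continue;
        size_t name = i + 3, j = name;
        while (j < len && s[j] != 0) j++;
        size_t name_len = j - name;
        if (name_len < FONT_NAME_LIMIT) continue;
        if (count < max_hits) {
            hits[count].offset = i;
            hits[count].name_len = name_len;
            hits[count].terminated = (j < len);
        }
        count++;
    }
    return count;
}

/* Builds a constructed MTEF fragment: an (assumed) version-3 header followed by one FONT
   record. `malicious` selects a name shaped like the CVE-2017-11882 exploits (a command
   line, padding, then the bytes of the return address) instead of an ordinary font name.
   Returns the number of bytes written, or 0 if `cap` is too small. */
static size_t build_sample(int malicious, uint8_t *buf, size_t cap) {
    static const uint8_t header[] = { 0x03, 0x01, 0x01, 0x03, 0x0a };  /* assumed MTEF v3 header */
    static const uint8_t font_tag[] = { MTEF_TAG_FONT, 0x5a, 0x5a };   /* tag, typeface, style */
    const char *benign = "Times New Roman";
    const char *cmd = "cmd.exe /c calc.exe ";                            /* 20 bytes */
    size_t n = 0;
    if (cap < sizeof header + sizeof font_tag + 48) return 0;
    memcpy(buf + n, header, sizeof header);     n += sizeof header;
    memcpy(buf + n, font_tag, sizeof font_tag); n += sizeof font_tag;
    if (!malicious) {
        memcpy(buf + n, benign, strlen(benign) + 1); n += strlen(benign) + 1;
    } else {
        memcpy(buf + n, cmd, strlen(cmd)); n += strlen(cmd);
        memset(buf + n, 'A', 20);          n += 20;                      /* padding */
        buf[n++] = 0x12; buf[n++] = 0x0c; buf[n++] = 0x43; buf[n++] = 0x00; /* 0x00430C12 */
    }
    return n;
}

/* Number of over-long FONT name candidates in the constructed sample. */
static size_t count_oversized_in_sample(int malicious) {
    uint8_t buf[128];
    font_hit hits[4];
    size_t len = build_sample(malicious, buf, sizeof buf);
    return scan_mtef_font_names(buf, len, hits, 4);
}

/* Name length of the first over-long candidate in the sample, or 0 if there is none. */
static size_t sample_first_hit_name_len(int malicious) {
    uint8_t buf[128];
    font_hit hits[4];
    size_t len = build_sample(malicious, buf, sizeof buf);
    return scan_mtef_font_names(buf, len, hits, 4) ? hits[0].name_len : 0;
}

int main(void) {
    uint8_t buf[128];
    font_hit hits[4];
    size_t len = build_sample(1, buf, sizeof buf);
    size_t n = scan_mtef_font_names(buf, len, hits, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("FONT candidate at offset %zu: name length %zu (%s)\n",
               hits[i].offset, hits[i].name_len,
               hits[i].terminated ? "NUL-terminated" : "runs to end of data");
    return 0;
}
```

In practice the Equation Native stream has to be pulled out of the OLE object first (from the RTF \objdata hex or the DOCX package); the scanner then runs over those bytes. Legitimate font names are short, so anything at or above the threshold is worth a manual look even when it turns out to be a false candidate from another record type.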
3) Related CVE
Since November 14, 2017, two further vulnerabilities in EQNEDT32.EXE, CVE-2018-0802 and CVE-2018-0798, have been discovered in succession.
CVE number | Vulnerability description
CVE-2017-11882 | Font Name field overflow
CVE-2018-0802 | lfFaceName field overflow
CVE-2018-0798 | Stack overflow when parsing matrix records
4) Related APT groups
Related APT group | CVE number
APT34 | CVE-2017-11882
Mahacao (APT-C-09) | CVE-2017-11882
5) Related APT events
APT34 delivered spear-phishing emails carrying CVE-2017-11882 to attack financial and government institutions in several Middle Eastern countries.
6) Patch and solution
Individual users should be very careful when downloading and opening documents from unknown sources, and should scan them with a protection tool such as 360 Security Guard to detect viruses, trojans and rogue software. Where possible, open unfamiliar documents inside a virtual machine.
Software manufacturer Microsoft has released a patch corresponding to the vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798
5. OOXML type confusion vulnerability
OOXML (Office Open XML) is a specification Microsoft developed for Office 2007 that has since become an international document format standard (ISO/IEC 29500), alongside the earlier OpenDocument Format and China's UOF ("Biaowentong") standard. An OOXML document is a package containing many XML parts, and design flaws in the way those XML parts are processed have produced serious type confusion vulnerabilities, the most typical being CVE-2015-1641 and CVE-2017-11826. We choose the most popular OOXML type confusion vulnerability of recent years, CVE-2015-1641, as the representative.
1) Vulnerability Overview
In April 2015, Microsoft patched an Office Word type confusion vulnerability, CVE-2015-1641. When parsing the displacedByCustomXML attribute of a DOCX document, Word did not validate the customXML object, which leads to type confusion and an arbitrary memory write; carefully constructed tags and attribute values then yield remote arbitrary code execution. It is an OOXML type confusion vulnerability with a very high success rate, and it has been used often by APT groups.
2) Vulnerability details
In CVE-2015-1641, because Word does not strictly validate the incoming customXML object, an object such as a smartTag can be passed in instead. The smartTag object is processed differently from customXML: if a customXML tag can be made to be parsed as a smartTag, the element attribute value of the smartTag is treated as an address, and another address is derived from it by a simple calculation. Subsequent processing then writes the id value (from moveFromRangeEnd) to that calculated address, giving an unpredictable memory write. By writing a controllable function pointer and shaping the memory layout with a heap spray, the attacker finally achieves code execution:
3) Related CVE
On September 28, 2017, the 360 Helios team captured an in-the-wild attack exploiting an Office 0-day (CVE-2017-11826). The vulnerability affects almost all Office versions Microsoft currently supports, although the in-the-wild attack targeted specific versions only. The attack took the form of malicious DOCX content embedded in an RTF document.
CVE number | Vulnerability description
CVE-2015-1641 | customXML object type confusion
CVE-2017-11826 | Incorrect idmap tag calculation in XML leads to confusion
4) Related APT groups
The exploitation technique for CVE-2015-1641 was disclosed long ago and has a very high success rate, so before the Office OLE2Link logic vulnerability became popular it was one of the Office vulnerabilities most commonly used by the major APT groups.
Related APT group | CVE number
Mahacao (APT-C-09), APT28 | CVE-2015-1641
An undisclosed East Asian APT group | CVE-2017-11826
5) Related APT incidents
The Mahacao APT group has used large numbers of attack documents carrying CVE-2015-1641.
6) Patch and solution
Individual users should be very careful when downloading and opening documents from unknown sources, and should scan them with a protection tool such as 360 Security Guard to detect viruses, trojans and rogue software. Where possible, open unfamiliar documents inside a virtual machine.
Software manufacturer Microsoft has released a patch corresponding to the vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1641
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826
6. EPS (Encapsulated PostScript) script parsing vulnerability
EPS, short for Encapsulated PostScript, is an extension of PostScript suited to colour-accurate bitmap and vector output across platforms and on high-resolution output devices, so Office added support for it. Since 2015, however, several EPS-related vulnerabilities in Office have been exploited, including CVE-2015-2545, CVE-2017-0261 and CVE-2017-0262, which eventually forced Microsoft to disable the EPS component in Office. We choose CVE-2017-0262 as the representative.
1) Vulnerability Overview
In the article "EPS Processing Zero-Days Exploited by Multiple Threat Actors", published May 7, 2017, FireEye researchers disclosed several EPS 0-day vulnerabilities exploited in the wild, among them CVE-2017-0262. CVE-2017-0262 is a vulnerability in the EPS forall operator, which validates its parameters improperly, leading to code execution.
2) Vulnerability details
The CVE-2017-0262 exploit sample first applies a 4-byte XOR encoding to the actual exploit, with key c45d6491:
The key point of the vulnerability lies in the following line of code. In EPS, the forall operator executes the handler procedure proc (its second parameter) for each object in its first parameter. Because the type of the second parameter is checked loosely, 0x0D80D020, a memory address the attacker controls through a heap spray, is used as the address of the handler procedure, the ESP register is brought under the attacker's control, and code execution follows:
3) Related CVEs
CVE number | Vulnerability description
CVE-2015-2545 | Use-after-free
CVE-2017-0261 | Use-after-free in the save/restore operators
CVE-2017-0262 | Loose type check on the forall parameters leads to code execution
4) Related APT groups
Because EPS vulnerabilities are difficult to exploit, and EPS has been processed in an isolated sandbox since Office 2010, they usually need to be paired with a privilege escalation vulnerability, so the users of this series are typically well-known large APT groups.
Related APT group | CVE number
Undisclosed | CVE-2015-2545
Turla | CVE-2017-0261
APT28 | CVE-2017-0262
5) Related APT incidents
APT28 sought to influence the French election by sending spear-phishing emails (CVE-2017-0262/CVE-2017-0263) carrying an Office file named Trump's_Attack_on_Syria_English.docx; as much as 9 GB of data from the Macron campaign team was uploaded to the outside.
6) Patch and solution
Individual users should be very careful when downloading and opening documents from unknown sources, and should scan them with a protection tool such as 360 Security Guard to detect viruses, trojans and rogue software. Where possible, open unfamiliar documents inside a virtual machine.
Software manufacturer Microsoft has released a patch corresponding to the vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2545
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262
7. Windows Privilege Elevation Vulnerability
In recent years, attacks exploiting vulnerabilities in Windows client software have grown steadily, which has led major vendors to add "sandbox" protection to their client applications. The core idea is to run the application in an isolated, usually low-privilege, environment; the sandbox can be seen as a virtual container in which less trusted code runs, so that even if the client software is compromised by malicious code, it poses no real threat to the user's system.
Client programs that have adopted sandbox protection include the IE/Edge browsers, Chrome, Adobe Reader and Microsoft Office. When a client-side vulnerability is combined with a Windows privilege escalation vulnerability, the application's sandbox protection can be bypassed.
1) Vulnerability Overview
In attacks on the EPS (Encapsulated PostScript) component of Office, the EPS filter process fltldr.exe runs in a low-privilege sandbox from Office 2010 onwards. To break out of that sandbox, an attacker must chain the remote code execution vulnerability with a kernel privilege escalation vulnerability. We therefore choose the local privilege escalation vulnerability in win32k.sys, CVE-2017-0263, which was chained with the EPS type confusion vulnerability CVE-2017-0262, as the representative.
2) Vulnerability details
The CVE-2017-0263 exploit first creates three popup menus and adds the corresponding menu items. The use-after-free occurs during the kernel's handling of WM_NCDESTROY and overwrites the tagWND structure of wnd2, allowing the bServerSideWindowProc flag to be set. Once bServerSideWindowProc is set, the window's user-mode WndProc is treated as a kernel callback and is called from kernel context. The attacker has by then replaced WndProc with kernel shellcode, completing the privilege escalation.
3) Related CVEs
CVE number | Vulnerability description
CVE-2015-2546 | Win32k memory corruption elevation of privilege vulnerability
CVE-2016-7255 | Win32k local elevation of privilege vulnerability
CVE-2017-0001 | Windows GDI elevation of privilege vulnerability
CVE-2017-0263 | Win32k use-after-free elevation of privilege vulnerability
4) Related APT groups
Related APT group | CVE number
Undisclosed | CVE-2015-2546
Turla | CVE-2016-7255, CVE-2017-0001
APT28 | CVE-2017-0263
5) Related APT incidents
APT attacks against Japan and Taiwan, and APT28's attacks on the French election.
6) Patch and solution
Individual users should be very careful when downloading and opening documents from unknown sources, and should scan them with a protection tool such as 360 Security Guard to detect viruses, trojans and rogue software. Where possible, open unfamiliar documents inside a virtual machine.
Software manufacturer Microsoft has released a patch corresponding to the vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2546
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7255
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263
8. Flash Vulnerability
Because of its cross-platform popularity, Flash Player has always drawn the attention of APT groups. Flash vulnerabilities began to appear in volume from 2014, and especially in 2015, when the Hacking Team leak exposed two 0-days, CVE-2015-5119 and CVE-2015-5122, together with the techniques for exploiting Flash vulnerabilities; from then on Flash became a new favourite of APT groups. Adobe later worked with Google to ship several Flash security mechanisms (an isolated heap, Vector length checking and others), which raised the bar for Flash exploitation considerably, but type confusion bugs such as CVE-2015-7645 still slipped through. We choose the recently discovered in-the-wild 0-day CVE-2018-4878 as the representative of this class.
1) Vulnerability Overview
On January 31, 2018, Korea's KR-CERT issued an advisory that a Flash 0-day (CVE-2018-4878) was being exploited in the wild; attackers targeted specific victims by sending Office Word attachments with embedded malicious Flash objects.
2) Vulnerability details
CVE-2018-4878 targets the DRMManager object in Flash's com.adobe.tvsdk package. As the code below shows, the triggeruaf function creates a MyListener instance, initializes it through initialize, and then sets the reference to null. The first LocalConnection().connect() causes the garbage collector to reclaim the instance's memory, and the second LocalConnection().connect() raises an exception. During exception handling a new MyListener instance is created, and the memory manager hands it the memory of the previous instance; this is the dangling pointer. A timer is then set, and its callback checks whether the use-after-free was triggered; if so, the position is determined through Mem_Arr:
3) Related CVEs
CVE number | Vulnerability description
CVE-2017-11292 | Use-after-free
CVE-2018-4878 | Use-after-free
4) Related APT groups
Related APT group | CVE number
APT28 | CVE-2017-11292, CVE-2018-4878
Group 123 | CVE-2018-4878
5) Related APT incidents
Group 123 used CVE-2018-4878 to attack sensitive departments in South Korea.
6) Patch and solution
Individual users should be very careful when downloading and opening documents from unknown sources, and should scan them with a protection tool such as 360 Security Guard to detect viruses, trojans and rogue software. Where possible, open unfamiliar documents inside a virtual machine.
Software manufacturer Adobe has released a patch corresponding to the vulnerability:
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
9. iOS Trident vulnerability
The iOS Trident vulnerabilities are, so far, the only publicly disclosed example of a remote attack chain against the iOS browser that was actually used in APT attacks on specific targets.
1) Vulnerability Overview
The iOS Trident vulnerabilities are a chain of three 0-days affecting iOS versions before 9.3.5: a WebKit vulnerability, a kernel address disclosure vulnerability and a privilege escalation vulnerability. Combined, the three can remotely jailbreak an iOS device and install and run arbitrary malicious code.
2) Vulnerability details
The iOS Trident vulnerability exploit payload can be triggered by accessing a specific URL, so it can be sent via SMS, email, social network or instant messaging, etc. The malicious link induces the target to click and open the link to trigger the vulnerability. Due to the arbitrary code execution vulnerability in the WebKit JavaScriptCore library, when the Safari browser accesses a malicious link and triggers the execution of a malicious JavaScript payload, the exploit code enters the Safari WebContent process space. It then exploited two other vulnerabilities to escalate privileges and jailbreak the iOS device. Finally, the Trident vulnerability enables the download and execution of malicious modules used for persistence control.
Image source[3]
3) Related CVE
The iOS Trident vulnerability involves three 0-day vulnerabilities. The CVE numbers and related information are shown in the following table:
CVE Number | Vulnerability Description
CVE-2016-4655 | Kernel information leakage
CVE-2016-4656 | Elevation of privilege
CVE-2016-4657 | WebKit remote code execution
4) Related APT organizations and incidents
The Trident vulnerability was first discovered in August 2016 through Ahmed Mansoor, a prominent human rights defender in the United Arab Emirates. On the 10th and 11th of March, his iPhone received two text messages claiming that he could click a link to view secret content about the torture of prisoners held in UAE prisons. He forwarded the messages to Citizen Lab, which analyzed them jointly with the security company Lookout and discovered the vulnerability. They ultimately found that the Trident vulnerability and its associated malicious payload were linked to the well-known Israeli spyware vendor NSO Group.
Picture source[1]
5) Patch and solution
Apple subsequently released iOS 9.3.5 on August 25, 2016, which patched the Trident vulnerability [2].
10. Android browser remote2local vulnerability exploit
The leak of the Android browser exploit code revealed that online arms dealers, and the government and law enforcement agencies they supply, use remote attack vulnerabilities to compromise and monitor Android users. The exploitation process is almost flawless, which also reflects the artistry of vulnerability exploitation technique.
The exploit code affected almost all mainstream Android devices and system versions of the time.
1) Vulnerability Overview
The Android browser remote2local exploit came to light in July 2015, when Hacking Team was breached and its internal source code was leaked. The leaked source code contained exploit code targeting the browser of Android 4.0.
The exploit chains three N-day vulnerabilities in Google Chrome with a privilege escalation vulnerability in the Android system to complete the full attack process.
2) Vulnerability details
The Android browser exploit mainly targets the libxslt library in WebKit, which handles XML parsing and XSLT transformation; the exploitation is in fact a chain of multiple vulnerabilities. It first uses an information leakage vulnerability to obtain memory address information, then uses arbitrary memory read and write to construct a ROP attack and ultimately achieve arbitrary code execution, after which it runs the privilege escalation code. The privilege escalation vulnerability used in this exploit is CVE-2014-3153, which arises from the kernel's futex system call. After obtaining root privileges, the malicious APK application is installed silently.
3) Related CVE
Hacking Team's remote2local exploit tool for Android browsers combines three browser vulnerabilities and two privilege escalation vulnerabilities.
CVE Number | Vulnerability Description
CVE-2011-1202 | Information leakage
CVE-2012-2825 | Arbitrary memory read
CVE-2012-2871 | Heap overflow
CVE-2014-3153 | Elevation of privilege
CVE-2013-6282 | Arbitrary kernel address read and write
4) Related APT organizations and incidents
No use of this vulnerability has been disclosed in historical public incident reports. Hacking Team, an Italian company that provides computer intrusion and surveillance services to government departments and law enforcement agencies, was hacked in July 2015; its internal source code and related emails were leaked, revealing for the first time that it possessed complete exploit code for this vulnerability.
In the leaked emails, the company frequently explained to customers the method and process of exploiting the vulnerability.
5) Patches and solutions
The Android 4.4 release from Google fixes the above issues.
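As an added example (not code from the 360 report, nor from Apple or Google), the following Python checks a device inventory against the fix versions named in the two mobile sections above: iOS 9.3.5 for Trident and Android 4.4 for the Hacking Team browser chain. The inventory, the device IDs and the Advisory structure are constructed for illustration. It shows the version-tuple comparison a patch-compliance check needs (so that 9.3 sorts before 9.3.5 and 4.4.0 equals 4.4) and reports unparseable versions instead of silently dropping them.

```python
"""
Added example (not from the 360 report): flag devices in an inventory whose
OS version predates the fix for the two mobile exploit chains discussed above.
Fix thresholds come from the text: Trident was patched in iOS 9.3.5, and the
Hacking Team Android browser chain was fixed in Android 4.4.
The inventory below is constructed sample data, not real devices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:           # hypothetical structure for this example
    name: str
    platform: str
    fixed_in: str
    cves: tuple


# Thresholds as stated in the report; only versions strictly below fixed_in are flagged.
ADVISORIES = (
    Advisory("iOS Trident", "ios", "9.3.5",
             ("CVE-2016-4655", "CVE-2016-4656", "CVE-2016-4657")),
    Advisory("Android browser remote2local", "android", "4.4",
             ("CVE-2011-1202", "CVE-2012-2825", "CVE-2012-2871",
              "CVE-2014-3153", "CVE-2013-6282")),
)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*")


def parse_version(text):
    """Turn '9.3.4', '4.4.2' or '4.4 (KitKat)' into a tuple of ints.
    Trailing zeros are stripped so that 4.4.0 == 4.4. Raises ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_below(version, fixed_in):
    """True when version sorts strictly before fixed_in; tuple comparison
    handles different lengths, e.g. (9, 3) < (9, 3, 5)."""
    return parse_version(version) < parse_version(fixed_in)


def exposed_devices(inventory):
    """Return (device_id, advisory name, cves) for every device running an OS
    version older than the advisory's fix for its platform. A device whose
    version cannot be parsed is reported as 'unknown-version' so it is not lost."""
    findings = []
    for dev in inventory:
        for adv in ADVISORIES:
            if dev["platform"] != adv.platform:
                continue
            try:
                below = is_below(dev["os_version"], adv.fixed_in)
            except ValueError:
                findings.append((dev["id"], "unknown-version", ()))
                break
            if below:
                findings.append((dev["id"], adv.name, adv.cves))
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "phone-01", "platform": "ios", "os_version": "9.3.4"},
    {"id": "phone-02", "platform": "ios", "os_version": "9.3.5"},
    {"id": "phone-03", "platform": "ios", "os_version": "10.0.1"},
    {"id": "tab-01", "platform": "android", "os_version": "4.0.4"},
    {"id": "tab-02", "platform": "android", "os_version": "4.4 (KitKat)"},
    {"id": "tab-03", "platform": "android", "os_version": "n/a"},
]

if __name__ == "__main__":
    for dev_id, adv, cves in exposed_devices(SAMPLE_INVENTORY):
        print(f"{dev_id}: {adv} {' '.join(cves)}")
```

On the sample inventory this flags phone-01 (Trident), tab-01 (Android browser chain) and tab-03 (unknown version). A version threshold is a coarse signal: OEM builds may carry backported fixes, so flagged devices are candidates for verification against the vendor's patch level rather than confirmed exposures.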
Summary
1. The top APT organization Equation has mastered the most advanced vulnerability attack technology
Equation's vulnerability attack capability covers vulnerabilities in almost all Internet-related facilities, equipment, software and applications, while other APT organizations still prefer to use vulnerabilities in client software to conduct phishing attacks.
2. Vulnerability attacks against Office remain the focus of most APT attacks
In terms of frequency of use, Office vulnerabilities are still the vulnerabilities most commonly used by APT organizations, and they remain a very effective entry point for APT attacks.
3. Mobile APT attacks have gradually become a new hot spot
The popularity and market share of mobile devices have grown significantly, so APT organizations have extended their attack scope to mobile devices. Among past APT activities targeting mobile devices, the Trident vulnerability for iOS and the browser exploit for Android leaked from Hacking Team were particularly notable. They showed that targeted attacks on mobile platforms have the same advanced technical characteristics seen in earlier network attacks, and they also revealed that online arms dealers produce and sell cyber weapons aimed at mobile platforms.