Data Analysis of CVE-2017-5638 Exploit Attempts
A major vulnerability, the Apache Struts 2 0-day vulnerability (CVE-2017-5638), was recently discovered on March 6, 2017. Here at NTT Security, we analyze these types of vulnerabilities, set up detection capabilities, and analyze any exploit attempts by threat actors as detected via the NTT Security Global Managed Security Services Platform.
This blog takes a further look, via data analysis, into the active exploit attempts against the Apache Struts 2 0-day vulnerability as seen in the NTT Security Global Managed Security Services Platform. Through our analysis, we were able to uncover the source of the attacks, the industries targeted, malware samples, and more. Additionally, based on our research, we were able to conclude that exploit attempts for this vulnerability will remain popular for some time, and have listed mitigation and recommended actions further below in this blog to avoid future exploit attempts.
Background
On March 6, Apache released a...
How long is too long?
There has been a lot of chatter on social media lately surrounding the topic of public vulnerability disclosure. Doing a quick Google search, I found a ton of resources, discussions and blog posts available, covering different ways to properly disclose a vulnerability. Several are listed below:
CVE-2016-0728: Evaluating the Threat Level
On January 14, 2016, researchers at Perception Point identified a 0-day local privilege escalation vulnerability (CVE-2016-0728) in Linux kernel versions 3.8 to 4.4 (2012 – 2016). The flaw lies in the kernel’s keyrings facility, which is used to retain cached security data, authentication keys, encryption keys and other data. Using a local user account, an attacker can free a referenced keyring object and overwrite it so that attacker-controlled code is executed in the kernel, escalating privileges to root. Based on statistics provided by Perception Point, tens of millions of personal computers (PCs) and servers, and 66% of all Android devices, may be vulnerable.
On December 28, Adobe published a new version of Flash Player to fix 19 flaws in its code, superseding a version of Flash which Adobe had released earlier this month. Today’s release patches these 19 flaws, including multiple zero-day vulnerabilities. Of these, CVE-2015-8561 is being actively exploited in the wild.
Adobe states this vulnerability “is being used in limited, targeted attacks” and described it as “an integer overflow vulnerability that could lead to code execution.” The only observed exploitation to date has been via a phishing campaign.
2014 is the Year of the Retro Vulnerability
Last month, Shellshock exploited a 24+ year old flaw in the bash shell. Now we find that SSL 3.0, which is almost old enough to drive, is the basis of an attack which renders more modern encryption useless. This one goes by the name of POODLE (Padding Oracle On Downgraded Legacy Encryption).
Despite its name, this one has nothing to do with the Oracle database system (or dogs, for that matter). It’s a new way to exploit known flaws (CVE-2014-3566) in SSL 3.0. The details are in this short research paper, published by Google researchers on the OpenSSL site. The paper contains some heavy math, but the upshot is a conversation similar to this one:
Server: Please log in using a secure protocol. I recommend TLS.
Client: I don’t speak...