Heimdal

Whatever timeframe one picks, analysis of the threat landscape leads to the same conclusion: the reactive dynamic between defender and threat actor forces each side to transform, evolve and, ultimately, meet on a different kind of battlefield. Defenders now have to repel increasingly complex malware whose malicious code spreads faster, is cheaper to produce (and reproduce), and is capable of inflicting crippling damage across the whole grid.

This clash becomes especially visible in the public sector. An assessment of the cyber threat status of UK councils suggests that city councils across the United Kingdom have seen a steep increase in cyber-attacks, with some regions, such as Sefton, fending off up to 30,000 cyber-threats each month.

Based on the indicators, we are looking at a 50% year-on-year increase in attacks, the bulk of which abuse outdated, unsecured or legacy software. Denmark faces a cybersecurity crisis of its own: although it is deemed one of the most cyber-secure countries in the world, it still confronts numerous challenges, not all of them confined to the public sector. Denmark’s Centre for Cybersecurity set out to build a taxonomy of the (cyber) threats that could endanger the country. Among the threats rated “Very High” were cyber-espionage and well-organized APTs operating from outside and inside the country to target and undermine various levels of society.

Taking into account how the threat landscape has evolved in both regions, Heimdal® began its own investigation to determine whether municipalities have really moved up the hit list, or whether that perception is conjecture or a seasonal effect.

Investigative Methodology & Findings

Our investigation started from the following claim: third-party software is, in general, more prone to exploitation and therefore more vulnerable than OS-centric software. However, in spite of the severity and volume of third-party findings, our data (correlated with open-source threat intelligence) shows that vulnerabilities endemic to third-party applications have a less severe impact across all five security properties (confidentiality, integrity, availability, authenticity and non-repudiation) than OS-associated vulnerabilities.

Working from this premise, Heimdal®’s SOC team proceeded to probe the extracted data.

So far, Heimdal®’s investigation has established the following: although there is a significant percentage gap between the identified operating-system vulnerabilities and those in Heimdal®-monitored third-party applications, our data suggests that OS flaws rated 8 to 10 on the CVSS scale (High to Critical) have a stronger impact on business operations than third-party application vulnerabilities, potentially jeopardizing continuity. Consequently, OS vulnerabilities carry a higher computed risk score.

Furthermore, the same dataset shows that, over the queried timeframe, the incidence rate of OS vulnerabilities is 670 per 1,000 (for every 1,000 discovered vulnerabilities, 670 are operating-system related) and 329.35 per 1,000 for third-party flaws (for every 1,000 discovered flaws, 329.35 relate to third-party applications). The results are shown in the graph below.

We have also computed the trend distribution of third-party and OS vulnerabilities by CVSS score; our findings are shown in the graph below.

Risk assessment scores* (computed by factoring in the attack vectors used for each vulnerability bracket, average detection time, average remediation time, and cost versus benefit versus business impact) when comparing OS vulnerabilities with third-party vulnerabilities are as follows.

CVSS score | Risk score
10 | 1.977843
9 – 9.8 | 0.133054
8 – 8.8 | 0.354871
7 – 7.8 | 1.400114

*The risk score metric lies in the [0, 2] interval, where 0 signifies negligible impact across the business environment and 2 signifies critical impact, associated with high infiltration potential, data breach, and data loss and/or destruction.

Vulnerability Management

Another dimension we inspected was CVSS distribution per unit (both OS-centric and third-party patches are treated as statistical units).

Our statistical analysis of the third-party patching workflow revealed that 1.5% of all third-party vulnerabilities patched within the last 3 months carried a CVSS score between 7 (High) and 10 (Critical). All of them related to (third-party) drivers, definitions and security updates. A drill-down of the high-scoring defects reveals the following.

  • 5% of vulnerable 3rd party apps carried a CVSS score of 8.1 – 8.8 (High)
  • 17% of vulnerable 3rd party apps carried a CVSS score of 7.1 – 7.8 (High)
  • 50% of all detected third-party vulnerabilities were Critical (CVSS between 9.1 and 10).

The 3rd party vulnerability distribution can be reviewed in the graph below.
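The choice of statistical unit matters more than it looks: the tables later in this article list the same CVE against several units (four TeamViewer builds, two 7-zip architectures, three Acrobat language packs), so a per-unit count and a per-unique-CVE count give different bracket percentages. The script below is an added example, not code from the original report or from Heimdal®; its rows are a constructed subset of the article's third-party table, and the brackets (10, 9.0–9.9, 8.0–8.9, 7.0–7.9) are an assumption chosen to mirror the ones the article reports on.

```python
"""Per-unit versus per-unique-CVE CVSS distribution.

Added example, not code from the original report. The rows are a constructed
subset of the third-party table in this article: one row per patch unit
(application build), with the CVE it fixes and the CVSS base score listed.
"""
from collections import Counter

# Constructed sample drawn from the article's third-party table. Note how one
# CVE repeats across several units (four TeamViewer builds, two 7-zip builds,
# three Acrobat language packs).
ROWS = [
    ("Adobe Acrobat Reader (French)", "CVE-2014-0566", 10.0),
    ("Adobe Acrobat Reader (Norsk)", "CVE-2014-0566", 10.0),
    ("Adobe Acrobat Reader (Svenska)", "CVE-2014-0566", 10.0),
    ("Mozilla Firefox x64", "CVE-2021-38503", 10.0),
    ("Mozilla Firefox x86", "CVE-2021-38503", 10.0),
    ("Thunderbird", "CVE-2021-38503", 10.0),
    ("TeamViewer 10", "CVE-2018-16550", 9.8),
    ("TeamViewer 11", "CVE-2018-16550", 9.8),
    ("TeamViewer 12", "CVE-2018-16550", 9.8),
    ("TeamViewer 13", "CVE-2018-16550", 9.8),
    ("VLC x64", "CVE-2019-12874", 9.8),
    ("VLC x86", "CVE-2019-12874", 9.8),
    ("Pidgin", "CVE-2017-2640", 9.8),
    ("PuTTY x64", "CVE-2021-36367", 8.1),
    ("PuTTY x86", "CVE-2021-36367", 8.1),
    ("Git x64", "CVE-2022-36882", 8.8),
    ("7-zip x64", "CVE-2022-29072", 7.8),
    ("7-zip x86", "CVE-2022-29072", 7.8),
    ("Calibre x64", "CVE-2021-44686", 7.5),
    ("Zoom Outlook Plugin", "CVE-2022-36928", 7.1),
]

# Brackets assumed to mirror the ones the article reports on.
BUCKETS = ("10", "9.0-9.9", "8.0-8.9", "7.0-7.9")


def bucket(score: float) -> str:
    """Map a CVSS base score to one of the reporting brackets."""
    if score >= 10.0:
        return "10"
    if score >= 9.0:
        return "9.0-9.9"
    if score >= 8.0:
        return "8.0-8.9"
    if score >= 7.0:
        return "7.0-7.9"
    return "<7"


def distribution(rows, per_unique_cve: bool) -> dict:
    """Percentage of High/Critical (>= 7.0) findings in each bracket.

    per_unique_cve=False treats every patch unit as one finding (the article's
    'statistical unit'); per_unique_cve=True collapses rows that share a CVE,
    so a flaw shipped in four TeamViewer builds counts once, at the highest
    score seen for it.
    """
    scored = [(cve, s) for _, cve, s in rows if s >= 7.0]
    if per_unique_cve:
        best = {}
        for cve, s in scored:
            best[cve] = max(s, best.get(cve, 0.0))
        scored = list(best.items())
    counts = Counter(bucket(s) for _, s in scored)
    total = sum(counts.values())
    if total == 0:
        return {b: 0.0 for b in BUCKETS}
    return {b: round(100.0 * counts[b] / total, 1) for b in BUCKETS}


def critical_share(rows, per_unique_cve: bool) -> float:
    """Share of findings rated Critical (CVSS >= 9.0) under either counting rule."""
    d = distribution(rows, per_unique_cve)
    return round(d["10"] + d["9.0-9.9"], 1)


if __name__ == "__main__":
    for mode in (False, True):
        label = "unique CVEs" if mode else "patch units"
        print(f"{label:12s}", distribution(ROWS, mode),
              f"critical={critical_share(ROWS, mode)}%")
```

On this sample the Critical share is 65% when every patch unit counts, but only 50% once duplicate CVEs are collapsed; any figure reported as "x% of vulnerabilities were Critical" should state which of the two rules it used.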

Technical Analysis of 3rd Party and OS Vulnerabilities

Heimdal®’s SOC team performed a technical analysis of the vulnerabilities identified over the reference period, also factoring in historical data. Our findings are summarized below.

3rd Party Vulnerabilities

Our methodology involves extracting and analyzing data on vulnerabilities with a CVSS score higher than 7 (High).

Vulnerabilities with a CVSS of 10

Application Name | CVE | CVSS
Adobe Acrobat Reader (French) | CVE-2014-0566 | 10
Adobe Acrobat Reader (Norsk) | CVE-2014-0566 | 10
Adobe Acrobat Reader (Svenska) | CVE-2014-0566 | 10
Adobe Acrobat Reader MUI | CVE-2018-4872 | 10
Adobe Acrobat XI Pro (Update only) | CVE-2020-3742 | 10
Adobe Flash Player ActiveX | CVE-2019-8069 | 10
Adobe Flash Player NPAPI | CVE-2019-8069 | 10
Adobe Flash Player PPAPI | CVE-2020-9633 | 10
Adobe Reader | CVE-2016-1038 | 10
Adobe Reader XI MUI | CVE-2016-1038 | 10
Firefox | CVE-2021-38503 | 10
Firefox DA x64 | CVE-2021-38503 | 10
Firefox x64 | CVE-2021-38503 | 10
Mozilla Firefox DA x64 | CVE-2021-38503 | 10
Mozilla Firefox DA x86 | CVE-2018-18505 | 10
Mozilla Firefox DE x86 | CVE-2021-38503 | 10
Mozilla Firefox EN x86 | CVE-2018-18505 | 10
Mozilla Firefox ES x64 | CVE-2020-12395 | 10
Mozilla Firefox ES x86 | CVE-2021-38503 | 10
Mozilla Firefox ESR x64 | CVE-2021-38503 | 10
Mozilla Firefox ESR x86 | CVE-2018-18505 | 10
Mozilla Firefox x64 | CVE-2021-38503 | 10
Mozilla Firefox x86 | CVE-2021-38503 | 10
Mozilla Thunderbird x86 | CVE-2018-18505 | 10
Thunderbird | CVE-2021-38503 | 10

CVE-2014-0566 – Adobe Acrobat Reader (French, Norsk, and Svenska)

Classified as a denial-of-service, remote code execution (RCE), overflow and memory corruption vulnerability, CVE-2014-0566 would allow attackers to cause a denial of service (memory corruption) or execute arbitrary code on the victim’s machine via unspecified vectors. It affects Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2018-4872 – Adobe Acrobat Reader MUI

Classified as a security bypass vulnerability, CVE-2018-4872 could allow an attacker to bypass safeguards (e.g. the sandbox) through a defect in a cross-call process. It affects Adobe Acrobat Reader 2018.009.20050 and earlier, 2017.011.30070 and earlier, and 2015.006.30394 and earlier.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2020-3742 – Adobe Acrobat XI Pro (Update only)

Classified as a code execution vulnerability, CVE-2020-3742 allows an attacker to execute arbitrary code on the victim’s machine by exploiting a heap overflow. It affects Adobe Acrobat and Reader 2019.021.20061 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2019-8069 – Adobe Flash Player ActiveX & Adobe Flash Player NPAPI

Classified as a code execution vulnerability, CVE-2019-8069 is a same-origin method execution flaw that a threat actor can use to run arbitrary code in the context of the current user. It affects Adobe Flash Player 32.0.0.238 and earlier and 32.0.0.207 and earlier.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2020-9633 – Adobe Flash Player PPAPI

A use-after-free vulnerability that allows an attacker to run arbitrary code on the victim’s machine. CVE-2020-9633 affects clients running Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required

CVE-2016-1038 – Adobe Reader & Adobe Reader XI MUI

Classified as a restriction bypass vulnerability, CVE-2016-1038 allows a threat actor to circumvent JavaScript API execution restrictions. It affects Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2021-38503 – Mozilla Firefox DE x86, Mozilla Firefox ES x86, Mozilla Firefox ESR x64, Mozilla Firefox x64, Mozilla Firefox x86, Thunderbird

Catalogued as a restriction bypass vulnerability, CVE-2021-38503 stems from iframe sandbox rules not being applied correctly to XSLT stylesheets, allowing a sandboxed iframe to bypass restrictions such as executing scripts or navigating the top-level frame.

Additional Information (via CVE Details)

  • Confidentiality Impact: Partial
  • Availability Impact: Partial
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

Prevalent vulnerabilities with a CVSS between 9.6 and 9.8

Application Name | CVE | CVSS
Google Chrome x64 | CVE-2022-3890 | 9.6
Google Chrome x86 | CVE-2022-3890 | 9.6
Adobe Shockwave | CVE-2019-7104 | 9.8
Chrome x64 | CVE-2022-2587 | 9.8
Everything x64 | CVE-2016-10917 | 9.8
Everything x86 | CVE-2016-10917 | 9.8
Foxit PDF Reader | CVE-2020-26534 | 9.8
Mozilla Thunderbird x64 | CVE-2022-46882 | 9.8
Paint.Net x64 | CVE-2018-18446 | 9.8
Paint.Net x86 | CVE-2018-18446 | 9.8
Pidgin | CVE-2017-2640 | 9.8
TeamViewer 10 | CVE-2018-16550 | 9.8
TeamViewer 10 Host | CVE-2018-16550 | 9.8
TeamViewer 11 | CVE-2018-16550 | 9.8
TeamViewer 11 Host | CVE-2018-16550 | 9.8
TeamViewer 12 | CVE-2018-16550 | 9.8
TeamViewer 12 Host | CVE-2018-16550 | 9.8
TeamViewer 13 | CVE-2018-16550 | 9.8
VLC x64 | CVE-2019-12874 | 9.8
VLC x86 | CVE-2019-12874 | 9.8
WinSCP | CVE-2020-28864 | 9.8

CVE-2016-10917 – Everything x86 & Everything x64

Classified as an SQL injection vulnerability, CVE-2016-10917 affects the Everything WordPress plugin and could allow a threat actor to read or modify the contents of the SQL database. Note that the CVE record describes a WordPress plugin, whereas the “Everything x64/x86” units inventoried above appear to be a desktop application; this entry is likely a name-based match and should be verified against the installed product before remediation effort is assigned.

Additional information (via Mitre)

  • Confidentiality: Read Application Data
  • Access Control: Bypass Protection Mechanism
  • Integrity: Modify Application Data

CVE-2017-2640 – Pidgin

Classified as a code execution vulnerability, CVE-2017-2640 could allow a threat actor to execute arbitrary code in Pidgin or cause a denial of service by exploiting an out-of-bounds write in the handling of XML content.

CVE-2018-16550 – TeamViewer 10, TeamViewer 10 Host, TeamViewer 11, TeamViewer 11 Host, TeamViewer 12, TeamViewer 12 Host, TeamViewer 13

A flaw in TeamViewer allows a remote attacker to circumvent the application’s brute-force authentication protection: by cancelling the final authentication step, the attacker can keep guessing and ultimately recover the user’s 4-digit PIN.

Additional information (via Mitre)

Integrity & Availability: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands

CVE-2018-18446 – Paint.Net x64 & Paint.Net x86

Catalogued as a deserialization vulnerability, CVE-2018-18446 arises because Paint.NET deserializes untrusted data; a crafted input can drive the application into an unexpected state or exhaust CPU.

Additional Information (via Mitre)

  • Integrity: Modify Application Data; Unexpected State
  • Availability DoS: Resource Consumption (CPU)

CVE-2019-12874 – VLC x86 & VLC x64

An exploitable flaw in zlib_decompress_extra (modules/demux/mkv/util.cpp) in VLC media player 3.x through 3.0.7 leads to a double free.

Additional information (via MITRE)

Integrity & Confidentiality & Availability: Modify Memory; Execute Unauthorized Code or Commands

Prevalent Vulnerabilities with a CVSS between 7.1 and 8.8

Application Name | CVE | CVSS
Zoom Outlook Plugin | CVE-2022-36928 | 7.1
Adobe Acrobat Reader 2020 MUI | CVE-2020-9723 | 7.5
Calibre x64 | CVE-2021-44686 | 7.5
Calibre x86 | CVE-2021-44686 | 7.5
TortoiseSVN x64 | CVE-2021-21698 | 7.5
TortoiseSVN x86 | CVE-2021-21698 | 7.5
Wireshark x32 | CVE-2022-3725 | 7.5
Wireshark x64 | CVE-2022-3725 | 7.5
7-zip x64 | CVE-2022-29072 | 7.8
7-zip x86 | CVE-2022-29072 | 7.8
Adobe Acrobat PRO 2017 | CVE-2020-24429 | 7.8
Adobe Acrobat Reader | CVE-2022-38450 | 7.8
Adobe Acrobat Reader - Dansk | CVE-2022-35665 | 7.8
Adobe Acrobat Reader 2017 | CVE-2020-24429 | 7.8
Adobe Acrobat Reader DC | CVE-2022-38450 | 7.8
Adobe Acrobat Reader DC DA | CVE-2022-38450 | 7.8
Adobe Acrobat Reader DC MUI | CVE-2022-38450 | 7.8
Adobe Acrobat Reader DC SE | CVE-2022-35665 | 7.8
Audacity | CVE-2017-1000010 | 7.8
Gimp | CVE-2021-45463 | 7.8
IrfanView x64 | CVE-2019-16887 | 7.8
IrfanView x86 | CVE-2019-13242 | 7.8
Lenovo System Update | CVE-2019-6175 | 7.8
Mozilla Firefox SE x64 | CVE-2022-45415 | 7.8
TeamViewer 15 | CVE-2021-34858 | 7.8
TeamViewer 15 Host | CVE-2021-34858 | 7.8
VNC Server | CVE-2022-41975 | 7.8
WinRar x64 | CVE-2018-20250 | 7.8
WinRar x86 | CVE-2018-20250 | 7.8
PuTTY x64 | CVE-2021-36367 | 8.1
PuTTY x86 | CVE-2021-36367 | 8.1
Docker Desktop | CVE-2019-5736 | 8.6
Git x64 | CVE-2022-36882 | 8.8
Git x86 | CVE-2022-36882 | 8.8
iTunes x64 | CVE-2020-9947 | 8.8
iTunes x86 | CVE-2020-9947 | 8.8
Libre Office | CVE-2021-25631 | 8.8
Mozilla Firefox DE x64 | CVE-2021-43537 | 8.8
Mozilla Firefox EN x64 | CVE-2021-30547 | 8.8
Oracle VM VirtualBox | CVE-2022-39427 | 8.8
TeamViewer 13 Host | CVE-2020-13699 | 8.8
TeamViewer 14 | CVE-2020-13699 | 8.8
TeamViewer 14 Host | CVE-2020-13699 | 8.8
TeamViewer 15 x86 | CVE-2020-13699 | 8.8

CVE-2022-29072 – 7-zip x64 & 7-zip x86

A DLL misconfiguration in 7-Zip can potentially be leveraged by a threat actor to escalate privileges and/or execute arbitrary code on the victim’s machine. The issue is triggered when a file with the .7z extension is dragged to the Help > Contents area of the application. Note that the 7-Zip developer has disputed this report and the CVE record is flagged as disputed, so confirm the finding in your own environment before prioritizing it.

Additional information (via MITRE)

Integrity & Availability: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands.

CVE-2021-44686 – Calibre x64 & Calibre x86

A faulty regular expression in Calibre allows an attacker to trigger a regular expression denial of service (ReDoS) with crafted input.

Additional information (via MITRE)

  • Availability: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
  • Access Control: Protection Mechanism; Other
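ReDoS is worth seeing in miniature, because the fix is rarely "patch the library" alone: the same expression shape recurs in in-house code. The script below is an added example and is not Calibre's code or the expression behind CVE-2021-44686; both patterns and the inputs are constructed to show the bug class. VULNERABLE nests a repeated group inside a repetition, so on a near-miss input the backtracking engine tries roughly 2^n ways of splitting the run of "a"s before failing; HARDENED accepts exactly the same strings in linear time, and an assumed length cap (MAX_INPUT) is applied before any pattern runs.

```python
"""Regular-expression denial of service (ReDoS) in miniature.

Added example, not Calibre's code: the patterns and inputs are constructed to
show the class of bug behind CVE-2021-44686, not the actual expression that
was affected.
"""
import re
import time

VULNERABLE = re.compile(r"^(a+)+$")   # nested quantifier: catastrophic backtracking
HARDENED = re.compile(r"^a+$")        # same language, no nested quantifier

MAX_INPUT = 1000  # assumed length cap, enforced before any regex runs


def matches(pattern, text: str) -> bool:
    """Apply the input-length guard first, then the pattern.

    Even a linear-time pattern benefits from the cap: it bounds work per
    request regardless of which expression ends up in the code path.
    """
    if len(text) > MAX_INPUT:
        raise ValueError("input too long for regex matching")
    return pattern.fullmatch(text) is not None


def timed(pattern, text: str):
    """Return (match_result, seconds) for one match attempt."""
    t0 = time.perf_counter()
    result = matches(pattern, text)
    return result, time.perf_counter() - t0


def same_language(texts) -> bool:
    """True if both patterns agree on every input, i.e. HARDENED is a drop-in fix."""
    return all(matches(VULNERABLE, t) == matches(HARDENED, t) for t in texts)


if __name__ == "__main__":
    # A trailing "!" makes the input almost match, which forces the vulnerable
    # pattern to explore every split of the "a" run before giving up.
    for n in (10, 14, 18, 20):
        evil = "a" * n + "!"
        _, slow = timed(VULNERABLE, evil)
        _, fast = timed(HARDENED, evil)
        print(f"n={n:2d}  vulnerable={slow:.4f}s  hardened={fast:.6f}s")
```

Running the block shows the vulnerable timing roughly doubling with each extra character while the hardened one stays flat; when auditing a codebase, the search target is any quantified group that itself contains a quantifier applied to overlapping input (`(a+)+`, `(a|aa)+`, `(\s*\w+)*`).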

CVE-2019-6175 – Lenovo System Update

A denial-of-service (DoS) vulnerability that allows configuration files to be written to non-standard locations.

CVE-2021-25631 – Libre Office

Classified as an “incomplete list of disallowed inputs” vulnerability, CVE-2021-25631 could allow a threat actor to bypass LibreOffice’s denylist through link manipulation.

Additional information (via MITRE)

Access Control: Bypass Protection Mechanism

CVE-2022-3725 – Wireshark x32 & Wireshark x64

A defect in Wireshark’s OPUS protocol dissector allows an attacker to crash the application (denial of service) via a crafted capture file or packet injection.

Additional information (via MITRE)

Integrity & Availability: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands


OS Vulnerabilities

Our methodology involves extracting and analyzing data on vulnerabilities with a CVSS score higher than 7.

Vulnerabilities with a CVSS of 10

CVE-2013-1330 – “MAC Disabled” vulnerability in Microsoft SharePoint Server and Microsoft Exchange Server. A threat actor can potentially leverage the disabled message authentication code (MAC) check to execute arbitrary code on the affected server.

Prevalent vulnerabilities with a CVSS between 9 and 9.9

CVE | CVSS
CVE-2008-5416 | 9
CVE-2014-0251 | 9
CVE-2022-38045 | 9.1
CVE-2006-1311 | 9.3
CVE-2007-0099 | 9.3
CVE-2007-0216 | 9.3
CVE-2007-0940 | 9.3
CVE-2007-1747 | 9.3
CVE-2007-1756 | 9.3
CVE-2007-2223 | 9.3
CVE-2008-0120 | 9.3
CVE-2008-1091 | 9.3
CVE-2008-3704 | 9.3
CVE-2009-0102 | 9.3
CVE-2009-0220 | 9.3
CVE-2009-0562 | 9.3
CVE-2009-0901 | 9.3
CVE-2009-2500 | 9.3
CVE-2009-2506 | 9.3
CVE-2009-3127 | 9.3
CVE-2010-0266 | 9.3
CVE-2010-0814 | 9.3
CVE-2010-0815 | 9.3
CVE-2010-2569 | 9.3
CVE-2010-2738 | 9.3
CVE-2010-2747 | 9.3
CVE-2010-3190 | 9.3
CVE-2011-0655 | 9.3
CVE-2011-1269 | 9.3
CVE-2011-1980 | 9.3
CVE-2011-1986 | 9.3
CVE-2011-3402 | 9.3
CVE-2011-3417 | 9.3
CVE-2012-0002 | 9.3
CVE-2012-0177 | 9.3
CVE-2012-2550 | 9.3
CVE-2013-0006 | 9.3
CVE-2013-1302 | 9.3
CVE-2013-1315 | 9.3
CVE-2013-3155 | 9.3
CVE-2014-0325 | 9.3
CVE-2014-1757 | 9.3
CVE-2014-1759 | 9.3
CVE-2014-6364 | 9.3
CVE-2015-0085 | 9.3
CVE-2015-1671 | 9.3
CVE-2015-2503 | 9.3
CVE-2020-1208 | 9.3
CVE-2020-1449 | 9.3
CVE-2022-22012 | (score not listed)
CVE-2022-41080 | 9.8
CVE-2023-21689 | 9.8
CVE-2023-21708 | 9.8
CVE-2023-21803 | 9.8
CVE-2023-23397 | 9.8
CVE-2021-28476 | 9.9

Prevalent vulnerabilities with a CVSS between 8 and 8.8

CVE | CVSS
CVE-2022-21980 | 8
CVE-2015-1763 | 8.5
CVE-2016-7249 | 8.8
CVE-2017-0283 | 8.8
CVE-2018-0804 | 8.8
CVE-2018-0852 | 8.8
CVE-2018-8311 | 8.8
CVE-2018-8501 | 8.8
CVE-2019-0585 | 8.8
CVE-2019-0888 | 8.8
CVE-2019-1068 | 8.8
CVE-2020-0760 | 8.8
CVE-2021-1636 | 8.8
CVE-2021-1707 | 8.8
CVE-2021-28455 | 8.8
CVE-2022-35777 | 8.8
CVE-2022-41036 | 8.8
CVE-2022-41062 | 8.8
CVE-2022-41089 | 8.8
CVE-2022-41128 | 8.8
CVE-2023-21705 | 8.8

Prevalent Vulnerabilities with a CVSS between 7 and 7.8

CVE | CVSS
CVE-2012-0178 | 7.2
CVE-2022-33631 | 7.3
CVE-2016-3378 | 7.4
CVE-2017-8516 | 7.5
CVE-2022-23267 | 7.5
CVE-2022-29143 | 7.5
CVE-2022-38013 | 7.5
CVE-2023-21538 | 7.5
CVE-2006-6133 | 7.6
CVE-2013-0005 | 7.8
CVE-2016-0021 | 7.8
CVE-2016-3235 | 7.8
CVE-2016-3313 | 7.8
CVE-2017-8725 | 7.8
CVE-2017-8742 | 7.8
CVE-2018-0748 | 7.8
CVE-2018-1027 | 7.8
CVE-2018-1029 | 7.8
CVE-2018-8172 | 7.8
CVE-2020-1582 | 7.8
CVE-2020-16856 | 7.8
CVE-2020-17019 | 7.8
CVE-2021-26857 | 7.8
CVE-2021-27056 | 7.8
CVE-2021-28449 | 7.8
CVE-2021-28452 | 7.8
CVE-2021-28453 | 7.8
CVE-2021-31941 | 7.8
CVE-2021-31949 | 7.8
CVE-2021-40486 | 7.8
CVE-2022-26929 | 7.8
CVE-2022-35820 | 7.8
CVE-2022-38010 | 7.8
CVE-2022-38048 | 7.8
CVE-2022-41032 | 7.8
CVE-2022-41061 | 7.8
CVE-2023-21808 | 7.8

Results

  • 4% of OS vulnerabilities had a CVSS of 10.
  • 26% of OS vulnerabilities had a CVSS between 9 and 9.9.
  • 32% of OS vulnerabilities had a CVSS rating between 7.2 and 8.8.

How can Heimdal® Help?

Organizations tend to rely on manual patching to deploy all relevant improvement-carrying packages. Things change, however, once you are an IT admin catering to hundreds of users. The way around this is, of course, automated patching.

If configured correctly, an automated patching solution ensures timely (and correct) deployment with a low risk of incompatibility. Heimdal®’s Patch & Asset Management can help you distribute patches quickly, whether they are OS-specific, third-party, proprietary, or UX/UI-oriented.

Conclusion

To summarize, Heimdal®’s investigation into patching workflows, behaviors, and distribution has established the following:

  • 5% of vulnerable 3rd party apps carried a CVSS score of 8.1 – 8.8 (High)
  • 17% of vulnerable 3rd party apps carried a CVSS score of 7.1 – 7.8 (High)
  • 50% of all detected third-party vulnerabilities were Critical (CVSS between 9.1 and 10).
  • 4% of OS vulnerabilities had a CVSS of 10.
  • 26% of OS vulnerabilities had a CVSS between 9 and 9.9.
  • 32% of OS vulnerabilities had a CVSS rating between 7.2 and 8.8.

Author Profile

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.
