Morphisec Cyber Security Blog

Over the past year, Morphisec and several other endpoint protection companies have been tracking a resurgence in activity from the Cobalt Group. Cobalt, also known as Carbanak and Anunak, is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. The most recent attacks can be grouped

So far, 2018 has turned out to be anything but business as usual, at least on the cybersecurity front. The revelation about CPU vulnerabilities Meltdown and Spectre (and all the offshoots); the explosion in cryptojacking – which is likely even more widespread than current estimates; the lightning speed at which the newest sophisticated attack technology is adopted by mass market criminals.

After more than four years with no weaponized exploits for Adobe Acrobat Reader, researchers at ESET identified a weaponized PDF that allows attackers to execute arbitrary code on the targeted machine and eventually assume full system control. The PDF exploits two previously unknown vulnerabilities, Acrobat Reader vulnerability CVE-2018-4990 and a privilege escalation vulnerability in Microsoft Windows, CVE-2018-8120.

Adobe Reader has a built-in sandbox feature that usually makes exploitation difficult. By combining vulnerabilities, this attack achieves code execution and then bypasses the sandbox protection to fully compromise the targeted system.

In April, researchers at Qihoo 360 Core Security Division discovered a VBScript vulnerability actively exploited in targeted attacks. Since then, it has appeared in additional attack campaigns. The vulnerability, CVE-2018-8174, dubbed "Double Kill",  is significant on several counts.

On March 21,2018, Morphisec Labs began investigating the compromised website of a leading Hong Kong Telecommunications company after being alerted to it by malware hunter @PhysicalDrive0. The investigation, conducted by Morphisec researchers Michael Gorelik and Assaf Kachlon, determined that the Telecom group's corporate site had indeed been hacked. Attackers added an embedded Adobe Flash file that exploits the Flash vulnerability CVE-2018-4878 on the main home.php page.

Morphisec researchers Michael Gorelik and Andrey Diment have discovered CIGslip, a new method which can be exploited by attackers to bypass Microsoft’s Code Integrity Guard (CIG) and load malicious libraries into protected processes such as Microsoft Edge.

The Lazarus Group, also known as Hidden Cobra, may be in play again. The notorious cybercrime group is allegedly responsible for some of the most devastating attacks over the past few years, including the SWIFT network hack that stole $81 million Central Bank of Bangladesh issued and the 2014 destructive wiper attack against Sony Pictures. Some also link the WannaCry ransomware breakout to the same group.

Many of the existing reports covering the Lazarus attacks suggest links to North Korea. In fact, Hidden Cobra is the U.S. Government’s designation for malicious cyber activity conducted by the North Korean government.

On February 28, 2018, Morphisec Labs identified and prevented a suspicious document uploaded to VirusTotal that exploits the latest Flash vulnerability CVE-2018-4878. While analyzing the exploit and the downloaded payload, we immediately identified a near-perfect match to many of the techniques used during various attacks that are attributed to the Lazarus Group.

On February 22, 2018, Morphisec Labs spotted several malicious word documents exploiting the latest Flash vulnerability CVE-2018-4878 in the wild in a massive malspam campaign. Adobe released a patch early February, but it will take some companies weeks, months or even years to rollout the patch and cyber criminals keep developing new ways to exploit the vulnerability in this window. 

Before diving into the analysis of CVE-2018-4878, a quick reminder that this is the continuation of our previous post, which provided background on CVE-2018-4878, including a  video of how Morphisec prevents any attacks leveraging this Flash vulnerability. Morphisec prevents the attack at all phases and components in the attack chain – during the exploit, the shellcode, as well as the malware which is executed using wbscript.exe with additional in-memory command control code.

At the time of the previous post, the vulnerability was still a zero-day. Adobe released a new version that fixed the flaw yesterday. With that fix available, Morphisec is now free to release technical details of the attack.

How an organization handles the time between the unleashing of a zero-day and the availability of a patch is telling. There are basically two kinds of companies – those that try to mitigate the risk as best they can while they wait for a patch and those that have a security tool able to prevent zero-days. The latest Flash-Player zero-day CVE-2018-4878 is yet another example.