Talos is disclosing a single NULL pointer dereference vulnerability in the tinysvcmdns library. Tinysvcmdns is a tiny MDNS responder implementation for publishing services. This is essentially a mini and embedded version of Avahi or Bonjour.
This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns:
- “Golden Time” campaign.
- “Evil New Year” campaign.
- “Are you Happy?” campaign.
- “FreeMilk” campaign.
- “North Korean Human Rights” campaign.
- “Evil New Year 2018” campaign.
On January 2nd of 2018, the “Evil New Year 2018” was started. This campaign copies the approach of the 2017 “Evil New Year” campaign.
The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.
Based on our analysis, the “Golden Time”, both “Evil New Year” and the “North Korean Human Rights” campaigns specifically targeted South Korean users. The attackers used spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite. Group 123 has been known to use exploits (such as CVE-2013-0808) or scripting languages harnessing OLE objects. The purpose of the malicious documents was to install and to execute ROKRAT, a remote administration tool (RAT). On occasion the attackers directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes: the document only contained a downloader designed to download ROKRAT from a compromised web server.
Additionally, the “FreeMilk” campaign targeted several non-Korean financial institutions. In this campaign, the attackers made use of a malicious Microsoft Office document, a deviation from their normal use of Hancom documents. This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki. PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.
Finally, we identified a 6th campaign that is also linked to Group 123. We named this 6th campaign “Are You Happy?”. In this campaign, the attackers deployed a disk wiper. The purpose of this attack was not only to gain access to the remote infected systems but to also wipe the first sectors of the device. We identified that the wiper is a ROKRAT module.
Technology has evolved in incredible ways that has helped people to create and visualize media like never before. Today, people can use tools such as Blender to visualize, model, and animate 3D content, especially since it’s free and open-source software. However, this also make it an attractive target for adversaries to audit and find vulnerabilities. Given the user base of Blender, exploiting these vulnerabilities to compromise a user could have a significant impact as attackers could use the foothold gained by attacking Blender to further compromise an organization’s network.
Today, Talos is disclosing multiple vulnerabilities that have been identified in Blender. These vulnerabilities could allow an attacker to execute arbitrary code on an affected host running Blender. A user who opens a specially crafted file in Blender that is designed to trigger one of these vulnerabilities could be exploited and compromised.
Talos has responsibly disclosed these vulnerabilities to Blender in an attempt to ensure they are addressed. However, Blender has declined to address them stating that “fixing these issues one by one is also a waste of time.” As a result, there currently is no software update that addresses these vulnerabilities. Additionally, Blender developers believe that “opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust] the source it is coming from.”
Talos has discovered two XSS vulnerabilities in Ruby Rails Gems. Rails is a Ruby framework designed to create web services or web pages. Ruby Gems is a package manager for distributing software packages as ‘gems’. The two XSS vulnerabilities were discovered in two different gem packages: delayed_job_web and rails_admin.
Ruby is widely used as a language for web development. Gem packages allow software engineers to reuse code across multiple development projects. As such, the discovery of a vulnerability in a gem may mean that many different systems are affected by that vulnerability.
Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.
TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.
TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.
Further on, TALOS-2017-0464 – TALOS-2017-0471 / CVE-2017-12112 – CVE-2017-12119 describe multiple Authorization Bypass Vulnerabilities which an attacker could misuse to access functionality reserved only for users with administrative privileges without any credentials.
Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerabilities in the CPP-Ethereum JSON-RPC implementation. A specially crafted json request can cause an unhandled exception resulting in a denial of service.
Cisco Talos is aware of three new vulnerabilities impacting Intel, AMD, Qualcomm and ARM processors used by almost all computers. We are investigating these issues and although we have not observed exploitation of these vulnerabilities in the wild, that does not mean that it has not occurred. We have observed publicly available proof of concept exploit code being developed to exploit these vulnerabilities.
These issues have been assigned the following CVE entries:
Meltdown: An attacker can access kernel memory from user space
- Rogue data cache load (CVE-2017-5754)
Spectre: An attacker can read memory contents from other users’ running programs