We observed a large spike in the number of devices scanning the internet for port 7001/TCP since April 27, 2018. Our analysis found that it’s increased activity was caused by cybercriminals engaging in cryptomining via exploiting CVE-2017-10271. The flaw is a patched Oracle WebLogic WLS-WSAT vulnerability that can allow remote attackers to execute arbitrary code on unpatched servers. This marks the second time attackers abused CVE-2017-10271 for cryptomining purposes this year. In February, the vulnerability was exploited to deliver 64-bit and 32-bit variants of an XMRig Monero miner.Read More
Android’s regular security update for December 2017 included a fix for a serious vulnerability that could allow attackers to modify installed apps without affecting their signature. This would allow an attacker to gain access to the affected device (indirectly). First found by researchers in July, this vulnerability (designated as CVE-2017-13156, and also called the Janus vulnerability) affects versions of Android from 5.1.1 to 8.0; approximately 74% of all Android devices have these versions installed.Read More
The Linux vulnerability called Dirty COW (CVE-2016-5195) was first disclosed to the public in 2016. The vulnerability was discovered in upstream Linux platforms such as Redhat, and Android, which kernel is based on Linux. It is categorized as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.Read More
In July 2016, we worked with @kafeine of Proofpoint to help bring down the AdGholas malvertising campaign. This campaign started operating in 2015, which affected a million users per day during its peak before it was shut down earlier this year. It used the Angler and Neutrino exploit kits to attack victims. It also used steganography to hide malicious code within a picture.
In the process of working on this campaign, we found and analyzed an information disclosure vulnerability in both Internet Explorer and Microsoft Edge. We worked with Microsoft to address this flaw, named as CVE-2016-3351. Previously considered as a zero-day vulnerability, this issue was fixed in MS16-104 for Internet Explorer and MS16-105 for Edge, which was released though a patch earlier this week.Read More
Earlier this week, an independent researcher publicly disclosed a severe vulnerability in MySQL. This is a very popular open-source DBMS which is used by many organizations to manage their backend databases and websites. Proof of concept code was provided as part of the disclosure.
This particular vulnerability was designated as CVE-2016-6662, one of two serious flaws that the researcher found. This vulnerability allows an attacker to create the MySQL configuration file without having the privileges to do so, effectively taking over the server. The other assigned as CVE-2016-6663 has not yet been disclosed.Read More