The Latest Watering-Hole Attack Sample Still Exploits the Flash Vulnerability Used by North Korean Hackers
Morphisec warned that an attack delivered through the website of a Hong Kong telecommunications company is using the latest Flash vulnerability, which North Korean hackers have been exploiting since mid-November 2017.
The Korea Internet & Security Agency (KISA) issued a warning about the vulnerability, CVE-2018-4878, stating that it was being exploited by hackers; Adobe patched it within a week.
Morphisec pointed out that the recently observed incident is a textbook watering-hole attack: the attackers plant malicious code on a website that the intended victims are likely to visit.
Because the new attack does not write files or leave traces on disk, it is harder to detect. In addition, it uses a custom protocol over a port that is not filtered.
The security researchers pointed out: "In general, this advanced watering-hole attack is highly targeted in nature and should be supported by a very advanced organization."
Enhanced Concealment
The Flash exploit used in this attack is very similar to the one described in the earlier CVE-2018-4878 analysis, although the two use different shellcode.
In this attack, the shellcode launches rundll32.exe and overwrites the process's memory with malicious code. The purpose of that code is to download further code directly into the memory of the rundll32 process, so nothing is written to disk.
The security researchers also found that the command-and-control (C&C) server communicates with the victim over port 443 using a custom protocol rather than the HTTPS traffic normally seen on that port.
The additional code downloaded into rundll32 memory includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15, and the attack began less than a week later.
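As an added example that is not part of the original article or of Morphisec's report, the following Python hunting rule looks for the pattern described above: a rundll32.exe started with no DLL argument (the bare process that shellcode spawns as a host for injected code), launched from a browser or plugin host, that then makes an outbound connection on port 443. The event layout, field names, browser list and sample events are all constructed for this example and only loosely follow Sysmon's process-creation (ID 1) and network-connection (ID 3) events; real telemetry would need to be mapped onto them.

```python
"""Hunting rule for the rundll32.exe in-memory injection pattern described above.

The events below are constructed for this example and loosely follow Sysmon's
process-creation (ID 1) and network-connection (ID 3) events; the exact field
names are an assumption of this example, not a real log format.
"""
from collections import defaultdict

# Constructed sample telemetry (not taken from the Morphisec report).
SAMPLE_EVENTS = [
    # Flash shellcode inside the browser spawns a bare rundll32.exe ...
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    # ... whose overwritten memory then talks to the C&C server on 443.
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    # Legitimate use: a DLL and an export are named on the command line.
    {"id": 1, "pid": 5004, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Bare rundll32.exe from explorer with no network activity: noisy on its own, not flagged.
    {"id": 1, "pid": 6100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Unrelated HTTPS traffic from the browser itself.
    {"id": 3, "pid": 3000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]

# Processes that host Flash content in a browser; an assumed list for this example.
BROWSER_HOSTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "plugin-container.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_dll_argument(cmdline):
    """rundll32 normally receives '<dll>,<entry>'. A bare invocation has no DLL
    to load, which is exactly what shellcode produces when it wants an empty,
    benign-looking host process to overwrite."""
    parts = cmdline.strip().split(None, 1)
    return len(parts) == 2 and parts[1].strip() != ""


def hunt_rundll32(events):
    """Return one finding per rundll32.exe PID that was started without a DLL
    argument and that additionally came from a browser host or made an
    outbound connection. A single weak signal alone is not reported."""
    by_pid = defaultdict(lambda: {"create": None, "connections": []})
    for ev in events:
        if _basename(ev["image"]) != "rundll32.exe":
            continue
        if ev["id"] == 1:
            by_pid[ev["pid"]]["create"] = ev
        elif ev["id"] == 3:
            by_pid[ev["pid"]]["connections"].append(ev)

    findings = []
    for pid, info in sorted(by_pid.items()):
        create = info["create"]
        if create is None or has_dll_argument(create["cmdline"]):
            continue
        reasons = ["rundll32.exe launched without a DLL argument"]
        parent = _basename(create["parent_image"])
        if parent in BROWSER_HOSTS:
            reasons.append("parent is a browser/plugin host: %s" % parent)
        for conn in info["connections"]:
            reasons.append("outbound connection to %s:%d" % (conn["dst_ip"], conn["dst_port"]))
        if len(reasons) > 1:
            findings.append({"pid": pid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_rundll32(SAMPLE_EVENTS):
        print(finding["pid"], "; ".join(finding["reasons"]))
```

Run against the constructed events, only PID 4120 is reported, with all three reasons. The rule deliberately requires the bare command line plus at least one corroborating signal, because a bare rundll32.exe does appear in benign environments; the port-443 connection is what separates the custom C&C protocol from ordinary browser HTTPS, which is why the browser's own connection on 443 is ignored.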
Despite these advanced concealment features, the attack relies on basic Metasploit framework components that were compiled shortly before the attack and are not obfuscated, which makes the attack difficult to trace to a specific group.
Morphisec noted that the CVE-2018-4878 attacks it described a few weeks earlier came from a nation-state-backed group, and that the similarities give this attack a familiar feel.
* Reference: SecurityWeek
Permanent link to this article: https://www.bkjia.com/Linux/2018-03/151592.htm