A wise person once said that the only things in life that are certain are taxes and death. It seems that we can now add another to that short list and that is cybercrime. And like death and taxes, cybercrime is effective because other events bring it to fruition. In the world of cybercrime, one thing stands out as the true friend of the hacker, and that is vulnerability.
Now, vulnerability is a wide term that covers much in computing. You can have a vulnerability in the way you configure a server, perhaps a poorly implemented authentication policy, and so on. But in the context of this article, we will be talking specifically about the CVE or Common Vulnerabilities and Exposures that are found in software products and the protocols they depend upon.
The best way to describe a CVE is by example. Heartbleed was a vulnerability in OpenSSL, a protocol used across the Internet to protect data communications. The vulnerability allowed hackers to exploit system memory and steal encryption keys, allowing them to intercept communications.
A list of CVEs is maintained online by Mitre Corporation, which is a not-for-profit sponsored by the U.S. federal government. Another very useful vulnerability service is CVE Details, which hosts a list of any software package vulnerabilities that are found. If you check out CVE Details you can see the top 50 products showing vulnerabilities in 2017. Both Mitre and CVE Details score the vulnerability as well as describe its impact. Having an audit of software vulnerabilities allows the vendor to take action to close the gap, whilst educating IT professionals about the issue, so they can take action to mitigate the risk.
Ultimately, software vulnerabilities are crucial to the success of cybercrime. And even though we are becoming more aware because of services like CVE Details, those vulnerabilities keep coming back to bite us hard.
Below are listed the top 5 vulnerabilities of 2017 that gave the cybercriminal the edge.
Top 5 Vulnerabilities of 2017
#1 EternalBlue CVE [CVE-2017-0143]
EternalBlue is perhaps the most infamous of 2017 exploits. It was a Microsoft Windows OS vulnerability affecting the Windows Server Message Block (SMB) protocol. EternalBlue was originally used by the NSA as a hacking tool to gather intelligence. It was leaked out earlier in 2017 and ultimately ended up as the exploit behind the massive ransomware attacks of that year, WannaCry and Petya. Microsoft had actually patched the vulnerability before the attacks happened. However, as is the want of these things, many people had not applied the patch and many became victims of the ransomware attacks.
#2 CloudBleed [CVE-2014-0160]
Content delivery network provider CloudFlare had their own version of HeartBleed this year in the guise of ‘CloudBleed’. CloudFlare provides services to millions of websites, so a vulnerability in their services would have a major impact across the Internet. The problem stemmed from an issue with the CloudFlare HTML parser leaking memory, which could result in sensitive data also being leaked. The types of data that could be exposed included login credentials. Although CloudFlare service millions of websites, only 1 in every 3,300,000 HTTP requests were affected by the bug. However, this did include major sites used by millions of users, such as Uber.
#3 Microsoft Office Flaw [CVE-2017-11882]
A Microsoft oldie-but-goldie vulnerability reared its head this year. The flaw was based on a remote code execution vulnerability – that is, it allowed malicious code to be remotely executed, which then took over the machine to ‘carry out its will’. The flaw was a persistent one found in the Microsoft Office suite dating back 17 years. In 2017, it became the weapon of choice of the infamous Cobalt hacking group and was used as the basis for a campaign of spear phishing emails. Again, the issue was around handling of memory. In the phishing campaign, Cobalt placed malicious code in RTF documents to trigger the vulnerability, allowing the download of further malicious files to the user’s computer, which resulted in machine takeover. Windows updates on November 17th contained a patch for the vulnerability.
#4 Apache Struts [CVE-2017-9805]
Apache Struts is a well-used framework used for Java-based web applications. In 2017, there have been several documented cases of Apache Struts vulnerabilities, all involving either remote code execution or remote DoS. CVE-2017-9805 was the latest Struts vulnerability found, allowing the Struts REST plugin to be exploited and malicious code to be executed on the application server. Another Struts vulnerability, CVE-2017-5638, found earlier this year, was thought to be responsible for the major Equifax data breach. A statement by the ex CEO of Equifax Richard Smith pointed to this Struts vulnerability, stating that “[t]he company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information.”
#5 KRACK [various CVE #s, including CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088]
WPA2 is the security protocol used to secure Wi-fi connections. Like OpenSSL and HeartBleed before it, the protocol was found to have a vulnerability, which if exploited, could lead to sensitive data exposure as well as allowing injection of malicious code, including ransomware. KRACK stands for ‘Key Reinstallation Attacks,” and affects all devices using Wi-fi, as they all depend on the protocol. The attack is based on the 4-way key exchange handshake the protocol is built on; the attack works by reusing existing encryption keys. However, the attacker has to be in Wi-fi range of the device, and they need a specific Wi-fi card to manipulate the session, reusing the keys as a prop for hijacking. This allows the attacker to control the session, send false data, steal data, and potentially inject malicious code (the latter is more difficult). Since the exploit discovery, there has been a slew of fixes to KRACK for Android, Windows, and IOS.
Software, and the protocols used for communications are designed, architected, and developed by human beings (at least for the most part to date). The design and development of software and protocols focus on the core functionality and usability of the applications. As part of this, emphasis on secure architecture and coding techniques should be integral to that process. But sometimes, because of external forces, or lack of knowledge, these things can get lost in the rush to get a product out of the door.
Because of human fallibility, the cyber criminals will always have opportunities to take advantage of the vulnerabilities we accidentally add to our IT systems. Vigilance can help both those of us who create software and those of us who use it, to fend off the cyber attacks that we should expect to see in 2018.