Detect Malware Associated with the Most Exploited CVEs - Intezer

    Talk to Sales

    Please leave your details and our representative would contact you immediately

    First Name

    Last Name

    Job Title

    Company

    Business email

    Country

    Phone (optional)

    We’re using (optional)

    Detect Malware Associated with the Most Exploited CVEs

    Written by Intezer - 25 June 2020

      Share article
      FacebookTwitterLinkedInRedditCopy Link

      Get Free Account

      Join Now

      Top Blogs

      Unpatched or undetected software vulnerabilities are a common method for malware delivery once exploited by attackers.

      Last month, the US-CERT urged IT security professionals to patch the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors from 2016 to 2019. The alert advised that a concerted effort among the public and private sectors to patch their systems and implement programs to keep system patching up to date could diminish some foreign cyber threats to U.S. interests.

      Below are some of the malware families commonly associated with these CVEs, delivered by attackers following a successful exploitation:

      CVE-2017-11882
      Loki, FormBook, Pony/FAREIT

      CVE-2017-0199
      LATENTBOT, Dridex

      CVE-2012-0158
      Dridex

      CVE-2018-4878
      DOGCALL aka RokRAT

      CVE-2017-8759
      FINSPY, FinFisher

      CVE-2015-1641
      Carbanak

      According to the IBM X-Force Threat Intelligence Index 2020, CVE-2017-11882, a vulnerability in Microsoft Office’s Microsoft Equation Editor, and CVE-2017-0199, a vulnerability in Microsoft Word, are the most common vulnerabilities leveraged by attackers.

      Top vulnerabilities leveraged in malspam

      They were used in nearly 90 percent of malspam messages despite being well-publicized and dated. These findings highlight how delays in patching allow cybercriminals to continue to use old vulnerabilities and still see some success in their attacks.”

      In addition to patching, we recommend security personnel use our Endpoint Analysis scanner to detect any post exploitation malware payloads on their machines.

      Here is an example of an endpoint infected with Loki malware:

      The endpoint scanner provides visibility over the code executing on your machine. This is applicable if you are using unpatched vulnerable software or would like to ensure your machine is clean from any payload delivered by a zero-day exploit. A zero-day is a vulnerability in a software which is unknown to the public and hasn’t been reported to the company responsible for providing a patch for this vulnerability.

      DarkHotel is an APT group known for delivering malware via zero-day exploits. In its latest attack documented by researchers at Qihoo 360, DarkHotel exploited a zero-day in Sangfor VPN which provides remote access to the network used by Chinese government agencies and their employees. The vulnerability, which was placed in the update mechanism, allowed the attackers to install a backdoor trojan onto the victims’ endpoints.

      Scanning the memory of your endpoints periodically will allow you to detect in-memory threats that have been executed due to a successful vulnerability exploitation.

      Intezer Analyze community users can scan one endpoint per day. Get the endpoint scanner

      Intezer

      Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work. Try it yourself for free: analyze.intezer.com

      Recommended Articles

      New: Connect Microsoft Defender with Intezer's Autonomous SOC solutionNew: Connect Microsoft Defender with Intezer's Autonomous SOC solution Learn more
      Generic filters
      Exact matches only
      Search in title
      Search in content
      Search in excerpt