
Posted by harmelink at 2020-03-07

Annual inventory of Windows vulnerabilities in 2018: old vulnerabilities endure while new 0days emerge endlessly

1. Foreword

Vulnerabilities are a major factor affecting network security. As the most common means of malicious attack, vulnerability exploitation shows a trend toward industrialized targeting and diversified methods, and both individuals and enterprises face a serious threat from vulnerabilities.

2018 kicked off with the blockbuster "Spectre" and "Meltdown" CPU vulnerabilities. Security events such as the "ZHENWANG 3 vulnerability exploitation mining" and the "412 mount storm" show that exploit attacks are no longer the "exclusive" province of APT organizations, and that vulnerability exploitation is developing toward a "low cost" trend.

In the past year, high-risk vulnerabilities in Windows, Office, IE, Flash and other products were exposed frequently, and in-the-wild exploits appeared in an endless stream, posing a severe threat to the network security of individuals and enterprises. This report focuses on analyzing the vulnerability attack situation of the Windows platform in 2018 and gives reasonable vulnerability protection suggestions for individuals and enterprises.

2. Vulnerability inventory of the Windows platform in 2018

2018 was a very challenging year for the security industry. According to vulnerability submission statistics from cvedetails.com, the number of vulnerability submissions for the Windows operating system has grown year by year since 1999 and has reached an outbreak period in recent years. The number of security vulnerability submissions this year is the highest of the last three years, up more than 40%, and the number and severity of security vulnerabilities reached a record high.

2.1 Windows security bulletins in 2018

2018 was full of software and hardware vulnerabilities. As the most basic part of network security, patch management is particularly important. When enterprises choose products, they also need to pay attention to the vendor's investment in product security; only when software and platform developers invest heavily in product security can the security of their products be guaranteed.

As a world-renowned software developer, Microsoft's security investment in its products is substantial: every month it carries out maintenance and releases patches to fix security vulnerabilities. In 2018, Microsoft released 874 patches for its products (Windows, IE/Edge, Office, etc.) and fixed 728 vulnerabilities, an average of about 60 vulnerabilities per month.

2.2 Products and system versions affected by Windows vulnerabilities

Among all the Windows products affected by vulnerabilities in 2018, Windows system component vulnerabilities account for 35%, browser vulnerabilities for 25%, and Office vulnerabilities for 17%.

According to monitoring data from Tencent's Yujian Threat Intelligence Center, although Office and Adobe products (mainly Flash) have relatively few exposed vulnerabilities, their share of exploits is the highest. This shows that when hackers select vulnerabilities, they prioritize the cost of exploitation and the overlap between the target population and the product's users; there is no positive correlation with the number of vulnerabilities in the product itself.

Compared with 2017, the vulnerability exposure of Office and .NET increased significantly in 2018. Compared with Windows system component vulnerabilities, Office vulnerabilities are often overlooked by users but are favored by hackers, and many professional hacker organizations choose high-risk Office vulnerabilities for attacks on important targets. Tencent Yujian Threat Intelligence Center once again reminds users to install Office vulnerability patches in time, so that accidentally opening a document does not result in a backdoor being implanted.

Among all versions of Windows, the most vulnerabilities were found in Windows 10, which shows that Windows 10 is now the mainstream version of the operating system and that its vulnerability exposure is increasing. It also reminds users that even on the latest version of the operating system, vulnerability risk should not be ignored: installing security updates in time every month is a necessary step to prevent hacker intrusion.

The year-on-year data against 2017 also shows that the number of vulnerabilities reported for Windows Server 2016 increased by nearly 7%, and it can be predicted that more and more vulnerabilities will be found against the new server operating system.

2.3 Regional and industry distribution of vulnerability attacks in 2018

The regional distribution of vulnerability attacks in 2018 is related to the local economic level and the popularization of information technology. In 2018, vulnerability attacks were concentrated in Beijing, Shanghai, Guangzhou and other places, with Beijing, the capital city where national government agencies, high-tech talent and wealthy people are concentrated, taking the lead. Beijing, Shanghai and Guangzhou ("Beishangguang") are the national economic, political, scientific and technological centers and stand at the forefront of China's internationalization; a large number of visible interests are gathered there, which makes them the preferred targets of illegal hackers.

According to monitoring data from Tencent Yujian Threat Intelligence Center, the education, government, and health and medical industries have the highest proportion of high-risk Windows operating system vulnerabilities.

Comparative data on the number of attacks shows that the government, education, and medical and health industries have a large number of high-risk vulnerabilities that have not been repaired in time, and their number of attacks is relatively high. Although the science and technology industry has relatively few vulnerabilities, it has the highest number of attacks. On the other hand, attackers who exploit vulnerabilities usually conduct targeted attacks, and the science and technology industry often becomes their preferred target.

2.4 Overall vulnerability repair and high-risk vulnerability repair by domestic users

In 2018, the overall repair rate of domestic users for Windows and .NET vulnerabilities reached more than 70%, followed by IE, Flash and Office vulnerabilities with repair rates hovering around 60%. The low overall repair rate reflects that the information security awareness of individual users in China still needs to improve, and that public awareness of the hazards of security vulnerabilities is not yet in place.

Among the four types of high-risk vulnerabilities (those exploited in the wild), the repair rate for high-risk Windows vulnerabilities reached 82%, followed by high-risk IE and .NET vulnerabilities at about 70%, while high-risk Flash and Office vulnerabilities reached only about 50%.

The low repair rate of high-risk Flash vulnerabilities is because much third-party software bundles its own Flash plug-in, while the Flash patch officially provided by Microsoft can update only a small part of them and cannot cover all the Flash plug-ins under third-party browser directories, so the Flash vulnerabilities on some users' computers are difficult to repair completely.

Office software itself gives relatively weak prompts for updates. Without a strong reminder from third-party security software, few users take the initiative to install patches that fix Office security vulnerabilities. On the other hand, there are a large number of pirated Office users in China, and these pirated images are often modified by their makers, so patches are difficult to install normally. For important government agencies, enterprises and institutions, and scientific research institutions, the authenticity of the software system is of great significance in reducing the risk of hacker intrusion.

2.5 Type and severity distribution of Windows vulnerabilities

Among the Windows platform vulnerabilities exposed in 2018, remote code execution vulnerabilities account for 42%, followed by information disclosure vulnerabilities and privilege elevation vulnerabilities at 20% each. Remote code execution vulnerabilities are popular with hackers because of their concealment and flexibility; the two IE "double kill" 0day vulnerabilities exposed this year (CVE-2018-8174, CVE-2018-8373) are the best examples and were widely used in malicious attacks.

Among the Windows platform vulnerabilities exposed in 2018, the "Critical" level (the highest level of vulnerability damage) accounted for 23%, which remains a high proportion.

2.6 Distribution of Windows exploit viruses and of the vulnerabilities they exploit

Among the viruses that exploited vulnerabilities in 2018, non-PE (file format) viruses account for 66% of the total, while PE files account for 31%. Common non-PE exploit viruses include Office macro viruses and script viruses. Compared with PE, non-PE virus attacks are more flexible and harder for security software to detect.

Among the known exploits, MS04-028 is a buffer overflow vulnerability found in 2004 in the Windows GDI+ JPEG parsing component; it leads to a buffer overflow when processing JPEG files, allowing hackers to execute malicious code. MS04-028 is a relatively old vulnerability, from which we can see that mature, stable, and easily reusable exploits are more popular with hackers.

On the other hand, CVE-2017-8570 accounted for 8%, and a series of relatively new vulnerabilities began to take up a higher proportion. Exploitation of new vulnerabilities often catches victims by surprise because fixes were not installed in time.

2.7 High-risk vulnerability inventory of the Windows platform in 2018

January 2018

Two more high-risk vulnerabilities, CVE-2018-0798 and CVE-2018-0802, were exposed in the Microsoft Office Equation Editor. In CVE-2018-0798, when the Equation Editor parses the content of a matrix record (0x05), it does not perform any length check on the row and column members, which lets a hacker specify the length of the subsequent row and column data through carefully constructed content and thereby cause a stack overflow.

CVE-2018-0802 is similar in technical principle. Microsoft fixed these two vulnerabilities by releasing a patch that removes the Equation Editor on January 9.
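To make the defect described above concrete, here is an added example (not from the original report, and not the Equation Editor's actual MTEF format): a deliberately simplified matrix-record parser in Python in which the element count is derived from attacker-controlled row and column bytes. BUFFER_CAPACITY, build_matrix_record and parse_matrix_record are constructed names, and a fixed-length list stands in for the stack buffer. With check_bounds=False the parser trusts the counts, which is the shape of the bug; with check_bounds=True it rejects records whose element count exceeds the destination capacity, which is the check the page says was missing.

```python
# Capacity of the fixed-size destination buffer (constructed value; it stands
# in for the stack buffer the real parser copies matrix members into).
BUFFER_CAPACITY = 16

# Record tag the page attributes to matrix records.
MATRIX_RECORD_TAG = 0x05


def build_matrix_record(rows, cols, entries):
    """Constructed encoding: tag byte, row count, column count, then one byte
    per entry. It is a teaching stand-in, not the real Equation Editor format."""
    if len(entries) != rows * cols:
        raise ValueError("entry count must equal rows * cols")
    return bytes([MATRIX_RECORD_TAG, rows, cols]) + bytes(entries)


def parse_matrix_record(data, check_bounds=True):
    """Parse a simplified matrix record into (matrix, overflow).

    matrix   -- list of rows, each a list of entry values
    overflow -- entries that would have landed past the end of the
                fixed-size buffer (always empty when check_bounds is True)

    check_bounds=False reproduces the shape of the CVE-2018-0798 defect: the
    element count comes from attacker-controlled bytes in the record and is
    never compared with the destination capacity. check_bounds=True adds the
    missing validation and refuses oversized records up front.
    """
    if len(data) < 3 or data[0] != MATRIX_RECORD_TAG:
        raise ValueError("not a matrix record")
    rows, cols = data[1], data[2]
    count = rows * cols
    if check_bounds and count > BUFFER_CAPACITY:
        raise ValueError(
            f"matrix declares {count} members but the buffer holds {BUFFER_CAPACITY}")
    body = data[3:3 + count]
    if len(body) != count:
        raise ValueError("truncated record")

    # Model the stack buffer as a fixed-length list. Writes beyond its end are
    # collected in `overflow` so the out-of-bounds portion is visible instead
    # of silently corrupting whatever follows the buffer, as it would in C.
    buffer = [0] * BUFFER_CAPACITY
    overflow = []
    for index, value in enumerate(body):
        if index < BUFFER_CAPACITY:
            buffer[index] = value
        else:
            overflow.append(value)

    matrix = [list(body[r * cols:(r + 1) * cols]) for r in range(rows)]
    return matrix, overflow


if __name__ == "__main__":
    benign = build_matrix_record(2, 3, [1, 2, 3, 4, 5, 6])
    print(parse_matrix_record(benign))
    oversized = build_matrix_record(5, 5, list(range(25)))
    print("unchecked overflow:", parse_matrix_record(oversized, check_bounds=False)[1])
    try:
        parse_matrix_record(oversized)
    except ValueError as err:
        print("hardened parser rejected it:", err)
```

The point of the model is where the check sits: the hardened parser compares the declared element count with the capacity of the buffer it is about to fill before copying anything, which is the validation a length-prefixed binary format needs whenever the length field is under the file author's control.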

February 2018

A 0day vulnerability, CVE-2018-4878, was exposed in Adobe Flash. It affects Adobe Flash Player version 28.0.0.137 and below. By modifying the length of a ByteArray in a Flash script object to a special value, arbitrary address read and write can be achieved to exploit the vulnerability; the Flash Player content can then be embedded in Office documents, emails and other carriers that induce users to open them, spreading the exploit quickly. The vulnerability arises when parsing an ATF file, where an invalid pointer offset is used to access internal data structures. A successful attack may lead to the disclosure of sensitive information. The vulnerability was fixed on February 6.

March 2018

Ulf Frisk exposed a high-risk Windows kernel vulnerability, Total Meltdown (CVE-2018-1038). The vulnerability is a new problem introduced by the patch Microsoft had previously released to fix the "Meltdown" vulnerability: the patch mistakenly set the PML4 page table permission to user level, allowing any process to read and modify page table entries. The vulnerability affects only Windows 7 x64 and Windows Server 2008 R2 and was fixed on March 29.

April 2018

IE was exposed to a 0day vulnerability, "double kill" (CVE-2018-8174). Through a flaw in the VBScriptClass::Release function the vulnerability accesses memory that is no longer allocated and achieves arbitrary address read and write. It can be triggered by a carefully constructed web page or by embedding VBScript in an email or Office document, which makes it highly harmful; hence the name "double kill". It was used by an APT organization in attacks as soon as it was exposed. The vulnerability was fixed on May 8.

May 2018

Two bundled 0day vulnerabilities (CVE-2018-8120, CVE-2018-4990) affecting the Windows operating system and Adobe Acrobat/Reader were exposed by ESET, in a PDF sample built for attack testing that ESET captured in March.

CVE-2018-4990 is a heap out-of-bounds access / arbitrary address free vulnerability. The original sample precisely lays out memory with heap spraying, then frees two adjacent heap blocks of size 0xfff8. After the Windows heap allocator merges the blocks, the sample uses the merged block to rewrite an ArrayBuffer object's length to 0x66666666 and thereby achieve arbitrary address read and write.

CVE-2018-8120 arises because the kernel function SetImeInfoEx does not check the validity of the address pointed to by spklList, a pointer member of the target window station (tagWINDOWSTATION), but reads it directly. Both vulnerabilities were fixed in May.

June 2018

Windows 10 was exposed to a 0day vulnerability (CVE-2018-8414), a remote code execution vulnerability in the Windows Shell. Because the Windows Shell may not validate a file path correctly in some cases, a carefully constructed malicious script can trigger the vulnerability to achieve arbitrary read and write. The vulnerability only applies to the new Windows 10 file type ".SettingContent-ms", and it was not officially assigned a CVE number or fixed until August 14.

July 2018

Internet Explorer was exposed to the "double kill" generation II 0day vulnerability (CVE-2018-8242). It appeared because the April patch for "double kill" generation I (CVE-2018-8174) did not completely fix the vulnerability, leaving similar problems in the VBScript engine. The vulnerability was found and submitted by the 360Vulcan team and fixed on July 10.

August 2018

(1) A PoC was published for a memory corruption vulnerability in Exchange Server (CVE-2018-8302). An attacker can use a phishing attack to trigger the vulnerability on an enterprise user's computer and then launch further attacks until taking over the Exchange server. During Exchange's voice mail receiving procedure, the voice mail conversion reads topnwords.data and deserializes it through .NET BinaryFormatter; the vulnerability lies in this deserialization process.

(2) Trend Micro exposed the "double kill" generation 3 0day vulnerability in Internet Explorer (CVE-2018-8373). Based on a principle similar to the earlier "double kill" vulnerabilities, it obtains arbitrary read through defects in vbscript.dll. Both cases were fixed on August 14.

September 2018

(1) Windows was exposed to a 0day vulnerability (CVE-2018-8440) in ALPC. Because the SchRpcSetSecurity function of the Advanced Local Procedure Call (ALPC) facility does not correctly check the user's permissions, the defect can be used to obtain local privilege elevation (LPE) and execute malicious code.

(2) A PoC was published for a remote code execution 0day vulnerability in the Microsoft Jet database engine (CVE-2018-8423), an out-of-bounds (OOB) write. Users can be induced to open a special file containing data stored in Jet database format; opening the Jet source through Object Linking and Embedding Database (OLEDB) triggers the vulnerability and launches the attack. The two cases were fixed on September 11 and October 9 respectively.

October 2018

(1) A PoC was disclosed for a high-risk RCE vulnerability in the Windows Shell reachable through Microsoft Edge (CVE-2018-8495). An attacker can construct a web page containing a special URI and induce users to open it in Microsoft Edge to run malicious code on the remote computer.

The vulnerability is due to the Windows Shell not filtering special URIs when it processes URIs, such as wshfile, the URI scheme through which Windows Script Host runs a script.

(2) Windows was exposed to a win32k privilege elevation 0day vulnerability (CVE-2018-8453). Its exploitation process is complex; in short, it exploits a UAF vulnerability in the win32kfull!xxxDestroyWindow function of the Win32k.sys component to obtain local privileges. Both cases were fixed on October 9.
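The Windows Shell problem in CVE-2018-8495 above is a missing filter on URI schemes. As an added example (not from the original report and not Microsoft's code), here is the defensive counterpart in Python: an allowlist check that an application can run before handing a link to any shell-open style API. ALLOWED_SCHEMES, classify_uri and audit_links are constructed names and the sample links are constructed; the wshfile scheme is the one the page names.

```python
from urllib.parse import urlsplit

# Schemes a document viewer or mail client legitimately needs to hand off.
# Constructed allowlist for this example; tune it to your own application.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# ASCII control characters, space and DEL. Some handlers strip these before
# dispatching, so the check strips them too; otherwise a link such as
# "\twshfile:..." could be judged "no scheme" here yet still reach the handler.
_CONTROL_AND_SPACE = "".join(chr(c) for c in range(0x21)) + "\x7f"


def classify_uri(uri):
    """Return ("allow", scheme) or ("block", reason) for a link that is about
    to be passed to the operating system's URI handler."""
    cleaned = uri.strip(_CONTROL_AND_SPACE)
    # urlsplit already lower-cases the scheme; lower() again is belt and braces.
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return ("block", "no scheme")
    if scheme not in ALLOWED_SCHEMES:
        return ("block", f"scheme {scheme!r} not in allowlist")
    return ("allow", scheme)


def audit_links(links):
    """Return the (link, reason) pairs that the allowlist would block."""
    blocked = []
    for link in links:
        verdict, detail = classify_uri(link)
        if verdict == "block":
            blocked.append((link, detail))
    return blocked


# Constructed sample links, as they might be extracted from a web page or an
# email body. The wshfile scheme is the one the page names as unfiltered.
SAMPLE_LINKS = [
    "https://example.com/report",
    "  HTTPS://example.com/quarterly ",
    "mailto:security@example.com",
    "wshfile:example",
    "example.com/no-scheme",
]

if __name__ == "__main__":
    for link, reason in audit_links(SAMPLE_LINKS):
        print(f"blocked {link!r}: {reason}")
```

An allowlist rather than a denylist is the important design choice: the shell registers many scheme handlers, and new ones appear with each Windows feature, so enumerating the dangerous ones (as a denylist would) is exactly the filtering mistake the vulnerability illustrates.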

November 2018

Windows was exposed again to a 0day vulnerability in win32k (CVE-2018-8589). It is due to an improper race condition in the win32k!xxxMoveWindow function, which can cause messages sent between threads at the same time to be locked improperly. The vulnerability was fixed on November 13.

December 2018

(1) Microsoft DNS Server was exposed to a high-risk heap overflow vulnerability (CVE-2018-8626). All Windows servers configured as DNS servers are affected. An attacker sends a crafted malicious request to the Windows DNS server to trigger a heap overflow and remote code execution. The vulnerability was patched on December 11.

(2) Windows was exposed for the fourth month in a row, this time to a more severe privilege elevation vulnerability in the Kernel Transaction Manager driver (CVE-2018-8611). It is caused by improper handling of file operations in kernel mode, which creates a race condition in the Kernel Transaction Manager. This vulnerability bypasses the process mitigation policies of current mainstream web browsers and escapes the sandbox, allowing hackers to build a complete remote code execution attack chain on the web. The vulnerability was initially discovered on October 29, and Microsoft assigned a CVE number and released a fix on December 11.

3. Typical vulnerability security events in 2018

The security industry in 2018 was "bustling". Ransomware, which once spread like wildfire, blew in again like a spring breeze; later, as the blockchain concept heated up, mining and web-page Trojan (drive-by) attacks became frequent; on the one hand there were targeted attacks by APT organizations against enterprises, governments, scientific research institutions and public institutions, and on the other hand there were "business letter" phishing email attacks against the foreign trade industry and phishing email attacks against individual users, with small-scale outbreaks.

The attack tactics of professional APT organizations serve as a textbook guide and model for the black market of common viruses and Trojans, which leads to the rapid spread of high-risk vulnerabilities from high-end hackers to low-end black-market producers, and to the great impact of high-risk vulnerabilities on information security.

3.1 "Next-generation Spectre": Intel CPU vulnerabilities continue to escalate

After the discovery of the Meltdown and Spectre CPU vulnerabilities at the beginning of the year, in early May 2018 the Google Project Zero security research team exposed eight new "Spectre" hardware vulnerabilities in Intel processors, known as "next-generation Spectre" (Spectre-NG).

Using these vulnerabilities, the isolation between virtual machines can be bypassed, so that a virtual machine can escape and steal confidential information; in addition, other virtual machines on the same server can be attacked.

In the second half of the year, Intel CPUs were found to have multiple Hyper-Threading vulnerabilities such as TLBleed, Foreshadow and PortSmash. The PortSmash vulnerability (CVE-2018-5407), found in early November, affects all Intel processors that support Hyper-Threading. Using this vulnerability, an attacker's process can steal private data from another process running on the same physical core, and security researchers have demonstrated stealing a private key from an OpenSSL process.

The repair of this series of CPU vulnerabilities also went through twists and turns. Hastily released patches brought new risks and at the same time degraded CPU performance, so that patches had to be released in multiple versions. This eventually pushed Intel to speed up the release of its next-generation processors and became the last straw that led to Hyper-Threading being cut off entirely.

3.2 The Office Equation Editor exposes new vulnerabilities again, and "business letter" phishing attacks recur (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798)

The Office Equation Editor vulnerability (CVE-2017-11882) is a typical stack overflow vulnerability in the eqnedit.exe component. It affects all Office versions and is extremely easy to exploit. Because the patch Microsoft released on November 14, 2017 only added the ASLR (address space layout randomization) mitigation rather than truly fixing the vulnerability, and because a large number of users do not install Office patches, there are still many cases of in-the-wild attacks.

On December 20, 2017, Tencent Yujian Threat Intelligence Center found other vulnerabilities in the eqnedt32 module. At the same time, it captured a sample of the "BlackTech" APT organization exploiting the Office Equation Editor 0day vulnerability (CVE-2018-0802). The sample used a spear-phishing attack, disguising an Office document containing malicious code as an ordinary Office file for dissemination, with a wide range of impact.

On January 9, 2018, new vulnerabilities in the Office Equation Editor were disclosed. This time Microsoft simply deleted the Equation Editor to fix them. However, just one week after the patch was released, several variants of the CVE-2018-0798 vulnerability and their in-the-wild exploitation began to appear.

On February 26, 2018, Tencent Yujian Threat Intelligence Center captured doc document samples that used CVE-2017-11882 to download and run the open-source "Boni" Trojan, stealing sensitive information such as users' bitcoin wallet files.

On June 1, 2018, Tencent Yujian Threat Intelligence Center once again detected a large-scale "business letter" attack against Chinese import and export enterprises using CVE-2017-11882. Such attack emails reached thousands per day, and virus variants emerged in an endless stream.

It can be predicted that for a long time to come, spear-phishing combined with the simple and easy-to-use Office Equation Editor vulnerability, which fits the office scenario very well, will remain one of the popular attacks against small and medium-sized enterprises.

3.3 Adobe products raise the alarm many times, and 0day vulnerabilities are exposed repeatedly

3.3.1 Adobe Flash again exposed to in-the-wild 0day exploitation (CVE-2018-4878, CVE-2018-5002)

On February 1, 2018, Adobe officially released a security advisory (APSA18-01) stating that a new Adobe Flash zero-day vulnerability had been found being used in spear-phishing attacks against personnel in South Korea. The 0day vulnerability number is CVE-2018-4878, and the official patch was released on February 5.

After the vulnerability was publicized, a large volume of spam was found spreading it quickly. The attacker sends an email containing a malicious Word document with a short link. After the Word document is downloaded and opened, the exploit opens a command line and uses malicious shellcode, with a remote injection command from the linked malicious domain, to download a DLL file named m.db, which is executed through the Regsvr32 process to complete the attack chain.

CVE-2018-5002 was found being used in the wild on June 7, 2018. An APT organization sent phishing documents (in Arabic) about the basic salary of foreign ministry officials through instant chat or email. After the bait documents were opened by users, malicious code executed in the host process Excel, and a fake website was used as a Trojan download station to achieve the purpose of the attack.

The attacker separated the loader, exploit and payload, making it more difficult for security engineers to reverse engineer and restore the exploit code; the attack was obviously carefully prepared. This APT organization painstakingly constructed the attack chain and used a 0day vulnerability to attack relevant government departments, which shows a certain political intention.

3.3.2 Adobe Reader 0day vulnerability found in in-the-wild exploitation (CVE-2018-8120, CVE-2018-4990)

On May 15, 2018, foreign security vendors captured a PDF sample that used two 0day vulnerabilities in combination: an Adobe Reader 0day (CVE-2018-4990) and a win32k kernel privilege elevation 0day (CVE-2018-8120).

CVE-2018-8120 is a win32k privilege escalation vulnerability. CVE-2018-4990 is a heap out-of-bounds access / arbitrary address free vulnerability in Adobe Acrobat/Reader. The attack sample obtains code execution through CVE-2018-4990, then bypasses the Adobe Acrobat/Reader sandbox protection and achieves arbitrary code execution by exploiting the kernel privilege vulnerability. Interestingly, the sample was only a test sample, and both 0day vulnerabilities were fixed before they could be used in attacks.

3.4 Old vulnerabilities are exploited repeatedly: is "EternalBlue" really eternal?

Most hackers attack personal computers and enterprise servers to profit through illegal channels. Wherever the tasty cake is, illegal hackers appear, and viruses and Trojans follow. And these hackers, for whom profit is paramount, cannot let go of easy-to-use and stable old vulnerabilities. Let's take a look at the hot security events of 2018 that exploited old vulnerabilities.

3.4.1 "EternalBlue": from ransomware to mining Trojans

"EternalBlue" is a vulnerability in the SMB file sharing protocol, exposed in 2017, that is reachable through port 445. Criminals use it to obtain the highest system privileges and implant malware such as viruses and Trojans into Windows systems. In the past two years, "EternalBlue" has become one of the most exploited security vulnerabilities.

Ransomware is spread mainly through three channels: vulnerability exploitation, phishing emails and advertisements. Of these, more than 80% of all attacks are launched through vulnerabilities; a typical case is worm-style ransomware that spreads actively through the "EternalBlue" vulnerability.

WannaCry can be said to have opened a new era of ransomware, and that era continues this year. In addition, as the blockchain concept grew ever more popular, more and more people joined the speculation this year, and criminal hackers did not let this profitable opportunity pass.

In March this year, Tencent's Yujian Threat Intelligence Center captured a Monero mining Trojan, WannaMiner, which used the "Eternal Blue" vulnerability to spread within local area networks, building the infected machines into a huge botnet that lurked and mined for a long time, infecting more than 30,000 computers in more than 600 domestic enterprises;

In May this year, a Monero mining Trojan, "smile", was captured attacking enterprise servers by scanning for the "Eternal Blue" vulnerability and mining quietly in the background. The Trojan had been active since March; by May it had mined 846 Monero in total, and its mining income at one point reached 1.2 million yuan;

On June 1, a malicious proxy Trojan named Glupteba was caught using the "Eternal Blue" vulnerability to spread rapidly within local area networks, with infection numbers rising sharply;

In August this year, TSMC revealed that it had suffered a WannaCry ransomware attack that paralyzed its production lines and caused a loss of NT$2,596 million;

On August 9, a worm virus, BuleHero, was caught using the "Eternal Blue" vulnerability to attack and spread within intranets;

In November, another well-known semiconductor company, Hexin Technology, had its mainland factories infected with the WannaCry ransomware, which paralyzed the production lines and shut down all of the factories.

The larger an organization and the more mechanical its systems, the more it values stability, and the older the Windows versions it tends to run, such as Windows 7 SP0 and XP, for which Microsoft has stopped providing updates and which carry a large number of security vulnerabilities that cannot be repaired. As long as the vulnerable scenario exists, the security threat will not disappear, and the fight against ransomware and mining Trojans must continue.

3.4.2 In March 2018, Tencent Yujian Threat Intelligence Center detected, for the first time in China, a Monero mining campaign that used USB flash drives as its transmission carrier and the LNK remote code execution vulnerability (CVE-2017-8464) as its main means of propagation.

The virus sample executes malicious code through the LNK vulnerability and can automatically infect any other removable disk that is inserted. Using USB flash drives as the carrier allows attacks on infrastructure, on isolated systems that store core data, and similar targets, posing a greater threat to the internal network security of government and enterprise units. Because the group most affected by this attack is LAN users who frequently transfer files by USB drive, campuses, government bodies and enterprises were frequently hit.

In fact, the "ZHENWANG 3" (Stuxnet 3) vulnerability in shortcut files has little technical sophistication in itself, but because a shortcut's link target can execute arbitrary programs or scripts on the system, with great flexibility and strong concealment, it is popular in exploitation attacks.

3.4.3 The "412" Pegasus storm (CVE-2016-0189)

On April 12, 2018, Tencent Yujian Threat Intelligence Center observed that the embedded news pages of a large number of client programs had been injected with malicious code, leaving users implanted with mining Trojans, banking Trojans, remote-control Trojans and more without their knowledge. More than 50 client programs were involved in this wave, affecting more than 200,000 (20W) users, a very wide impact.

The Pegasus attack exploits a March 2016 VBScript engine memory corruption vulnerability (CVE-2016-0189) to download malicious scripts. Like CVE-2018-8174, this year's new IE "double kill" 0day, CVE-2016-0189 was once a 0day used in APT attacks. The vulnerability exploits an out-of-bounds array access in the VBScript engine vbscript.dll to execute malicious code.

It can be seen that hackers are also "lazy": almost all widely exploited vulnerabilities are those that are easy to use, stable and have a high success rate. Unless a special task must be completed, the technical barrier of an exploit is one of the factors hackers must weigh.

3.5 0day vulnerabilities occurred frequently in the second half of the year

This year 0day vulnerabilities continued to break out. Windows products had a troubled year, not only in patch releases and Windows 10 sub-version upgrades: within a short period of half a year, 10 0day vulnerabilities were exposed one after another, 7 of which were found exploited in the wild, and 6 of which were picked up within days by APT groups to steal confidential information from enterprises and government agencies. The importance of 0day vulnerabilities can be understood from how these attackers use them.

3.5.1 The "double kill" 0day vulnerabilities exploited by the APT group DarkHotel (CVE-2018-8174, CVE-2018-8242, CVE-2018-8373)

On April 18, 2018, the first Internet Explorer "double kill" series vulnerability, CVE-2018-8174, was found in the wild, opening a rhythm of "stable supply" of one Windows 0day vulnerability per month in the second half of the year.

According to reports, the sample came from an APT group named DarkHotel (APT-C-06). This group is adept at using high-risk vulnerabilities for targeted attacks against enterprises and institutions to steal state secrets. Early in the year, DarkHotel launched attacks against government units using the Office Equation Editor vulnerability.

In the following July and August, Internet Explorer was hit by the second-generation "double kill" 0day (CVE-2018-8242) and the third-generation "double kill" 0day (CVE-2018-8373). Once again DarkHotel used the same attack technique, with the third-generation "double kill", to launch targeted attacks against corporate executives, the defense industry, the electronics industry and other important institutions.

Beyond its repeated use by APT groups, the first-generation "double kill" (CVE-2018-8174) was also caught by Tencent Yujian Threat Intelligence Center on June 16 in a Trojan distribution case. A program called "flow treasure flow version" used the vulnerability in the IE browser control embedded in the software to execute shellcode and download a DDoS Trojan and a mining Trojan, turning the victim's computer into a bot. At its peak, the number of exploit requests from this sample exceeded 300,000.

3.5.2 Exploitation of CVE-2018-8414 by the APT groups DarkHydrus and Mahakus

In June 2018, an arbitrary code execution technique abusing ".SettingContent-ms", a new file type introduced in Windows 10, was disclosed together with a POC, and the vulnerability was quickly exploited by criminal hackers and APT groups as soon as it became public. Multiple attack samples exploiting this 0day were captured in the wild.

It has been reported that DarkHydrus used this exploitation technique to deliver attacks with DNS tunnel communication. In addition, the suspected APT group Mahakus also used this vulnerability in attack samples.

It was not until August 14, 2018 that Microsoft released the corresponding patch and assigned the vulnerability number CVE-2018-8414.

3.5.3 Exploitation of CVE-2018-8453 by the APT group FruityArmor

CVE-2018-8453 is a use-after-free (UAF) remote code vulnerability in the win32kfull!xxxDestroyWindow function; Kaspersky Lab first discovered in August that the APT group FruityArmor was exploiting it in recent attacks.

It is reported that the shellcode in the attack samples captured by Kaspersky Lab has long been used only by FruityArmor in the C2 field. This attack by FruityArmor using the vulnerability appears to be highly targeted, affecting only a dozen or so users in the Middle East.

3.5.4 Exploitation of CVE-2018-8589 and CVE-2018-8611 by the APT group SandCat

On October 17, Kaspersky Lab found a small-scale targeted attack on users in the Middle East by the APT group SandCat. The attack exploited the Windows win32k local privilege escalation vulnerability CVE-2018-8589, which only affects Windows 7 x86 and Windows Server 2008, and which so far has only been seen in APT activity.

However, less than a month after that vulnerability was found, on October 29 a new Windows kernel 0day, CVE-2018-8611, was found being exploited by the same group. The new vulnerability can bypass the sandboxes of mainstream web browsers and is therefore more threatening than CVE-2018-8589.

Almost all of the Windows 0day vulnerabilities exposed in the second half of the year were discovered through attack samples released by APT groups. It can be seen that APT groups prefer 0day vulnerabilities for surprise, one-hit attacks, keeping the footprint of the attack minimal to preserve the concealment of their activities.

4. How to protect against vulnerabilities

4.1 Personal user vulnerability protection

4.1.1 Repair security vulnerabilities promptly and enable real-time protection in security software

The most direct and effective way to prevent vulnerability attacks is to use a current version of the system and promptly repair the security vulnerabilities in the system environment.

Tencent PC Manager's vulnerability cloud library has collected more than 1,000 patches and supports vulnerability repair for Windows, Office, Flash and other products. It uses a fast repair engine that cuts vulnerability repair time by 50% and restores the Windows Update function 100%, ensuring both the accuracy of repairs and system compatibility. In addition, enabling PC Manager's real-time protection can effectively intercept viruses triggered through vulnerabilities and make up for vulnerabilities that, for whatever reason, have not been repaired in time.

4.1.2 Cultivate good computer habits

Individuals need to raise their awareness of network security: do not casually download unknown software, do not casually open suspicious attachments in unfamiliar e-mails, take care to identify and avoid suspicious websites, and back up important data files regularly.

4.2 Enterprise user vulnerability protection

4.2.1 Establish an effective vulnerability information monitoring system and build a sound patch management capability

Establish an effective security information monitoring system and pay close attention to threat intelligence warnings from major security media such as the "Yujian Threat Intelligence Center".

At the same time, manage the security of productivity tools well: proactively install the latest patches, fix vulnerabilities, keep the equipment, software and hardware used by individuals and enterprises secure at all times, and shorten the average lifetime of vulnerabilities, which greatly reduces the chance of being attacked by criminals. Tencent Yudian terminal security management system can be used to install system patches across the whole network and improve client security.
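The two exposures this report keeps returning to, the SMB "Eternal Blue" vulnerability reachable on port 445 (section 3.4.1) and hosts whose patches are old or no longer available (sections 3.4.1 and 4.2.1), can both be checked from the endpoint. The following PowerShell audit is an added example written for this page; it is not code from the report or from any Tencent product. It uses only built-in cmdlets (Get-WindowsOptionalFeature, Get-SmbServerConfiguration, Get-NetTCPConnection, the NetSecurity firewall cmdlets, Get-HotFix and Get-CimInstance), which exist on Windows 8 / Server 2012 and later. The 45-day patch-age threshold is an assumption, not a figure from the report.

```powershell
# Added example (not from the report): audit one Windows host for SMBv1 / port 445
# exposure and for stale patching. Run in an elevated PowerShell session.

function Get-SmbExposure {
    # Returns an object describing whether SMBv1 is installed/enabled and whether
    # TCP/445 is listening and allowed inbound through the host firewall.
    $result = [ordered]@{}

    # SMBv1 optional feature (Windows 8 / Server 2012+). 'Unknown' if the cmdlet fails.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feat) { $feat.State } else { 'Unknown' }

    # Server-side SMBv1 switch, independent of the optional feature.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $result.Smb1ServerEnabled = if ($cfg) { $cfg.EnableSMB1Protocol } else { 'Unknown' }

    # Is anything listening on 445 right now?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listen

    # Enabled inbound Allow rules whose port filter covers TCP/445.
    $rules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $result.InboundAllowRules445 = @($rules | Select-Object -ExpandProperty DisplayName)

    [pscustomobject]$result
}

function Get-PatchAge {
    # Age of the most recently installed hotfix; Overdue when older than $MaxDays
    # (assumed threshold) or when no dated hotfix is present at all.
    param([int]$MaxDays = 45)

    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        LatestHotFix       = if ($latest) { $latest.HotFixID } else { $null }
        InstalledOn        = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSinceLastPatch = $age
        Overdue            = ($null -eq $age) -or ($age -gt $MaxDays)
    }
}

# --- Run the audit and print a short verdict ---------------------------------
$os    = Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, LastBootUpTime
$smb   = Get-SmbExposure
$patch = Get-PatchAge

$os    | Format-List
$smb   | Format-List
$patch | Format-List

if ($smb.Smb1ServerEnabled -eq $true -or $smb.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is enabled. Unless a documented legacy dependency needs it, disable it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
}
if ($smb.Port445Listening -and $smb.InboundAllowRules445.Count -gt 0) {
    Write-Warning ("TCP/445 is listening and allowed inbound by: " + ($smb.InboundAllowRules445 -join ', '))
    Write-Warning 'Restrict these rules to the management/file-server subnets that actually need SMB.'
}
if ($patch.Overdue) {
    Write-Warning "Last hotfix is $($patch.DaysSinceLastPatch) days old (or none found); run Windows Update or your patch tool."
}
```

Running this across an estate (for example through a remoting loop or the endpoint-management tool the report recommends) turns the report's two protection messages into a measurable inventory: which hosts still expose SMBv1 on 445 and which have gone the longest without a patch. Hosts whose OS caption shows a version Microsoft no longer updates (the Windows 7 SP0 and XP cases in section 3.4.1) will show up as permanently overdue, which is the expected signal that they need isolation or replacement rather than another scan.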

4.2.2 Security drills to cultivate employees' information security awareness

Organize enterprise information security drills regularly, using simulated attacks such as phishing e-mails, phishing web pages and social engineering to raise employees' security awareness, give them a deeper impression and understanding of information security, and eliminate security threats at the endpoint.

5. Looking back at 2018, looking forward to 2019

Looking back at 2018, ransomware and mining Trojans were rampant; smart contracts, smart hardware, artificial intelligence and other new technologies brought new trends but also new security threats; the number of vulnerability submissions in every field worldwide kept rising and 0day vulnerabilities became more and more common; major information leaks occurred one after another across industries worldwide; and politically motivated APT attacks grew ever more rampant. The international information security situation is tense. As guardians of information security, we must keep thinking about how to respond to new changes and be ready at all times to meet new challenges.

5.1 Evolving our thinking

In December 2018, domestic hackers opened a new era of security attack and defense with a textbook attack on the software supply chain combined with the use of a vulnerability to spread a Trojan (the incident in which a well-known software vendor in Shenzhen, Guangdong had its software upgrade channel used to spread a Trojan). In an era of continuous technological innovation, attackers' methods keep evolving and upgrading. As defenders, we need to broaden our horizons, keep pace with the times, move beyond old defensive concepts, and strive to stay one step ahead of the attacker, so as to truly become the guardians of information security.

5.2 A thousand-li dike collapses from an ant hole: people are always the biggest vulnerability

Phishing, malvertising and even social engineering and other traditional, low-tech means can be used again and again and have become hackers' favorite means of spreading viruses and Trojans, which shows that the biggest vulnerability in information security is still people.

Low-tech attack methods are themselves an efficient filter: they screen out savvy users who understand computers and networks well and select target groups with low security awareness, achieving highly precise targeting. Given this situation, enterprises, governments and other institutions need to conduct more security incident drills to strengthen the information security awareness of business staff; only then can the "loophole" be fixed and information security ensured.

5.3 Build a multi-dimensional, three-dimensional security capability system

Security vulnerabilities involve every aspect of computing. Enterprise information security can no longer rely on simple network isolation alone; it must comprehensively strengthen the security of the network, software and hardware in enterprise productivity equipment, do patch management well and update enterprise software and hardware in time, and build capabilities for vulnerability detection, security incident response, threat intelligence monitoring and attack tracing. Only then can we have a stronger information security firewall.