Zero Day Diary

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q1 2017

ZeroDayDiary.com — sponsored by Digital Defense — provides chief information security officers (CISOs) and IT security teams with a quarterly list of noteworthy zero day vulnerabilities and exploits to software applications and IoT devices.

ZEROING IN

Cybercriminals are earning enormous profits selling zero day bugs on the black market

Microsoft, Google, and the commercial sector continue to struggle with zero day vulnerability disclosure policies.

Kacy Zurkus

Menlo Park, Calif. – Mar. 31, 2017

Given that new software continuously comes to market, every day presents a potentially new discovery of a zero day exploit. In this first quarter, many of the disclosures prompted the question: what is the most responsible way to disclose zero day vulnerabilities?

Rather than having vendors and tech companies warring with each other, some leaders in the security industry have called for the establishment of industry-wide policies to expedite the discovery, reporting, and patching of zero day bugs.

Short of having a uniform policy, companies like Google follow their own rules. Meanwhile, cybercriminals are earning enormous profits selling zero day bugs on the black market while governments continue to hoard their knowledge, leaving the commercial sector to fend for itself.

ZERO DAY DIARY

March

Mar. 30. Legacy antivirus systems fail to recognize new signatures because malware is changing so quickly. As a result, nearly 30 percent of all malware attacks are zero day exploits.

Mar. 27. Sometimes even security researchers get it wrong, which is what appears to have happened when Cybellum reported a zero day vulnerability named DoubleAgent. Sophos clarified the severity of the vulnerability and the back story on DoubleAgent.

Mar. 22. Even though LastPass, a password manager, had to fix a zero day flaw, Rapid7 said that this shouldn’t sway the trust of users. The disclosure proves that bug bounty programs can lead to quick fixes with little harm, and password managers are still reliable.

Mar. 16. Hoping that researchers will identify and disclose the most dangerous bugs that need fixing, Intel joins the ranks of Microsoft, Google, and Facebook, launching its own bug bounty program.

Mar. 13. The study released by the RAND Institute continues to make noise across the security industry, raising questions about disclosure and hoarding discovered bugs.

Mar. 11. Wired reports on a week’s worth of news, calling the post A One Stop Guide to Zero Day Exploits, in the aftermath of the WikiLeaks data dump.

Mar. 9. The RAND Institute examines the life and times and exactly what to do about zero day vulnerabilities.

Mar. 8. The Boston Globe investigates the potentiality of criminals discovering and hoarding the very same zero day exploits that the CIA had found.

Mar. 8. Tables are turned and the corporate character of Google is called into question after they disclosed vulnerabilities in both Microsoft and Cloudflare before a patch was released.

Mar. 8. Likely to go on for some time in the aftermath of the Vault7 revelations, debates over whether hoarding zero day vulnerabilities is good or bad for security continued.

Mar. 7. WikiLeaks published the long list of zero day exploits and tools that the CIA had allegedly been using to spy on iPhone and Android users.

Mar. 6. After a security firm issued a patch for the long-standing Microsoft vulnerability discovered by Google, users were finally able to take advantage of a fix.

Mar. 5. A hacker earned $5,000 from Uber for reporting a vulnerability that allowed him to get free rides in India and the United States.

Mar. 3. The malware involved in the UK attack on Barts Health Trust reportedly took advantage of a zero day vulnerability.

Mar. 2. User credentials are more often used to breach organizations, so should cyber security teams be overly concerned with zero day vulnerabilities?

Mar. 1. The Windows SMB vulnerability continued to cause headaches. The vulnerability was deemed the “zero day that keeps on giving.”

Mar. 1. Zero day exploits allow hackers to work around established security measures including sandbox strategies.

February

Feb. 28. The clock ticked for 90 days, in accordance with Google’s disclosure policy on zero day bugs, when another Microsoft vulnerability was made public before a patch was available.

Feb. 22. Though Adobe released a patch for critical vulnerabilities in Flash Player, two zero day bugs remained unfixed until March, leaving Microsoft Windows users vulnerable.

Feb. 22. No foreseeable changes are expected in the vulnerabilities equities process (VEP), the process government agencies use to disclose zero day bugs.

Feb. 18. A proof of concept is available for another Microsoft bug discovered by Google’s Project Zero team.

Feb. 16. Exodus Intelligence, a company that specializes in zero day vulnerability research, partners with NSS Labs to enhance its testing capabilities in determining exploitable vulnerabilities.

Feb. 16. A last-minute issue that couldn’t be fixed in time for Patch Tuesday delays Microsoft’s weekly release of patches for the first time.

Feb. 10. A malware program, likely part of the cache of exploits used by the Russian hacking group that goes by many aliases, including APT28, is targeting Macs with what was possibly a known exploit. This is a bit unusual, as the group is renowned for its use of zero day exploits.

Feb. 10. The door to information about discoveries of zero day vulnerabilities is slowly closing for commercial industries, as more of those discoveries are now either sold for profit on the black market or hoarded by governments.

Feb. 10. Cybersecurity practitioners, moonlighting as bounty hunters, take advantage of the growing zero day vulnerability market.

Feb. 8. 2016 saw a tremendous growth in software vulnerabilities despite continued calls for building security into the development life cycle. Also on the rise were paid disclosures of zero day bugs found by third parties or vendors.

Feb. 8. A new report calls for better cooperation between the government and private sector in sharing information about zero day vulnerabilities.

Feb. 7. A new platform introduced by Kenna Security in partnership with Exodus Intelligence promises to provide greater visibility into zero day metadata, giving security teams immediate knowledge of vulnerabilities.

Feb. 6. Those left vulnerable by the zero day Windows SMB bug have to wait until Patch Tuesday for a fix.

Feb. 1. A particularly dangerous zero day vulnerability in WordPress was patched, but given the seriousness of the vulnerability, users are strongly encouraged to keep current with their updates.

Feb. 1. A new exploit acquisition program from Zimperium focuses on N-day rather than zero day exploits.

January

Jan. 30. Security Intelligence examines the growth of available exploits in darknet marketplaces and looks at ways that enterprises can zero in on the dilemma of zero day vulnerabilities.

Jan. 25. Developers can mitigate risks by practicing secure coding and testing to find zero day vulnerabilities before hackers do.

Jan. 25. Zero day vulnerabilities were discovered hiding in browser extensions, but the critical Cisco WebEx vulnerability has been patched.

Jan. 24. Regardless of how insignificant a software update might seem, Apple’s iOS 10.2.1 update fixes more than ‘bugs and security on the phone’. A look at the security content page revealed several WebKit vulnerabilities discovered by Google’s Project Zero.

Jan. 19. Confirmation that a zero day exploit kit targeting Windows Server Message Block was part of a collection of cyber weapons served as a reminder that the outdated SMB v1 should not be used.

Jan. 17. Trust in Adobe Flash continues to decline as concerns mount that the repeated vulnerabilities are threatening enterprise security.

Jan. 16. Microsoft’s Windows Defender APT research team reported that exploit mitigation techniques in Windows 10 systems running the Anniversary Update neutralized zero day vulnerabilities and reduced the attack surface against future exploits.

Jan. 12. Windows customers are encouraged to keep their patches up to date after ShadowBrokers hackers put an exploit kit, which includes a zero day vulnerability, on sale for $750 bitcoin.

Jan. 11. Adobe Flash continues to cause problems across multiple computing platforms as Google’s Project Zero researchers discover five zero-day issues.

Jan. 11. Even though bug bounty programs have helped companies successfully identify zero day bugs, they can also put security at risk when details are posted in public forums.

Jan. 9. Once a hacker exploits zero day vulnerabilities and is able to access valuable data, they turn to these top marketplaces on the dark web to sell those stolen credentials.

Jan. 5. Will establishing an industry standard for responsible disclosure of zero day vulnerabilities benefit the security industry?

Jan. 4. A brazen hacker known as CyberZeist exploits a zero day vulnerability in the Plone Content Management System (CMS) used by the FBI’s website.

Jan. 3. A Legal Hackers researcher discovered a zero day bug marked as having extreme criticality in PHPMailer, which is widely used in the ‘contact us’ section of websites.

Stay tuned for the Q2 2017 edition of the Zero Day Diary.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.

Q4 2016

ZEROING IN

Cyber bounty hunters and hackers exposed critical flaws during the final quarter of 2016

Kacy Zurkus

Menlo Park, Calif. – Jan. 3, 2017

Microsoft patched several holes while tensions rose in the tech world after Google disclosed a Microsoft zero day before it had been patched. Adobe patched nearly 100 vulnerabilities in the final quarter of 2016, with 83 patches in October alone.

The patches, though, were not released before hackers took advantage of the vulnerability, elevating its status from critical to an exploit in the wild, something no developer wants to hear.

An ever-increasing amount of new code and a robust underworld economy will be stoking the market in 2017 for zero-day vulnerabilities, according to Cybersecurity Ventures’ newly released annual Zero Day Report.

ZERO DAY LIST

December

Dec. 28. The research team at Check Point discovered three zero-day vulnerabilities in the unserialize mechanism in PHP 7, the web programming language used in a large majority of websites.

Dec. 19. Gaining access to programs in Linux can allow hackers to delve deeper into the operating system, which means the exploit has greater potential to result in data exfiltration.

Dec. 19. Noting that criminals can now purchase zero-day exploits, industry leaders face the future of cyberwar and prepare for the unexpected.

Dec. 15. Opening or browsing a music file on Linux could leave desktops vulnerable. A second zero-day exploit on Fedora 25, released by Chris Evans, is said to run as a ‘classic drive-by’.

Dec. 15. Advanced persistent threat groups spy on users in Europe and Turkey using a Wingbird backdoor in a zero-day exploit discovered in FinFisher.

Dec. 13. Another 31 vulnerabilities were patched across multiple Microsoft product lines. The Flash zero-day is one of the four zero-day vulnerabilities listed as critical.

Dec. 9. Vulnerabilities and backdoor code in video cameras from multiple manufacturers continue to raise security concerns, as the cameras can potentially become part of IoT botnets and cause massive DDoS attacks.

Dec. 9. Hackers imply that they exploited a zero-day vulnerability when they hacked into the Twitter account of Indian tycoon Vijay Mallya.

Dec. 7. Concerns over vulnerabilities in IoT devices continue to grow, with observers noting that the multiplying number of connected devices coming to market will only increase the attack surface, particularly for zero-day bugs.

Dec. 7. Among the many predictions experts made for 2017, novel zero-day reflection and amplification attacks will appear with more frequency, enabling more sophisticated and targeted attacks.

Dec. 6. Security experts and researchers weigh in on a call for consensus on responsible disclosure guidelines for reporting zero-days.

Dec. 6. The Dutch take issue with their government after it grants permission for police and secret service agencies to exploit zero-day vulnerabilities, calling it a subterfuge for surveillance programs.

Dec. 6. Vulnerable IP cameras go unpatched as two zero-days are exploited, allowing hackers to spy on computer users and take over the device.

Dec. 5. Hefty competition at HITCON CTF 2016 results in the discovery of three zero-day vulnerabilities and a big win of $10,000 for Korea’s Cykorkinesis.

Dec. 4. In response to the zero-day security issues Adobe Flash has experienced, Google Chrome decides to replace Flash with HTML5.

Dec. 1. An exploit targeting Tor users was deemed a near-perfect replica of the zero day bug used by the FBI to identify anonymous users. Some question whether the bug was developed by the Feds.

November

Nov. 29. The Mac Observer gives kudos to Apple for its ability to patch zero day exploits, having successfully created a fix for the issues in just ten days.

Nov. 29. Tor users find themselves under attack from a zero-day exploit in the wild that executed malicious code through the Firefox browser.

Nov. 28. Customers of the ISPs Deutsche Telekom and Eircom were targeted with Mirai malware through home routers that left port 7547 open to the Internet, which caused a weekend service outage.

Nov. 28. Antonio Sanso, a senior software engineer at Adobe, disclosed a vulnerability in PayPal’s OAuth that allowed him to override the validation and return a client token.

Nov. 28. Vanity Fair spotlights the evolution of zero-days, going back to the days of old when hackers held onto their discoveries. In telling the story of a grad student who discovered spyware that could control the iPhone, they take a look at how zero day exploits have changed.

Nov. 24. Zeus-type malware was used to target African and Asian banks, delivering a zero day to users by way of phishing emails and social engineering.

Nov. 16. Dark Reading’s Radio invites leaders in the security industry to engage in a live discussion, debating the benefits and drawbacks of bug bounty programs, responsible disclosure, and the “gray market” in zero day vulnerabilities.

Nov. 10. In only 18 seconds, South Korean security researchers exploited two different vulnerabilities in Microsoft Edge at PwnFest 2016 in Seoul.

Nov. 9. Pawn Storm cast a wide net in its attempt to exploit a zero day vulnerability discovered in Adobe Flash. Between late October and early November, the espionage group targeted several governments worldwide with spear-phishing campaigns trying to capitalize on the combined vulnerabilities in Flash and Windows.

Nov. 9. In response to the criticism over the time it took for Microsoft to respond to the zero-day vulnerability exploited by Fancy Bear, security experts debate responsible disclosure.

Nov. 8. After nearly two weeks of internally testing solutions to the zero-day Flash and Windows kernel vulnerabilities, Microsoft released a patch for its troublesome duo of flaws.

Nov. 7. Belkin issues updates for the firmware flaws discovered in its WeMo home products.

Nov. 3. Invincea Labs presented at Black Hat Europe 2016, sharing how they detected two zero-day vulnerabilities in an Android phone application, a first in IoT security research.

Nov. 2. Apple challenges the reporting time frame of Google’s Project Zero program, which aims to not only identify but fix zero-day vulnerabilities in popular software.

Nov. 2. Tensions rise in the tech industry as two of the largest enterprises disagree on the timing of when the Microsoft vulnerability was made public.

Nov. 1. After Microsoft still had not issued a fix, Google went public about the vulnerability as users were under attack by a group formerly tied to Russia’s prestigious intelligence agency.

Nov. 1. Microsoft issues an advisory recognizing that the same group that hacked the DNC was exploiting the win32k.sys vulnerability identified by Google.

October

Oct. 31. Nearly 10 days after Google privately reported a flaw in the Windows kernel, the zero-day vulnerability was used in attacks.

Oct. 27. After Google fully patched the vulnerability on its Nexus 6P, security researchers at the 2016 mobile Pwn2Own event in Tokyo were able to exploit it and other fully patched devices.

Oct. 27. Few in the tech industry were surprised to learn of yet another vulnerability discovered in Flash Player that allows attackers to remotely execute code and take control of a compromised system.

Oct. 26. An urgent call goes out for Windows users to update as soon as possible as malware exploits a newly discovered vulnerability.

Oct. 26. Art reflects reality in the debut of VICELAND’s series CYBERWAR. The first episode of the new season, “The Zero-day Market” fictionalizes the reality of the growing market of zero-days.

Oct. 24. The Ruxcon hacking confab in Melbourne reveals flaws in wireless keyboards and mice that can’t be patched, but will be fixed in newer versions.

Oct. 21. ESET reveals the extensive hacking activity of the group sometimes known as Fancy Bear and Pawn Storm, among other names. In addition to having a minimum of six zero-day exploits to hack the DNC, the group has also targeted embassies, academics, and political groups worldwide.

Oct. 17. A $5,000,000 happy birthday celebration for Facebook’s bug bounty program seems a little pricey, but over the past five years researchers have earned hefty sums for discovering more than 900 bugs and zero day vulnerabilities.

Oct. 17. Censorship questions over reporting issues were tweeted out after IBM asked researcher Maurizio Agazzini to refrain from releasing sections of his disclosure that list the exploits.

Oct. 12. An Internet Explorer vulnerability serves as a reminder to take caution when clicking, as the flaw, CVE-2016-3298, requires that the bad actors trick targets into opening attachments or visiting malicious websites.

Oct. 12. Hackers get busy exploiting four of Microsoft’s zero day vulnerabilities using malvertising campaigns, and avoid researchers by checking target systems before delivering the exploit.

Oct. 11. Of the 45 vulnerabilities that Microsoft addressed using its new update technology for October’s Patch Tuesday, five were rated critical for zero-day flaws.

Oct. 3. Dell EMC customers were issued patches after Digital Defense discovered five zero-day vulnerabilities in Dell EMC’s vApp Manager for Unisphere for VMAX, a web application used to manage all of EMC’s storage platforms.

Oct. 2. A JPEG 2000 image file format vulnerability reported by Cisco Talos security experts posed risks that, if exploited, could have had serious impacts. The file format is used to share pictures in a variety of file types through several different hosts, making it possible for attackers to exploit the flaw through email and cloud storage.

Stay tuned for the Q1 2017 edition of the Zero Day Diary.

© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.