Software

Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed

Wait, what? Wasn’t the Stuxnet LNK vulnerability CVE-2010-2568, reported by Sergey Ulasen, patched years ago? Didn’t Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?

Yes, it was, but MS10-046 didn’t completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after Equation’s poorly QA’d USB worm spread across Pakistan exploiting the same LNK vulnerability years earlier than Stuxnet. Now, to be precise, this fix patches the newly generated label CVE-2015-0096, but the flawed functionality still is maintained with LNK handling code used to support custom icons from .cpl files. And, we have not observed a different implementation of this newly report LNK exploit in-the-wild. Yet.

Fanny

So, machines have remained vulnerable to an actively exploited codebase providing custom icon-loading support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two “target” files – one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. “Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma — the defender must be strong everywhere, while the attacker needs to find only one mistake.” In this case, it’s more that the attacker had to chain together a complex series of overlooked steps.

Microsoft’s release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 – IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.

Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox