Weekly Intelligence

June 16th Weekly Surface Attribution Intelligence

Overview

This week there were five (5) distinct vulnerabilities being discussed across the dark web. We did not identify any of these vulnerabilities being used by threat actors in Mitre’s ATT&CK framework.

These vulnerabilities currently impact over 100 active instances of deployed technology across the global internet. At the time of our research, the majority of the affected vulnerable infrastructure was located in China, the United States and Germany.

Details

This week we did not identify any of these vulnerabilities being used by threat actors in Mitre’s ATT&CK framework.

This was a unique week of dark web activity, as we typically see discussions around Microsoft technologies. Instead we saw a JavaScript framework for web applications, a WordPress forum plugin, and a reverse-proxy program and load-balancing firewall being targeted.

[Chart: June 16 attack likelihood]

Dojo Dijit Package

Dojo’s Dijit package is the widget library of the Dojo Toolkit, a JavaScript framework for web applications. The CVE record for this JavaScript package, which is still undergoing technical analysis, indicates a cross-site scripting vulnerability in the Editor’s LinkDialog plugin.

According to the Dojo Github page[1], the package is still being maintained; however, development has shifted to modern dojo[2]. The DojoToolkit.org website also lists several enterprise customers such as Cisco, JPMorgan, Marriott and IBM who use the package.

Organizations should consider checking for the presence of this JavaScript package, which is included in a site via a script tag in HTML such as the following.

[Figure: HTML script tag loading the Dojo JavaScript package]
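One way to run that inventory check over a page’s HTML, as an added example (not code from this newsletter or the Dojo project): it collects every script src, keeps those that reference a dojo or dijit path, and pulls the version out of CDN-style paths when one is present. The sample HTML is constructed input; it does not assert which Dojo versions are affected.

```python
"""Inventory check for the Dojo/Dijit JavaScript package in a page's HTML.

Added example, not code from the newsletter or the Dojo project. Parses
<script src=...> tags and reports those referencing dojo or dijit, pulling
the version out of CDN-style paths (e.g. /dojo/1.10.4/) when present.
"""
import re
from html.parser import HTMLParser

# Script paths that load the Dojo core or the Dijit widget package.
DOJO_RE = re.compile(r"/(dojo|dijit)/", re.IGNORECASE)
# Version component as commonly embedded in CDN paths such as
# https://ajax.googleapis.com/ajax/libs/dojo/1.10.4/dojo/dojo.js
VERSION_RE = re.compile(r"/(\d+\.\d+(?:\.\d+)?)/")


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def find_dojo_scripts(html):
    """Return (src, version-or-None) for each script that loads dojo/dijit."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        if DOJO_RE.search(src):
            m = VERSION_RE.search(src)
            hits.append((src, m.group(1) if m else None))
    return hits


# Constructed sample page: one Dojo CDN include, one self-hosted Dijit
# include with no version in the path, and one unrelated script.
SAMPLE_HTML = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/dojo/1.10.4/dojo/dojo.js"></script>
<script src="/static/js/dijit/Editor.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, version in find_dojo_scripts(SAMPLE_HTML):
        print(f"{src}  version={version or 'unknown'}")
```

A hit with no version in the path means the package is self-hosted, so the version has to be confirmed from the deployed files rather than the URL.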

[1] https://github.com/dojo/dijit

[2] https://dojo.io/

WordPress Plugin Gvectors wpforo

The Gvectors wpforo plugin is a fully-featured WordPress forum plugin. Three new Cross-Site Scripting (XSS) vulnerabilities in this specific WordPress forum plugin were under discussion this week. CVE-2019-19111 and CVE-2019-19110 both affect the s parameter of wp-admin/admin.php?page=wpforo-phrases, while CVE-2019-19112 affects the wpf-dw-td-value class of dashboard.php.

Whether this plugin is installed can be verified in the WordPress admin panel.

[Figure: Gvectors wpforo plugin as listed in the WordPress admin panel]

Apsis GmbH Pound Program

A 2016 vulnerability was also at the top of the list of vulnerabilities being discussed this week. The Pound program, created by the Swiss-based IT security company Apsis GmbH, is a reverse proxy, load balancer and HTTPS front-end for Web server(s). Pound was developed to distribute load among several Web servers and to provide a convenient SSL wrapper for those Web servers that do not offer it natively.

This vulnerability affects several releases of the Debian Linux operating system. As of the date of this publication, these Debian instances were also reported as being affected by CVE-2018-21245, again through the Apsis Pound software.

[Figure: Apsis Pound software]

A survey of global internet infrastructure identified over 100 active instances of deployed infrastructure that are potentially susceptible to this week’s vulnerabilities.

The majority of these vulnerabilities can be found in China, the United States and Germany.

[Chart: locations of vulnerable infrastructure, June 16]

About Cybeta

Cybeta is a cybersecurity data science firm focused on developing advanced analytics for early indications and warning of potential or emerging cyber-attacks. Our flagship product, Threat Beta, has been independently verified and validated to provide accurate forecasting of future breach exposure.

Cybeta works with various data providers as well as through our own deployment of network sensors to provide a continuous stream of near-real time data for our analytics and prediction engine. By providing corporate executives and government officials with advanced insights into future attack potential, we are enabling organizations to make the shift towards an active defense cybersecurity strategy.

About Our Newsletter

In an effort to further our mission of enabling organizations to take on an active defense cybersecurity strategy, our newsletter is the result of our analytic work, which culls through dark web forums and collects, aggregates and analyzes internet infrastructure data, vulnerabilities, weaknesses and exploits deployed around the world.

Each week our newsletter will present our findings of which vulnerabilities and exploits were being discussed by hackers, nation states, cyber criminals and information security researchers across the dark web. We map this data to the tactics, techniques and procedures (TTPs) we see in the Mitre ATT&CK framework datasets.

Where and when it is available, we will also present where we have uncovered these specific vulnerabilities, while not drawing attention to the specific organization owning the vulnerable infrastructure.