myhack58 MYHACK58:62201889929
Apr 10, 2018 - 12:00 a.m.

CVE-2018-4878 case: intrusion investigation of a Hong Kong telecommunications company website - Vulnerability and Early Warning - the black bar safety net

www.myhack58.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

Earlier, a researcher found that the website of a Hong Kong telecommunications company had been compromised. On March 21, Morphisec Labs began investigating the attack on the site and found that the telecom group's official website had been hacked: its home page, home.php, was embedded with a Flash exploit file for CVE-2018-4878.
Attack overview
The attack was a textbook targeted "watering hole attack": the attacker plants malicious software or code on a website that the intended victims are likely to visit, so that the victims' systems become infected and open a door for the attacker; this technique is commonly used in cyber espionage. Morphisec's investigation found that this watering hole attack had very strong anti-detection and evasion characteristics: the attack is completely fileless, leaves no persistent or traceable artefacts on the victim's disk, and uses a custom protocol over a port that is not normally filtered. Generally speaking, this kind of advanced watering hole attack is highly targeted and indicates an attacker with very sophisticated resources behind it.
After the exploit code for CVE-2018-4878 was disclosed, state-sponsored hacking attacks, malware attacks and exploit-kit usage spread worldwide, and this watering hole attack is regarded as one of the most recent cases of CVE-2018-4878 exploitation. According to Morphisec's analysis report, the malicious code on the Hong Kong telecommunications company's website has since been removed and the site's security status has returned to normal.
Attack analysis
The attackers embedded the Flash exploit file into the home.php main page of the site.
This embedded Flash exploit is very similar to the previously published generic CVE-2018-4878 exploit programs, but differs in that it carries a post-exploitation payload.
Its shellcode starts the legitimate Windows rundll32.exe process and injects into it, using that process to hide the malicious code running in memory. The shellcode then downloads the follow-up code and injects it into the rundll32 process as well.
The C2 server used by the attacker is 106[.]185.24.241, located in Japan. It communicates with the victim host over port 443 using a custom protocol, which Morphisec is currently analysing in depth.
The attack uses Metasploit modules
The follow-up code that the shellcode downloads and injects into the rundll32 process space includes Metasploit Meterpreter and Mimikatz modules; judging by their timestamps, these modules were compiled the week before the attack, on February 15.
The module highlighted in yellow in Morphisec's screenshot is the original Metasploit exploit module.
Summary
Through its investigation, Morphisec found that the complexity of this watering hole attack suggests it was the prelude to a planned deeper attack, with a likely highly sophisticated attacker behind it. Morphisec stated that because the attack used the CVE-2018-4878 exploit and is highly similar to previously discovered state-linked hacking attacks, there may be some connection between them. Morphisec has not yet attributed the attack to a specific attacker and will continue to follow up with its investigation.
Attack indicators
Flash - 58D15B7A49193022D8FB9712FAC1A9E2
C2 - 106[.]185.24.241 (li715-241.members.linode[.]com:https)
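As an added defender's example (not code from Morphisec or myhack58), the following Python script applies the report's indicators to constructed Sysmon-style network-connection records: it flags rundll32.exe connecting to the reported C2 on port 443 as confirmed, treats any other rundll32.exe connection to an external host on 443 as suspicious (an added heuristic, since the injected process is the one that talks to the C2), and checks a file's MD5 against the reported Flash exploit hash. The field names and sample events are assumptions.

```python
import hashlib
import ipaddress

# Indicators quoted in the report (the IP is de-fanged there as 106[.]185.24.241).
FLASH_EXPLOIT_MD5 = "58d15b7a49193022d8fb9712fac1a9e2"
C2_ADDRESSES = {"106.185.24.241"}
C2_PORT = 443

def is_known_flash_exploit(data: bytes) -> bool:
    """True if the bytes hash to the MD5 reported for the embedded Flash exploit."""
    return hashlib.md5(data).hexdigest() == FLASH_EXPLOIT_MD5

def _is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)

def classify_connection(event: dict):
    """Classify one Sysmon Event ID 3 style record (assumed field names).

    'confirmed'  : rundll32.exe -> reported C2 on 443
    'suspicious' : rundll32.exe -> any other external host on 443 (added heuristic)
    None         : everything else
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return None
    dst, port = event.get("DestinationIp", ""), int(event.get("DestinationPort", 0))
    if dst in C2_ADDRESSES and port == C2_PORT:
        return "confirmed"
    if port == C2_PORT and _is_external(dst):
        return "suspicious"
    return None

def scan_events(events):
    """Return [(index, verdict)] for every flagged event."""
    flagged = [(i, classify_connection(e)) for i, e in enumerate(events)]
    return [(i, v) for i, v in flagged if v]

# Constructed sample telemetry, not data from the incident (8.8.8.8 is just an arbitrary public address).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "106.185.24.241", "DestinationPort": "443"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
    {"Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "106.185.24.241", "DestinationPort": "443"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "8.8.8.8", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for idx, verdict in scan_events(SAMPLE_EVENTS):
        print(idx, verdict, SAMPLE_EVENTS[idx]["DestinationIp"])
```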
