Netizen Threat Brief: 7 March 2018 Edition

Threats

Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. Adobe Acrobat Reader DC Remote Code Execution
  2. Misconfigured Memcached Servers
  3. WordPress ionCube Malware

1. Adobe Acrobat Reader DC Remote Code Execution

Overview

A remote code execution vulnerability has been discovered in Adobe Acrobat Reader DC. It is triggered when a malicious PDF file is opened or when a socially engineered web page is visited.

Malicious JavaScript code hidden inside a PDF file can cause a document ID to perform unauthorized operations that trigger a stack-based buffer overflow when the file is opened; an attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code. This vulnerability poses a great threat because Adobe Acrobat Reader is by far the most popular PDF reader, with a large user base; it is often the default PDF reader on a system and also integrates with web browsers as a plugin for rendering PDF documents.

Recommendations

Affected Adobe Acrobat Reader versions include:

  • 009.20050
  • 011.30070
  • 006.30394
  • And earlier versions

Adobe has released security updates for Adobe Acrobat and Reader, and we recommend applying those updates as soon as possible.

It is also important to exercise good end-user awareness:

  • Examine your emails.
  • Hover over links and attachments—when you hover over a link, a small window pops up to show you where the link really goes. If the real link doesn’t match the sender or doesn’t match what you expect, assume it is poisoned and don’t click it.
  • Do you know the sender? Verify with the person on the email that they truly sent it.

2. Misconfigured Memcached Servers

Overview

Cybercriminals have long used denial of service (DoS) and distributed denial of service (DDoS) attacks, which paralyze networks and systems by flooding them with egregious amounts of data. Recently, these cybercriminals have been leveraging misconfigured Memcached servers to amplify such attacks by as much as 51,200x. Memcached is a memory caching system used to bolster the responsiveness of database-driven websites.

Attackers send a small UDP request to a memcached server on port 11211, with the source address spoofed so that the packet appears to come from the intended target of the DDoS attack. The memcached server then sends the spoofed target a massively disproportionate response.

Recommendations

If using memcached servers, we recommend:

  • Disable UDP support if you are not using it, as it is enabled by default.
  • Ensure that your memcached servers are firewalled from the internet.
  • Block port 11211 over both UDP and TCP.
  • Developers should also stop using UDP and stop enabling it by default.

If using UDP, respond with a strictly smaller packet size than the request—otherwise, the protocol can be abused.
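As an added illustration of the first two recommendations (not part of the original brief), the following POSIX shell check reads a Debian-style memcached.conf (one option per line, an assumption) and reports whether the UDP listener (`-U`) is still on and whether the listen address (`-l`) leaves the server reachable from every interface. The sample configs are constructed here for the self-check.

```shell
#!/bin/sh
# Audit a memcached config file (one option per line, as in Debian's
# /etc/memcached.conf) for the two settings that let a server be used as a
# DDoS reflector: the UDP listener and a listen address reachable from the
# internet. Prints one finding per line; returns 0 when hardened, 1 otherwise.
audit_memcached_conf() {
    conf="$1"
    rc=0
    # "-U 0" turns the UDP listener off. Any other port, or no -U line at
    # all (builds of this era enable UDP by default), counts as enabled.
    udp=$(sed -n 's/^[[:space:]]*-U[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ "$udp" != "0" ]; then
        echo "EXPOSED: UDP listener enabled (-U ${udp:-default}); set '-U 0'"
        rc=1
    fi
    # "-l" binds the listeners; missing, 0.0.0.0 or :: means every interface.
    listen=$(sed -n 's/^[[:space:]]*-l[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$listen" in
        127.0.0.1|::1|localhost) ;;
        ""|0.0.0.0|::)
            echo "EXPOSED: listening on all interfaces (-l ${listen:-unset}); bind to 127.0.0.1 or a private address"
            rc=1 ;;
        *)  echo "CHECK: listening on $listen; confirm 11211/tcp and 11211/udp are firewalled from the internet" ;;
    esac
    return $rc
}

# Constructed sample configs (not from a real host) to exercise the check.
weak_conf=$(mktemp)
printf '%s\n' '-m 64' '-p 11211' '-U 11211' '-l 0.0.0.0' > "$weak_conf"
hard_conf=$(mktemp)
printf '%s\n' '-m 64' '-p 11211' '-U 0' '-l 127.0.0.1' > "$hard_conf"

audit_memcached_conf "$weak_conf" || echo "=> weak config is exposed (2 findings)"
audit_memcached_conf "$hard_conf" && echo "=> hardened config passes"
```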

3. WordPress ionCube Malware

Overview

A new, subtle strain of malware that poses as legitimate ionCube files, aptly named ionCube Malware, has been discovered. Cybercriminals are using it to create backdoors on vulnerable websites, which allows them to steal data or plant more damaging malware.

ionCube is a commercial PHP encoder that turns text-based PHP files—used to create dynamic content on websites—into undecipherable code, often to protect the intellectual property associated with licensed PHP files.

Recommendations

The malware infections are being attributed to out-of-date content management system (CMS) plugins and platform software. Samples identified in the infections are named “diff98.php” and “wrgcduzk.php” and were found in the WordPress core directories. Cybercriminals are also naming parts of the malicious ionCube code very similarly to legitimate code. For example, the real code may look like “_il_exec”, whereas the cybercriminals will use “il_exec”.

We recommend keeping all CMS plugins and software up to date. One of WordPress’ biggest weaknesses is out-of-date plugins, which makes plugin management very important. It would also prove beneficial to examine the ionCube files for inconsistencies and inaccuracies to make sure that nothing has been tampered with.
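As an added example (not part of the original brief), this POSIX shell hunt turns the indicators above into a check you can run against a WordPress document root: it reports the two sample file names and any PHP file carrying the look-alike identifier “il_exec” while leaving the genuine “_il_exec” alone. The sample tree it scans is constructed inline, not taken from a real site.

```shell
#!/bin/sh
# Hunt a WordPress install for the indicators described above: the two sample
# file names seen in the infections, and PHP files carrying the look-alike
# identifier "il_exec" (legitimate ionCube loader code uses "_il_exec").
# Prints one "REASON: path" line per hit; prints nothing when the tree is clean.
scan_wp_for_ioncube_malware() {
    root="$1"
    {
        # (a) Known sample names, anywhere under the web root.
        find "$root" -type f \( -name diff98.php -o -name wrgcduzk.php \) \
            | sed 's/^/SAMPLE-NAME: /'
        # (b) "il_exec" not preceded by "_" (or another identifier character),
        #     so the genuine "_il_exec" is not reported.
        grep -rlE --include='*.php' '(^|[^_A-Za-z0-9])il_exec' "$root" \
            | sed 's/^/LOOKALIKE-ID: /'
    } | sort
}

# Constructed sample tree (not a real site): a clean file, a genuine
# "_il_exec" reference that must not be flagged, and three planted hits.
wp=$(mktemp -d)
mkdir -p "$wp/wp-includes" "$wp/wp-admin"
printf '%s\n' '<?php echo "clean";' > "$wp/wp-admin/index.php"
printf '%s\n' '<?php if (function_exists("_il_exec")) { _il_exec(); }' > "$wp/wp-includes/loader.php"
printf '%s\n' '<?php /* planted */' > "$wp/wp-includes/diff98.php"
printf '%s\n' '<?php /* planted */' > "$wp/wp-admin/wrgcduzk.php"
printf '%s\n' '<?php if (function_exists("il_exec")) { il_exec(); }' > "$wp/wp-includes/hidden.php"

scan_wp_for_ioncube_malware "$wp"   # three hits: diff98.php, wrgcduzk.php, hidden.php
```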

How can Netizen help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and other security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
