Welcome to the Top Hacks and Exploits of 2017!
In this article we will be listing hacks and exploits of 2017! Please note this is not all the CVE's that came out this year.
We will also post links to the Metasploit modules, POC or scripts for the exploits, because... well.... no one else does in their articles! LAAAAME!! We all should know how to use Google by now? Right? It is 2018 after all.......
Now that I think about it.... I haven't found another article online yet that lists the hacks for the 2017 year, so here we gooooooooooooo!
Cisco warned users on April 10 that an exploit targeting the flaw had been made public and provided some mitigation advice, but patched the issue soon after.
Once exploited, an unauthenticated, remote attacker can remotely execute malicious code on a device with elevated privileges to take full control of the device or cause a reboot of the affected device.
The vulnerability is in the default configuration of the affected Cisco devices and affects 264 Catalyst switches, 51 industrial Ethernet switches, and 3 other devices if they are running IOS and are configured to accept Telnet connections.
The Shadow brokers also release 3 Cisco exploits this year that affect Cisco ASA, Cisco PIX, and Cisco Firewall.
These exploits were dubbed EXTRABACON, EPICBANANA, and JETPLOW.
NSA and Eternal Blue
The Eternalblue exploit got famous due to it being used in Wannacry ransomware. The WannaCry ransomware attacks were one of the most powerful cyber attacks the online world had ever witnessed. WannaCry infection began from the United Kingdom's National Health Service (NHS) on May 12th, 2017 and took control of 200,000 outdated Windows-based devices in 150 countries.
Although Shadow Breakers appeared in the summer of 2016, after hacking the National Security Agency (NSA) and leaking its hacking tools and exploits. Those exploits were later on used by hackers and cybercriminals to spread WannaCry, Bad Rabbit, and Petya malware.
However, the group made a comeback and leaked yet another trove of Windows exploits. According to New York Times NSA had been "deeply infiltrated" over the years, especially after The Shadow Brokers conducted a massive data breach against its cyber infrastructure.
This exploit well known for the Equifax breach and was rated critical with a maximum 10.0 score
Apache Struts CVE-2017-5638
The Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 18.104.22.168.
The Equifax breach exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said on 9/1/17.
It probability didn't help either that Equifax bash history was left on a pubic Github! Shame Shame.....
https://pastebin.com/w2SfQGqK EquiFax bash history Github
Apache Struts cve-2017-9805
Subsequent to the Equifax breach, the Apache Foundation released fixes for a number of additional Apache Struts 2 vulnerabilities (CVE-2017-9805, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611)
This Apache exploit was also used in the SANS Holiday Hack Challenge to access the public web server. Fun times!
Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.
Armis has released POC scripts that currently work for a unpatched Pixel 7.1.2 patch level Aug/July 2017 and Nexus 5X 7.1.2 patch level Aug/July 2017. Another security researcher was able to get a POC working for another version of Android as well. Blueborne has many CVE codes and all of them are available on the official website.
Security researcher Mathy Vanhoef publicly disclosed a serious vulnerability in the WPA2 encryption protocol this year. Most devices and routers currently rely on WPA2
to encrypt your WiFi traffic, so chances are you're affected.
WPA2 is a type of encryption used to secure the vast majority of Wi-Fi networks. A WPA2 network provides unique encryption keys for each wireless client that connects to it. The vulnerability, dubbed "KRACK" (Key Reinstallation AttaCKs), is actually a group of multiple vulnerabilities that when successfully exploited, could allow attackers to intercept and steal data transmitted across a Wi-Fi network.
The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Abusing Microsoft DDE
Senspost originally wrote an article on how you can get command execution on MSWord without any Macros, or memory corruption.
This was later used in multiple malware attacks.
Attackers behind Locky and Hancitor were actively abused Microsoft's Dynamic Data Exchange (DDE) feature to infect victims with booby-trapped Office documents.
The DDE feature allows Office programs to load data from other Office programs. Attackers can abuse this functionality by using it to load instructions to launch a command prompt and run malicious code.
Microsoft originally did not patch this as it was not classified as an "exploit" but then later decided to make a patch later in the year in December.The DDE code execution was later also found to work with copies of Outlook as well as Word.
More links can be found in a tutorial on this site about Abusing DDE
FireEye Uncovers CVE-2017-8759
FireEye originally discovered a 0day (CVE-2017-8759) in the wild to distribute FINSPY malware. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.
FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance.
This vulnerability affects Oracle Identity Manager (OIM) component of Oracle Fusion Middleware—an enterprise identity management system that automatically
manages users' access privileges within enterprises.
The security loophole is due to a "default account" that an unauthenticated attacker over the same network can access via HTTP to compromise Oracle Identity Manager. The bug impacts Oracle Identity Manager versions 22.214.171.124, 126.96.36.199, 188.8.131.52.0, 184.108.40.206.0, 220.127.116.11.0, and 18.104.22.168.0.
Huawei 0 day
Researchers at Check Point have discovered a zero-day vulnerability in Huawei home router HG532. Thousands of attempts have been made to exploit the flaw in the wild. Analysts picked up on suspicious security alerts from sensors and honeypots, which pointed to attacks exploiting an unknown vulnerability in HG532 routers. The attackers' goal was to create an updated variant of the Mirai botnet, which caused infrastructure damage around the world in 2016.
The 0 day for the Huawei router was also dropped on pastebin on Christmas day, what a nice Santa!
Well that's it my hacker friends! Here's a link to another article about the top data breaches of 2017!