2017’s Notable Vulnerabilities and Exploits
A hacker or cybercriminal’s toolbox would not be complete without vulnerabilities and exploits. They are what social engineering is to fraudsters and scammers. In the first half of 2017, Trend Micro’s Zero Day Initiative discovered and disclosed 382 new vulnerabilities. Zero-days in 2017 increased to 49 from a mere eight the previous year. Any one of these can allow an attacker into a vulnerable system or network, which is why it’s important to keep the systems and applications updated (or deploy virtual patching). As this year’s biggest cybersecurity incidents showed, it only takes one weak link to affect millions.
Cloudbleed
Divulged by Google’s Project Zero team in February, Cloudbleed is a security issue in Cloudflare’s proxy services. The bug allowed unauthorized access to sensitive data in the memory of programs running on the internet infrastructure provider’s web servers, including credentials, website cookies and browsing sessions, Application Program Interface (API) keys, and private messages, some of which search engines like Google had cached.
Shadow Broker Exploit Dumps
In 2016, a hacker group named Shadow Brokers put several stolen hacking tools and exploits up for sale, but failed to make a profit. The group incrementally dumped the tools the following year, including the infamous EternalBlue exploit. The trove of leaked tools included more than 20 exploits and 30 information-stealing Trojans.
Apache Struts
The open-source framework used for building Java web applications grabbed headlines this year when the attack vector for the Equifax data breach was found to be a vulnerability in Apache Struts. The security flaw (CVE-2017-5638), which was patched last March, allowed attackers to gain unauthorized access to data via remote code execution. The impact was unprecedented, affecting 145 million U.S. and 400,000 U.K. customers, as well as 100,000
Toast Overlay
At the last Black Hat conference, security researchers presented their findings on a vulnerability (CVE-2017-0752) in the Android mobile operating system. Dubbed Toast Overlay, it can deceive unwitting users into installing malware by superimposing benign images atop malicious apps. Toast Overlay abuses the alerts and notifications features of Android’s Accessibility Service. All versions of Android were susceptible except the latest, Oreo.
BlueBorne
The vulnerabilities collectively dubbed BlueBorne are authentication, authorization, and information disclosure issues in Bluetooth implementations. When successfully exploited, BlueBorne can lead to man-in-the-middle attacks, letting hackers hijack the Bluetooth-enabled device.
Key Reinstallation Attack (KRACK)
Key Reinstallation Attack (KRACK) is a proof of concept that exploits vulnerabilities in the Wi-Fi Protected Access 2 (WPA2) protocol. KRACK targets flaws in how the WPA2 handshake (the exchange in which a device and an access point authenticate each other and negotiate keys) is carried out, letting an attacker eavesdrop on the network traffic between the device and the Wi-Fi access point.
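To show why a reinstalled handshake key lets an attacker eavesdrop, here is an added example that is not from the original article or from the KRACK researchers’ code. It substitutes a SHA-256 counter-mode keystream for CCMP’s AES-CTR (the effect is the same for any stream cipher): reinstalling the same key rewinds the per-key packet number, so two frames are encrypted with one keystream and their XOR leaks plaintext without the key ever being recovered. The `patched` flag models the install-once fix, and the sample frames are constructed.

```python
import hashlib
from itertools import count


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream standing in for CCMP's AES-CTR:
    block i = SHA-256(key || nonce || i). Same nonce => same keystream."""
    out = b""
    for i in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + i.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Sender side of a WPA2 link: a pairwise key plus a per-key packet number."""

    def __init__(self, key: bytes, patched: bool = False):
        self.key, self.nonce, self.patched = None, 0, patched
        self.install_key(key)

    def install_key(self, key: bytes) -> None:
        # Unpatched clients reset the packet number on every key install, so a
        # replayed handshake message 3 reinstalling the SAME key rewinds the nonce.
        if self.patched and key == self.key:
            return  # install-once fix: ignore reinstallation of an already-installed key
        self.key, self.nonce = key, 0

    def encrypt(self, plaintext: bytes):
        self.nonce += 1  # packet number must never repeat under one key
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


# Constructed sample frames of equal length (14 bytes each).
FRAME_A = b"GET / HTTP/1.1"
FRAME_B = b"Cookie: sid=42"


def reuse_leak(frame_a: bytes, frame_b: bytes, patched: bool = False):
    """Encrypt two frames with a key reinstall in between. Returns the keystream-
    reuse leak (frame_a XOR frame_b) if the nonce repeated, else None."""
    sta = Station(b"\x11" * 16, patched=patched)
    n1, c1 = sta.encrypt(frame_a)
    sta.install_key(sta.key)  # attacker-replayed message 3: same key again
    n2, c2 = sta.encrypt(frame_b)
    if n1 != n2:
        return None  # fresh nonce: the two ciphertexts are independent
    return xor(c1, c2)  # equals frame_a XOR frame_b; a known frame_a reveals frame_b
```

An eavesdropper who can guess one frame (a predictable request) XORs the leak with it to read the other; the patched station yields `None` because the nonce keeps counting.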
Controller Area Network (CAN)
CAN is the network protocol connecting in-vehicle equipment and systems, enabling them to communicate. It’s been the standard in modern cars since it debuted in production vehicles in 1989. A collaborative research effort from Trend Micro’s Forward-Looking Threat Research Team, Politecnico di Milano, and Linklayer Labs uncovered a design flaw in CAN—how it handles error messages, to be exact.
Intel Management Engine
On November 20, Intel released an advisory detailing several flaws in its Management Engine (ME). It’s a feature incorporated in Intel processor chips that lets system administrators remotely manage computers. The vulnerabilities reportedly also affect servers and internet-of-things (IoT) platforms. When successfully exploited, the flaws can give attackers access to ME and ME-related services, enabling them to execute arbitrary code and cause system crashes.