The Cyber Attack Glossary
January 30, 2019
CVE – Common Vulnerabilities and Exposures (CVE) is a system of reference identifiers for publicly known vulnerabilities.
Each CVE ID is unique and identifies one specific vulnerability. IDs are assigned by CVE Numbering Authorities (CNAs); the primary CNA is the MITRE Corporation.
Emotet – Emotet is able to intercept network traffic in order to access bank and financial accounts. When it detects that it is running in a sandboxed environment, Emotet changes its behavior to avoid detection.
These days it spreads to new computers through malspam campaigns, mostly via links and macro-enabled documents.
Logical exploit – As opposed to an exploit that takes advantage of a ‘bug’ in the application, a logical exploit abuses a legitimate, intended use case of the system or application
in a way that eventually allows the attacker’s code to run.
Macro attack – A common way for attackers to run code on the victim’s computer is to embed malicious VBA macros in MS Office files.
This code, which usually runs automatically when the file is opened, typically relies on various obfuscation methods to avoid detection before it eventually attempts to run a payload.
NotPetya – In June 2017, a major attack was launched mostly against Ukrainian companies using what seemed to be a variant of Petya.
Ukrainian authorities and the CIA suspected that Russia launched the attack, which was disguised as ransomware but was really a sophisticated tool that targeted key Ukrainian computer systems.
NotPetya received its name because of the major differences from earlier Petya versions. The destruction it caused is estimated in billions of dollars.
Petya – Initially discovered in March 2016, Petya is a family of ransomware that was widely spread through malicious email attachments.
Petya carries out its attack by infecting the Master Boot Record (MBR) so that its payload runs at boot time, encrypting the hard drive and preventing the computer from booting.
Sandbox Evasion – Sandboxing security solutions work by opening files in a ‘controlled environment’ and monitoring their actions – API calls, file access, network activity – to characterize their behavior and determine whether they are malicious.
Attackers have developed multiple evasion techniques to bypass sandboxes.
WannaCry – A ransomware worm that spread widely in May 2017. It is said to have affected more than 200K computers across 150 countries.
The damage WannaCry caused is estimated in hundreds of millions of dollars. North Korea is believed to have been behind the attack.
A variant of WannaCry was able to temporarily shut down Taiwan Semiconductor Manufacturing Company in August 2018.