CVE-2019-0708 – BLUEKEEP

CVE-2019-0708 is a use-after-free (UAF) vulnerability in Remote Desktop Services on Windows operating systems (Windows XP through Windows Server 2008). Successful exploitation may allow an unauthenticated attacker to run arbitrary code at the kernel level of the system, or at least cause a denial of service; it could also lead to a complete takeover of the attacked system. During 2019, it was spotted mainly being abused by cryptomining malware such as Watchbog,[22] or in campaigns distributing such malware families.[23]

CVE-2017-11882

CVE-2017-11882 is a 17-year-old memory corruption issue in Microsoft Office that resides in Equation Editor (EQNEDT32.EXE), the Microsoft Office component that inserts or edits Object Linking and Embedding (OLE) objects in documents. It allows attackers to execute code remotely on a vulnerable machine once a malicious document is opened, with no further user interaction required.

Interestingly, this CVE, which was mentioned in the highest number of forums in this research, was spotted being exploited in multiple campaigns years after a patch became available, such as a spam campaign distributing RTF files to European users, an espionage campaign against the government sector in Central Asia, or a in 2019.[24] Moreover, according to the FBI and the DHS, it is one of the top ten flaws exploited by nation-state actors from China, North Korea, Russia and Iran.[25]

Among the nation-state groups spotted exploiting this CVE:

1. The Iranian group APT34 (aka OilRig).[26] According to researchers, they targeted a government organization in the Middle East.
2. The Pakistani Gorgon Group.[27] They abused this CVE during a campaign targeting different enterprises in India.
3. The Vietnamese OceanLotus group (aka APT32).[28] They abused this CVE against targets interested in Cambodian politics.
4. The Russian FIN7 group.[29] They abused this CVE while posing as the European Banking Federation.

22. https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/
23. https://thehackernews.com/2019/11/bluekeep-rdp-vulnerability.html; https://www.bleepingcomputer.com/news/security/windows-bluekeep-rdp-attacks-are-here-infecting-with-miners/
24. https://www.helpnetsecurity.com/2019/06/10/office-equation-editor-exploit/; https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html
25. https://www.infosecurity-magazine.com/news-features/exploited-state-fix/
26. https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
27. https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/
28. https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/; https://www.zdnet.com/article/oceanlotus-revamps-public-exploit-code-to-abuse-microsoft-office-software/
29. https://www.darkreading.com/endpoint/carbanak-cobalt-fin7-group-targets-russian-romanian-banks-in-new-attacks/d/d-id/1332707

9 Vulnerability Threat Intelligence Report
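Because CVE-2017-11882 is only reachable through an Equation Editor OLE object embedded in a document (RTF files being the delivery format named above), a defender can triage inbound documents for that object before any deeper analysis. The following is an added example, not code from the report or its sources; it assumes the publicly known Equation Editor 3.0 ProgID and CLSID, and the two RTF samples are constructed for the demonstration.

```python
"""Heuristic triage of RTF documents for embedded Equation Editor OLE objects.

Added example, not from the report. CVE-2017-11882 is reached through an OLE
object handled by Equation Editor (EQNEDT32.EXE), so flagging any document that
embeds an Equation Editor object is a cheap gateway/sandbox pre-filter.
"""
import re

# Known Equation Editor 3.0 identifiers: ProgID, CLSID
# {0002CE02-0000-0000-C000-000000000046} as little-endian GUID bytes, and
# the name of its OLE stream (stored as UTF-16 in the compound file).
EQ_PROGID = b"Equation.3"
EQ_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQ_STREAM = "Equation Native".encode("utf-16-le")

_OBJCLASS = re.compile(rb"\\objclass\s+([^\\{}\s]+)")
_OBJDATA = re.compile(rb"\\objdata\b([^{}]*)")
_NONHEX = re.compile(rb"[^0-9a-fA-F]")

def embedded_object_classes(rtf: bytes) -> list:
    """Return every \\objclass name declared for an OLE object in the RTF."""
    return [m.group(1).decode("latin-1") for m in _OBJCLASS.finditer(rtf)]

def objdata_blobs(rtf: bytes) -> list:
    """Hex-decode each \\objdata payload, ignoring whitespace and line breaks."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        hexdata = _NONHEX.sub(b"", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # tolerate truncation
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs

def references_equation_editor(rtf: bytes) -> bool:
    """True if the document declares or embeds an Equation Editor object."""
    if any(c.lower().startswith("equation") for c in embedded_object_classes(rtf)):
        return True
    return any(EQ_PROGID in b or EQ_CLSID in b or EQ_STREAM in b
               for b in objdata_blobs(rtf))

# Constructed samples (not real malware): a plain RTF, and one embedding an
# Equation.3 object whose payload carries the "Equation Native" stream name.
BENIGN_RTF = rb"{\rtf1\ansi Quarterly report.\par}"
EQ_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
          + EQ_STREAM.hex().encode("ascii") + rb"}}\par}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("equation", EQ_RTF)):
        print(f"{name}: {'FLAG' if references_equation_editor(doc) else 'ok'}")
```

A hit is a reason to send the file to analysis, not proof of exploitation: legitimate documents can embed equations, and obfuscated RTF may hide the object class, so this complements rather than replaces patching and disabling Equation Editor.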