Sources cited on this page:

22. https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/
23. https://thehackernews.com/2019/11/bluekeep-rdp-vulnerability.html; https://www.bleepingcomputer.com/news/security/windows-bluekeep-rdp-attacks-are-here-infecting-with-miners/
24. https://www.helpnetsecurity.com/2019/06/10/office-equation-editor-exploit/; https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html
25. https://www.infosecurity-magazine.com/news-features/exploited-state-fi…/ (path truncated in the source)
26. https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
27. https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/
28. https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/; https://www.zdnet.com/article/oceanlotus-revamps-public-exploit-code-to-abuse-microsoft-office-software/
29. https://www.darkreading.com/endpoint/carbanak-cobalt-fin7-group-targets-russian-romanian-banks-in-new-attacks/d/d-id/1332707

CVE-2019-0708 – BLUEKEEP

CVE-2019-0708 is a use-after-free (UAF) vulnerability in Remote Desktop Services on older Windows versions (Windows XP and Windows Server 2003 through Windows 7 and Windows Server 2008 R2). Because the flaw is reachable before authentication, a successful exploit lets an unauthenticated attacker execute arbitrary code in kernel mode and take over the system; a failed attempt typically crashes the host, i.e. a denial of service. During 2019 it was spotted mainly being abused by cryptomining malware, such as Watchbog,22 or in campaigns distributing such malware families.23

CVE-2017-11882

CVE-2017-11882 is a 17-year-old memory corruption issue in Microsoft Office that resides within Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents.
Once a malicious document is opened, it lets an attacker execute code on the vulnerable machine with no further user interaction. Interestingly, this CVE, which was mentioned in the highest number of forums in this research, was still being exploited years after a patch became available, in campaigns such as a 2019 spam campaign distributing malicious RTF files to European users and a 2019 espionage campaign against the government sector in Central Asia.24 Moreover, according to the FBI and the DHS, it is one of the top ten flaws exploited by nation-state actors from China, North Korea, Russia and Iran.25

Among the nation-state and other advanced groups spotted exploiting this CVE:

1. The Iranian group APT34 (aka OilRig).26 According to researchers, they targeted a government organization in the Middle East.
2. The Pakistani Gorgon Group.27 They abused this CVE in a campaign targeting small and medium-sized enterprises in India.
3. The Vietnamese OceanLotus group (aka APT32).28 They abused this CVE against targets interested in Cambodian politics.
4. The financially motivated FIN7 group (aka Carbanak), generally assessed to be Russian-speaking.29 They abused this CVE while posing as the European Banking Federation.

9 Vulnerability Threat Intelligence Report
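The CVE-2017-11882 campaigns above all rely on a document that embeds an Equation Editor (Equation.3) OLE object, which Office hands to EQNEDT32.EXE when the file is opened. A practical triage check for inbound RTF attachments is therefore to look for that object class. The script below is an added example, not code from the report or from any of the cited sources; it assumes the standard RTF object syntax and the OLE1 embedded-object header layout, and both sample documents are constructed (the Equation.3 payload is placeholder bytes, not an exploit). The CLSID constant is that of Microsoft Equation 3.0.

```python
r"""Heuristic triage of RTF attachments for embedded Equation Editor (Equation.3)
OLE objects, the carrier used by CVE-2017-11882 exploit documents.

Added example, not code from the report. It assumes the standard RTF object
syntax ({\object ... {\*\objclass ...}{\*\objdata <hex>}}) and the OLE1
embedded-object header layout; the sample documents below are constructed."""
import binascii
import re
import uuid

# Class id of Microsoft Equation 3.0 (EQNEDT32.EXE); appears in OLE2 CompObj data.
EQUATION3_CLSID = "0002CE02-0000-0000-C000-000000000046"

# Constructed OLE1 embedded-object header naming Equation.3, followed by
# four placeholder bytes instead of a real MTEF stream (this is NOT an exploit).
EQNEDT_OLE1_HEX = (
    "01050000"                           # OLEVersion
    "02000000"                           # FormatID 2 = embedded object
    "0b000000"                           # class-name length, incl. NUL
    + "Equation.3\0".encode().hex()      # class name
    + "00000000" "00000000"              # topic-name and item-name lengths
    + "04000000" "deadbeef"              # native-data length and placeholder data
)

# Constructed samples: one carrying an Equation.3 object, one with a benign embed.
SAMPLE_RTF = (
    r"{\rtf1\ansi Quarterly report attached."
    r"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + EQNEDT_OLE1_HEX + "}}}"
)
BENIGN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}"
    r"{\*\objdata 0105000002000000}} Hello}"
)

OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^{}\\;]+)")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_blob: str) -> bytes:
    """Hex-decode an \\objdata payload, ignoring whitespace and a dangling nibble."""
    clean = re.sub(r"\s+", "", hex_blob)
    return binascii.unhexlify(clean[: len(clean) - len(clean) % 2])


def scan_rtf(rtf: str) -> dict:
    """Return the object classes found and whether any object is Equation Editor."""
    classes = [c.strip() for c in OBJCLASS_RE.findall(rtf)]
    blobs = [decode_objdata(h) for h in OBJDATA_RE.findall(rtf)]
    clsid_le = uuid.UUID(EQUATION3_CLSID).bytes_le   # on-disk (little-endian) form
    indicators = []
    for cls in classes:
        if cls.lower().startswith("equation"):
            indicators.append(f"objclass {cls}")
    for i, blob in enumerate(blobs):
        if b"Equation." in blob:          # OLE1 header class name
            indicators.append(f"objdata[{i}] names an Equation class")
        if clsid_le in blob:              # OLE2 CompObj / CLSID stream
            indicators.append(f"objdata[{i}] contains the Equation.3 CLSID")
    return {
        "objclasses": classes,
        "objects": len(blobs),
        "equation_editor": bool(indicators),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

This is a triage heuristic, not proof of exploitation: real exploit documents often obfuscate the RTF (junk control words inside `\objdata`, split or nested groups) to defeat exactly this kind of regex, so for production use feed the file to a full RTF/OLE parser such as oletools' rtfobj and extract the object for inspection. The presence of any Equation.3 object in new inbound mail is itself a strong signal, since Microsoft removed Equation Editor from Office in January 2018.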