Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Security Safari: New Threats in the Wild
This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
Highlight: Chrome Heap Buffer Overflow Zero-Day
What Does It Do?: A heap overflow in the WebRTC component of the Chrome browser. This zero day was originally reported on July 1st and also affects the Android version of Chrome. Potential Impact: Heap overflows result in the possibility of pointers being overwritten in memory, which allows an attacker to redirect a program to malicious code. This can compromise all parts of the CIA triad and is of a high severity.
Potential Impact: With how heavily used Office is in an enterprise environment, this is a vulnerability that should be of special note to organizations. The lack of remediation, active exploit, and ease of use makes this a dangerous exploit for organizations that are unprepared, and can wreak havoc very quickly.
Remediation: A patch has been released by Chrome and is recommended for immediate download.
Highlight: Cryptominers on Linux through Confluence OGNL Injection
What Does It Do?: Shortly after the disclosure of vulnerability CVE-2022-26134 in June, Chinese-speaking APT ‘8220 Gang’ started using the vulnerability (a Confluence OGNL injection zero-day, discussed last month) for initial access into Apache Struts and Docker images. The attackers then establish persistence via cronjob and portscan for possible lateral movement candidates.
Potential Impact:As with all injections of this sort, the ability to install arbitrary code via injection can cause mass damage to all portions of the CIA triad. Combined with persistence and an apparent focus on stealth, this particular use of this vulnerability could slowly drain resources and spread unnoticed if proper monitoring and prevention is not utilized.
Remediation: Per Microsoft, admins should make use of Defender for Endpoint, keep up on updates, and use good credential hygiene to prevent spread.
Highlight: ManageEngine ADAudit Unauthenticated RCE
What Does It Do?: This remote code execution vulnerability allows attackers to exploit XML external entities, Java deserialization, and path traversal, the combination of which can provide an easy avenue to remote code execution.
Potential Impact: ManageEngine ADAudit Plus specializes in managing IT assets on a deep dive level, making exploit of this application especially concerning as it can quickly offer easy access to a wide variety of devices across an entire network. As with all RCEs, this is a very severe issue that can easily result in complete takeover and/or data exfiltration.
Remediation: A service pack has been released by Zoho and should be installed immediately for users on the affected version.
From The Field: Real World Use Cases In Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
Monitoring For Disabled Event Logging
When an adversary wants to make it hard for an investigator to find their activity, they either remove logs after they finish doing what they’d like to do or they prevent logging entirely. In this case, an attacker wanting to prevent logging would adjust the audit policy (secpol.msc) and the advanced policy (auditpol.exe). This could be system-wide or just for a specific set of services, and the use of the audit policy applications could include wiping the policy clear completely.
LogicHub’s detections for event logging can include information on where and when logs were disabled and under what categories/for which applications. Rather than finding out about a compromise or a lack of logs during an investigation after the fact, a notification that logs are being removed arrives after the detection completes.
Benefits to this Approach
This detection can make or break security entirely. Auditing logs means a record of what malicious activity may occur on machines, and having them available means a faster recovery and remediation. Disabled logs can be detrimental to operations without monitoring and alerting.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
VPNs Persist Despite Zero-Trust Fervor
When zero trust tells us that we should reduce our attack surfaces and trust no application, it’s surprising that businesses continue to trend towards VPN usage. It’s hard to fix the problems that VPNs cause in one fell swoop (like network-based trust to internal resources), and important to understand that they are not a one-size-fits-all solution to internal authentication.
How APTs Are Achieving Persistence Through IoT, OT, and Network Devices
No security? No problem! IoT has long been the scourge of security personnel, especially when looking back at Mirai. Today, we see APTs targeting IoT devices due to their lack of compatibility with security solutions and their iffy security (default passwords and questionable protocol usage, for instance).
Pair of Brand-New Cybersecurity Bills Become Law
These bills provide a lot to the world of cybersecurity, including the ability for federal workers to provide their expertise across multiple agencies and increased coordination between DHS and local agencies.
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor
Server-side request forgeries towards manufacturing, telecom, and transport sectors using Exchange Server ProxyLogon vulnerabilities. This Chinese-speaking APT started intrusions almost immediately after ProxyLogon became public knowledge.
API Security Losses Total Billions, But It’s Complicated
APIs are complicated and create a web of layered access to troves of data. So much so that US companies could lose between $12 and $23 billion in 2022 from API misconfigurations. It’s such a concern that OWASP started releasing their annual top ten list in 2019. Gaining visibility into API traffic and understanding asset usage of APIs seems to be key.
Some Worms Use Their Powers for Good
Worms are worms, whether they be the useful nightcrawlers or invasive hammerhead worms. Much like their relatives in the natural world, computer worms can be extremely destructive or a helpful tool that prevents attacks before they start. Hopper is a real worm that uses real exploit techniques and stealth, reporting back on vulnerabilities to help assist in remediation rather than doing damage.
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)
LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.
*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Tessa Mishoe. Read the original post at: https://www.logichub.com/blog/logichub-security-roundup-2022-edition-july