LogicHub Security RoundUp: July 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

Watch the Security RoundUp – July 2022

Security Safari: New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

Highlight: Chrome Heap Buffer Overflow Zero-Day

What Does It Do?: A heap overflow in the WebRTC component of the Chrome browser. This zero day was originally reported on July 1st and also affects the Android version of Chrome. Potential Impact: Heap overflows result in the possibility of pointers being overwritten in memory, which allows an attacker to redirect a program to malicious code. This can compromise all parts of the CIA triad and is of a high severity.
Potential Impact: With how heavily used Office is in an enterprise environment, this is a vulnerability that should be of special note to organizations. The lack of remediation, active exploit, and ease of use makes this a dangerous exploit for organizations that are unprepared, and can wreak havoc very quickly.
Remediation: A patch has been released by Chrome and is recommended for immediate download.
More information

Highlight: Cryptominers on Linux through Confluence OGNL Injection

What Does It Do?: Shortly after the disclosure of vulnerability CVE-2022-26134 in June, Chinese-speaking APT ‘8220 Gang’ started using the vulnerability (a Confluence OGNL injection zero-day, discussed last month) for initial access into Apache Struts and Docker images. The attackers then establish persistence via cronjob and portscan for possible lateral movement candidates.
Potential Impact:As with all injections of this sort, the ability to install arbitrary code via injection can cause mass damage to all portions of the CIA triad. Combined with persistence and an apparent focus on stealth, this particular use of this vulnerability could slowly drain resources and spread unnoticed if proper monitoring and prevention is not utilized.
Remediation: Per Microsoft, admins should make use of Defender for Endpoint, keep up on updates, and use good credential hygiene to prevent spread.
More information

Highlight: ManageEngine ADAudit Unauthenticated RCE

What Does It Do?: This remote code execution vulnerability allows attackers to exploit XML external entities, Java deserialization, and path traversal, the combination of which can provide an easy avenue to remote code execution.
Potential Impact: ManageEngine ADAudit Plus specializes in managing IT assets on a deep dive level, making exploit of this application especially concerning as it can quickly offer easy access to a wide variety of devices across an entire network. As with all RCEs, this is a very severe issue that can easily result in complete takeover and/or data exfiltration.
Remediation: A service pack has been released by Zoho and should be installed immediately for users on the affected version.
More information

From The Field: Real World Use Cases In Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Monitoring For Disabled Event Logging

When an adversary wants to make it hard for an investigator to find their activity, they either remove logs after they finish doing what they’d like to do or they prevent logging entirely. In this case, an attacker wanting to prevent logging would adjust the audit policy (secpol.msc) and the advanced policy (auditpol.exe). This could be system-wide or just for a specific set of services, and the use of the audit policy applications could include wiping the policy clear completely.

Automated Solution

LogicHub’s detections for event logging can include information on where and when logs were disabled and under what categories/for which applications. Rather than finding out about a compromise or a lack of logs during an investigation after the fact, a notification that logs are being removed arrives after the detection completes.

Benefits to this Approach

This detection can make or break security entirely. Auditing logs means a record of what malicious activity may occur on machines, and having them available means a faster recovery and remediation. Disabled logs can be detrimental to operations without monitoring and alerting.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

VPNs Persist Despite Zero-Trust Fervor

When zero trust tells us that we should reduce our attack surfaces and trust no application, it’s surprising that businesses continue to trend towards VPN usage. It’s hard to fix the problems that VPNs cause in one fell swoop (like network-based trust to internal resources), and important to understand that they are not a one-size-fits-all solution to internal authentication.
Learn more

How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

No security? No problem! IoT has long been the scourge of security personnel, especially when looking back at Mirai. Today, we see APTs targeting IoT devices due to their lack of compatibility with security solutions and their iffy security (default passwords and questionable protocol usage, for instance).
Learn more

Pair of Brand-New Cybersecurity Bills Become Law

These bills provide a lot to the world of cybersecurity, including the ability for federal workers to provide their expertise across multiple agencies and increased coordination between DHS and local agencies.
Learn more

APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

Server-side request forgeries towards manufacturing, telecom, and transport sectors using Exchange Server ProxyLogon vulnerabilities. This Chinese-speaking APT started intrusions almost immediately after ProxyLogon became public knowledge.
Learn more

API Security Losses Total Billions, But It’s Complicated

APIs are complicated and create a web of layered access to troves of data. So much so that US companies could lose between $12 and $23 billion in 2022 from API misconfigurations. It’s such a concern that OWASP started releasing their annual top ten list in 2019. Gaining visibility into API traffic and understanding asset usage of APIs seems to be key.
Learn more

Some Worms Use Their Powers for Good

Worms are worms, whether they be the useful nightcrawlers or invasive hammerhead worms. Much like their relatives in the natural world, computer worms can be extremely destructive or a helpful tool that prevents attacks before they start. Hopper is a real worm that uses real exploit techniques and stealth, reporting back on vulnerabilities to help assist in remediation rather than doing damage.
Learn more

Recommended Sources

Podcasts:
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)

Websites:
https://krebsonsecurity.com
https://threatpost.com
https://www.darkreading.com
https://www.wired.com
https://www.social-engineer.org
https://thecyberwire.com
https://news.sophos.com/en-us
https://www.bleepingcomputer.com
https://techcrunch.com

Watch the LogicHub Security RoundUp: June 2022 Edition video

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.


*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Tessa Mishoe. Read the original post at: https://www.logichub.com/blog/logichub-security-roundup-2022-edition-july