Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Security Safari: New Threats in the Wild
This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
Highlight: Follina Zero-Day
What Does It Do?: Follina is the new Microsoft Office zero-day currently dominating security channels. The vulnerability takes advantage of a component in the Microsoft Support Diagnostic Tool (MSDT), using it for arbitrary code execution. The zero-day is delivered via Office documents that call out to the MSDT. This vulnerability is being actively exploited in the wild.
Potential Impact: With how heavily used Office is in an enterprise environment, this is a vulnerability that should be of special note to organizations. The lack of a patch, active exploitation, and ease of use make this a dangerous exploit for organizations that are unprepared, and it can wreak havoc very quickly.
Remediation: There have been no patches released or announced for this issue. The mitigations prescribed by Microsoft are not feasible in every environment.
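Because the document itself calls out to MSDT, the most reliable hunting signal while no patch exists is process telemetry: an Office application spawning msdt.exe. The following detection logic is an added example (not LogicHub's or Microsoft's code); the process-creation events and their field names are constructed for the example.

```python
"""Flag process-creation events where an Office application spawns msdt.exe.

Added example, not code from LogicHub or Microsoft. Field names
(parent_image, image, host, user) are assumed; map them to whatever your
EDR or Sysmon pipeline emits. Sample events below are constructed.
"""
import ntpath

# Office applications that open attacker-supplied documents
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"

# Constructed sample process-creation events (one dict per event)
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws02", "user": "bob",
     "parent_image": r"C:\Windows\explorer.exe",          # user opened Troubleshoot manually
     "image": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws03", "user": "carol",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws01", "user": "alice",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},                  # normal print-spooler helper
]


def basename_lower(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def is_office_spawning_msdt(event: dict) -> bool:
    """True when the parent is an Office app and the child is msdt.exe."""
    parent = basename_lower(event.get("parent_image", ""))
    child = basename_lower(event.get("image", ""))
    return parent in OFFICE_PARENTS and child == MSDT_IMAGE


def detect(events: list) -> list:
    """Return one alert dict per matching event, suitable for case creation."""
    alerts = []
    for event in events:
        if is_office_spawning_msdt(event):
            alerts.append({
                "rule": "office_spawns_msdt",
                "host": event.get("host"),
                "user": event.get("user"),
                "parent": basename_lower(event.get("parent_image", "")),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Explorer launching msdt.exe is a normal troubleshooting path and is deliberately not flagged; the rule keys on the parent process, which is what distinguishes document-driven launches from user-driven ones.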
Highlight: Zyxel Buffer Overflows
What Does It Do?: This vulnerability affects the Zyxel zysh binary shell, which can be accessible via SSH, telnet, or browser. The issues found span multiple bug classes, including format string bugs and a command injection bug. Researchers released a proof of concept to demonstrate the relative ease of exploitation.
Potential Impact: Buffer overflows can cause a wide variety of issues in any environment. Of these bugs, one was exploitable for remote code execution while the other was not.
Remediation: Patches are available for each of these CVEs from the vendor.
Highlight: Chrome Use After Free and Out of Bounds Access
What Does It Do?: Seven total vulnerabilities were announced by the Chrome team, with four being of high severity. The details on these high severity vulnerabilities have mostly been withheld until the majority of users can update, but we do know that they involve a use after free in WebGPU and ANGLE, as well as out of bounds access in compositing and WebGL. In other words, all of these are memory management issues in different parts of the software.
Potential Impact: Use after free and out of bounds access are both relatively serious issues, and though we don’t know how serious yet, they can potentially lead to widespread code execution or unauthorized changes.
Remediation: Chrome has released an update for these issues and urges users to patch immediately.
This issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. An attacker may be able to cause unexpected application termination or arbitrary code execution.
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
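The dpkg issue above is the general in-place extraction hazard: a crafted tarball carries member names or link targets that resolve outside the destination directory. The following added example (not dpkg's code) shows the defensive check that rejects such members before anything is written; the archive is constructed in memory.

```python
"""Validate every tar member against the destination before extracting.

Added example; not dpkg's code. Rejects absolute names, names that resolve
outside the destination, and symlinks/hardlinks whose targets do so. The
sample archive is constructed in memory with one good file, one traversal
entry and one symlink pointing outside the destination.
"""
import io
import os
import tarfile


def _is_within(base: str, target: str) -> bool:
    """True when target, after resolving '..' and existing symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would write or link outside dest."""
    bad = []
    for member in tar.getmembers():
        if os.path.isabs(member.name) or not _is_within(dest, os.path.join(dest, member.name)):
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # link targets are relative to the member's own directory
            link_target = os.path.join(dest, os.path.dirname(member.name), member.linkname)
            if os.path.isabs(member.linkname) or not _is_within(dest, link_target):
                bad.append(member.name)
    return bad


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only if no member escapes dest; otherwise refuse the whole archive."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    tar.extractall(dest)


def build_sample_archive() -> tarfile.TarFile:
    """Constructed tarball: a normal file, a '../' traversal entry, an absolute symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as out:
        data = b"hello\n"
        info = tarfile.TarInfo("pkg/README")
        info.size = len(data)
        out.addfile(info, io.BytesIO(data))

        info = tarfile.TarInfo("../escape.txt")      # lands in dest's parent
        info.size = len(data)
        out.addfile(info, io.BytesIO(data))

        info = tarfile.TarInfo("pkg/link")           # symlink out of the tree
        info.type = tarfile.SYMTYPE
        info.linkname = "/etc/passwd"
        out.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    print(unsafe_members(build_sample_archive(), "/tmp/dpkg-example-dest"))
```

Python 3.12 adds `extractall(..., filter="data")`, which performs equivalent checks; the explicit version above runs on older interpreters and makes the rejected names visible for logging.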
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerability.
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
From The Field: Real World Use Cases In Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
Automating with Darktrace
Darktrace is an integration that has been recently tuned in the LogicHub environment. Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment. Working with the raw data directly, an analyst would have to correlate activity manually and would need a long time to establish the environment's baseline.
When the Darktrace integration is added to a playbook or command, it takes data from LogicHub ingested sources and pushes it through Darktrace’s API. Darktrace can then perform correlation, return that data back to the playbook/command, and provide information for further research. When this integration is added into a larger flow, that data can be used against other integration outputs or when exploring other sources to create a seamless, snappy detection.
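The following playbook step is an added example of the flow just described; it is not LogicHub's or Darktrace's code and does not use either product's real API. It assumes a client with a lookup_device(ip) method that returns a baseline-deviation score, and FakeDarktraceClient stands in for that call with constructed data so the step runs offline.

```python
"""Playbook step: enrich ingested events with a device's baseline-deviation score.

Added example, not LogicHub's or Darktrace's code. Assumed interface: a client
exposing lookup_device(ip) -> {"score": 0-100, "breaches": [...]} or None when
the device is unknown. Events, scores and model names are constructed.
"""
from dataclasses import dataclass


@dataclass
class Event:
    source: str      # ingesting integration (e.g. firewall, EDR)
    src_ip: str
    signature: str
    severity: int    # 1 (low) .. 5 (critical), as assigned by the source


class FakeDarktraceClient:
    """Stand-in for the integration's API call; returns constructed data."""
    _DEVICES = {
        "10.0.0.15": {"score": 92, "breaches": ["Unusual External Data Transfer"]},
        "10.0.0.22": {"score": 8, "breaches": []},
    }

    def lookup_device(self, ip: str):
        return self._DEVICES.get(ip)          # None when the device has no baseline yet


def combined_risk(event: Event, enrichment) -> int:
    """Blend source severity (scaled to 0-100) with the baseline-deviation score.

    Unknown devices fall back to the source severity alone so a critical alert is
    never suppressed just because the baseline has not seen the host.
    """
    source_part = event.severity * 20
    if enrichment is None:
        return source_part
    return round(0.4 * source_part + 0.6 * enrichment["score"])


def build_cases(events: list, client, threshold: int = 60) -> dict:
    """One case per device whose combined risk reaches the threshold."""
    cases = {}
    for event in events:
        enrichment = client.lookup_device(event.src_ip)
        risk = combined_risk(event, enrichment)
        if risk < threshold:
            continue                          # behaves normally for this device: no case
        case = cases.setdefault(event.src_ip, {"risk": 0, "events": [], "breaches": []})
        case["risk"] = max(case["risk"], risk)
        case["events"].append(f"{event.source}:{event.signature}")
        if enrichment:
            for breach in enrichment["breaches"]:
                if breach not in case["breaches"]:
                    case["breaches"].append(breach)
    return cases


# Constructed sample input: two hits on one device, one benign-looking device, one unknown
SAMPLE_EVENTS = [
    Event("firewall", "10.0.0.15", "outbound to newly seen domain", 2),
    Event("firewall", "10.0.0.22", "port scan inbound", 4),
    Event("edr", "10.0.0.15", "archive tool spawned by office app", 3),
    Event("edr", "10.0.0.99", "credential dumping tool", 5),
]

if __name__ == "__main__":
    for ip, case in build_cases(SAMPLE_EVENTS, FakeDarktraceClient()).items():
        print(ip, case)
```

The severity-4 scan against 10.0.0.22 is dropped because the device's baseline says it is behaving normally, while the two low-severity hits on 10.0.0.15 merge into one high-risk case; that is the false-positive reduction the section describes.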
Benefits to this Approach
When using an integration in a playbook, an analyst or engineer can quickly use that connection’s API without having to worry about extensive setup. The result of this is faster automation, more effective case creation and investigation, and fewer false positives from human error.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
U.S. DOJ will no longer prosecute ethical hackers under CFAA
Freedom at last! That’s right - good faith research attempts are no longer going to be prosecuted. Be warned, ethical-hackers-to-be - this doesn’t mean you can run rampant on networks, it means that unintended consequences of planned testing can’t be prosecuted.
Two military satellites just communicated with each other using space lasers
After sending 200GB over 60 miles in about 40 minutes, the satellite-to-satellite communication array planned by DARPA is in full swing. It’s not trying to compete with Starlink, though; this array is meant to be a military-exclusive satellite network.
Conti ransomware shuts down operation, rebrands into smaller units
We bring this up not because it’s particularly notable, but because it needs to be pointed out and is usually not mentioned: ransomware groups do this very often to get companies off their guard and law enforcement off their tails, and it works too well. Splitting into smaller operations is more beneficial to ransomware tactics and makes them difficult to track.
Cyber security: Global food supply chain at risk from malicious hackers
With the advent of automated farming technology (like sprayers, tractors, and harvesting robots) comes more options for exploitation. John Deere, for instance, has spent a lot of time beefing up their software out of concern for incoming attacks.
Malicious Python repository package drops Cobalt Strike on Windows, macOS & Linux Systems
Start your package reviews - pymafka is one to keep an eye out for. Note that this is not PyKafka, the popular Kafka client package, but a similarly named malicious package that about 300 users were duped into downloading, believing it to be legitimate.
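A lightweight review check for look-alike package names, added here as an example (not PyPI's or any vendor's tooling): it compares each requested package against a small list of well-known packages using an edit distance that counts adjacent transpositions as one edit, so pymafka versus pykafka scores as a single substitution. The popular-package list and the sample requirements are constructed.

```python
"""Flag requested package names that sit within a few edits of a popular package.

Added example; not tooling from PyPI or any vendor. POPULAR is a constructed
allow-list; a real review would load the top-N packages from your own mirror.
"""

POPULAR = {"pykafka", "requests", "numpy", "urllib3", "cryptography", "boto3"}


def normalize(name: str) -> str:
    """Lower-case and unify separators, roughly as package indexes do."""
    return name.strip().lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def requested_name(requirement: str) -> str:
    """Strip version specifiers such as 'requests==2.28.0' or 'numpy>=1.0'."""
    for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";"):
        requirement = requirement.split(sep)[0]
    return normalize(requirement)


def review(requirements: list, popular=POPULAR, max_distance: int = 2) -> list:
    """Return (requirement, look-alike popular package, distance) for suspicious names."""
    findings = []
    for requirement in requirements:
        name = requested_name(requirement)
        if name in popular:
            continue                                   # exact match: the real package
        for known in sorted(popular):
            distance = edit_distance(name, known)
            if distance <= max_distance:
                findings.append((requirement, known, distance))
    return findings


# Constructed sample requirements file contents
SAMPLE_REQUIREMENTS = ["pymafka", "requests==2.28.0", "requets", "colorama"]

if __name__ == "__main__":
    for finding in review(SAMPLE_REQUIREMENTS):
        print("review:", finding)
```

A finding is a prompt for a human look at the package page and its publisher, not a verdict: legitimate short names occasionally collide, so the threshold is kept at two edits and exact matches to the allow-list are never flagged.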
Lumos system can find hidden cameras and IoT devices in your Airbnb or hotel room
This is a fantastic new technology for almost anyone and everyone, and it’s super user-friendly. Lumos uses positioning tech and signal strength to create an augmented reality view that shows users where a hidden listening device may be located. Like airmon-ng but with greater ease of use for the average person.
Twitter fined $150 Million for misusing users' data for advertising without consent
This is a good highlight of how important it is to keep up on data permissions and management. The data was obtained under the guise of being used for security improvements, but was then used for targeted advertising without notice to users.
ChromeLoader malware hijacks browsers with ISO files
As SaaS grows, browser-based malware becomes more useful. ChromeLoader attaches itself as an extension onto Chrome and performs a variety of functions, including malvertising, ransomware, and memory injection.
YODA tool found ~47,000 malicious WordPress plugins installed in over 24,000 sites
With WordPress being so heavily used and improperly secured/malicious plugins being a large portion of web-based attack vectors, the new open source tool aims to better secure the WordPress ecosystem.
EnemyBot puts enterprises in the crosshairs with raft of '1-Day' bugs
A DDoS botnet once homed in on business applications like VMWare Workspace, Adobe ColdFusion, and WordPress. Now, it’s shifting focus onto RCE against IoT devices, Android devices, and CMS servers.
Old hacks die hard: Ransomware, social engineering top Verizon DBIR threats – again
Another year, another Verizon DBIR. For the 15th annual release, a not-so-big surprise: social engineering and ransomware incidents still rule the industry, and their numbers only rise (13% in ransomware’s case).
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)
LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.