June 15, 2022 Tessa Mishoe
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we cover a broad view of the past month’s threats, a set of informative use cases our teams have seen, and recommended articles, podcasts, and other useful resources.
Watch the LogicHub Monthly Security RoundUp - June 2022
This section is devoted to threats of particular note seen in the past month; a select few of particular interest are highlighted in greater detail. NIST NVD data is used to make these selections.
What Does It Do?: Follina is the new Microsoft Office zero-day sweeping across communications. The vulnerability abuses the Microsoft Support Diagnostic Tool (MSDT) for arbitrary code execution: an Office document fetches remote content that invokes MSDT through the ms-msdt: URL protocol handler, and MSDT then runs attacker-supplied commands. No macros are required, so macro-blocking policies do not stop it. This vulnerability is being actively exploited in the wild.
Potential Impact: Given how heavily Office is used in enterprise environments, this vulnerability should be of special note to organizations. The lack of a fix, active exploitation, and ease of use make this a dangerous exploit for unprepared organizations, and it can wreak havoc very quickly.
Remediation: At the time of writing, no patch has been released or announced. Microsoft’s prescribed mitigation, disabling the MSDT URL protocol handler by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, is not always possible in every environment. On the detection side, msdt.exe launched as a child of an Office process is the signal to hunt for.
More information
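As an added example (not code from the original post or from LogicHub), here is a small Python inspector that applies the detection logic the description above implies: a Word document is a zip of XML parts, so the external template or OLE relationship that fetches the attacker's content, and any literal ms-msdt: reference, can be found without ever opening the file in Office. The sample documents, their relationship contents and the 203.0.113.10 address are constructed for the demo, not real samples.

```python
"""Inspect a .docx for the Follina delivery pattern: an external (HTTP)
template or OLE relationship, or any part referencing the ms-msdt: handler.
Added example, not LogicHub's or Microsoft's code; the sample documents are
constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types a user document rarely needs to fetch over HTTP;
# external hyperlinks are normal, so they are reported but not flagged.
SUSPECT_REL_TYPES = {"attachedTemplate", "oleObject"}
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def inspect_docx(data: bytes) -> dict:
    """Return {'external_targets': [(part, rel_type, target)], 'msdt_refs': [part]}."""
    findings = {"external_targets": [], "msdt_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            content = z.read(part)
            if MSDT_RE.search(content):
                findings["msdt_refs"].append(part)
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(content).iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if target.lower().startswith(("http://", "https://")):
                    findings["external_targets"].append((part, rel_type, target))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag on any ms-msdt: literal, or on a template/OLE fetched over HTTP."""
    if findings["msdt_refs"]:
        return True
    return any(rel_type in SUSPECT_REL_TYPES
               for _, rel_type, _ in findings["external_targets"])


def build_docx(rels_xml: str, document_xml: str = "<document/>") -> bytes:
    """Minimal OOXML package (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


CLEAN_RELS = f"""<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed: an OLE object relationship fetched over HTTP, the shape of a
# Follina-style lure (hypothetical address; nothing is fetched).
REMOTE_OLE_RELS = f"""<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="http://203.0.113.10/lure.html" TargetMode="External"/>
</Relationships>"""


def scan_samples() -> dict:
    """Run the inspector over the three constructed documents."""
    return {
        "clean": is_suspicious(inspect_docx(build_docx(CLEAN_RELS))),
        "remote_ole": is_suspicious(inspect_docx(build_docx(REMOTE_OLE_RELS))),
        "msdt_literal": is_suspicious(inspect_docx(build_docx(CLEAN_RELS, "<document>ms-msdt:</document>"))),
    }


if __name__ == "__main__":
    print(scan_samples())
```

is_suspicious treats an external hyperlink as normal and only flags template/OLE fetches, which keeps ordinary documents quiet; run inspect_docx over mail-gateway attachments or a playbook's file artifacts and escalate on the flag. RTF carriers, which the same bug also reaches, are not zip packages and need a plain string search instead.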
What Does It Do?: This vulnerability affects the Zyxel zysh binary, the restricted shell reachable via SSH, telnet, or the web interface. The findings span multiple problems, including format string bugs and a command injection bug. Researchers released a proof of concept to show the relative ease of exploitation.
Potential Impact: Format string bugs can corrupt memory or leak its contents, and command injection lets a user of the restricted shell run arbitrary OS commands; either can cause a wide variety of problems in any environment. Of these bugs, one was exploitable for remote code execution while the other was not.
Remediation: Patches for each of these CVEs are available from the vendor.
More information
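The command-injection half of the zysh findings comes down to a familiar pattern, shown here as an added example in Python with hypothetical handlers (not Zyxel's code and not LogicHub's): a restricted shell that builds a command line from a user argument, beside one that validates the argument and passes it as a single argv element. The format string bugs are a separate, native-code class and are not shown.

```python
"""Command injection in a restricted device shell, the bug class cited for
zysh above, shown in a hypothetical Python handler (added example, not
Zyxel's code). A real diagnostic shell would run ping; echo stands in so the
demo runs offline, and the injection behaves identically."""
import ipaddress
import subprocess

TOOL = "echo"


def run_vulnerable(host: str) -> str:
    """Vulnerable: the user argument is spliced into a shell command line,
    so ';', '|', '$(...)' and friends are interpreted by /bin/sh."""
    command_line = f"{TOOL} {host}"
    return subprocess.run(command_line, shell=True, capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Hardened: allowlist the argument (it must parse as an IP address) and
    pass it as a single argv element with no shell in the path."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"rejected argument: {host!r}") from None
    return subprocess.run([TOOL, host], capture_output=True, text=True).stdout


def demo(payload: str = "192.0.2.1; echo INJECTED") -> dict:
    """Feed the same injected argument to both handlers and report what happened."""
    result = {"vulnerable": run_vulnerable(payload)}
    try:
        run_hardened(payload)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    result["hardened_benign"] = run_hardened("192.0.2.1")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Quoting the argument with shlex.quote would also stop the shell from interpreting it, but the allowlist is the better control: even with no shell involved, an argument beginning with "-" can be read by the tool as an option, and a parse-as-IP check rules that out as well.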
What Does It Do?: The Chrome team announced seven vulnerabilities, four of them high severity. Details on the high-severity ones are being withheld until most users have updated, but we do know they involve a use-after-free in WebGPU and in ANGLE, and out-of-bounds access in compositing and in WebGL. In other words, all of them are memory safety issues in different parts of the browser.
Potential Impact: Use-after-free and out-of-bounds access are both serious bug classes in a browser; though we don’t yet know how severe these instances are, such bugs can lead to code execution or unauthorized changes.
Remediation: Chrome has released an update for these issues and urges users to update immediately.
More information
CVE-2022-26776
This issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. An attacker may be able to cause unexpected application termination or arbitrary code execution.
More information
CVE-2022-1664
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
More information
CVE-2022-26833
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerability.
More information
CVE-2022-30506
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.
More information
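CVE-2022-1664 and CVE-2022-30506 above are the same failure from two directions: a tar member or zip entry whose name, or whose link target, resolves outside the extraction directory. The following Python check, added here as an example and not code from dpkg, MCMS or LogicHub, lists such members before anything is written; the archives are constructed in memory, and the destination path /tmp/extract is an assumption that is never touched.

```python
"""Archive path-traversal check before extraction, the failure mode behind
both the dpkg source-package issue (tar) and the MCMS upload issue (zip)
listed above. Added example, not dpkg's or MCMS's code; the archives are
constructed in memory and nothing is written to disk."""
import io
import os
import tarfile
import zipfile


def escapes(dest: str, member_path: str) -> bool:
    """True if dest/member_path resolves to a location outside dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member_path))
    return os.path.commonpath([dest, target]) != dest


def unsafe_tar_members(data: bytes, dest: str = "/tmp/extract") -> list:
    """Names of members that would land outside dest: absolute or '..'
    names, and symlinks/hardlinks whose target is outside dest (a link
    planted by one member can be written through by a later one)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if os.path.isabs(m.name) or escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # symlink targets are relative to the member's directory,
                # hardlink targets are relative to the archive root
                link_target = (os.path.join(os.path.dirname(m.name), m.linkname)
                               if m.issym() else m.linkname)
                if os.path.isabs(m.linkname) or escapes(dest, link_target):
                    bad.append(m.name)
    return bad


def unsafe_zip_members(data: bytes, dest: str = "/tmp/extract") -> list:
    """Same check for zip; backslashes are normalised because some writers
    emit Windows separators and some extractors honour them."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            normalised = name.replace("\\", "/")
            if os.path.isabs(normalised) or escapes(dest, normalised):
                bad.append(name)
    return bad


def build_tar(entries) -> bytes:
    """entries: (name, kind, payload); kind is 'file' or 'symlink'. Constructed input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def build_zip(entries) -> bytes:
    """entries: (name, payload). Constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries:
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a debian.tar-like archive with one traversal name and
# one symlink out of the tree, and an upload zip with a traversal name.
SAMPLE_TAR = build_tar([
    ("debian/control", "file", "Source: demo\n"),
    ("../../orig-override", "file", "owned\n"),
    ("debian/link", "symlink", "../../../../tmp"),
])
SAMPLE_ZIP = build_zip([
    ("upload/index.html", "<html></html>"),
    ("../../outside.txt", "owned"),
])


def demo() -> dict:
    """Members that must be rejected before extracting each sample."""
    return {"tar": unsafe_tar_members(SAMPLE_TAR), "zip": unsafe_zip_members(SAMPLE_ZIP)}


if __name__ == "__main__":
    print(demo())
```

Links matter for the in-place case described in CVE-2022-1664: a link planted by one archive can be written through by a later one, so both the link's own path and its target are checked here, and when unpacking several archives into the same tree the destination should be re-checked for links between them.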
CVE-2022-1927
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
More information
In this section, we cover a significant use case our teams recently saw and remediated, along with some of the benefits of doing so. We hope it gives current and future customers ideas about what problems are seen in the real world and how they can be solved with LogicHub automations.
Automated Solution
When the Darktrace integration is added to a playbook or command, it takes data from sources LogicHub has ingested and pushes it through Darktrace’s API. Darktrace performs correlation and returns the results to the playbook or command for further research. Added to a larger flow, that data can be compared against other integration outputs or used when exploring other sources, producing a seamless, fast detection.
Benefits to this Approach
When using an integration in a playbook, an analyst or engineer can use that connection’s API immediately without extensive setup. The result is faster automation, more effective case creation and investigation, and fewer false positives from manual error.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Freedom at last! That’s right: under the US Department of Justice’s revised charging policy for the Computer Fraud and Abuse Act, good-faith security research is no longer to be prosecuted. Be warned, ethical-hackers-to-be: this doesn’t mean you can run rampant on networks. It means the unintended consequences of planned, authorized testing should not land you in court.
Learn more
After sending 200GB over 60 miles in about 40 minutes, DARPA’s planned satellite-to-satellite communication array is in full swing. It isn’t trying to compete with Starlink; this array is meant to be a military-only satellite network.
Learn more
We bring this up not because it’s particularly notable but because it needs pointing out and usually isn’t: ransomware groups rebrand and split very often to get companies off their guard and law enforcement off their tails, and it works too well. Splitting into smaller operations suits ransomware tactics and makes the operators harder to track.
Learn more
With the advent of automated farming technology (sprayers, tractors, and harvesting robots) come more options for exploitation. John Deere, for instance, has spent a lot of time hardening its software out of concern for incoming attacks.
Learn more
Start your package reviews: pymafka is one to keep an eye out for. Note that this is not PyKafka, the popular Kafka client package, but a similarly named malicious package that about 300 users were duped into downloading, believing it to be legitimate. Typosquatting of this kind is cheap for an attacker; a one-letter difference is enough to catch a mistyped install.
Learn more
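A minimal pre-install screen for this kind of lookalike name, added here as a Python example that is not LogicHub's or PyPI's tooling: each requirement is PEP 503-normalised and compared by edit distance against a list of packages you actually trust, and anything one edit away from a trusted name that is not itself trusted gets flagged. The trusted list and the requirements file below are constructed for the demo.

```python
"""Typosquat screen for a requirements file, the class of lookalike-name
attack behind the pymafka/PyKafka item above. Added example, not LogicHub's
or PyPI's tooling; the 'popular' list and the requirements are constructed."""
import re

# Constructed allowlist of known-good names. In practice, seed it from the
# packages your organisation already depends on or from a download-count list.
POPULAR = {"pykafka", "kafka-python", "requests", "numpy", "django", "flask", "urllib3"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lower-case."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str):
    """Project name from a requirements.txt line; None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    return re.split(r"[\[<>=!~;@ ]", line, maxsplit=1)[0]


def typosquat_candidates(requirements: str, popular=POPULAR, max_distance: int = 1) -> list:
    """(requested name, [near-identical trusted names]) for every requirement
    that is not itself trusted but sits within max_distance edits of one."""
    popular_norm = {normalize(p) for p in popular}
    findings = []
    for line in requirements.splitlines():
        name = requirement_name(line)
        if not name:
            continue
        norm = normalize(name)
        if norm in popular_norm:
            continue
        near = sorted(p for p in popular_norm if levenshtein(norm, p) <= max_distance)
        if near:
            findings.append((name, near))
    return findings


# Constructed requirements.txt for the demo: two lookalikes among real names.
REQUIREMENTS = """\
# constructed requirements.txt
pymafka==1.0
requests>=2.28
djanga
flask[async]==2.1.2
numpy ; python_version >= "3.8"
"""

if __name__ == "__main__":
    for name, near in typosquat_candidates(REQUIREMENTS):
        print(f"{name}: looks like {', '.join(near)}")
```

Distance 1 catches the pymafka/pykafka case and most single-keystroke slips; raising max_distance widens the net at the cost of noise on short names, so scale it with name length if you extend this.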
This is a fantastic new technology for almost anyone, and it’s very user-friendly. Lumos uses positioning tech and signal strength to create an augmented reality view that shows users where a hidden listening device may be located. Think of a wireless scanning tool like airmon-ng, but with far greater ease of use for the average person.
Learn more
This is a good illustration of how important it is to keep up on data permissions and management. The data was obtained on the pretext of security improvements, then used for targeted advertising without notice to users.
Learn more
As SaaS grows, browser-based malware becomes more useful to attackers. ChromeLoader attaches itself to Chrome as an extension and performs a variety of functions, including malvertising, ransomware, and memory injection.
Learn more
With WordPress so heavily used, and improperly secured or malicious plugins a large portion of web-based attack vectors, this new open source tool aims to better secure the WordPress ecosystem.
Learn more
A DDoS botnet once homed in on business applications like VMware Workspace, Adobe ColdFusion, and WordPress. Now it’s shifting focus to remote code execution against IoT devices, Android devices, and CMS servers.
Learn more
Another year, another Verizon DBIR. For the 15th annual release, a not-so-big surprise: social engineering and ransomware incidents still rule the industry, and their numbers only rise (up 13% in ransomware’s case).
Learn more
Podcasts:
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)
Websites:
https://krebsonsecurity.com
https://threatpost.com
https://www.darkreading.com
https://www.wired.com
https://www.social-engineer.org
https://thecyberwire.com
https://news.sophos.com/en-us
https://www.bleepingcomputer.com
https://techcrunch.com