Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

Watch the LogicHub Monthly Security RoundUp - June 2022

Security Safari: New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

Highlight: Follina Zero-Day

What Does It Do?: Follina is the new Microsoft Office zero-day sweeping across communications. The vulnerability takes advantage of a component in the Microsoft Support Diagnostic Tool (MSDT), using it for arbitrary code execution. The zero-day is delivered via Office documents that call out to the MSDT. This vulnerability is being actively exploited in the wild.
Potential Impact: With how heavily used Office is in an enterprise environment, this is a vulnerability that should be of special note to organizations. The lack of remediation, active exploit, and ease of use makes this a dangerous exploit for organizations that are unprepared, and can wreak havoc very quickly.
Remediation:
There have been no patches released or announced for this issue. The mitigations prescribed by Microsoft are not always possible.
More information

Highlight: Zyxel Buffer Overflows

What Does It Do?: This vulnerability affects the Zyxel zysh binary shell, which can be accessible via SSH, telnet, or browser. The issues seen spread multiple problems, including format string bugs and a command injection bug. A proof of concept was released by researchers to display relative ease of exploitation.
Potential Impact: Buffer overflows can cause a wide variety of issues in any environment. With these bugs, one was exploitable for remote code execution while the other was not.
Remediation: Patches are available for each of these CVEs from the vendor. .
More information

Highlight: Chrome Use After Free and Out of Bounds Access

What Does It Do?: Seven total vulnerabilities were announced by the Chrome team, with four being of high severity. The details on these high severity vulnerabilities have mostly been hidden until the majority of users can update, but we do know that they involve a use after free in WebGPU and ANGLE, as well as out of bounds access in compositing and WebGL. In other words, all of these are related to memory management issues in different parts of the software.
Potential Impact: Use after free and out of bounds access are both relatively serious issues, and though we don’t know how serious yet, they can potentially be cause for widespread code execution or unauthorized changes.
Remediation: Chrome has released an update for these issues and urges users to patch immediately.
More information

CVE-2022-26776
This issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. An attacker may be able to cause unexpected application termination or arbitrary code execution.
More information

CVE-2022-1664
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
More information

CVE-2022-26833
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerability.
More information

CVE-2022-30506
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code through a crafted ZIP file.
More information

CVE-2022-1927
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
More information

From The Field: Real World Use Cases In Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Automating with Darktrace

Summary
Darktrace is an integration that has been recently tuned in the LogicHub environment. Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment. When working with data directly, a user might manually correlate activity and would require a long length of time to understand the environment baseline.

Automated Solution
When the Darktrace integration is added to a playbook or command, it takes data from LogicHub ingested sources and pushes it through Darktrace’s API. Darktrace can then perform correlation, return that data back to the playbook/command, and provide information for further research. When this integration is added into a larger flow, that data can be used against other integration outputs or when exploring other sources to create a seamless, snappy detection.

Benefits to this Approach
When using an integration in a playbook, an analyst or engineer can quickly use that connection’s API without having to worry about extensive setup. The result of this is faster automation, more effective case creation and investigation, and fewer false positives from human error.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

U.S. DOJ will no longer prosecute ethical hackers under CFAA

Freedom at last! That’s right - good faith research attempts are no longer going to be prosecuted. Be warned, ethical-hackers-to-be - this doesn’t mean you can run rampant on networks, it means that unintended consequences of planned testing can’t be prosecuted.
Learn more

Two military satellites just communicated with each other using space lasers

After sending 200GB over 60 miles in about 40 minutes, the satellite-to-satellite communication array planned by DARPA is in full swing. Though it’s not trying to compete with Starlink; this array is meant to be a military-exclusive satellite network.
Learn more

Conti ransomware shuts down operation, rebrands into smaller units

We bring this up not because it’s particularly notable, but because it needs to be pointed out and is usually not mentioned: ransomware groups do this very often to get companies off their guard and law enforcement off their tails, and it works too well. Splitting into smaller operations is more beneficial to ransomware tactics and makes them difficult to track.
Learn more

Cyber security: Global food supply chain at risk from malicious hackers

With the advent of automated farming technology (like sprayers, tractors, and harvesting robots) comes more options for exploitation. John Deere, for instance, has spent a lot of time beefing up their software out of concern for incoming attacks.
Learn more

Malicious Python repository package drops Cobalt strike on Windows, MacOS & Linux Systems

Start your package reviews - pymafka is one to keep an eye out for. Note that this is not PyKafka, the popular Kafka client package, but a similarly named malicious package that about 300 users were duped into downloading, believing it to be legitimate.
Learn more

Lumos system can find hidden cameras and IoT devices in your Airbnb or hotel room

This is a fantastic new technology for almost anyone and everyone, and it’s super user-friendly. Lumos uses positioning tech and signal strength to create an augmented reality view that shows users where a hidden listening device may be hidden. Like airmon-ng but with greater ease of use for the average person.
Learn more

Twitter fined $150 Million for misusing users' data for advertising without consent

This is a good highlight of how important it is to keep up on data permissions and management. The data was obtained under the guise of being used for security improvements, but was then used for targeted advertising without notice to users.
Learn more

ChromeLoader malware hijacks browsers with ISO files

As SaaS grows, browser-based malware becomes more useful. ChromeLoader attaches itself as an extension onto Chrome and performs a variety of functions, including malvertising, ransomware, and memory injection.
Learn more

YODA tool found ~47,000 malicious WordPress plugins installed in over 24,000 sites

With WordPress being so heavily used and improperly secured/malicious plugins being a large portion of web-based attack vectors, the new open source tool aims to better secure the WordPress ecosystem.
Learn more

EnemyBot puts enterprises in the crosshairs with raft of '1-Day' bugs

A DDoS botnet once honed in on business applications like VMWare Workspace, Adobe ColdFusion, and WordPress. Now, it’s shifting focus onto RCE against IoT devices, Android devices, and CSM servers.
Learn more

-----------

Old hacks die hard: Ransomware, social engineering top Verizon DBIR threats – again

Another year, another Verizon DBIR. For the 15th annual release, a not-so-big surprise: social engineering and ransomware incidents still rule the industry, and their numbers only rise (13% in ransomware’s case).
Learn more

Recommended Sources

Podcasts:
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)

Websites:
https://krebsonsecurity.com
https://threatpost.com
https://www.darkreading.com
https://www.wired.com
https://www.social-engineer.org
https://thecyberwire.com
https://news.sophos.com/en-us
https://www.bleepingcomputer.com
https://techcrunch.com

Watch the LogicHub Security RoundUp: June 2022 Edition video

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.

Blog

Related Posts

September 13, 2022 Kumar Saurabh

Why No Code Solutions Are a Double-Edged Sword

Most out-of-the-box security automation is based on a simple logic — essentially, if “this”...

Learn More

August 16, 2022 Willy Leichter

Understanding MDR, XDR, EDR and TDR

A program with proper threat detection and response (TDR) has two key pillars: understanding the...

Learn More

August 9, 2022 Willy Leichter

Intuition vs. Automation: What Man and Machine Bring to Data Security

Cybersecurity experts Colin Henderson and Ray Espinoza share their take on the automation-driven...

Learn More

August 2, 2022 Anthony Morris

Using AI/ML to Create Better Security Detections

The blue-team challenge Ask any person who has interacted with a security operations center (SOC)...

Learn More

July 26, 2022 Willy Leichter

How to Select the Right MDR Service

It can be difficult to understand the differences between the various managed detection and...

Learn More

July 21, 2022 Willy Leichter

The Evolving Role of the SOC Analyst

As the cyber threat landscape evolves, so does the role of the security operations center (SOC)...

Learn More

July 19, 2022 Kumar Saurabh

Life, Liberty, and the Pursuit of Security

As cyber threats evolve, organizations of all sizes need to ramp up their security efforts....

Learn More

July 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: July 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

July 12, 2022 Willy Leichter

Security Tools Need to Get with the API Program

No cloud API is an island The evolution of cloud services has coincided with the development of...

Learn More

July 6, 2022 Willy Leichter

Why the Rush to MDR?

LogicHub recently published a survey conducted by Osterman Research, looking at changing trends and...

Learn More