Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

Watch the LogicHub Monthly Security RoundUp - May 2022

Security Safari: New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

Highlight: Cisco Enterprise NFV Infrastructure VM Escape

What Does It Do?: A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM to gain unauthorized root-level access on the NFVIS host.
Potential Impact: This vulnerability is due to insufficient guest restrictions. An attacker could exploit this vulnerability by sending an API call from a VM that will execute with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely.
Remediation: Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
More Information

Highlight: F5 BIG-IP RCE

What Does It Do?: This vulnerability has an extremely simple PoC (proof of concept). A single crafted POST request asking for a bash shell, sent to a vulnerable host whose REST management interface is reachable, is enough to obtain full shell access to the machine. It is notable both for how easy the process is and for how easy it is to confirm: one crafted request is enough.
Potential Impact: This is a critical-severity vulnerability that grants full, unrestricted access to the host and requires no credentials to exploit.
Remediation: Patches have been made available for many versions of BIG-IP products, listed in the article below. Patch immediately.
More Information

Highlight: Azure Insufficient Tenant Separation

What Does It Do?: This vulnerability allows a user to reach Synapse tenants that should be inaccessible to them, by way of the Integration Runtime infrastructure and the ODBC driver used to access Redshift from Azure, gaining full remote code execution (RCE). The issue is not limited to a single tenant: almost any adjacent tenant using the Open Database Connectivity (ODBC) driver for Redshift through the Integration Runtime was vulnerable.
Potential Impact: As with any remote code execution, this could allow an attacker with legitimate or public access to one Synapse tenant to pivot into other tenants they were never meant to reach. The impact of such an RCE could be devastating.
Remediation: Though a fix has been released, the original reporting group (Orca) recommends being cautious with use of the infrastructure.
More Information

CVE-2021-22600
There’s a lack of useful information on this one, which is why it didn’t make our highlights. Based on recent patches surrounding the announcement of this vulnerability, it was likely in connection with some form of privilege escalation. Google just finished patching this vulnerability, though it has been around since at least January.
More Information

CVE-2022-27588
Once again, very little on this vulnerability besides its critical score. Businesses using QNAP VS Series NVR running QVR should patch immediately.
More Information

From The Field: Real World Use Cases In Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Automating with Flashpoint

Summary

This month, the LogicHub team assembled an integration for Flashpoint intelligence services. Intelligence services aim to drag a figurative ‘net’ through the trove of data available online and pull out compromised credentials, stolen data, general intelligence/OSINT reports, payment data, and other notable items from across the internet and dark web. Collecting this data manually would require constant review of an ever-changing set of sources, including pastebins, forums, card-seller sites, marketplaces, and more general postings.

Automated Solution
Through the new integration, users can easily query the Flashpoint API and quickly retrieve ingested intelligence. The API returns a readout of intel that can then be correlated with other sources or reshaped into a user-friendly report.

Benefits to this Approach
Open-source intelligence about an organization is a significant concern for larger organizations: it can point attackers to convenient avenues of entry, or let them use leaked resources such as credentials without any effort at all. By correlating data from intelligence services and using that ingested information to patch, reset, or more generally improve security standing, businesses directly cripple the abilities of their potential adversaries.
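The two passages above describe the flow of such an automation: pull intelligence from the service, correlate it with what the organization owns, and turn the result into a readable report. The following is an added illustration of that correlation step, not LogicHub's integration or Flashpoint's client code. The response schema, field names, domain list and every sample record are constructed for the example and do not reflect the real Flashpoint API; the priority scheme (password exposed plus seen within 30 days is "high") is likewise an assumption.

```python
"""Correlate compromised-credential intelligence with an organisation's own
identities. Added example: the schema and all records are constructed and are
NOT the real Flashpoint API format."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed stand-in for a raw intel API response (hypothetical schema).
SAMPLE_INTEL_RESPONSE = json.dumps({"results": [
    {"type": "credential", "email": "alice@example-corp.com", "source": "paste",
     "observed": "2022-05-03T10:12:00Z", "password_present": True},
    {"type": "credential", "email": "ALICE@Example-Corp.com", "source": "forum",
     "observed": "2022-05-04T08:00:00Z", "password_present": True},
    {"type": "credential", "email": "bob@example-corp.com", "source": "marketplace",
     "observed": "2022-04-20T00:00:00Z", "password_present": False},
    {"type": "credential", "email": "someone@unrelated.example", "source": "paste",
     "observed": "2022-05-05T12:00:00Z", "password_present": True},
    {"type": "credential", "email": "not-an-address", "source": "paste",
     "observed": "2022-05-05T12:00:00Z", "password_present": True},
    {"type": "card", "bin": "411111", "source": "card_shop",
     "observed": "2022-05-01T00:00:00Z"},
]})

MONITORED_DOMAINS: Set[str] = {"example-corp.com"}      # constructed, the org's own domains
AS_OF = datetime(2022, 5, 10, tzinfo=timezone.utc)      # fixed clock so the run is reproducible
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def parse_intel(raw_json: str) -> List[Dict]:
    """Normalise the feed: credential records only, lower-cased address,
    extracted domain, ISO-8601 timestamp parsed to an aware datetime."""
    records = []
    for item in json.loads(raw_json).get("results", []):
        if item.get("type") != "credential":
            continue  # card or OSINT records belong to other playbooks
        email = str(item.get("email", "")).strip().lower()
        match = EMAIL_RE.match(email)
        if not match:
            continue  # malformed entry: skip it rather than abort the run
        records.append({
            "email": email, "domain": match.group(1),
            "source": item.get("source", "unknown"),
            "observed": datetime.fromisoformat(item["observed"].replace("Z", "+00:00")),
            "password_present": bool(item.get("password_present", False)),
        })
    return records


def correlate(records: List[Dict], monitored: Set[str], as_of: datetime,
              recent_days: int = 30) -> List[Dict]:
    """Group hits per identity in a monitored domain and assign a priority:
    high = password exposed and seen recently, medium = one of the two, low = neither."""
    grouped = defaultdict(lambda: {"hits": 0, "sources": set(), "latest": None,
                                   "password_present": False})
    for r in records:
        if r["domain"] not in monitored:
            continue  # not one of ours; drop it from this report
        g = grouped[r["email"]]
        g["hits"] += 1
        g["sources"].add(r["source"])
        g["password_present"] = g["password_present"] or r["password_present"]
        if g["latest"] is None or r["observed"] > g["latest"]:
            g["latest"] = r["observed"]

    findings = []
    for email, g in grouped.items():
        recent = (as_of - g["latest"]).days <= recent_days
        if g["password_present"] and recent:
            priority = "high"
        elif g["password_present"] or recent:
            priority = "medium"
        else:
            priority = "low"
        findings.append({"email": email, "hits": g["hits"], "sources": sorted(g["sources"]),
                         "latest": g["latest"], "password_present": g["password_present"],
                         "priority": priority})
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f["priority"]], -f["hits"], f["email"]))
    return findings


def render_report(findings: List[Dict]) -> List[str]:
    """One human-readable line per finding, suitable for a ticket or chat alert."""
    lines = []
    for f in findings:
        exposure = "password exposed" if f["password_present"] else "address only"
        lines.append(f"[{f['priority'].upper()}] {f['email']}: {f['hits']} hit(s) via "
                     f"{', '.join(f['sources'])}; latest {f['latest']:%Y-%m-%d}; {exposure}")
    return lines


def run_sample() -> List[Dict]:
    """Run the whole pipeline over the constructed sample response."""
    return correlate(parse_intel(SAMPLE_INTEL_RESPONSE), MONITORED_DOMAINS, AS_OF)


if __name__ == "__main__":
    for line in render_report(run_sample()):
        print(line)
```

The two spellings of Alice's address collapse into one finding because the address is normalised before grouping, the unrelated domain and the malformed record are dropped without stopping the run, and the card record is left for a separate playbook. In a real automation the `SAMPLE_INTEL_RESPONSE` constant would be replaced by the actual API call, and the report lines would feed a ticketing or password-reset step.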

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Firms Push for CVE-Like Cloud Bug System
Twenty-two years ago, it was impossible to see what the current state of vulnerabilities would be. Now, we have issues tracking vulnerabilities in cloud-based systems due to a lack of standard tracking systems.
For More: https://threatpost.com/cve-cloud-bug-system/179394/

More than 10,000 Redline malware attacks in April targeting Internet Explorer vulnerability
We did a general overview of Redline attacks a few months ago, and now that knowledge has a new use as a new wave of Redline attacks hit. These attacks target CVE-2021-26411, which is an Internet Explorer zero-day double free that was patched in March of 2021.
For More: https://therecord.media/more-than-10000-redline-malware-attacks-in-april-targeting-internet-explorer-vulnerability/

Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload
Automated vulnerability management is starting to take a bigger step into the market now that more organizations are homing in on security posture. Being able to automatically evaluate your entire network for vulnerabilities at once and then prioritize them creates a (supposedly) easy one-step solution. Only time will tell how popular and effective this resource becomes.
For More: https://thehackernews.com/2022/05/which-hole-to-plug-first-solving.html

CISA’s 2021 Top Exploited Vulnerabilities Report
It’s here! CISA aggregates reports from the US, Australia, Canada, the UK, and New Zealand and offers some general mitigation strategies for the vulnerabilities found, plus an explanation of each. This is a must-read.
For More: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

BlackCat Ransomware
The ransomware has been spreading rapidly and hitting hard with massive ransoms against larger companies. From an aggregation of bulletins and data surrounding the ransomware, we’ve put together a BlackCat article that can help organizations prepare.
For More: https://www.logichub.com/blog/bad-luck-blackcat-ransomware-bulletin

Fake Windows 10 updates infect you with Magniber ransomware
These false updates show as .msi extension files from fake cracked/pirated software sites, the campaign having started around April 8th. Once the .msi is executed, it will begin the process of deleting shadow copies, encrypting files, and requesting an average ransom of about $2,500.
For More: https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/

Emotet malware now installs via PowerShell in Windows shortcut files
Emotet has added yet another tool to its belt in the form of .lnk files, especially now that Office macros are disabled by default. The technique is gaining in usage according to ESET telemetry.
For More: https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/

Hackers are now hiding malware in Windows Event Logs
By planting shellcode payloads inside Windows event log entries under the Key Management Services (KMS) event source, attackers have started obfuscating their payloads and sneakily bypassing detection. These attacks have been seen in the wild, though in a targeted campaign.
For More: https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/

Lincoln College to close after 157 years due to ransomware attack
To add insult to injury, after being beaten down by the pandemic, Lincoln College faced insurmountable costs and losses from a ransomware attack, leading it to announce the closing of its doors. With its fall enrollment projections and admissions activities inaccessible, the college's future was simply too uncertain.
For More: https://www.bleepingcomputer.com/news/security/lincoln-college-to-close-after-157-years-due-ransomware-attack/

Mr. Goxx is Back!
After a mild hiatus (and the loss of the original Mr. Goxx), the crypto-trading hamster stream is back with a new enclosure, a better camera, and a whole lot more trading. Put it on in the background, and enjoy watching a hamster that’s better at trading than most investors.
For More: https://www.twitch.tv/mr_goxx

Recommended Sources

Podcasts:
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)

Websites:
https://krebsonsecurity.com
https://threatpost.com
https://www.darkreading.com
https://www.wired.com
https://www.social-engineer.org
https://thecyberwire.com
https://news.sophos.com/en-us
https://www.bleepingcomputer.com
https://techcrunch.com
