Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
Highlight: Cisco Enterprise NFV Infrastructure VM Escape
What Does It Do?: A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM and gain unauthorized root-level access on the NFVIS host.
Potential Impact: The vulnerability is due to insufficient guest restrictions. An attacker could exploit it by sending an API call from a VM that is then executed with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to completely compromise the NFVIS host.
Remediation: Cisco has released software updates that address this vulnerability. There are no workarounds.
More Information
Highlight: F5 BIG-IP RCE
What Does It Do?: This vulnerability has an extremely simple proof of concept (PoC). By sending a POST request for a bash shell to a vulnerable host (one with REST access exposed), the user gains full shell access to the machine. It is notable for how easy the process is and how easy it is to confirm: one crafted request is enough.
Potential Impact: This is a critical-severity vulnerability that allows unrestricted access to the host and requires no credentials to exploit.
Remediation: Patches are available for many versions of BIG-IP products, listed in the article below. Patch immediately.
More Information
Highlight: Azure Insufficient Tenant Separation
What Does It Do?: This vulnerability allows a user to access Synapse tenants that should be inaccessible to them via the Integration Runtime infrastructure or Redshift in Azure, gaining full remote code execution (RCE). The issue was not limited to a single tenant: almost any adjacent tenant using the Open Database Connectivity (ODBC) driver to access Redshift and Integration Runtime was vulnerable.
Potential Impact: As with any RCE, this could give an attacker with legitimate or public access to one Synapse tenant the ability to pivot into other, unintended tenants. The impact could be devastating.
Remediation: Though a fix has been released, the original reporting group (Orca) recommends being cautious with use of this infrastructure.
More Information
CVE-2021-22600: There’s a lack of useful information on this one, which is why it didn’t make our highlights. Based on recent patches surrounding the announcement of this vulnerability, it was likely connected with some form of privilege escalation. Google has just finished patching it, though it has been around since at least January. More information
CVE-2022-27588: Once again, there is very little on this vulnerability besides its critical score. Businesses using QNAP VS Series NVR running QVR should patch immediately. More information
From The Field: Real World Use Cases In Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
Automating with Flashpoint
This month, the LogicHub team assembled an integration for Flashpoint intelligence services. Intelligence services aim to drag a figurative ‘net’ through the trove of data available online and pull out compromised credentials, stolen data, general intelligence/OSINT reports, payment data, and other notable items from across the internet and dark web. Pulling this data manually would require a great deal of review, and the set of sources to watch, including pastebins, forums, card seller sites, marketplaces, and more general postings, changes constantly.
Automated Solution
Through the new integration, users can easily interface with the Flashpoint API for a quick return on ingested data. The API returns a readout of intel that can then be combined with other sources or reshaped into a user-friendly data printout.
Benefits to this Approach
Open source intelligence about an organization is a big concern, especially for larger organizations. It can clue attackers in to convenient avenues for intrusion, or let them use your resources with no effort at all. By correlating data from intelligence services and using this ingested information to patch, or more generally to improve security posture, businesses directly cripple the abilities of their potential adversaries.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Firms Push for CVE-Like Cloud Bug System
Twenty-two years ago, it was impossible to foresee the current state of vulnerabilities. Now, we have trouble tracking vulnerabilities in cloud-based systems due to a lack of standard tracking systems. For More: https://threatpost.com/cve-cloud-bug-system/179394/
Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload
Automated vulnerability management is taking a bigger step into the market now that more organizations are homing in on security posture. Being able to automatically evaluate your entire network for vulnerabilities at once and then prioritize them creates a (supposedly) easy one-step solution. Only time will tell how popular and effective this resource becomes. For More: https://thehackernews.com/2022/05/which-hole-to-plug-first-solving.html
CISA’s 2021 Top Exploited Vulnerabilities Report
It’s here! CISA aggregates reports from the US, Australia, Canada, UK, and New Zealand and offers general mitigation strategies for the vulnerabilities found, plus an explanation of each. This is a must-read. For More: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
BlackCat Ransomware
This ransomware has been spreading rapidly and hitting hard, with massive ransoms demanded from larger companies. From an aggregation of bulletins and data surrounding the ransomware, we’ve put together a BlackCat article that can help organizations prepare. For More: https://www.logichub.com/blog/bad-luck-blackcat-ransomware-bulletin
Mr. Goxx is Back!
After a mild hiatus (and the loss of the original Mr. Goxx), the crypto-trading hamster stream is back with a new enclosure, a better camera, and a whole lot more trading. Put it on in the background, and enjoy watching a hamster that’s better at trading than most investors. For More: https://www.twitch.tv/mr_goxx