Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

Watch the LogicHub Monthly Security RoundUp - April 2022 

Security Safari: New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

Highlight: Apple Buffer Overflow Zero Days
What Does It Do?: Apple patched two zero days in iOS, iPadOS, and macOS Monterey that were being exploited in the wild before the fix shipped. One is an out-of-bounds read in the Intel Graphics Driver that lets an application read kernel memory (CVE-2022-22674); the other is an out-of-bounds write in the AppleAVD media decoder that lets an application execute arbitrary code with kernel privileges (CVE-2022-22675). An out-of-bounds write lets attacker-controlled data land in memory the program never meant to touch, and in a kernel component that is usually enough to corrupt control data and take over the kernel.
Potential Impact: These are local bugs triggered by an app rather than remote code execution, but a kernel memory disclosure plus a kernel-mode write is the classic local privilege escalation pairing: a malicious or already-compromised app (for example, one reached through a browser exploit) could use the read to defeat kernel address-space randomization and the write to run code in the kernel, which hands it the whole device and every part of the CIA triad with it.
Remediation: Apple urges everyone affected to install the security updates immediately: iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1.
More Information: https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs/

Highlight: NodeIPC ‘Protestware’
What Does It Do?: This one is highly unusual, and it means node-ipc is no longer recommended for use. node-ipc versions 10.1.1 and 10.1.2 (NVD lists the range as 10.1.1 up to but not including 10.1.3) contain deliberately malicious code added by the package's own maintainer: the package looks up the geolocation of the machine's public IP address and, if it resolves to Russia or Belarus, recursively overwrites the contents of every file it can write with a heart emoji. Because the payload lives in node-ipc itself, any application that pulls in an affected version, directly or through another dependency, carries it to that application's users.
Potential Impact: Wiping every writable file on a developer or production host is nothing to treat lightly, and the targeting is crude: it keys on the geolocation of the public IP, so a user anywhere whose VPN exits in Russia or Belarus is hit, while a user inside the region tunnelling out through a VPN elsewhere is not.
Remediation: Many are currently recommending that node-ipc not be used at all, which is difficult because it is a common transitive dependency (notably of the Vue CLI tooling). The practical fix is to pin it below the affected range with an npm overrides entry (npm 8.3 and later) or a Yarn resolutions entry in package.json, both of which apply to transitive dependencies, then regenerate the lockfile and confirm with npm ls node-ipc that only the pinned version remains. Versions 9.2.1 and earlier predate both the destructive code and the later peacenotwar protest module. Note that the override mechanism is package-manager specific (pnpm, for instance, uses its own pnpm.overrides field), so check the lockfile rather than trusting package.json. Use at your own risk.
More Information: https://nvd.nist.gov/vuln/detail/CVE-2022-23812
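The practical check, as an added example that is not part of node-ipc or of LogicHub's own tooling: scan an npm lockfile (lockfileVersion 2 or 3, which records every installed copy, nested ones included) for node-ipc in the affected range and build the package.json fragment that pins it. The lockfile contents below are constructed sample data, and the 9.2.1 pin is an assumption based on the advisories available at the time.

```javascript
// Added example: find every copy of node-ipc in an npm lockfile that falls in
// the CVE-2022-23812 range (>= 10.1.1, < 10.1.3) and build the package.json
// override that pins it. Lockfile contents here are constructed sample data.
const AFFECTED = { name: "node-ipc", min: [10, 1, 1], max: [10, 1, 3] }; // [min, max)
const SAFE_PIN = "9.2.1"; // assumption: last release predating the protestware

// Parse "major.minor.patch" (ignoring prerelease/build suffixes); null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function inAffectedRange(version, range = AFFECTED) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, range.min) >= 0 && compareVersions(v, range.max) < 0;
}

// Lockfile package keys are install paths such as
// "node_modules/some-build-tool/node_modules/node-ipc"; the package name is
// everything after the last "node_modules/", which also keeps scopes intact.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i < 0 ? installPath : installPath.slice(i + marker.length);
}

// Returns [{ path, version }] for each affected copy, top-level or nested.
function findAffected(lockfile, range = AFFECTED) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    if (installPath === "") continue; // "" is the root project itself
    if (packageNameFromPath(installPath) !== range.name) continue;
    if (inAffectedRange(meta.version, range)) hits.push({ path: installPath, version: meta.version });
  }
  return hits;
}

// package.json fragment for npm (overrides, npm >= 8.3) and Yarn (resolutions);
// both mechanisms apply to transitive dependencies. Null when nothing to pin.
function pinFragment(hits, pin = SAFE_PIN, name = AFFECTED.name) {
  if (hits.length === 0) return null;
  return { overrides: { [name]: pin }, resolutions: { [name]: pin } };
}

// Constructed sample: one direct copy, one nested under a build tool, one safe.
const SAMPLE_LOCK = {
  name: "my-app", lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/some-build-tool": { version: "2.0.0" },
    "node_modules/some-build-tool/node_modules/node-ipc": { version: "10.1.1" },
    "node_modules/@acme/cli-utils": { version: "4.5.0" },
    "node_modules/@acme/cli-utils/node_modules/node-ipc": { version: "9.2.1" },
  },
};

// Real use: scanLockfileFile("path/to/package-lock.json")
function scanLockfileFile(filePath) {
  const fs = require("fs");
  return findAffected(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

const sampleHits = findAffected(SAMPLE_LOCK);
console.log(sampleHits);
console.log(JSON.stringify(pinFragment(sampleHits), null, 2));
```

On the sample the scan reports the direct 10.1.2 copy and the nested 10.1.1 copy and leaves the 9.2.1 copy alone; after adding the fragment and reinstalling, npm ls node-ipc should show only the pinned version.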

Highlight: OpenSSL Palo Alto DoS
What Does It Do?: A vulnerability in the OpenSSL version bundled with Palo Alto's PAN-OS, GlobalProtect app, and Cortex XDR agent allows denial of service (DoS). The bug is in BN_mod_sqrt(), the function that computes modular square roots: handed a non-prime modulus it never terminates. That function is reached when OpenSSL parses a certificate or key carrying explicit elliptic-curve parameters with a compressed point, and it runs before any signature is checked, so anything that parses attacker-supplied certificates (a TLS server doing client authentication, a client validating a server's chain, a service that accepts uploaded certificates) can be hung by a crafted certificate. OpenSSL fixed the flaw in 1.1.1n and 3.0.2, but the copy shipped in Palo Alto's products had not yet been updated at the time of writing.
Potential Impact: A DoS attack severely affects availability of resources, leading to problems with uptime and possible issues with connected applications.
Remediation: Palo Alto recommends that customers with a Threat Prevention subscription enable Threat IDs 92409 and 92411 to block attempts until fixed PAN-OS, GlobalProtect, and Cortex XDR releases are available. The flaw has not been seen exploited in the wild, but a public proof-of-concept exists, and a malicious certificate is trivial to deliver, so do not wait for in-the-wild reports before applying the signatures.
More Information: https://nvd.nist.gov/vuln/detail/CVE-2022-0778

From The Field: Real World Use Cases In Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Threat Hunting in GitHub

Summary
GitHub repositories frequently hold confidential intellectual property (IP). An attacker who gains access to the right repository can take proprietary source code, product roadmaps, unresolved bugs, and known-but-unpatched product vulnerabilities; in the wrong hands that information can be incredibly damaging to a company, and this month's Lapsus$ leak of Microsoft source code (covered in Recommended Reading below) is a reminder of how it plays out.

Automated Solution
LogicHub playbooks can automatically baseline GitHub activity from the organization's audit log, profiling a broad range of data points: the usual number of repositories and authorized users, which IP addresses each user normally logs in from, and what each user normally does within a repository (which repositories they touch, how often they clone). That profile of expected behavior is what makes a deviation visible: a login from an IP never seen for that user, a first-time clone of a sensitive repository, or a burst of clones far above the user's norm. Rather than waiting for indications that a breach has occurred, LogicHub can proactively hunt for this kind of activity and automatically disable the account before it is used to exfiltrate critical data.

Benefits to this Approach
Doing this by hand is exceedingly difficult: it means sifting through every account and repository for unusual activity and cross-referencing each against a normal baseline, and repeating that on a regular schedule would cost an average-sized company hundreds of hours. Automating the search over GitHub's audit data lets the check run continuously without human intervention, with the account actions the playbook prescribes taken automatically as well.
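What a baseline-and-deviation playbook amounts to, as an added example rather than LogicHub's own playbook code: build a per-user profile from a window of audit-log history, score newer events against it, and decide which accounts to suspend. The event shape (action, actor, actor_ip, repo, created_at) is a simplified assumption loosely modelled on GitHub's audit log, and every event below is constructed.

```javascript
// Added example: per-user baseline of GitHub audit-log activity and a hunt for
// deviations from it. Event fields are an assumed simplification of GitHub's
// audit log; all events below are constructed sample data.

// Split a stream of events into the baseline window and the period to hunt over.
function splitByCutoff(events, cutoffIso) {
  const cutoff = Date.parse(cutoffIso);
  const history = [], recent = [];
  for (const e of events) (Date.parse(e.created_at) < cutoff ? history : recent).push(e);
  return { history, recent };
}

// Profile per actor: known source IPs, repos touched, and peak git.clone count per day.
function buildBaseline(history) {
  const baseline = new Map();
  for (const e of history) {
    let p = baseline.get(e.actor);
    if (!p) {
      p = { ips: new Set(), repos: new Set(), clonesPerDay: new Map(), peakClonesPerDay: 0 };
      baseline.set(e.actor, p);
    }
    p.ips.add(e.actor_ip);
    if (e.repo) p.repos.add(e.repo);
    if (e.action === "git.clone") {
      const day = e.created_at.slice(0, 10);
      const n = (p.clonesPerDay.get(day) || 0) + 1;
      p.clonesPerDay.set(day, n);
      p.peakClonesPerDay = Math.max(p.peakClonesPerDay, n);
    }
  }
  return baseline;
}

// Score recent events against the baseline. Each (actor, reason) pair fires once.
function huntAnomalies(recent, baseline, opts = {}) {
  const { cloneMultiplier = 3, minClones = 5 } = opts;
  const findings = [], fired = new Set(), clones = new Map();
  const emit = (actor, reason, event) => {
    const key = `${actor}|${reason}`;
    if (fired.has(key)) return;
    fired.add(key);
    findings.push({ actor, reason, at: event.created_at });
  };
  for (const e of recent) {
    const b = baseline.get(e.actor);
    if (!b) { emit(e.actor, "no baseline for actor", e); continue; }
    if (!b.ips.has(e.actor_ip)) emit(e.actor, `new source IP ${e.actor_ip}`, e);
    if (e.repo && !b.repos.has(e.repo)) emit(e.actor, `first access to ${e.repo}`, e);
    if (e.action === "git.clone") {
      const key = `${e.actor}|${e.created_at.slice(0, 10)}`;
      const n = (clones.get(key) || 0) + 1;
      clones.set(key, n);
      // Burst threshold: a multiple of the actor's own peak, never below a floor.
      const threshold = Math.max(minClones, cloneMultiplier * b.peakClonesPerDay);
      if (n >= threshold) emit(e.actor, `clone burst: ${threshold}+ clones in one day (baseline peak ${b.peakClonesPerDay})`, e);
    }
  }
  return findings;
}

// Response policy (assumed): an actor with findings of two or more kinds is suspended.
function accountsToSuspend(findings, minFindings = 2) {
  const counts = new Map();
  for (const f of findings) counts.set(f.actor, (counts.get(f.actor) || 0) + 1);
  return [...counts].filter(([, n]) => n >= minFindings).map(([actor]) => actor).sort();
}

function ev(created_at, actor, actor_ip, action, repo) {
  return { created_at, actor, actor_ip, action, repo };
}

// Constructed sample: March is normal activity, April is the hunt window in
// which "bob" clones repeatedly from a never-seen IP and touches a new repo.
const SAMPLE_EVENTS = [
  ev("2022-03-01T09:00:00Z", "alice", "203.0.113.10", "git.clone", "acme/web"),
  ev("2022-03-01T09:05:00Z", "alice", "203.0.113.10", "git.clone", "acme/api"),
  ev("2022-03-14T10:00:00Z", "alice", "203.0.113.11", "git.push", "acme/web"),
  ev("2022-03-02T08:30:00Z", "bob", "198.51.100.5", "git.clone", "acme/web"),
  ev("2022-03-20T08:30:00Z", "bob", "198.51.100.5", "git.push", "acme/web"),
  ev("2022-04-12T09:00:00Z", "alice", "203.0.113.10", "git.clone", "acme/web"),
  ...Array.from({ length: 5 }, (_, i) => ev(`2022-04-12T02:0${i}:00Z`, "bob", "192.0.2.77", "git.clone", "acme/web")),
  ev("2022-04-12T02:10:00Z", "bob", "192.0.2.77", "repo.access", "acme/secrets"),
];

function runSample() {
  const { history, recent } = splitByCutoff(SAMPLE_EVENTS, "2022-04-01T00:00:00Z");
  const findings = huntAnomalies(recent, buildBaseline(history));
  return { findings, suspend: accountsToSuspend(findings) };
}

console.log(runSample());
```

On the sample, alice's April clone matches her profile and produces nothing, while bob produces three findings (new source IP, clone burst, first access to acme/secrets) and is the one account the policy suspends. In production the baseline window should be long enough to cover a user's normal rhythm (a sprint or a release cycle), and the suspension step should go through the same playbook so the action is logged and reversible.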

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Finnish govt agency warns of unusual aircraft GPS interference
As a result of the interference, several flights were cancelled out of an abundance of caution, although aircraft can navigate safely without GPS using inertial and ground-based radio navigation. Civil GPS signals are unauthenticated and extremely weak by the time they reach a receiver, so either drowning them out (jamming) or broadcasting counterfeit signals that the receiver locks onto (spoofing) takes only inexpensive, readily available radio hardware. The Finnish agency reported interference; whether it was jamming or spoofing was not confirmed, though spoofing is the suspected cause.
For More: https://www.bleepingcomputer.com/news/technology/finnish-govt-agency-warns-of-unusual-aircraft-gps-interference/

Android malware Escobar steals your Google Authenticator MFA codes
Authenticator applications are rightly touted as one of the stronger ways to perform MFA, but they are only as strong as the device they run on. Escobar (a new variant of Aberebot) undermines that expectation with a feature that lifts codes out of Google Authenticator, alongside VNC remote control, web page injection overlays, SMS interception and sending, photo capture, and audio recording. Still in beta and rented out as malware-as-a-service, it is already a capable banking trojan and worth keeping an eye on.
For More: https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/

New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable
This attack draws a fake browser pop-up window entirely in HTML and CSS inside the phishing page, complete with a fabricated address bar showing the legitimate single sign-on provider's URL (Google, Twitter, Facebook, and the like), and loads the credential-harvesting form into it through an iframe. Because the "window" is just page content, the standard advice to check the URL bar no longer helps. The tells are that the fake window cannot be dragged outside the real browser window's viewport, and that a password manager will not offer to autofill it, since the real origin is the phishing site. The technique has been used in the wild before, in a campaign stealing Steam credentials.
For More: https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html

Corrupted open-source software enters the Russian battlefield
As Russian users and companies are cut off from commercial software (and years after the Russian government ordered its agencies to move to open source applications), open source is being adopted there en masse. Against that backdrop the maintainer of node-ipc, a widely used npm package, shipped "protestware": first, versions that overwrote files on machines whose IP address geolocated to Russia or Belarus (the node-ipc item in Security Safari above), and then a separate module, peacenotwar, that writes a protest message against Russia's invasion of Ukraine to the user's desktop, which was added as a dependency of node-ipc. Many developers now recommend against using node-ipc at all as a result.
For More: https://www.zdnet.com/article/corrupted-open-source-software-enters-the-russian-battlefield/

Microsoft confirms they were hacked by Lapsus$ extortion group
We reviewed this topic and what it means for the industry in the linked article, but in short: Lapsus$ obtained access through a single compromised account and released a trove of Microsoft source code. Microsoft's detailed writeup on the group (which it tracks as DEV-0537) documents its TTPs, including its practice of buying credentials from employees and contractors at target organizations, but does not say how this particular account was obtained; Microsoft also stated that no customer code or data was involved.
For More: https://www.logichub.com/blog/drawing-the-red-line-insider-threats-in-cybersecurity

Honda bug lets a hacker unlock and start your car via replay attack
Replay attacks are common in car hacking: the attacker records the key fob's radio transmission and plays it back later to unlock (and, here, start) the car. The root cause is a fixed, unchanging unlock code, which is exactly what rolling codes (a counter that advances on every press so that each transmission is valid only once) were introduced to prevent. Honda has stated that it will not fix 2016 to 2020 Honda Civics; the only recourse owners have right now is to have the key fob reset at a dealership if they believe a replay attack has occurred.
For More: https://www.bleepingcomputer.com/news/security/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack/

Kaspersky In Trouble
Kaspersky has taken a series of hits to its reputation and business as a consequence of the sanctions imposed on Russia and Belarus: HackerOne removed Kaspersky's bug bounty program from its platform, Germany's BSI warned against using the company's products, and the US FCC added the company to its list of communications equipment and services deemed a threat to national security. That matters because Kaspersky antivirus runs on home and enterprise endpoints across the world, so for many organizations it will mean a large decommissioning and replacement project.
For More: https://www.bleepingcomputer.com/news/security/us-says-kaspersky-poses-unacceptable-risk-to-national-security/

Recommended Sources

Podcasts:
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)

Websites:
https://krebsonsecurity.com
https://threatpost.com
https://www.darkreading.com
https://www.wired.com
https://www.social-engineer.org
https://thecyberwire.com
https://news.sophos.com/en-us
https://www.bleepingcomputer.com
https://techcrunch.com

LogicHub Security Roundup: April 2022, published April 15, 2022 by Tessa Mishoe