The LogicHub Security Roundup: April 2021 Edition
Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we cover a broad view of the past month's threats, a set of informative use cases our teams encountered, and a selection of recommended articles, podcasts, and other useful resources.
Netgear File Upload Zero Day
WHAT DOES IT DO?
A file-upload handler class in the Netgear ProSAFE Network Management System fails to validate a user-supplied path before using it in file operations, allowing an attacker who controls that path to achieve code execution in the product.
With the ability to execute arbitrary code at a supplied path, attackers may have free rein over the product, from reading its data with SYSTEM privileges to altering how it operates.
Netgear has had a security update available since March 26th.
Cisco IOS XE Boundary Checks
WHAT DOES IT DO?
On some Cisco Catalyst 4500 and 4500-X Series switches running IOS XE, a missing bounds check when processing Easy Virtual Switching System (VSS) protocol packets lets an attacker trigger a buffer overflow with crafted packets. Once the overflow is triggered, the attacker may gain administrative access to the underlying Linux operating system or cause a denial of service.
Impact ranges from complete loss of availability through denial of service to a total compromise of confidentiality and data integrity if the attacker gains control of the underlying operating system.
At the time of writing no workarounds or patches are available, but some mitigations have been suggested, such as disabling the Cisco Discovery Protocol (CDP).
Snapdragon Buffer Overflow
WHAT DOES IT DO?
When handling an RTT/TTY packet, the affected code copies the packet data into a destination buffer without checking that the buffer is large enough to hold it. A packet larger than the buffer therefore overflows it, producing an out-of-bounds write.
Out-of-bounds writes can cause crashes, unexpected behaviour or even code execution, compromising all three of confidentiality, integrity and availability.
Qualcomm addressed this and several other vulnerabilities in its March 2021 security patches.
VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.0.1 have an authentication bypass vulnerability that may allow a malicious actor with network access to the appliance's administrative interface to obtain a valid authentication token. Successful exploitation would let the attacker view and alter administrative configuration settings.
Certain NETGEAR Orbi devices are affected by an authentication bypass. The affected models are the RBK852, RBK853, RBK854, RBR850 and RBS850 running firmware older than NETGEAR's fixed release for each model.
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
CUSTOMER USE CASE
Automatic Rule Pushing
There is something to be said for being able to make updates on the fly. When noisy IPs and abnormal host activity appear on a fast-paced network, rules must be pushed to firewalls quickly and reliably to keep the noise away from analysts. Traditionally this means giving every analyst, or everyone in a particular group, access to every security appliance and letting them add rules by hand as needed.
Instead of adding every firewall rule manually and individually, rules are pushed to the security appliance automatically once certain activity is detected for an IP. The push can be triggered when a case is created for an IP that has been verified as a network scanner or as malicious, or an analyst can run the command directly to populate a new rule from the case data.
BENEFITS TO THIS APPROACH
- Fast rule push for high-throughput environments
- No need to grant analysts individual permissions on devices: everything is done through a single agent
- Both a preventative and proactive approach to rule-building
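The rule-push automation described above, written out as an added example rather than LogicHub's own playbook code. The case structure, the verdict labels (`verified_scanner`, `verified_malicious`) and the `FirewallClient` API are assumptions standing in for a real SOAR case object and a real firewall management API; the client keeps rules in memory so the example runs offline. Beyond what the text says, it adds the guard rails a practitioner would insist on before letting an automation write firewall rules: only verified verdicts qualify, the indicator must parse as an IP, internal and loopback ranges can never be blocked, rules are single-host only, and an existing rule is not pushed twice.

```python
"""Automatic firewall rule pushing from verified SOAR cases (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Verdicts that justify an automatic block (assumed case labels).
AUTO_BLOCK_VERDICTS = {"verified_scanner", "verified_malicious"}

# Address space that must never be blocked automatically, whatever the
# verdict says. A mislabelled case or a feed that lists an internal scanner
# must not be able to push a rule that cuts off the network itself.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class Case:
    case_id: str
    indicator: str            # the IP the case is about
    verdict: str              # how the case was classified
    analyst: str = "automation"


@dataclass
class FirewallClient:
    """Stand-in for a firewall management API (assumed interface).

    A real client authenticates once with a dedicated service credential,
    the 'single agent' of the text, and calls the vendor's rule API; this
    one records rules in a dict so the example runs offline."""
    rules: dict = field(default_factory=dict)   # cidr -> rule record

    def find_rule(self, cidr):
        return self.rules.get(cidr)

    def add_block_rule(self, cidr, comment):
        rule_id = f"auto-{len(self.rules) + 1:04d}"
        self.rules[cidr] = {"id": rule_id, "action": "deny",
                            "src": cidr, "comment": comment}
        return rule_id


def rule_target(case):
    """Return the CIDR to block for a case, or raise ValueError with the
    reason the case must not be turned into a rule."""
    if case.verdict not in AUTO_BLOCK_VERDICTS:
        raise ValueError(f"verdict {case.verdict!r} does not justify a block")
    try:
        addr = ipaddress.ip_address(case.indicator.strip())
    except ValueError:
        raise ValueError(f"indicator {case.indicator!r} is not an IP address") from None
    for net in NEVER_BLOCK:
        if addr in net:               # False when the IP versions differ
            raise ValueError(f"{addr} is inside protected range {net}")
    # Block the single host only, never a wider prefix, so a bad verdict
    # cannot take out a whole provider range.
    return f"{addr}/{addr.max_prefixlen}"


def push_rule_for_case(case, fw):
    """Push a block rule for one case. Returns a dict describing the outcome
    so the SOAR can write it back to the case timeline."""
    try:
        cidr = rule_target(case)
    except ValueError as exc:
        return {"case": case.case_id, "pushed": False, "reason": str(exc)}
    existing = fw.find_rule(cidr)
    if existing:
        return {"case": case.case_id, "pushed": False,
                "rule_id": existing["id"], "reason": "rule already present"}
    rule_id = fw.add_block_rule(
        cidr, comment=f"{case.case_id} {case.verdict} by {case.analyst}")
    return {"case": case.case_id, "pushed": True, "rule_id": rule_id, "cidr": cidr}


# Constructed sample cases using documentation address ranges (not real data).
SAMPLE_CASES = [
    Case("C-1001", "203.0.113.45", "verified_scanner"),
    Case("C-1002", "203.0.113.45", "verified_malicious", analyst="jdoe"),  # duplicate IP
    Case("C-1003", "10.20.30.40", "verified_malicious"),                   # internal host
    Case("C-1004", "198.51.100.7", "suspicious"),                          # not verified
    Case("C-1005", "198.51.100.7; drop all", "verified_malicious"),        # junk indicator
    Case("C-1006", "2001:db8::10", "verified_scanner"),                    # IPv6 host
]


def run(cases, fw=None):
    """Process a batch of cases against one firewall client and return the outcomes."""
    fw = fw if fw is not None else FirewallClient()
    return [push_rule_for_case(c, fw) for c in cases]


if __name__ == "__main__":
    for outcome in run(SAMPLE_CASES):
        print(outcome)
```

The protected-range list is deliberately explicit rather than relying on `ipaddress`'s `is_global`, which also excludes the documentation ranges used as sample data; in production the list should be generated from the organisation's own address plan and allowlisted partner ranges.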
This section collects some interesting reading on the state of infosec today. Each item has a short summary of the news and a link to more information.
A Fake Cybersecurity Firm Built to Target Security Researchers
A North Korean campaign set up accounts for a fake security firm, SecuriElite, aiming to lure users into visiting a malicious website. The activity was first flagged in January 2021, and all of the accounts created have since been suspended.
Gaming mods, cheat engines are spreading Trojan malware and planting backdoors
Remote access trojans are being distributed en masse disguised as gaming cheat engines, according to researchers at Cisco Talos. The malware is initially spread through malvertising, whether in YouTube videos or website advertisements, and its developers are putting more effort into evading detection, going so far as to check their builds against VirusTotal and similar services.
CISA Releases Tool to Review M365 Post-Compromise Activity
The new tool, nicknamed Aviary, is a Splunk-based dashboard that helps responders hunt for activity linked to the SolarWinds supply-chain attack. Among other things, it lets them review PowerShell mailbox sign-ins to verify whether the activity was legitimate.
Facebook Data Leak: No Notifications, Attributed to Web Scraping
The 500 million-plus users affected by the Facebook data leak will not be notified of their involvement, nor is Facebook attributing the incident to a hack. Instead, Facebook attributes it to web scraping that abused the phone numbers linked to accounts, and the company says it lacks sufficient visibility into exactly which accounts were affected to send notifications.
Ransomware gang urges victims’ customers to demand a ransom payment
In an unusual new way of coercing a ransom payment, the Clop ransomware gang is emailing the customers, partners and employees of affected companies to pressure the victims into paying. The emails put particular emphasis on the privacy of customer information.