The LogicHub Security Roundup: April 2021 Edition
Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we cover a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
SECURITY SAFARI
New Threats in the Wild
This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
HIGHLIGHT
Netgear File Upload Zero Day
WHAT DOES IT DO?
With this vulnerability, a class in the Netgear ProSAFE Network Management System fails to validate a user-supplied path, allowing code execution in the product.
POTENTIAL IMPACT
With the ability to execute arbitrary code along a supplied path, attackers may have free rein over the product - from gaining access to data as SYSTEM to modifying its operation.
REMEDIATION
Netgear has released a security update as of March 26th.
HIGHLIGHT
Cisco IOS XE Boundary Checks
WHAT DOES IT DO?
On some Cisco Catalyst 4500 and 4500-X Series switches, missing boundary checks on Easy VSS protocol packets allow an attacker to trigger a buffer overflow with crafted packets. Once the overflow is triggered, the attacker may gain administrative access to the underlying Linux operating system or cause a denial of service.
POTENTIAL IMPACT
Complete loss of availability through denial of service, and a possible total breach of confidentiality and data integrity.
REMEDIATION
No workarounds or patches are available, but some mitigations have been suggested, such as disabling Discovery Protocol.
HIGHLIGHT
Snapdragon Buffer Overflow
WHAT DOES IT DO?
The affected code copies the data within an RTT/TTY packet without verifying the size of the destination buffer, which can cause a buffer overflow and be used to perform an out-of-bounds write.
POTENTIAL IMPACT
Out-of-bounds writes can cause crashes, unexpected behavior, or even code execution, undermining all three legs of the CIA triad (confidentiality, integrity, and availability).
REMEDIATION
Qualcomm has addressed this and several other vulnerabilities in their March 2021 patch.
Additional Threats
CVE-2021-21982: VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.
CVE-2021-29066: Certain NETGEAR devices are affected by authentication bypass. This affects RBK852 before 3.2.17.12, RBK853 before 3.2.17.12, RBK854 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
CVE-2021-1818: A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
FROM THE FIELD
Real World Use Cases in Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
CUSTOMER USE CASE
Automatic Rule Pushing
SUMMARY
There is something to be said for being able to make updates on the fly. When irritating IPs and abnormal host activity show up on a fast-paced network, rules must be pushed to firewalls quickly and effectively so analysts are not buried in additional noise. Doing this by hand usually means making sure that either every analyst, or everyone in a certain group, has access to every security appliance, and then letting them add rules manually as needed.
AUTOMATED SOLUTION
Instead of adding every firewall rule manually and individually, rules are pushed to the security appliance automatically once certain activity is detected in connection with an IP. The push can be triggered when a case is created for a verified network scanner or a verified malicious IP, or an analyst can run the command to feed the data into a new rule.
BENEFITS TO THIS APPROACH
- Fast rule push for high-throughput environments
- No need for special permissions on the devices themselves - everything goes through a single agent
- Both a preventative and proactive approach to rule-building
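The decision logic behind such an automation, sketched here as an added example rather than LogicHub's own code: the verdict gate, the never-block allowlist and the idempotent push are all assumptions, and every address and range below is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Ranges the automation must never block, even on a verified-malicious verdict.
# Assumption: RFC 1918, loopback and one constructed "partner" range (198.51.100.0/24).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "198.51.100.0/24")]
# Case verdicts that trigger a push without an analyst in the loop (assumed labels).
TRIGGER_VERDICTS = {"verified_scanner", "verified_malicious"}

@dataclass
class Case:
    case_id: str
    ip: str
    verdict: str                   # e.g. "verified_scanner", "suspicious"
    analyst_override: bool = False # analyst ran the push command by hand

@dataclass
class Firewall:
    """Stand-in for the single agent that holds the appliance credentials."""
    rules: list = field(default_factory=list)

    def push_block(self, ip, comment):
        for rule in self.rules:
            if rule["src"] == ip:  # already blocked: idempotent, no duplicate rule
                return rule
        rule = {"action": "deny", "src": ip, "comment": comment}
        self.rules.append(rule)
        return rule

def decide_block(case):
    """Return (should_block, reason); every refusal carries a reason for the case notes."""
    try:
        addr = ipaddress.ip_address(case.ip)
    except ValueError:
        return False, "not a valid IP address"
    if any(addr in net for net in NEVER_BLOCK):
        return False, "address is on the never-block allowlist"
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False, "non-routable address"
    if case.verdict not in TRIGGER_VERDICTS and not case.analyst_override:
        return False, f"verdict {case.verdict!r} does not trigger a push"
    return True, "ok"

def handle_case(case, fw):
    """Entry point the case-creation trigger (or the analyst command) would call."""
    ok, reason = decide_block(case)
    if not ok:
        return {"pushed": False, "reason": reason}
    rule = fw.push_block(case.ip, f"auto: case {case.case_id} ({case.verdict})")
    return {"pushed": True, "rule": rule}
```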
Recommended Reading
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
A Fake Cybersecurity Firm Built to Target Security Researchers
A North Korean campaign created accounts for the fake security firm SecuriElite, aiming to bait users into accessing a malicious website. All of the accounts created have since been suspended; the campaign was initially flagged in January 2021.
Gaming mods, cheat engines are spreading Trojan malware and planting backdoors
Remote access trojans are being distributed en masse in the form of gaming cheat engines, say researchers with Cisco Talos. Initially spread through malvertising in the form of YouTube videos or website advertisements, the malware developers are making greater efforts to avoid detection, even going so far as to check their code against VirusTotal and similar services.
CISA Releases Tool to Review M365 Post-Compromise Activity
The new tool, nicknamed Aviary, is a Splunk-based dashboard that assists researchers in hunting down activity from the SolarWinds supply-chain attack. It allows for the review of PowerShell mailbox sign-ins to verify the legitimacy of activities.
Facebook Data Leak: No Notifications, Attributed to Web Scraping
The 500m+ users affected by the Facebook data leak will not be receiving notification of their involvement, nor will Facebook be attributing the incident to a hack. Instead, Facebook has attributed it to web scraping based on user phone numbers connected to accounts, with the company claiming to have insufficient visibility into the exact accounts affected to send notifications.
Ransomware gang urges victims’ customers to demand a ransom payment
In an unusual new method of coercing a ransom from victims, the Clop ransomware gang is emailing the customers, partners, and employees of affected companies in an attempt to pressure them into payment. The emails put special focus on customer information privacy.