The LogicHub Security Roundup: April 2022 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Apple Buffer Overflow Zero Days

WHAT DOES IT DO?

A pair of zero days in iOS, iPadOS, and macOS Monterey were being actively exploited in the wild before a patch was available. Both were out-of-bounds write issues, one in an Intel graphics driver and one in the AppleAVD media decoder. An out-of-bounds write lets data be written past the end of the buffer it was intended for, corrupting adjacent memory, which an attacker can then leverage for remote code execution.

POTENTIAL IMPACT

Buffer overflows and out-of-bounds writes can lead to remote code execution, which in turn threatens every aspect of the CIA triad: confidentiality, integrity, and availability.

REMEDIATION

Apple urges all of those affected to patch immediately with the newly available security updates.

MORE INFORMATION:

https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs/

HIGHLIGHT

NodeIPC ‘Protestware’

WHAT DOES IT DO?

This one is highly unusual, and it means that node-ipc is no longer recommended for use. Versions of the node-ipc package from 10.1.1 and before 10.1.3 include malicious code that targets Russian and Belarusian IP addresses, overwriting files with a heart-emoji write pattern. Anyone using the module in their development may therefore cause damage to users whose IP address falls in that region.

POTENTIAL IMPACT

Full system wipes are nothing to treat lightly, and this code has a further significant problem: because targeting is based on the client's IP address, a user on a VPN may be treated as a target despite not living in the region.

REMEDIATION

Many currently recommend not using node-ipc at all. This is difficult, as node-ipc is a common dependency. Users can add overrides that pin node-ipc to an earlier version in their current code, but because node-ipc is often a transitive dependency this doesn't always fix the problem. Use at your own risk.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2022-23812

HIGHLIGHT

OpenSSL Palo Alto DoS

WHAT DOES IT DO?

A vulnerability in the version of the OpenSSL library used by Palo Alto's PAN-OS, GlobalProtect, and Cortex XDR allows denial-of-service (DoS) attacks. Though the flaw has been patched in OpenSSL itself, the older version used by Palo Alto has yet to be patched. A function used to calculate modular square roots contains a bug that causes it to loop infinitely when it parses a crafted certificate or public key.

POTENTIAL IMPACT

A DoS attack severely affects the availability of resources, leading to uptime problems and possible issues with connected applications.

REMEDIATION

Palo Alto recommends that customers with the Threat Prevention service enable Threat IDs 92409 and 92411 to block incoming attacks. Though exploitation has yet to be seen in the wild, a proof of concept does exist.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2022-0778

CUSTOMER USE CASE

Threat Hunting in Github

SUMMARY

- GitHub is frequently a repository for confidential intellectual property (IP). An attacker who gains access to the right GitHub repository can steal critical proprietary information about product roadmaps, unresolved bugs, product vulnerabilities, and more. In the wrong hands, this information can be incredibly damaging to a company.

AUTOMATED SOLUTION

LogicHub playbooks can automatically baseline GitHub activity, profiling a broad range of data points, including the typical number of GitHub repositories and authorized users, unique logins from specific IP addresses, and the expected behavior of individual users within the repository. This establishes a profile of expected behavior that can be used to identify when a user is behaving abnormally. Rather than waiting for indications that a breach has occurred, LogicHub can proactively hunt for suspicious activity and automatically disable an account before it is used to perform malicious actions such as stealing critical data.

BENEFITS TO THIS APPROACH

Hunting for exposed intellectual property and sensitive data by hand is exceedingly difficult, as it requires sifting through a huge number of accounts and repositories for unusual activity and cross-referencing it against normal baseline activity. Doing this regularly would take hundreds of hours for an average-sized company. By automating the search through GitHub data, the check can be completed without human intervention and with no need for manual action on accounts.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. Each article comes with a short summary that explains the basic idea of the news and links to more information.