Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

Windows Hyper-V RCE

What does it do?

This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources which could result in remote code execution on the host server.

Potential Impact

An RCE on the host server could result in full compromise of the CIA triad. Although exploitation requires specially crafted requests from an authenticated attacker, obtaining that foothold is often simple: a default account or a weakly authenticated account on a guest VM is enough.

Remediation

Microsoft has released an official patch for this vulnerability.

More Information:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34450

HIGHLIGHT

Windows Kernel RCE

What does it do?

This issue allows a Single Root I/O Virtualization (SR-IOV) device that is assigned to a guest to potentially interfere with its Peripheral Component Interconnect Express (PCIe) siblings that are attached to other guests or to the root. Virtual machines and devices that utilize SR-IOV are particularly at risk, and their presence increases the likelihood of an RCE being executed.

Potential Impact

As with all RCEs, this can cause severe interference or complete disruption to the CIA triad.

Remediation

An official patch is available from the vendor.

More Information:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34458

HIGHLIGHT

Google Chrome DevTools Sandbox Vulnerability

What does it do?

Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who had convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page. The remainder of the details on this CVE have been made private by Google.

Potential Impact

This sandbox escape allows the attacker to execute code outside of the intended sandbox, which means that potentially damaging and data-retrieving commands can be used. Massive privacy and monetary implications are expected for this sort of vulnerability.

Remediation

The vendor has released a patch for this issue.

More Information:

https://vuldb.com/?id.179980

Additional Threats

CVE-2021-35211

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

More Info

CVE-2021-33501

Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Code Execution, via an overwolfstore:// URL.

More Info

CVE-2021-24442

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks.

More Info

CVE-2021-37594

In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_SIZE File Contents Request PDU.

More Info

CVE-2020-5349

Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnerability and gain administrative privileges.

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Suspicious Production Account Activity Triage

Summary

Production accounts are simultaneously the most important and least expected place to see malicious activity on a network. While it is uncommon for a compromise to get this far, it is extremely important that controls be put in place to monitor and lock down access to production accounts in line with the principle of least privilege. Ideally, a production account alarm should look for a specific kind of unusual account operation or login and report on it with a heightened alarm severity.

Automated Solution

Current automation logic starts with a lot of very careful, specific whitelisting. Every machine that a production account is expected to touch is enumerated, then cross-checked against the account's normal actions on that machine. If everything matches, no alarm triggers. If there is a single mismatch, a case is created with a heightened severity and an alert is sent to the analysts in charge of the instance.
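The allowlist-then-mismatch logic described above, as an added illustration that is not LogicHub's own automation code. Account names, hosts, actions and the key/value log format are all constructed for the example; a real playbook would read the allowlist from the asset inventory and the events from the SIEM.

```python
"""Allowlist-driven triage of production-account activity (added example)."""
from dataclasses import dataclass

# Per-account allowlist: hosts the account may touch and the actions it
# normally performs. Hypothetical values for the example.
ALLOWLIST = {
    "svc_deploy": {"hosts": {"prod-web-01", "prod-web-02"},
                   "actions": {"login", "service_restart"}},
    "svc_backup": {"hosts": {"prod-db-01"},
                   "actions": {"login", "snapshot"}},
}


@dataclass(frozen=True)
class Event:
    account: str
    host: str
    action: str


@dataclass(frozen=True)
class Case:
    severity: str
    reason: str
    event: Event


def triage(event: Event, allowlist=ALLOWLIST):
    """Return None when the event matches the allowlist, else a high-severity Case."""
    policy = allowlist.get(event.account)
    if policy is None:
        return Case("high", "unknown production account", event)
    if event.host not in policy["hosts"]:
        return Case("high", f"unexpected host {event.host}", event)
    if event.action not in policy["actions"]:
        return Case("high", f"unexpected action {event.action}", event)
    return None


def parse_line(line: str) -> Event:
    """Parse a constructed 'account=.. host=.. action=..' log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(fields["account"], fields["host"], fields["action"])


# Constructed sample log: two normal events, one mismatch on the host.
SAMPLE_LOG = [
    "account=svc_deploy host=prod-web-01 action=service_restart",
    "account=svc_backup host=prod-db-01 action=snapshot",
    "account=svc_deploy host=dev-laptop-17 action=login",
]


def run(lines):
    """Return the cases raised for a batch of log lines (normal events drop out)."""
    return [c for c in (triage(parse_line(l)) for l in lines) if c]
```

Running `run(SAMPLE_LOG)` yields a single high-severity case for the svc_deploy login from dev-laptop-17; the two allowlisted events produce nothing.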

Benefits to This Approach

This may seem like overkill, but it is actually a very straightforward and effective approach for such a sensitive set of accounts. Unlike regular or less privileged user accounts, production accounts leave little room for alarm tuning or experimentation, so their detections should be deliberately simple while automating away as many false positives as possible.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

PrintNightmare Breakdown: Analysis and Remediation

After a devastating 0-day hit Windows machines last month, administrators rushed to turn off the culprit: the print spooler. The flaw surfaced after a patch intended to fix a previous vulnerability. This breakdown explains how the infection spreads, how to contain it, and some common markers of infection.

Read More

Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC

Microsoft is recommending that system administrators stop using NT LAN Manager following an interesting proof-of-concept in which the attacker uses Microsoft SMB, forcing an authentication and gaining authentication details. From here, password hashes gained can be easily cracked. A Microsoft workaround has been released.

Read More

Google Play Protect fails Android security tests once more

Based on an AV-TEST real-world lab test, the Google Play Protect mobile antivirus ranked last out of 15 applications tested. "Finishing in last place, Google Play Protect only detected 68.8 percent in the real-time test and 76.6 percent in the test with the reference set." It also picked out 70 apps as false positive detections.

Read More

Amazon gets $888 million GDPR fine for behavioral advertising

Using browser tracking and building massive profiles filled with user data, Amazon has been caught red-handed utilizing data protected by the GDPR, entirely without user consent. This is the largest fine issued by the European Union in enforcement of the GDPR. Amazon intends to appeal the decision.

Read More

NSA Warns Public Networks are Hacker Hotbeds

Regular DEFCON attendees need not be told: public WiFi is not safe. The NSA has released a public announcement confirming that Bluetooth, open WiFi, and NFC are all massive targets painted on the backs of corporate tech users. The recommendations are largely the same ones we have heard since 2015: turn off NFC and Bluetooth when not in use, use a VPN, and think critically about how you connect.

Read More

Ransomware Gangs and the Name Game Distraction

Ransomware gangs change names with the seasons, it seems, typically in an effort to throw off investigators or rebrand themselves in a different direction. The linked KrebsOnSecurity article shows just how often these name changes take place and why it’s so important to keep up as a security researcher.

Read More

Apple plans to scan US iPhones for child sexual abuse images

In a big move for the privacy world, Apple will now scan photos stored locally on iPhones for images of child sexual abuse. neuralMatch scans images before upload to iCloud, searching for known flagged imagery and notifying the National Center for Missing and Exploited Children if instances are found. This move, though morally clear, holds strong and concerning implications for the world of personal privacy.

Read More
