The LogicHub Security Roundup: December 2020 Edition
Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we’ll cover a broad view of the past month’s threats, a set of informative use cases our teams have seen, and a list of recommended articles, podcasts, and other useful resources.
SECURITY SAFARI
New Threats in the Wild
This section is devoted to threats of particular note that have recently been identified in the real world. A select few of particular interest are highlighted in greater detail. Selections are based on NIST NVD data.
HIGHLIGHT
Samsung Factory Reset Protection (FRP) Bypass
WHAT DOES IT DO?
Factory Reset Protection (FRP), as implemented on Samsung devices, is an Android feature that keeps a device locked after an untrusted factory reset until the original owner’s account credentials are entered, so a stolen phone cannot simply be wiped and reused. It is a key feature for reducing the resale value of stolen phones.
This bypass abuses the Secure Folder feature to stop FRP from communicating with the rest of the device, letting an attacker set the phone up as their own. The process is simple enough that several online tutorials walk through it step by step.
POTENTIAL IMPACT
Personal data on the device does appear to remain protected; the problem with this threat is how easy it is to perform and the resulting loss of property. It can raise black-market demand for the affected models and make device theft a bigger problem for businesses.
REMEDIATION
Samsung has released a patch, which is being delivered in the latest updates.
MORE INFORMATION:
HIGHLIGHT
Android RCE
WHAT DOES IT DO?
The Android Security Bulletin published at the start of November announced patches for a series of severe security flaws. The most severe could allow a remote attacker to execute arbitrary code within the context of a privileged process.
The flaw, CVE-2020-0452, is an integer overflow in exif_entry_get_value in exif-entry.c (the libexif EXIF parser) that can lead to an out-of-bounds write. Any third-party application that used the library to process remotely supplied image data could be exploited, and the most significant point is that no user interaction is required.
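The bug class behind this flaw is an integer overflow in a size calculation while parsing untrusted image metadata. The C example below is added here and is not libexif’s or Android’s code: it uses a constructed EXIF-style entry header (a component count and a per-component size, as in a TIFF/EXIF IFD entry) and places an unchecked 32-bit size computation beside a hardened version that widens the arithmetic, validates the per-component size and bounds the total. The header layout, MAX_ENTRY_BYTES and all function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest payload a single entry may claim. Real parsers bound this by the
   remaining file size; the value here is an assumption for the example. */
#define MAX_ENTRY_BYTES (64u * 1024u * 1024u)

/* Constructed EXIF-style entry header (not libexif's struct): an untrusted
   component count and the size of one component. */
typedef struct {
    uint32_t components;   /* attacker-controlled count read from the file */
    uint32_t format_size;  /* 1..8 bytes for the standard EXIF formats */
} entry_hdr;

/* Vulnerable size calculation: the multiply is done in 32 bits and silently
   wraps, so a huge count can yield a tiny allocation that a later copy of
   components * format_size bytes would overrun. */
uint32_t entry_size_unchecked(const entry_hdr *e) {
    return e->components * e->format_size;
}

/* Hardened size calculation: widen before multiplying so the product cannot
   wrap, reject impossible per-component sizes, and bound the total. Returns
   false and leaves *out untouched when the header must be rejected. */
bool entry_size_checked(const entry_hdr *e, size_t *out) {
    if (e->format_size == 0 || e->format_size > 8)
        return false;
    uint64_t total = (uint64_t)e->components * (uint64_t)e->format_size;
    if (total > MAX_ENTRY_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

/* Read a big-endian 32-bit value from the constructed header bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an 8-byte header (count, then format size) and allocate the payload
   buffer using the checked size. Returns the buffer (caller frees) and its
   size, or NULL if the header is rejected or too short. */
uint8_t *alloc_entry_payload(const uint8_t *buf, size_t len, size_t *size_out) {
    if (len < 8) return NULL;
    entry_hdr h = { be32(buf), be32(buf + 4) };
    size_t n;
    if (!entry_size_checked(&h, &n)) return NULL;
    uint8_t *p = calloc(n ? n : 1, 1);
    if (p && size_out) *size_out = n;
    return p;
}

int main(void) {
    /* Constructed hostile header: 0x40000001 components of 4 bytes each.
       0x40000001 * 4 = 0x100000004, which wraps to 4 in 32-bit arithmetic. */
    const uint8_t hostile[8] = { 0x40, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04 };
    /* Constructed benign header: 10 components of 2 bytes each. */
    const uint8_t benign[8]  = { 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02 };

    entry_hdr bad = { be32(hostile), be32(hostile + 4) };
    printf("unchecked size for hostile header: %u bytes (true size 0x%llx)\n",
           entry_size_unchecked(&bad),
           (unsigned long long)bad.components * bad.format_size);

    size_t n = 0;
    uint8_t *p = alloc_entry_payload(hostile, sizeof hostile, &n);
    printf("checked parser %s the hostile header\n", p ? "accepted" : "rejected");
    free(p);

    p = alloc_entry_payload(benign, sizeof benign, &n);
    printf("checked parser accepted benign header, %zu bytes\n", n);
    free(p);
    return 0;
}
```

The unchecked path reports 4 bytes for the hostile header while the parser would go on to copy more than 4 GiB of component data; the checked path refuses the header outright. Widening to 64 bits works here because both operands are 32-bit; for size_t operands of unknown width, a compiler builtin such as __builtin_mul_overflow or a division-based check is the equivalent safeguard.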
POTENTIAL IMPACT
Any remote code execution flaw threatens all three parts of the CIA triad: confidentiality, integrity and availability. What an attacker actually achieves depends on the code they choose to run and the privileges it runs with, and here that is a privileged process. This is why the impact of these vulnerabilities is rated so high.
REMEDIATION
A patch has been released by Android. Please ensure that you, or whoever manages your organization’s mobile devices, installs this update.
MORE INFORMATION:
CVE-2020-0452
Additional Threats
- CVE-2020-28864: Buffer overflow in WinSCP 5.17.8 allows a malicious FTP server to cause a denial of service or possibly have other unspecified impact via a long file name.
- CVE-2020-3531: A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to access the back-end database of an affected system. The vulnerability exists because the affected software does not properly authenticate REST API calls. An attacker could exploit this vulnerability by obtaining a cross-site request forgery (CSRF) token and then using the token with REST API requests. A successful exploit could allow the attacker to access the back-end database of the affected device and read, alter, or drop information.
- CVE-2020-15993: Use after free in printing in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
FROM THE FIELD
Real World Use Cases in Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
CUSTOMER USE CASE
Automated Salesforce Monitoring
SUMMARY
Previously, Salesforce users were added to lists by hand, looked up via search engines, and their activity had to be verified through several different methods. Though effective, this process took far more time than desired and left more room for error, and user managers had to be contacted regularly to confirm that an account belonged to a current user.
AUTOMATED SOLUTION
With automated commands and custom integrations such as a Cisco Talos integration, cases now arrive with all the information about the user previously seen in logs already available to the investigator. When the account was created, prior activity, IP reputation, any existing social media presence, and the user’s full name are easy to access and useful for triage. In some instances the case can be resolved automatically.
BENEFITS TO THIS APPROACH
- Quick access to information
- Consistent sourcing and data
- Automated resolution
- Information consolidated for reporting
- Methods of lookup are documented within the automated monitoring process
Recommended Reading
This section contains some interesting reading on the state of infosec today. Each item has a short summary that explains the basic idea of the news, with links to more information.
AstraZeneca Targeted by Possible North Korean Intelligence Group
With AstraZeneca in the race to produce a COVID-19 vaccine, attackers posing as recruiters on LinkedIn targeted company employees with phishing lures in an attempt to plant malicious code.
Brazilian Ministry of Health Data Exposed
The personal information of over 243 million Brazilians was exposed for six months in an openly accessible database, because the database credentials had been left in the source code of the Ministry of Health website.
APT Using CryptoMiners As Distraction
The APT group BISMUTH has been deploying cryptocurrency miners as a distraction from its more targeted spearphishing activity against its victims, an interesting new tactic.
iPhone Over the Air Takeover
A Google Project Zero researcher spent six months digging into an already-patched iOS vulnerability to find its true reach: a wormable, over-the-air bug that would have let an attacker within Wi-Fi radio range take control of a nearby iPhone and see everything on it.
Financial CyberCrime Evolution Via Pandemic
Financial cybercrime is changing with the pandemic: security has become less prominent in large companies because of rushed moves online, a lack of employee training, and easy DDoS opportunities, and next year looks even worse.