The LogicHub Security Roundup: December 2020 Edition

Hello, and welcome to the first edition of the LogicHub Monthly Update! Each month we’ll cover a broad view of the past month’s threats, a set of informative use cases our teams have seen, and recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Samsung Factory Reset Protection (FRP) Bypass

WHAT DOES IT DO?

Factory Reset Protection (FRP) on Samsung devices is a feature that keeps a stolen device from being used by someone else after a factory reset: the device demands the credentials of the owner’s previously synced account before it can be set up again. It is a key feature for reducing the number of stolen phones that can be resold.

This bypass lets an attacker use the Secure Folder feature to stop FRP from enforcing its check on the rest of the device, so the phone can be set up without the owner’s credentials. The process is simple enough to perform that several online tutorials on the topic exist.

POTENTIAL IMPACT

Because the device has already been factory reset, the owner’s personal data is not exposed; the problem with this threat is how easy the bypass is and the resulting loss of property. Affected models gain new value on the black market, which increases demand for them and makes theft more of a problem for businesses that issue these devices.

REMEDIATION

Samsung has released a patch and pushed it out in its latest security updates. Ensure affected devices are updated.

MORE INFORMATION:

CVE-2020-28340

HIGHLIGHT

Android RCE

WHAT DOES IT DO?

The Android security bulletin published at the beginning of November announced patches for a series of severe security flaws. The most severe was a proximity-based flaw in the System component that could allow an attacker using a specially crafted transmission to execute arbitrary code in the context of a privileged process.

The flaw highlighted here, CVE-2020-0452, is an integer overflow in exif_entry_get_value() in exif-entry.c (libexif). Any third-party application that uses the library to process remote image data could be made to run attacker-supplied code. The most significant point is that no user interaction is required: handling a crafted image is enough to trigger it.
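To show the bug class rather than the patched code itself, here is an added illustration (it is not libexif’s source and does not reproduce the exact CVE-2020-0452 code path). An EXIF IFD entry declares a component count and a data format, both read straight from the image, and the parser derives the entry’s byte size from their product. The vulnerable function multiplies in 32 bits and then bounds-checks the wrapped result; the hardened function rejects the entry before the multiplication can wrap. The format codes, the entry layout, and the malicious component count are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration (not libexif's code) of the integer-overflow class behind
 * CVE-2020-0452: an EXIF IFD entry declares a 'components' count and a data
 * format, and the entry's byte size is components * sizeof(format). Both
 * fields come straight from the image file, so an attacker controls them. */

/* Element sizes for a few EXIF/TIFF data formats (TIFF type codes). */
static uint32_t format_size(uint16_t fmt)
{
    switch (fmt) {
    case 1:  return 1;   /* BYTE */
    case 3:  return 2;   /* SHORT */
    case 4:  return 4;   /* LONG */
    case 12: return 8;   /* DOUBLE */
    default: return 0;   /* unknown format: reject */
    }
}

/* Vulnerable pattern: 32-bit multiply, then a bounds check on the (possibly
 * wrapped) result. On success *needed is the size the caller would allocate
 * or copy, while the element loop that follows still runs 'components' times. */
int entry_size_vulnerable(uint16_t fmt, uint32_t components, size_t avail,
                          uint32_t *needed)
{
    uint32_t fs = format_size(fmt);
    if (fs == 0)
        return -1;
    uint32_t size = components * fs;      /* wraps silently for large counts */
    if (size > avail)
        return -1;                        /* a wrapped value passes this check */
    *needed = size;
    return 0;
}

/* Hardened pattern: refuse the entry before the multiplication can wrap,
 * then compare the true size against what the buffer actually holds. */
int entry_size_hardened(uint16_t fmt, uint32_t components, size_t avail,
                        uint64_t *needed)
{
    uint32_t fs = format_size(fmt);
    if (fs == 0 || components == 0)
        return -1;
    if (components > UINT32_MAX / fs)     /* product would not fit in 32 bits */
        return -1;
    uint64_t size = (uint64_t)components * fs;
    if (size > avail)
        return -1;
    *needed = size;
    return 0;
}

/* Bytes the per-element loop would step past the buffer if the vulnerable
 * check accepted the entry (0 when the entry is rejected or genuinely fits). */
uint64_t overrun_bytes(uint16_t fmt, uint32_t components, size_t avail)
{
    uint32_t needed;
    if (entry_size_vulnerable(fmt, components, avail, &needed) != 0)
        return 0;
    uint64_t real = (uint64_t)components * format_size(fmt);
    return real > avail ? real - avail : 0;
}

int main(void)
{
    /* Constructed malicious entry: 0x20000001 DOUBLE components. The true
     * size is 0x100000008 bytes, which wraps to 8 in 32-bit arithmetic. */
    uint16_t fmt = 12;
    uint32_t components = 0x20000001u;
    size_t avail = 16;                    /* bytes actually present in the file */
    uint32_t v_size = 0;
    uint64_t h_size = 0;

    int v = entry_size_vulnerable(fmt, components, avail, &v_size);
    int h = entry_size_hardened(fmt, components, avail, &h_size);
    printf("vulnerable: %s (size %u)\n", v == 0 ? "accepted" : "rejected", v_size);
    printf("hardened:   %s\n", h == 0 ? "accepted" : "rejected");
    printf("element loop would overrun the buffer by %llu bytes\n",
           (unsigned long long)overrun_bytes(fmt, components, avail));
    return 0;
}
```

The overflow-before-check ordering is the whole bug: the hardened version asks whether the product can be represented before computing it, which is the same discipline to apply to any length derived from untrusted counts in a parser.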

POTENTIAL IMPACT

Any remote code execution flaw undermines every leg of the CIA triad (confidentiality, integrity, and availability); how badly depends on what code the attacker can run and with which privileges. That is why the impact of these vulnerabilities is rated so high.

REMEDIATION

A patch has been released by Android. Please ensure that you, or whoever manages mobile devices for your business, installs this update.

MORE INFORMATION:

CVE-2020-0452


CUSTOMER USE CASE

Automated Salesforce Monitoring

SUMMARY

Previously, Salesforce users had to be added to watch lists manually, looked up via search engines, and their activity verified through a series of different methods. Though effective, the process took far longer than desired and left more room for error; users’ managers had to be contacted regularly just to confirm that an account still belonged to an active user.

AUTOMATED SOLUTION

Through automated commands and custom integrations such as the Cisco Talos integration, cases now arrive with everything previously seen about the user in the logs already attached for the investigator. Account creation date, prior activity, IP reputation, any existing social media presence, and the user’s full name are easy to access and useful for triage. In some instances the case can be resolved automatically.

BENEFITS TO THIS APPROACH
  • Quick access to information
  • Consistent sourcing and data
  • Automated resolution
  • Information consolidated for reporting
  • Methods of lookup are documented within the automated monitoring process

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
