The LogicHub Security Roundup: February 2021 Edition
Hello, and welcome to the LogicHub Monthly Update! Each month we cover a broad view of the past month’s threats, a few informative use cases our teams have seen, and a list of recommended articles, podcasts, and other useful resources.
Active Exploits on Chrome Zero-Day
WHAT DOES IT DO?
Google confirmed that a recently patched Chrome zero-day, CVE-2021-21148, was exploited in the wild. The fix shipped on February 4th, after the bug was likely used by a North Korean state-backed group in its campaign against vulnerability researchers. The underlying flaw is a heap buffer overflow in V8, Chrome’s JavaScript engine.
Left unpatched, a heap buffer overflow can crash the process or send it into an infinite loop; in a browser it can also let an attacker corrupt adjacent heap data, run arbitrary code in the renderer, and read data the page should never have had access to.
Google fixed the issue in Chrome 88.0.4324.150. Chrome only applies a downloaded update after a restart, so users should update and relaunch the browser rather than wait for their next session.
Android Packet Injection via Bluetooth
WHAT DOES IT DO?
A batch of Android vulnerabilities patched on January 5 included a critical security vulnerability in the System component that could let a remote attacker execute arbitrary code within the context of a privileged process using a specially crafted transmission. The root cause is improper input validation in Bluetooth packet fragmentation handling. Other vulnerabilities fixed in the same bulletin also allowed remote code execution through different vectors.
Because the code runs in a privileged process and no user interaction is required, an attacker within Bluetooth range could escalate privileges on the device without the victim doing anything.
Android users should install the latest security updates and confirm that the security patch level shown in the device’s Settings is January 5, 2021 or later.
CUSTOMER USE CASE
CIS AWS Benchmarking
The CIS Benchmarks are consensus-developed configuration baselines covering a wide variety of vendors and products. Each recommendation can be turned into a detection, and together they work as a high-level security checklist that makes sure no corner of an environment goes unchecked. Applied to Amazon Web Services (the CIS AWS Foundations Benchmark), the result is a daily check of every IAM user and account setting for violations.
In the LogicHub solution, a flow examines credential age, access keys, and policy violations. Whitelists of known, permitted exceptions are maintained and matched against each day’s monitoring data, so only unexpected violations are raised. In this way thousands of users can be monitored for compliance and security risk with very little effort.
BENEFITS TO THIS APPROACH
- Quick and easy compliance based on CIS benchmarks
- Easily modifiable to improve detections
- High volume with low effort/processing power
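To make the flow concrete, here is an added example (not LogicHub’s own code) of the same daily check written in Python against an IAM credential report, the CSV that `aws iam get-credential-report` returns. The report rows, the account ID and the whitelist entry are constructed for the example; the 90-day thresholds follow the benchmark’s credential checks (no root access keys, MFA for console users, unused credentials disabled, access keys rotated). Whitelisted violations are kept separate from raised findings so the exception is still visible.

```python
"""Daily CIS AWS Foundations Benchmark IAM checks over an IAM credential
report, with a whitelist of accepted exceptions. Added example; the report
rows, account ID and whitelist entry below are constructed, not real data."""
import csv
import io
from datetime import datetime, timezone

# Thresholds from the benchmark's credential checks (v1.2.0 values).
UNUSED_DAYS = 90     # credentials unused for 90 days or more should be disabled
ROTATION_DAYS = 90   # access keys should be rotated every 90 days or less

# Fixed "today" so the example is reproducible.
NOW = datetime(2021, 2, 15, tzinfo=timezone.utc)

# Constructed sample with the column set of `aws iam get-credential-report`.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2021-02-10T09:00:00+00:00,not_supported,not_supported,true,true,2019-01-01T00:00:00+00:00,2021-02-01T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-06-01T00:00:00+00:00,true,2021-02-12T10:00:00+00:00,2021-01-15T00:00:00+00:00,2021-04-15T00:00:00+00:00,true,true,2021-01-20T00:00:00+00:00,2021-02-12T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-03-01T00:00:00+00:00,true,2020-10-01T00:00:00+00:00,2020-03-01T00:00:00+00:00,2020-06-01T00:00:00+00:00,false,true,2020-03-01T00:00:00+00:00,2020-09-30T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-01T00:00:00+00:00,2021-02-14T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Whitelist of accepted exceptions: (user, check) -> reason (hypothetical ticket).
WHITELIST = {
    ("ci-deploy", "access_key_1_rotation"): "long-lived deploy key, tracked in SEC-123",
}


def _parse_ts(value):
    """Datetime for an ISO-8601 field, or None for N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _days_since(value, now, fallback=None):
    """Whole days since the timestamp in `value`; uses `fallback` when absent."""
    ts = _parse_ts(value) or (_parse_ts(fallback) if fallback else None)
    return None if ts is None else (now - ts).days


def check_row(row, now):
    """Return the benchmark check names that one credential-report row fails."""
    failed = []
    if row["user"] == "<root_account>":
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            failed.append("root_access_key")          # no root access keys
        if row["mfa_active"] != "true":
            failed.append("root_mfa")                 # MFA on the root account
        return failed
    if row["password_enabled"] == "true":
        if row["mfa_active"] != "true":
            failed.append("console_mfa")              # MFA for console users
        # A never-used password counts as unused since the user was created.
        idle = _days_since(row["password_last_used"], now, row["user_creation_time"])
        if idle is not None and idle >= UNUSED_DAYS:
            failed.append("unused_password")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        # A never-used key counts as unused since it was created/rotated.
        idle = _days_since(row[f"access_key_{n}_last_used_date"], now,
                           row[f"access_key_{n}_last_rotated"])
        if idle is not None and idle >= UNUSED_DAYS:
            failed.append(f"unused_access_key_{n}")
        age = _days_since(row[f"access_key_{n}_last_rotated"], now)
        if age is None or age > ROTATION_DAYS:
            failed.append(f"access_key_{n}_rotation")
    return failed


def evaluate(report_csv, now=NOW, whitelist=WHITELIST):
    """Split (user, check) violations into findings to raise and whitelisted ones."""
    findings, suppressed = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for check in check_row(row, now):
            key = (row["user"], check)
            (suppressed if key in whitelist else findings).append(key)
    return findings, suppressed


if __name__ == "__main__":
    raised, ignored = evaluate(SAMPLE_REPORT)
    for user, check in raised:
        print(f"VIOLATION  {user}: {check}")
    for user, check in ignored:
        print(f"whitelisted {user}: {check} ({WHITELIST[(user, check)]})")
```

Run daily, the only moving parts are the report text (swap the constructed sample for the output of `get-credential-report`) and the whitelist; everything else is the benchmark’s own thresholds, which is what keeps the check cheap to maintain at thousands of users.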
This section contains some interesting reading related to the state of infosec today. Each item has a short summary of the news and links to more information.
Card Resellers Facing Shutdown
This month saw not only the shutdown of the well-known Joker’s Stash card market but also the sudden seizure of ValidCC by law enforcement. Both were major players in the trade of stolen payment card data, with Joker’s Stash having operated since late 2014. This is not the end of the stolen card market, but it is sure to make resale harder in the coming months as vendors look for a new place to sell their ill-gotten wares.
U.S. Cybersecurity Funds Announced
The new presidential administration has proposed $10 billion in cybersecurity and IT modernization spending, including funding for the Cybersecurity and Infrastructure Security Agency (CISA) and for hiring federal cybersecurity staff. With nation-state actors causing more trouble for government entities, the new money is a definite relief, but experts such as Tom Kellermann of VMware Carbon Black argue that the figure should be far higher, ‘... about $100 billion over time’.
Increase In Industrial Network Security Holes Over Past Year
Industrial networks have become steadily more attractive to threat actors over the past decade, given their high value and their typically weak security. This year’s figures show a 33% increase in disclosed industrial network vulnerabilities over 2018, a sign of how far new research and attack efforts have come, and 71% of those bugs are remotely exploitable.
Twice As Nice: Company Pays Ransomware Twice
Getting hit by ransomware is hard enough on a company; in one organization’s case, lightning struck twice. A blog post by the U.K.’s National Cyber Security Centre cited the example in a discussion of recent ransomware trends, noting that the organization had not identified and closed the security hole after the first incident, so the same actor hit it again by the same method. Paying a ransom does not remove the attacker’s access: the point of entry has to be found and fixed before systems are restored.
Myanmar Internet Blackouts Following Coup
In an ongoing situation, Myanmar has faced significant internet blackouts across the country following the military coup. As citizens protest, the Myanmar Ministry of Transport and Communications issued a statement ordering service providers to block Twitter and Instagram; Facebook was blocked earlier in the week.