The LogicHub Security Roundup: February 2021 Edition

Hello, and welcome to the LogicHub Monthly Update! Each month we cover a broad view of the past month's threats, informative use cases seen by our teams, and recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Active Exploits on Chrome Zero-Day

WHAT DOES IT DO?

A recently patched Chrome zero-day, CVE-2021-21148, was confirmed by Google to have been exploited in the wild. It was patched as of February 4th, after a North Korean government-backed hacking group likely used it against vulnerability researchers. The bug is a heap buffer overflow.

POTENTIAL IMPACT

If left unpatched and unchecked, heap buffer overflows can cause crashes or infinite loops, or, as in this case, give an attacker a way to run arbitrary code and access unauthorized data.

REMEDIATION

Google has released Chrome version 88.0.4324.150, which addresses this issue.

MORE INFORMATION:

https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-actively-exploited-in-the-wild/
https://cwe.mitre.org/data/definitions/122.html
https://nvd.nist.gov/vuln/detail/CVE-2020-20269

HIGHLIGHT

Android Packet Injection via Bluetooth

WHAT DOES IT DO?

A series of vulnerabilities patched on 1/5 included a critical security vulnerability in the Android System component that could let a remote attacker, using a specially crafted transmission, execute arbitrary code within the context of a privileged process. The root cause is improper input validation in the packet fragmentation process. Other vulnerabilities fixed in the same patch also enabled remote code execution by varying methods.

POTENTIAL IMPACT

Arbitrary code execution through this method would allow unauthorized privilege escalation without any user interaction.

REMEDIATION

Users of Android should install the latest security updates to mitigate risk of attack.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2020-0471
https://source.android.com/security/bulletin/2021-01-01

CUSTOMER USE CASE

CIS AWS Benchmarking

SUMMARY

The CIS Benchmarks are a set of configuration guidelines covering a wide variety of vendors and products, against which organizations can build detections. They can also serve as a high-level security checklist, ensuring that every corner of a network is checked and covered. When applied specifically to Amazon Web Services, users are checked daily for security violations.

AUTOMATED SOLUTION

In the LogicHub solution, a flow is created to examine credential age, access keys, and policy violations. Whitelists of known permitted activity are maintained and matched against the daily monitoring data, so that thousands of users can be monitored for compliance and security risks with very little effort.

BENEFITS TO THIS APPROACH
  • Quick and easy compliance based on CIS benchmarks
  • Easily modifiable to improve detections
  • High volume with low effort/processing power
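As an added example, not part of the LogicHub solution or of this page: a Python check that reads an IAM credential report (constructed sample rows in the layout of `aws iam get-credential-report`, with a subset of its columns) and flags credential-age, access-key and MFA findings against CIS AWS Benchmark-style thresholds, with a hypothetical whitelist of documented exceptions. The 90-day thresholds, the report date and the whitelist contents are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # CIS AWS Foundations: rotate access keys at least every 90 days
MAX_UNUSED_DAYS = 90    # CIS AWS Foundations: disable credentials unused for 90 days
AS_OF = datetime(2021, 2, 28, tzinfo=timezone.utc)  # assumed date of the daily run
WHITELIST = {"break-glass": {"unused_credential"}}  # hypothetical documented exception

# Constructed sample in the layout of `aws iam get-credential-report` (subset of its columns).
CREDENTIAL_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,not_supported,2021-02-20T10:00:00+00:00,not_supported,false,true,2019-01-01T00:00:00+00:00,2021-02-20T10:00:00+00:00
alice,true,2021-02-25T08:00:00+00:00,2021-02-01T00:00:00+00:00,true,true,2020-06-01T00:00:00+00:00,2021-02-25T08:00:00+00:00
bob,true,2020-09-01T00:00:00+00:00,2020-01-15T00:00:00+00:00,false,false,N/A,N/A
break-glass,true,2020-01-20T00:00:00+00:00,2020-01-15T00:00:00+00:00,true,false,N/A,N/A
"""

def age_days(value, as_of):
    """Days since an ISO 8601 report timestamp; None for N/A, no_information or not_supported."""
    try:
        return (as_of - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def evaluate_user(row, as_of):
    """Finding types for one credential-report row (before whitelisting)."""
    findings = set()
    if row["user"] == "<root_account>" and row["access_key_1_active"] == "true":
        findings.add("root_access_key")          # CIS: no access keys on the root account
    if row["password_enabled"] != "false" and row["mfa_active"] == "false":
        findings.add("no_mfa")
    if row["access_key_1_active"] == "true":
        rotated = age_days(row["access_key_1_last_rotated"], as_of)
        if rotated is not None and rotated > MAX_KEY_AGE_DAYS:
            findings.add("stale_access_key")
        used = age_days(row["access_key_1_last_used_date"], as_of)
        if used is not None and used > MAX_UNUSED_DAYS:
            findings.add("unused_credential")
    if row["password_enabled"] == "true":
        used = age_days(row["password_last_used"], as_of)
        if used is not None and used > MAX_UNUSED_DAYS:
            findings.add("unused_credential")
    return findings

def check_report(report_csv, as_of=AS_OF, whitelist=WHITELIST):
    """Users with unsuppressed findings; whitelisted finding types are dropped per user."""
    rows = csv.DictReader(io.StringIO(report_csv))
    per_user = {r["user"]: sorted(evaluate_user(r, as_of) - whitelist.get(r["user"], set())) for r in rows}
    return {user: f for user, f in per_user.items() if f}
```

Running `check_report(CREDENTIAL_REPORT)` on the sample flags the root key, the missing MFA and the stale or unused credentials, while the whitelisted break-glass user produces no finding.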

Recommended Reading

This section contains some interesting reading related to the state of infosec today. Each article comes with a short summary of the basic idea of the news and links to more information.
