The LogicHub Security Roundup: January 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we provide a sampling of the past month’s significant threats, informative use cases seen by our SOC and research teams, and a series of recommended articles, podcasts, and other useful resources.
NGINX Absolute Paths
WHAT DOES IT DO?
The NGINX Controller is a management system that allows multiple NGINX Plus instances and cloud applications to be controlled from a central point. When calling on system resources, the controller does not use absolute paths, so the location of those resources is not fixed within the application and an attacker can plant a malicious version of a resource that gets resolved in its place.
Because it is a management controller, it has high-level access to the NGINX cloud applications it manages. A planted malicious resource can therefore execute arbitrary code and gain access to the items managed by the controller.
Upgrades have been released for affected versions.
SolarWinds Authentication Bypass
WHAT DOES IT DO?
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands which may result in a compromise of the SolarWinds instance. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands.
The ability to bypass API authentication means an attacker can change critical, sometimes highly sensitive, information, compromising every part of the CIA triad (confidentiality, integrity, and availability).
SolarWinds Orion updates are available to remediate this issue.
Jabber Arbitrary Execution
WHAT DOES IT DO?
The Cisco Jabber IM and video communication platform uses the Extensible Messaging and Presence Protocol (XMPP) to allow for the transmission of text-based messages. Due to improper validation methods, an attacker can craft a special XMPP message to execute arbitrary programs on a system running Cisco Jabber.
This issue can be chained into further exploits that allow modification of the Jabber application configuration, access to sensitive information within the application, or execution of commands on the system with the same permissions as the user account running Cisco Jabber.
Cisco has released software updates to combat these vulnerabilities.
- Certain NETGEAR devices are affected by incorrect configuration of security settings.
- Improper privilege management on services run by the Citrix Gateway Plug-in for Windows, versions before and including 13.0-61.48 and 12.1-58.15, leads to privilege escalation attacks.
- An issue was discovered on Western Digital My Cloud OS 5 devices before 5.07.118. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to gain access to the device.
- An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. Attackers can bypass authentication via forceful browsing.
CUSTOMER USE CASE
Daily Metrics for Ease of Data Management
Automation can require a lot of upfront manpower, particularly in a dynamic environment. Data changes constantly, new detections are needed, and the way cases are handled may change. All of these growing pains carry significant cost, but a look into the case data allows prioritization at a glance. How does one decide what to automate first?
Daily Metrics are an automated tool that provides well-formatted raw information on problem areas in your instance with little effort. Instead of assigning automation tasks as they come to immediate attention, tasks can be prioritized and streamlined. Over the long term these metrics also show busy periods that call for increased staffing, alerting errors that generate excessive cases, and other issues that produce significant erroneous data.
BENEFITS TO THIS APPROACH
- Information at-a-glance
- Quick prioritization of cases and automation development
- Resource reduction
- Higher visibility into underlying issues in an environment
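As an added illustration of the metrics described above (example code written for this roundup, not LogicHub's own Daily Metrics implementation), the script below aggregates a constructed set of case records into cases per day, busiest hours, analyst minutes per detection, and a false-positive rate, then ranks detections as automation candidates and flags the noisy ones that point to an alerting error instead. The record fields (detection, opened, minutes, disposition) are assumptions for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample case records (not real SOC data): detection that raised
# the case, when it was opened, analyst minutes spent, and final disposition.
SAMPLE_CASES = [
    {"detection": "phishing-report", "opened": "2021-01-04T09:12:00", "minutes": 20, "disposition": "true_positive"},
    {"detection": "phishing-report", "opened": "2021-01-04T09:40:00", "minutes": 15, "disposition": "true_positive"},
    {"detection": "impossible-travel", "opened": "2021-01-04T10:05:00", "minutes": 10, "disposition": "false_positive"},
    {"detection": "impossible-travel", "opened": "2021-01-04T10:30:00", "minutes": 12, "disposition": "false_positive"},
    {"detection": "impossible-travel", "opened": "2021-01-04T14:15:00", "minutes": 8, "disposition": "false_positive"},
    {"detection": "malware-alert", "opened": "2021-01-05T09:50:00", "minutes": 45, "disposition": "true_positive"},
    {"detection": "impossible-travel", "opened": "2021-01-05T10:10:00", "minutes": 9, "disposition": "true_positive"},
    {"detection": "phishing-report", "opened": "2021-01-05T16:00:00", "minutes": 18, "disposition": "false_positive"},
]


def daily_metrics(cases):
    """Cases per day, cases per hour of day, and per-detection workload."""
    per_day, per_hour = Counter(), Counter()
    per_detection = defaultdict(lambda: {"cases": 0, "minutes": 0, "false_positives": 0})
    for case in cases:
        opened = datetime.fromisoformat(case["opened"])
        per_day[opened.date().isoformat()] += 1
        per_hour[opened.hour] += 1
        stats = per_detection[case["detection"]]
        stats["cases"] += 1
        stats["minutes"] += case["minutes"]
        stats["false_positives"] += int(case["disposition"] == "false_positive")
    for stats in per_detection.values():  # share of cases closed as false positives
        stats["fp_rate"] = round(stats["false_positives"] / stats["cases"], 2)
    return {"per_day": dict(per_day), "per_hour": dict(per_hour),
            "per_detection": dict(per_detection)}


def busiest_hours(metrics, top_n=3):
    """Hours of day with the most opened cases: a staffing signal."""
    return sorted(metrics["per_hour"].items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


def automation_candidates(metrics, fp_threshold=0.5, min_cases=3):
    """Rank detections by analyst minutes consumed (largest automation payoff
    first) and flag noisy ones whose false-positive rate points to an alerting
    error to fix rather than a workflow to automate."""
    det = metrics["per_detection"]
    ranked = sorted(det, key=lambda name: -det[name]["minutes"])
    noisy = [n for n in ranked
             if det[n]["cases"] >= min_cases and det[n]["fp_rate"] >= fp_threshold]
    return ranked, noisy
```

On the sample, phishing-report consumes the most analyst time and leads the automation list, while impossible-travel is flagged as a tuning problem because three of its four cases closed as false positives.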
Here is a compilation of our detection and response teams' interesting reading related to the state of infosec today. Each article comes with a short summary that explains the basic idea of the news and links to more information.
Pfizer COVID-19 vaccine documents accessed in EMA cyberattack
With a global pandemic on everyone’s mind, data on new vaccines and methods to combat this virus are in high demand. The European Medicines Agency (EMA) has recently suffered a cyber attack causing some documents related to the Pfizer COVID-19 vaccine to be accessed by attackers. Investigation is ongoing.
Adobe Flash Player is Dead
The time has come: the much beloved and highly vulnerable Adobe Flash Player has finally reached end of life as of January 1st. This means that browsers will stop supporting the plugin and Adobe will stop providing updates. Many have already received prompts to uninstall the application on Windows 10. This is good news for users and for overall web security: Flash Player is a common attack vector and its retirement will mean a reduced attack surface across the web.
Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw
Networking device manufacturer Zyxel has confirmed the existence of flaws in its firmware, primarily that used on its small business firewalls and VPN gateways. Researchers have confirmed that, even with the patches released to mitigate the vulnerability by Zyxel, the vulnerabilities are undergoing active exploitation. Over 100,000 Zyxel devices have web interfaces open to the internet.
Zero-Click Apple Zero-Day Uncovered in Pegasus Spy Attack
Eyes are on a zero-day iPhone exploit used by an APT against Al Jazeera journalists, especially considering that the exploit is almost completely hands-off. The zero-click KISMET exploit chain in iMessage would contact an installation server and then make a series of cloud connections to download data. 36 journalists' phones were affected.
Ticketmaster Coughs Up $10 Million Fine After Hacking Rival Business
Crime really doesn’t pay. After ticket sales giant Ticketmaster was caught hiring on a prior employee of rival Songkick and encouraging them to use retained credentials to illegally access rival company systems, they were slapped with the colossal fine. Court documents even detail the promotion of the former Songkick employee in connection to the illegal server access, and contain quotes about the desire to undercut the competition.
NSA warns of hackers forging cloud authentication information
Microsoft Azure admins, beware: the NSA has released an advisory regarding forged authentication information. Coming in the wake of the big SolarWinds breach (see below), the advisory urges admins to sign SAML tokens, assign role privileges properly, and harden authentication servers.
Sealed U.S. Court Records Exposed in SolarWinds Data Breach, VMware Flaw Vector
The distribution of malicious code through the SolarWinds Orion update functionality has caused a serious national security incident, exposing sealed U.S. court records and Department of Justice emails and granting network access to various public agencies, including Homeland Security. The Administrative Office of the U.S. Courts has confirmed that sensitive court documents will be received through an air-gapped method for the time being.