Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been recently identified in the real world. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

NGINX Absolute Paths

What does it do?

The NGINX Controller is a management system that allows multiple NGINX Plus instances and cloud applications to be controlled from a central system. When calling upon system resources, the NGINX Controller does not use absolute paths, meaning that the location of these resources is not always ‘set’ within the application; because the resource is looked up by name through a search path, an attacker who can write to a directory on that path can plant a malicious version of the resource that gets loaded instead.
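To make the untrusted-search-path problem concrete, here is an added example (not NGINX Controller code, and not from F5) that audits a list of planned command invocations for names that would be resolved through the ambient PATH, and a resolver that only ever looks in a pinned set of trusted directories. The command list, the PATH string and the trusted directory set are all constructed for the demonstration; the `exists` parameter is an assumption that lets the resolver be tested without touching the real filesystem.

```python
"""Added example: detecting and avoiding untrusted search-path resolution.
The invocations, PATH value and TRUSTED_DIRS below are constructed for the
demonstration; this is not NGINX Controller code."""
import os
from dataclasses import dataclass

# Constructed example: only these directories are treated as trusted sources
# of executables. A real service would pin the set it actually needs.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/bin", "/sbin")


@dataclass
class Finding:
    command: str
    issue: str


def is_absolute_invocation(argv0: str) -> bool:
    """True when the program is named by an absolute path, so no PATH search happens."""
    return os.path.isabs(argv0)


def audit_invocations(invocations, path_env):
    """Flag argv[0] values that would be located by searching PATH.

    `invocations` is a list of argv lists; `path_env` is the PATH string the
    service would run under (passed in explicitly so the audit is deterministic
    and works offline). Any PATH entry outside TRUSTED_DIRS is reported, because
    a writable entry there lets an attacker plant a same-named file.
    """
    findings = []
    search_dirs = path_env.split(os.pathsep)
    for argv in invocations:
        prog = argv[0]
        if is_absolute_invocation(prog):
            continue  # fixed location: nothing to search, nothing to hijack
        untrusted = [d for d in search_dirs if d not in TRUSTED_DIRS]
        findings.append(
            Finding(prog, f"resolved via PATH search; untrusted PATH entries: {untrusted}")
        )
    return findings


def resolve_trusted(prog, trusted_dirs=TRUSTED_DIRS, exists=os.path.isfile):
    """Resolve a program name against trusted_dirs only, never the ambient PATH.

    Returns an absolute path or raises, so a caller can never silently fall
    back to a search. `exists` is injectable for testing (assumption, not a
    library API). Names containing a path separator are rejected so that
    '../something' cannot escape the trusted directories.
    """
    if os.path.isabs(prog):
        return prog
    if os.sep in prog or (os.altsep and os.altsep in prog):
        raise ValueError(f"relative path component not allowed: {prog!r}")
    for d in trusted_dirs:
        candidate = os.path.join(d, prog)
        if exists(candidate):
            return candidate
    raise FileNotFoundError(f"{prog} not present in trusted directories")


if __name__ == "__main__":
    # Constructed invocations: one already pinned, two relying on PATH lookup.
    planned = [["nginx", "-t"], ["/usr/sbin/nginx", "-t"], ["sh", "-c", "true"]]
    for f in audit_invocations(planned, "/tmp/bin:/usr/bin"):
        print(f"{f.command}: {f.issue}")
```

The audit is the detection half (run it over whatever launcher configuration or wrapper script the service uses); `resolve_trusted` is the mitigation half, turning a bare name into a fixed absolute path before anything is executed, which is exactly the property the remediation restores.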

Potential Impact

Because this application is a management controller, it has higher-level access to the NGINX cloud applications it manages. If a malicious resource is inserted, it can execute arbitrary code and gain access to the items managed by the controller.

Remediation

Upgrades have been released for affected versions.

More Information:

https://support.f5.com/csp/article/K43530108

HIGHLIGHT

SolarWinds Authentication Bypass

What does it do?

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands which may result in a compromise of the SolarWinds instance. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands.

Potential Impact

The ability to bypass API authentication means that an attacker can read and change critical, sometimes highly sensitive information, compromising every part of the CIA triad.

Remediation

SolarWinds Orion updates are available to remediate this issue.

More Information:

https://kb.cert.org/vuls/id/843464

HIGHLIGHT

Jabber Arbitrary Execution

What does it do?

The Cisco Jabber IM and video communication platform uses the Extensible Messaging and Presence Protocol (XMPP) to transmit text-based messages. Because of improper input validation, an attacker can craft a special XMPP message that executes arbitrary programs on a system running Cisco Jabber.

Potential Impact

This issue enables a chain of exploits that allow modification of the Jabber application configuration, access to sensitive information within the application, or execution of commands on the system with the same permissions as the user account running Cisco Jabber.

Remediation

Cisco has released software updates that address these vulnerabilities.

More Information:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO

Additional Threats

CVE-2020-28864

Certain NETGEAR devices are affected by incorrect configuration of security settings.

More Info

CVE-2020-8257

Improper privilege management on services run by Citrix Gateway Plug-in for Windows, versions before and including 13.0-61.48 and 12.1-58.15, leads to privilege escalation attacks.

More Info

CVE-2020-29563

An issue was discovered on Western Digital My Cloud OS 5 devices before 5.07.118. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to gain access to the device.

More Info

CVE-2019-12768

An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. Attackers can bypass authentication via forceful browsing.

More Info

From The Field

Real World Use Cases in Action

This section describes a significant use case that our detection and response team has recently seen and remediated, along with some of the benefits of doing so. It is our hope that it will offer some ideas for security practitioners for solving problems that can be seen in the real world using an automation-driven approach.

Customer Use Case

Daily Metrics for Ease of Data Management

Summary

Automation can require a lot of upfront manpower, particularly in a dynamic environment. Data changes constantly, new detections are needed, and the way cases are handled may change. All of these growing pains carry significant cost, but a look into the case data allows prioritization at a glance. How does one decide what to automate first?

Automated Solution

Daily metrics are an automated tool that, with little effort, provides well-formatted raw information on the problem areas in your instance. Instead of assigning automation tasks as they happen to come to attention, tasks can be prioritized and streamlined by case volume. Over the long term the same metrics reveal busy periods that call for increased staffing, alerting errors that generate excessive cases, and other issues that produce significant amounts of erroneous data.

Benefits to This Approach

  • Information at-a-glance
  • Quick prioritization of cases and automation development
  • Resource reduction
  • Higher visibility into underlying issues in an environment
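As an added illustration of the approach described in this use case (example code written for this page, not the team's own tooling), the block below computes a small set of daily metrics over constructed case records: cases per day, an hour-of-day histogram for staffing, per-detection volume with false-positive rate, and a ranked list of detections that are the cheapest automation wins. The record fields `opened`, `detection` and `disposition`, the thresholds, and the detection names are all assumptions for the demonstration, not any vendor's schema.

```python
"""Added example: daily case metrics for prioritizing automation work.
The CASES records are constructed for the demonstration; the field names and
thresholds are assumptions, not a real case-management schema."""
from collections import Counter
from datetime import datetime

# Constructed sample: one record per case. 'disposition' is the analyst's outcome.
CASES = [
    {"opened": "2021-01-04T09:12:00", "detection": "Suspicious PowerShell", "disposition": "true_positive"},
    {"opened": "2021-01-04T09:40:00", "detection": "Impossible Travel", "disposition": "false_positive"},
    {"opened": "2021-01-04T10:05:00", "detection": "Impossible Travel", "disposition": "false_positive"},
    {"opened": "2021-01-04T22:30:00", "detection": "Malware Quarantine", "disposition": "true_positive"},
    {"opened": "2021-01-05T09:02:00", "detection": "Impossible Travel", "disposition": "false_positive"},
    {"opened": "2021-01-05T09:33:00", "detection": "Impossible Travel", "disposition": "true_positive"},
    {"opened": "2021-01-05T14:15:00", "detection": "Suspicious PowerShell", "disposition": "false_positive"},
    {"opened": "2021-01-06T03:45:00", "detection": "Impossible Travel", "disposition": "false_positive"},
]


def cases_per_day(cases):
    """Case volume keyed by calendar day (YYYY-MM-DD)."""
    return dict(Counter(c["opened"][:10] for c in cases))


def cases_per_hour(cases):
    """Hour-of-day histogram: busy periods are where extra staffing pays off."""
    return dict(Counter(datetime.fromisoformat(c["opened"]).hour for c in cases))


def detection_stats(cases):
    """Per-detection case count and false-positive rate (rounded to 2 places)."""
    total, fp = Counter(), Counter()
    for c in cases:
        total[c["detection"]] += 1
        if c["disposition"] == "false_positive":
            fp[c["detection"]] += 1
    return {d: {"cases": n, "fp_rate": round(fp[d] / n, 2)} for d, n in total.items()}


def automation_candidates(cases, min_cases=3, min_fp_rate=0.5):
    """Detections that generate many cases and mostly close as false positives.

    These are the cheapest automation wins (auto-triage or auto-close) and also
    point at tuning problems in the alert itself. Ranked by volume, ties by name.
    """
    stats = detection_stats(cases)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1]["cases"], kv[0]))
    return [d for d, s in ranked if s["cases"] >= min_cases and s["fp_rate"] >= min_fp_rate]


def daily_report(cases):
    """Everything an analyst wants at a glance, as one JSON-serialisable dict."""
    return {
        "per_day": cases_per_day(cases),
        "per_hour": cases_per_hour(cases),
        "detections": detection_stats(cases),
        "automate_first": automation_candidates(cases),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_report(CASES), indent=2))
```

With the sample data, "Impossible Travel" is the only detection that clears both thresholds, which is the kind of at-a-glance answer to "what do we automate first?" that the use case is about; lowering `min_cases` widens the candidate list, and the false-positive rate per detection doubles as the signal for alert tuning.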

Recommended Reading

Here is a compilation of our detection and response team’s interesting reading related to the state of infosec today. Each article comes with a short summary that explains the basic idea of the news and links to more information.

Pfizer COVID-19 vaccine documents accessed in EMA cyberattack

With a global pandemic on everyone’s mind, data on new vaccines and methods to combat this virus are in high demand. The European Medicines Agency (EMA) has recently suffered a cyber attack causing some documents related to the Pfizer COVID-19 vaccine to be accessed by attackers. Investigation is ongoing.

Read More

Adobe Flash Player is Dead

The time has come: the much beloved and highly vulnerable Adobe Flash Player has finally reached end of life as of January 1st. This means that browsers will stop supporting the plugin and Adobe will stop providing updates. Many have already received prompts to uninstall the application on Windows 10. This is good news for users and for overall web security - Flash Player is a common attack vector and its retirement will mean a reduced attack surface across the web.

Read More

Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw

Networking device manufacturer Zyxel has confirmed the existence of flaws in its firmware, primarily the firmware used on its small business firewalls and VPN gateways. Researchers have confirmed that, even after Zyxel released patches to mitigate the vulnerability, the vulnerabilities are under active exploitation. Over 100,000 Zyxel devices have web interfaces open to the internet.

Read More

Zero-Click Apple Zero-Day Uncovered in Pegasus Spy Attack

Eyes are on a zero-day iPhone exploit used by an APT against Al-Jazeera journalists, especially considering that the exploit is almost completely hands-off. The zero-click KISMET exploit chain in iMessage would contact an installation server, followed by a series of cloud connections to download data. 36 journalists’ phones were affected.

Read More

Ticketmaster Coughs Up $10 Million Fine After Hacking Rival Business

Crime really doesn’t pay. After ticket sales giant Ticketmaster was caught hiring a former employee of rival Songkick and encouraging them to use retained credentials to illegally access the rival company’s systems, it was slapped with the colossal fine. Court documents even detail the promotion of the former Songkick employee in connection with the illegal server access, and contain quotes about the desire to undercut the competition.

Read More

NSA warns of hackers forging cloud authentication information

Microsoft Azure admins, beware: the NSA has released an advisory regarding forged authentication information. Coming in the wake of the big SolarWinds breach (see below), the advisory urges admins to sign SAML tokens, assign role privileges properly, and harden authentication servers.

Read More

Sealed U.S. Court Records Exposed in SolarWinds Data Breach, VMware Flaw Vector

The distribution of malicious code through the SolarWinds Orion update functionality has caused a serious national security incident, exposing sealed U.S. court records, Department of Justice emails, and network access to various public agencies including Homeland Security. The Administrative Office has confirmed that sensitive court documents will be received through an air-gapped method for the time being.

Read More
