Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

Batch of NETGEAR Vulnerabilities

What does it do?

NETGEAR routers are widely sold for home use. Alongside the Nighthawk R6700 gaming router, a series of vulnerabilities was found in other versions of NETGEAR router firmware, including mishandling of IEEE 1905 protocol messages, various remote code execution flaws, and command injection affecting the device’s update functionality. These vulnerabilities can be found in the National Vulnerability Database.

Potential Impact

Many of these flaws are quite severe and should be carefully reviewed by users of NETGEAR routers. Some potential effects can include full device access, data theft, device manipulation, and possible privilege escalation.

Remediation

Some of these vulnerabilities have been patched, but many affecting the R6700 have not. Additionally, some of the hardware-related vulnerabilities (such as those in MediaTek microchips) may be much more difficult to patch and must instead be mitigated.

More Information:

https://www.bleepingcomputer.com/news/security/netgear-leaves-vulnerabilities-unpatched-in-nighthawk-router/

HIGHLIGHT

Zoho ManageEngine Authentication Bypass

What does it do?

Zoho ManageEngine is a popular IT management suite used by enterprises for desktop, mobile device, patch, and other management purposes. Zoho ManageEngine Desktop Central specifically is affected by an authentication bypass vulnerability that was seen under active exploitation this past December.

Potential Impact

Attackers taking advantage of this vulnerability could gain unintended and unauthorized access to Desktop Central.

Remediation

Several patches have been released to address this issue as of December 3rd. Affected users are urged to patch immediately.

More Information:

https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp

HIGHLIGHT

IBM Spectrum Protect Plus Cross-Origin Resource Sharing

What does it do?

IBM Spectrum Protect Plus is a popular option for backup and data replication across all manner of data platforms. Cross-origin resource sharing (CORS) uses HTTP headers to control whether a browser may load and read resources such as images and scripts from another domain on behalf of an application. This feature was enabled on Spectrum Protect Plus.

Potential Impact

The main problem with a permissive cross-origin resource sharing configuration is its lack of predictability. If the outside domain suddenly serves malware and access control is not properly configured (as in this case), then that malware will be served into the requesting application. This can have disastrous effects on users.
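To make the access-control point concrete, here is an added example (not code from IBM or from the original newsletter) that contrasts the misconfigured CORS pattern, reflecting any Origin header back with credentials allowed, against an exact-match allowlist. The origin names and the allowlist are assumed values; the last function approximates the browser's decision for a credentialed cross-origin read.

```python
from typing import Dict, Iterable, Optional


def weak_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Misconfigured pattern: echo whatever Origin the browser sends and also
    allow credentials, so any site a logged-in user happens to visit can read
    the application's responses with that user's session."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def strict_cors_headers(request_origin: Optional[str],
                        allowed: Iterable[str]) -> Dict[str, str]:
    """Hardened pattern: exact-match allowlist (no prefix or substring matching),
    credentials only for listed origins, and Vary: Origin so a shared cache never
    serves one origin's answer to another."""
    allowed_set = {o.rstrip("/").lower() for o in allowed}
    if request_origin is None or request_origin.rstrip("/").lower() not in allowed_set:
        # No Access-Control-Allow-Origin header at all: the browser blocks the read.
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cross_origin_read_allowed(headers: Dict[str, str], request_origin: str) -> bool:
    """Approximate the browser rule for a credentialed cross-origin request: the
    response must name the exact requesting origin (a wildcard '*' is rejected
    whenever credentials are involved) and explicitly allow credentials."""
    acao = headers.get("Access-Control-Allow-Origin")
    return (acao is not None and acao == request_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    # Assumed origins: the product's own console and an unrelated third-party site.
    allowlist = ["https://console.example"]
    for origin in ("https://console.example", "https://other.example"):
        weak = cross_origin_read_allowed(weak_cors_headers(origin), origin)
        strict = cross_origin_read_allowed(strict_cors_headers(origin, allowlist), origin)
        print(f"{origin}: reflected config allows read={weak}, allowlist config allows read={strict}")
```

The reflected configuration lets every origin read authenticated responses; the allowlist version answers only the origins the operator chose, which is the access control the advisory says was missing.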

Remediation

More Information:

https://exchange.xforce.ibmcloud.com/vulnerabilities/214956

Additional Threats

CVE-2021-44152

An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.

More Info

CVE-2021-44833

The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.

More Info

CVE-2021-43985

An unauthenticated remote attacker can access mySCADA myPRO Versions 8.20.0 and prior without any form of authentication or authorization.

More Info


From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Log4J Automation and Response

Summary

Log4j was a major exercise in patience for every network admin, security engineer, and response team, and we were certainly no different. Having faced our own hardships in producing an effective solution for Log4j, we can comfortably speak on some of the difficulties we witnessed. Besides the typical ‘spray and pray’ attempts against random servers across the web, we also witnessed widespread targeted, pentest-style use of crafted Log4j strings by attackers. Thankfully, thanks to the automation described below, we were able to keep a close eye on clients and maintain an effective security posture.

Automated Solution

The first step in any automated solution is to identify the signatures of the problem; in this case, a lot of LDAP activity and successful traffic out to the domains requested in the crafted strings. The next is to implement careful monitoring; we chose to link into IP reputation checks, pull logs from different client sources to cross-reference, and create a case or alert upon discovery of a successful data transfer. The last is to ensure the solution is tuned to satisfaction; a lot of tuning for different fuzzing methods went into this one. After assigning scores based on severity and creating the cases, manual triage was performed. The fact that there was a manageable number of cases for our MDR team to triage manually signaled that our automation was (and continues to be) a massive success.

Benefits to This Approach

As with any automation that addresses a fast-growing problem, there has to be a careful balance between speed and effectiveness. Even then, the amount of time and energy spent on producing this automation is minuscule compared to the heavy workload that would have awaited a manual review of every log collector’s Log4j detections, especially without the ability to cross-reference between sources. Because of the speed of this automation, we were able to alert concerned clients to possible malicious attempts in a timely manner.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Kronos hit with ransomware, warns of data breach and 'several week' outage

A ransomware attack on the Kronos Private Cloud knocked out several customers’ services, according to the message posted on the Kronos community message board. This caused some waves in the security community, as some companies contracting Kronos would be unable to process their payrolls, among them multiple local governments and enterprises such as Tesla.

Read More

Australia's first data strategy to create 'one-stop shop' for accessing government data

Coming on the heels of last month’s concerning security advancements by the Australian government is an attempt to modernize all data access methods for citizens. This has sparked a review into the Australian Privacy Act, which may need some modernization as well. One drawback? The goalposts are rather far, with 2025 being the expected delivery time for the proposed modernization plans and 2030 being the extended goal for updated implementation.

Read More

Microsoft December 2021 Patch Tuesday: Zero-day exploited to spread Emotet malware

This was one interesting Patch Tuesday for Microsoft. 67 security fixes were released for Office, PowerShell, Edge, Print Spooler, and RDC, accented by six zero-day vulnerabilities (though thankfully only one of these was being exploited in the wild). This being Patch Tuesday, all of these vulnerabilities were addressed in some form.

Read More

Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips

Various radios work together to communicate simultaneously on one chip in modern-day smartphones. This mechanism, known as ‘coexistence’, is the target of the latest attack, which can pull passwords directly or observe Bluetooth packets from the Wi-Fi side of the combo chip. Dubbed ‘Spectra’, this idea has been floating around for a while, but is starting to become better formed as a concept. Users are urged to regularly remove unused Wi-Fi networks and Bluetooth pairings, and to use only trusted networks if at all possible.

Read More

Microsoft informs customers of 'NotLegit' Azure bug

Discovered in October, the Azure bug affects ‘all PHP, Node, Ruby, and Python applications deployed using Local Git on a clean default application in Azure App Service since September 2017’. Apps deployed from September 2017 onward using any Git source, after a file was created or modified in the application container, were also affected. Only users of Local Git were impacted.

Read More

Y2K22

The Y2K22 bug, so named for its similarity to Y2K, caused a bit of a panic for Microsoft Exchange server admins. The FIP-FS malware scanner integrated into Exchange 2016 and 2019 stores its date in a 32-bit format. When the year 2022 arrived, that 32-bit format caused failures in date and time validation (much like those seen in 2000). Now it is not just Microsoft, but Honda and SonicWall, who are seeing issues: some car owners are seeing their clocks set to 2002, and SonicWall users are unable to access the junk inbox and message logs for incoming or outgoing emails.
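To show why a 32-bit date field stops validating at the turn of 2022, here is an added example (not Microsoft's code, and not part of the original newsletter). It assumes the encoding described in public reporting on the Exchange bug, a two-digit year followed by month, day, hour and minute packed into one decimal number, and checks where that number stops fitting in a signed 32-bit integer.

```python
from datetime import datetime, timedelta
from typing import Optional

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1  # range of a signed 32-bit integer


def pack_yymmddhhmm(ts: datetime) -> int:
    """Encode a timestamp as YYMMDDHHMM, the packing assumed here for the
    scanner's date-derived version number (two-digit year, then month, day,
    hour and minute, concatenated as decimal digits)."""
    return int(ts.strftime("%y%m%d%H%M"))


def fits_int32(value: int) -> bool:
    """True if the packed value can be stored in a signed 32-bit integer."""
    return INT32_MIN <= value <= INT32_MAX


def first_overflow(start: datetime, end: datetime) -> Optional[datetime]:
    """Walk minute by minute from start to end and return the first timestamp
    whose packed value no longer fits; None if every value in range fits."""
    ts = start
    while ts < end:
        if not fits_int32(pack_yymmddhhmm(ts)):
            return ts
        ts += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    last_2021 = datetime(2021, 12, 31, 23, 59)
    first_2022 = datetime(2022, 1, 1, 0, 0)
    print(last_2021, pack_yymmddhhmm(last_2021), fits_int32(pack_yymmddhhmm(last_2021)))
    print(first_2022, pack_yymmddhhmm(first_2022), fits_int32(pack_yymmddhhmm(first_2022)))
    print("first failing minute:", first_overflow(datetime(2021, 12, 31), datetime(2022, 1, 2)))
```

The last minute of 2021 packs to 2112312359, just under the 2147483647 ceiling; the first minute of 2022 packs to 2201010000 and overflows, so every validation built on that comparison fails from midnight onward. The durable fix is to stop packing a date into a 32-bit field, for example by comparing (year, month, day, hour, minute) tuples or using a 64-bit value.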

Read More
