Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data is used to make these determinations.

HIGHLIGHT

Windows Print Spooler Vulnerability

What does it do?

This Windows Print Spooler vulnerability, dubbed PrintNightmare, is a zero-day vulnerability that allows an attacker to gain admin-level privileges. An earlier patch addressed part of the original flaw (namely a remote code execution vulnerability), but it did not fix this security flaw. This vulnerability is being actively exploited in the wild.

Potential Impact

If the targeted machine has the Print Spooler service running, is networked, and the attacker has access to any account on the machine, the attacker can quickly gain admin access to it. From there, they can execute commands, reach other networked machines, make significant changes to permissions, or exfiltrate information.

Remediation

While a patch has been released as of July 7th, many are not able to install it and must use a workaround instead (namely, deactivating the Print Spooler service, which is also not possible in many corporate environments).

More Information:

https://www.logichub.com/blog/printnightmare-breakdown-analysis-and-remediation

HIGHLIGHT

phplist RCE

What does it do?

The application does not check the file extensions of the files stored in the plugin zip file. Uploading a malicious plugin that contains PHP files with extensions such as PHP, phtml, or php7 copies the malicious plugin to the plugins directory, leading to remote code execution.
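As an added illustration (not phplist's own code), here is the kind of archive check the description says is missing: every entry of an uploaded zip is inspected before anything is copied to the plugins directory, rejecting server-executable extensions in any position of the file name, regardless of case, and paths that escape the extraction root. The allowlist of permitted extensions and the sample archives are assumptions constructed for the demonstration.

```python
import io
import posixpath
import zipfile

# Assumed policy for this demonstration: the only file types an uploaded archive
# may contain. Anything else, including php, phtml and php7 (which a PHP-enabled
# server would execute), is rejected instead of being copied into the
# web-accessible plugins directory.
ALLOWED_EXTENSIONS = {"txt", "md", "css", "js", "png", "jpg", "json"}


def rejected_entries(zip_bytes: bytes) -> list[str]:
    """Return the archive entries that must not be extracted.

    An entry is rejected when its path could escape the extraction root, or when
    any dotted suffix (not only the last, so 'x.php7.txt' is caught) is outside
    the allowlist; matching is case-insensitive so 'x.PHTML' is caught as well.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            first = posixpath.normpath(name).split("/")[0]
            if name.startswith("/") or "\\" in name or first == "..":
                bad.append(name)
                continue
            if info.is_dir():
                continue
            suffixes = posixpath.basename(name).lower().split(".")[1:]
            if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
                bad.append(name)
    return bad


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive (sample data, not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives: an expected layout versus one that smuggles executable files.
CLEAN_ARCHIVE = build_zip({"plugin/README.md": b"docs", "plugin/style.css": b"body{}"})
TAINTED_ARCHIVE = build_zip({
    "plugin/README.md": b"docs",
    "plugin/shell.PHTML": b"<?php echo 1; ?>",
    "plugin/notes.php7.txt": b"",
    "../outside.txt": b"",
})
```

An upload is safe to extract only when `rejected_entries` returns an empty list; anything returned should be logged and the whole archive refused rather than partially extracted.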

Potential Impact

Possible execution of malicious code leading to loss or leak of data, tampering with machines, and unintended access to accounts.

Remediation

No remediations have been listed for this vulnerability as of this posting.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2020-22249

Additional Threats

CVE-2021-32521

Use of MAC address as an authenticated password in QSAN Storage Manager, XEVO, SANOS allows local attackers to escalate privileges.

More Info

CVE-2021-34624

A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3.

More Info

CVE-2021-33346

There is an arbitrary password modification vulnerability in a D-LINK DSL-2888A router product. An attacker can use this vulnerability to modify the password of the admin user without authorization.

More Info

CVE-2021-35029

An authentication bypass vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01 could allow a remote attacker to execute arbitrary commands on an affected device.

More Info

CVE-2021-31531

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Identity and Access Management Monitoring

Summary

Managing the constant ingress and egress of access, logins, and other user-based requests is a daunting task. As items come in from a log collector, users need to be authenticated quickly and to the appropriate level of access. While most networks already have solutions in place to handle a large quantity of logons and access requests, many are not very capable of uncovering logon discrepancies beyond the basics of passwords or SSO success/failure. Regularly overlooked items include proper permissions for account creation, policy changes, proper SSO usage, access key changes, and mismatched locations.

Automated Solution

As with many things, some of our best playbooks are our simplest. In this case, implementing simple whitelists/blacklists against custom user lists decided by the client allows for easy rule comparison. These lists can also be created against groups, specific logon countries, and two-factor types. We use integrations to pull data or check different sources for updated information, then compare and contrast all these pieces against every logon.
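As an added illustration (not LogicHub's own playbook code), here is the list-comparison logic described above applied to a few constructed logon records: each logon is checked against user allow/block lists, permitted logon countries, accepted two-factor types, and admin group membership for privileged actions such as account creation and policy changes. The policy values, log field names, and action names are assumptions.

```python
from collections import namedtuple

# Constructed policy lists of the kind a client would define for the playbook
# (hypothetical values); every logon event is compared against each of them.
POLICY = {
    "allowed_users": {"alice", "bob", "svc-backup"},
    "blocked_users": {"contractor-old"},
    "allowed_countries": {"US", "CA"},
    "allowed_mfa": {"push", "hardware-key"},
    "admin_group": {"alice"},
}
# Actions that need admin group membership, not merely a valid logon.
PRIVILEGED_ACTIONS = {"create_user", "policy_change", "access_key_change"}

Logon = namedtuple("Logon", "user country mfa action")


def parse_line(line: str) -> Logon:
    """Parse one constructed 'key=value ...' log line into a Logon."""
    f = dict(token.split("=", 1) for token in line.split())
    return Logon(f["user"], f["country"], f.get("mfa", "none"), f.get("action", "login"))


def evaluate(event: Logon, policy: dict = POLICY) -> list[str]:
    """Return the list violations for one logon; an empty list means no analyst review."""
    findings = []
    if event.user in policy["blocked_users"]:
        findings.append("user is blocklisted")
    elif event.user not in policy["allowed_users"]:
        findings.append("user not on allowlist")
    if event.country not in policy["allowed_countries"]:
        findings.append(f"logon from unexpected country {event.country}")
    if event.mfa not in policy["allowed_mfa"]:
        findings.append(f"weak or missing second factor ({event.mfa})")
    if event.action in PRIVILEGED_ACTIONS and event.user not in policy["admin_group"]:
        findings.append(f"{event.action} without admin group membership")
    return findings


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Run every line through the lists; only logons with findings come back for review."""
    return {line: hits for line in lines if (hits := evaluate(parse_line(line)))}


# Constructed sample log lines.
SAMPLE_LOG = [
    "user=alice country=US mfa=push action=login",
    "user=bob country=RU mfa=sms action=login",
    "user=bob country=US mfa=push action=create_user",
    "user=contractor-old country=US mfa=push action=login",
]
```

Running `triage(SAMPLE_LOG)` returns only the three logons with findings, which is the reduced set an analyst would see; the lists can be refreshed from integrations as tuning occurs without changing the comparison code.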

Benefits to This Approach

Though simple, this approach is efficient and incredibly effective. Comparing against predefined lists (which can be automatically populated as tuning occurs) is much faster than score calculation. When users are waiting to access resources, it's better to have as few analyst-reviewed cases as possible while still maintaining an acceptable level of security against fraudulent logins.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

Android Apps with 5.8 million Installs Caught Stealing Users' Facebook Passwords

The importance of using trusted apps and doing research ahead of time is highlighted once more: a series of otherwise functional apps requested a Facebook logon to remove advertisements. If the user chose to log in to Facebook, their credentials were harvested and exported to an external server. Google has removed these applications since discovery, just as a new verification system for developer accounts has gone into place.

Read More

CISA releases new ransomware self-assessment security audit tool

The new Ransomware Readiness Assessment tool aims to help organizations understand how their security posture measures up against industry standards, with the goal of educating and improving understanding of best practices. Results are presented in a user-friendly dashboard format, complete with a tutorial.

Read More

Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground

Posted on RaidForums, the data appears to have been scraped from public profiles and likely did not result from a breach. This collection is a continuation of a 500 million record collection from April, containing both that and newly collected data. This collection will likely be used for spam campaigns or identity theft. It also makes spear phishing targets that much easier to identify.

Read More

One-Click Exploit Could Have Let Attackers Hijack Any Atlassian Account

Via Atlassian's SSO capabilities, attackers could quickly and easily access sensitive information. Reported on January 8th, a fix was released as part of updates on May 18th. The exploit allowed for use of XSS and CSRF to inject code, but required that a user be tricked into clicking through a specially crafted link.

Read More

Google fixes seventh Chrome zero-day exploited in the wild this year

The team at Google has been having a crazy year. On June 17th, the Stable release channel featured a rollout of Chrome fixes, including a patch for an arbitrary code execution zero-day. Users are advised to update immediately if they haven’t done so already.

Read More

Intuit notifies customers of compromised TurboTax accounts

Using account takeover attacks (in which old passwords from other breaches are tested against known accounts), multiple Intuit customers have lost peace of mind in the safety of their data, including social security numbers, addresses, dates of birth, and financial information. Users should frequently change passwords and check for breached passwords.

Read More

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites

The new attack, dubbed ALPACA (Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication), uses a flaw in TLS to redirect TLS traffic to an unintended endpoint. These attacks are man-in-the-middle attacks, tricking users into opening unintended TLS connections via crafted links. These sessions can be used to move sensitive data to an FTP server or to perform XSS attacks of varying types.

Read More

One Fastly customer triggered internet meltdown

When one user changed their Fastly settings, they accidentally triggered a bug in a recent software update that sent 85% of the Fastly network into turmoil. Though the issue was resolved in a little under an hour, this sort of bug highlights the importance of stringent testing processes.

Read More

Amazon shared your Internet with neighbors on June 8th - how to opt out

Amazon Echo and Ring devices are now automatically sharing your internet through a sort of platform-specific roaming internet access initiative. Though Amazon states that a maximum shared bandwidth of 500MB a month applies, this sort of sharing isn't within many people's comfort zones. You can get information on how to opt out in the linked article from BleepingComputer.

Read More
