The LogicHub Security Roundup: July 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
Windows Print Spooler Vulnerability
WHAT DOES IT DO?
This Windows Print Spooler vulnerability, dubbed PrintNightmare, is a zero-day that lets an authenticated attacker run code as SYSTEM on the target, both remotely and as a local privilege escalation. Microsoft's June patch addressed a related Print Spooler flaw but did not close this one, and working exploit code was published publicly. The vulnerability is being actively exploited in the wild.
If the targeted machine is running the Print Spooler service, is reachable over the network, and the attacker holds credentials for any account that can authenticate to it (an ordinary domain user is enough), the attacker can quickly obtain SYSTEM-level access. From there they can execute commands, move laterally to other networked machines, change permissions, or exfiltrate data. Domain controllers, which run the spooler by default, are the highest-value targets because code execution there is effectively domain admin.
A patch was released as of July 7th, but many organizations cannot install it immediately and must rely on a workaround instead. Stopping and disabling the Print Spooler service is the most complete workaround, but it breaks all printing, which is not acceptable in many corporate environments; Microsoft's alternative is to disable inbound remote printing through Group Policy (Computer Configuration > Administrative Templates > Printers > "Allow Print Spooler to accept client connections", set to Disabled), which blocks the remote vector while leaving local printing intact. Either way, the spooler should be disabled on domain controllers and on any server that does not need to print. After patching, also confirm that the Point and Print values NoWarningNoElevationOnInstall and UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint are 0 or absent; if either is set to 1, the fix can be bypassed.
WHAT DOES IT DO?
The application does not check the file extensions of the files inside an uploaded plugin zip. Uploading a malicious plugin that contains PHP files with extensions such as .PHP, .phtml, or .php7 copies them into the plugins directory, leading to remote code execution.
Possible execution of malicious code leading to loss or leak of data, tampering with machines, and unintended access to accounts.
No remediations have been listed for this vulnerability as of this posting.
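The defect above is that the uploader trusts every entry name in the archive. The following is an added example, written for this roundup and not the affected application's code, of what the missing check looks like when the uploaded bundle is expected to contain only static assets: it inspects each entry before anything is written to disk, rejects server-executable suffixes case-insensitively and at any position in the name (so .PHP and shell.php.txt are caught, not just .php), and rejects entries that would escape the plugins directory. The suffix list, the in-memory sample archives and the plugin layout are constructed for the example. If a plugin format legitimately ships PHP, an extension filter is the wrong control; the upload then has to be restricted to administrators and the package signed or reviewed.

```python
import io
import posixpath
import zipfile

# Suffixes a default Apache/nginx + PHP setup hands to the interpreter. The
# list is an assumption for this example; adjust it to the handlers actually
# configured on the web server.
EXECUTABLE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def has_executable_suffix(entry_name: str) -> bool:
    """True if any dotted suffix of the file name is server-executable.

    Comparison is case-insensitive ('.PHP') and looks at every suffix, not just
    the last one, so 'shell.php.txt' is rejected too (Apache mod_mime can still
    route a multi-suffix name to PHP).
    """
    base = posixpath.basename(entry_name)
    suffixes = base.lower().split(".")[1:]
    return any(s in EXECUTABLE_SUFFIXES for s in suffixes)


def escapes_plugin_dir(entry_name: str) -> bool:
    """True if the entry would land outside the plugins directory on extraction."""
    if entry_name.startswith(("/", "\\")):
        return True
    normalized = posixpath.normpath(entry_name.replace("\\", "/"))
    return normalized == ".." or normalized.startswith("../")


def validate_plugin_zip(data: bytes):
    """Inspect every entry before anything is written to disk.

    Returns (ok, rejected) where rejected is a list of (entry_name, reason).
    """
    rejected = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if escapes_plugin_dir(info.filename):
                rejected.append((info.filename, "path traversal"))
            elif has_executable_suffix(info.filename):
                rejected.append((info.filename, "executable extension"))
    return (not rejected, rejected)


def build_zip(entries):
    """Helper to construct in-memory sample archives (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads, not real plugins.
BENIGN_PLUGIN = build_zip({
    "myplugin/plugin.json": '{"name": "myplugin"}',
    "myplugin/assets/style.css": "body {}",
    "myplugin/README.txt": "static assets only",
})
MALICIOUS_PLUGIN = build_zip({
    "myplugin/plugin.json": '{"name": "myplugin"}',
    "myplugin/shell.PHP": "<?php system($_GET['c']); ?>",   # case-variant suffix
    "myplugin/x.phtml": "<?php phpinfo(); ?>",             # alternate suffix
    "../../index.php7": "<?php echo 'owned'; ?>",           # traversal + alternate suffix
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PLUGIN), ("malicious", MALICIOUS_PLUGIN)):
        ok, rejected = validate_plugin_zip(blob)
        print(label, "accepted" if ok else "rejected", rejected)
```

The check runs over the archive's central directory only; the archive is never extracted unless every entry passes, so a single bad entry rejects the whole upload rather than leaving a partially copied plugin behind.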
Use of a MAC address as an authentication password in QSAN Storage Manager, XEVO, and SANOS allows local attackers to escalate privileges.
A vulnerability in the file uploader component (~/src/Classes/FileUploader.php) of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or profile updates. This issue affects versions 3.0.0 through 3.1.3.
There is an arbitrary password modification vulnerability in a D-LINK DSL-2888A router product. An attacker can use this vulnerability to modify the password of the admin user without authorization.
An authentication bypass vulnerability in the web-based management interface of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.64, and USG FLEX, ATP, and VPN series firmware versions 4.35 through 5.01, could allow a remote attacker to execute arbitrary commands on an affected device.
Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
CUSTOMER USE CASE
Identity and Access Management Monitoring
Managing the constant stream of access requests, logins, and other user-driven events is a daunting task. As logon events arrive from a log collector, each one needs to be evaluated quickly: was the user authenticated, and to the appropriate level of access? Most networks already have solutions in place to handle a large volume of logons and access requests, but many are not very capable of uncovering discrepancies beyond the basics of password or SSO success/failure. Regularly overlooked items include whether the actor had the proper permissions for account creation and policy changes, whether SSO was used where required, access key changes, and logon locations that do not match the user.
As with many things, some of our best playbooks are our simplest. In this case, comparing each logon against client-defined allow lists and deny lists (whitelists/blacklists) of users makes for easy rule comparison. These lists can also be keyed by group, permitted logon country, and accepted two-factor type. We use integrations to pull data or check different sources for updated information, then compare every logon against all of these pieces.
BENEFITS TO THIS APPROACH
Though simple, this approach is efficient and incredibly effective. Comparing against predefined lists (which can be automatically populated as tuning occurs) is much faster than score calculation. When users are waiting to access resources, it’s better to have as few analyst reviewed cases as possible while still maintaining an acceptable level of security against fraudulent logins.
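To make the list-comparison approach concrete, here is an added example of the core rule logic, written for this roundup and not LogicHub's own playbook code. Each successful logon is compared against a client-defined deny list of users, an allowed-country list with per-user overrides, an accepted two-factor list, and a stricter factor requirement for admin groups; only logons that miss a list are handed to an analyst, which is what keeps the review queue short. The policy values, the newline-delimited JSON schema and the sample logon lines are all constructed for the example.

```python
import json

# Client-defined lists. Constructed for this example; a production playbook
# pulls them from the identity provider, HR feed and MFA platform through
# integrations and refreshes them as tuning occurs.
POLICY = {
    "denied_users": {"svc-legacy", "contractor.old"},
    "allowed_countries": {"US", "CA", "GB"},
    # approved per-user exceptions, e.g. an employee on a long assignment
    "country_overrides": {"jdoe": {"US", "DE"}},
    "accepted_mfa_types": {"webauthn", "totp", "push"},
    "admin_groups": {"Domain Admins", "IAM-Admins"},
    # admins must use a phishing-resistant factor, not just any accepted one
    "admin_mfa_types": {"webauthn"},
}


def evaluate_logon(event: dict, policy: dict = POLICY) -> list:
    """Return the list-comparison mismatches for one logon event.

    An empty list means the logon matched every list and needs no analyst
    review. Failed logons are skipped here; they belong to a separate
    failure-rate rule rather than per-event review.
    """
    if event.get("result") != "success":
        return []
    reasons = []
    user = event.get("user", "")
    groups = set(event.get("groups", []))
    country = event.get("country", "")
    mfa = event.get("mfa", "none")

    if user in policy["denied_users"]:
        reasons.append("user is on the deny list")

    allowed_countries = policy["country_overrides"].get(user, policy["allowed_countries"])
    if country not in allowed_countries:
        reasons.append(f"logon from {country} is not on the allowed-country list")

    if mfa not in policy["accepted_mfa_types"]:
        reasons.append(f"MFA type '{mfa}' is not an accepted two-factor type")

    if groups & policy["admin_groups"] and mfa not in policy["admin_mfa_types"]:
        reasons.append(f"admin-group logon used '{mfa}' instead of a required admin factor")

    return reasons


def triage(log_lines: str, policy: dict = POLICY) -> list:
    """Parse newline-delimited JSON logon events and return only those needing review."""
    flagged = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = evaluate_logon(event, policy)
        if reasons:
            flagged.append({"ts": event["ts"], "user": event["user"], "reasons": reasons})
    return flagged


# Constructed sample SSO logon events (not real log data). Field names are
# assumptions about the collector's schema.
SAMPLE_LOGONS = """\
{"ts":"2021-07-02T13:04:11Z","user":"jdoe","groups":["Sales"],"country":"DE","mfa":"totp","result":"success"}
{"ts":"2021-07-02T13:05:30Z","user":"asmith","groups":["Domain Admins"],"country":"US","mfa":"sms","result":"success"}
{"ts":"2021-07-02T13:06:02Z","user":"svc-legacy","groups":[],"country":"US","mfa":"none","result":"success"}
{"ts":"2021-07-02T13:07:45Z","user":"bchen","groups":["Engineering"],"country":"BR","mfa":"push","result":"success"}
{"ts":"2021-07-02T13:08:10Z","user":"bchen","groups":["Engineering"],"country":"US","mfa":"push","result":"failure"}
{"ts":"2021-07-02T13:09:00Z","user":"mlee","groups":["Sales"],"country":"US","mfa":"push","result":"success"}
"""

if __name__ == "__main__":
    for case in triage(SAMPLE_LOGONS):
        print(case["ts"], case["user"], "; ".join(case["reasons"]))
```

Of the six sample events, three reach an analyst: the admin who authenticated with SMS, the denied service account, and the logon from an unapproved country. The per-user country override is what keeps the approved exception off the queue, and it is the kind of entry that gets added to the list as tuning occurs rather than being recomputed as a score on every logon.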
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Android Apps with 5.8 million Installs Caught Stealing Users' Facebook Passwords
The importance of using trusted apps and doing some research ahead of time was highlighted once more when a series of otherwise functional apps asked users to log in to Facebook in order to remove advertisements. If the user did so, their credentials were harvested and sent to an external server. Google has removed these applications since their discovery, just as a new verification system for developer accounts has gone into place.
CISA releases new ransomware self-assessment security audit tool
The new Ransomware Readiness Assessment tool aims to help organizations understand where their security posture lies on industry standards, aiming to help educate and improve understanding of best practices. Results are presented in a user-friendly dashboard format, complete with tutorial.
Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground
Posted on RaidForums, the data appears to have been scraped from public profiles and did not likely result from a breach. This collection is a continuation of the 500 million record collection from April, containing both that data and newly collected records. It will likely be used for spam campaigns or identity theft, and it makes picking spear-phishing targets that much easier.
One-Click Exploit Could Have Let Attackers Hijack Any Atlassian Account
Via Atlassian's SSO capabilities, attackers could quickly and easily access sensitive information. Reported on January 8th, the issue was fixed as part of updates released on May 18th. The exploit chained XSS and CSRF to inject code, but required that a user be tricked into clicking a specially crafted link.
Google fixes seventh Chrome zero-day exploited in the wild this year
The team at Google has been having a crazy year. On June 17th, the Stable release channel featured a rollout of Chrome fixes, including a patch for an arbitrary code execution zero-day. Users are advised to update immediately if they haven’t done so already.
Intuit notifies customers of compromised TurboTax accounts
Using credential-stuffing account takeover attacks (in which passwords exposed in other breaches are tried against known accounts), attackers accessed multiple Intuit customers' accounts and the data in them, including social security numbers, addresses, dates of birth, and financial information. Because this technique depends on password reuse, users should use a unique password for each site, enable multi-factor authentication where it is offered, and check whether their passwords appear in known breaches.
New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites
The new attack, dubbed ALPACA (Application Layer Protocol Confusion - Analyzing and mitigating Cracks in TLS Authentication), exploits the fact that TLS authenticates a server but does not bind the session to a particular application protocol. A man-in-the-middle attacker who lures a user to a crafted link can redirect the browser's TLS connection to a different service on the same host or certificate (an FTP or mail server, for instance), which accepts it because the certificate still validates. The resulting cross-protocol sessions can be used to upload sensitive data such as session cookies to an FTP server, or to reflect attacker-controlled content back to the browser as an XSS payload. The mitigations are strict enforcement of the ALPN and SNI extensions on servers and not sharing one certificate across unrelated services.
One Fastly customer triggered internet meltdown
When one customer changed their Fastly configuration, they unintentionally triggered a bug introduced in a recent software update, which took down roughly 85% of the Fastly network. Though the issue was resolved within a little under an hour, this sort of bug highlights the importance of stringent testing and staged rollout processes.
Amazon shared your Internet with neighbors on June 8th - how to opt out
Amazon Echo and Ring devices now automatically share a slice of your internet connection through Amazon Sidewalk, a platform-specific roaming network for Amazon devices. Though Amazon states that a maximum of 500MB of shared bandwidth a month applies, this sort of sharing isn't within many people's comfort zones. You can get information on how to opt out in the linked article from BleepingComputer.