The LogicHub Security Roundup: July 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we cover the past month's threats, informative use cases our teams have seen, and recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Windows Print Spooler Vulnerability

WHAT DOES IT DO?

This Windows Print Spooler vulnerability, dubbed PrintNightmare and tracked as CVE-2021-34527, was unpatched when it became public and lets an attacker run code as SYSTEM, which is full administrative control of the host. Microsoft's June 2021 update fixed a related Print Spooler flaw (CVE-2021-1675), but that patch did not close this one, and public proof-of-concept code followed. The vulnerability is being actively exploited in the wild.

POTENTIAL IMPACT

The Print Spooler service runs as SYSTEM and is enabled by default on workstations, servers and domain controllers. Any authenticated user, including a low-privileged domain account, can reach it over the network and ask it to install a printer driver; because the service does not properly verify the caller or the driver it is handed, the attacker's DLL ends up running as SYSTEM on the targeted machine, locally or remotely. From there they can execute commands, move to other networked machines, make significant changes to permissions, or exfiltrate information. A domain controller with the spooler enabled is the worst case, since SYSTEM on a domain controller is effectively full domain compromise.

REMEDIATION

A patch has been released as of July 7th, but many organizations cannot install it immediately and must rely on a workaround. Stopping and disabling the Print Spooler service is the simplest option, but it also stops local printing, which is not acceptable in many corporate environments. The alternative is to disable inbound remote printing through Group Policy (Computer Configuration > Administrative Templates > Printers > "Allow Print Spooler to accept client connections": Disabled), which blocks the remote attack path while leaving local printing intact. At a minimum, disable the spooler on domain controllers and on any server that does not print. Note also that the patch only protects hosts where Point and Print driver installation is restricted to administrators (the RestrictDriverInstallationToAdministrators value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint set to 1), so verify that setting after patching rather than assuming the update alone is enough.
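Because the patched or worked-around state is hard to verify across a whole fleet, teams usually pair the fix with detection. The Python below is an added example, not LogicHub playbook code and not from the Microsoft advisory. It runs over constructed records in the shape of Microsoft-Windows-PrintService/Operational events (ID 316, "printer driver added or updated", whose message lists the driver's files, and ID 808, "spooler failed to load a plug-in module") and flags a driver install on a host that should never receive one, an install that references files outside a baseline, and a plug-in load failure from the driver store. The host names, the file baseline and the events themselves are all constructed for the example; the PrintService/Operational log is disabled by default on Windows, so it has to be enabled before anything like this is useful.

```python
import re
from typing import Dict, List

# Constructed sample records in the shape of Microsoft-Windows-PrintService/Operational
# events. They are illustrative only, not an export from a real host.
SAMPLE_EVENTS = [
    {"event_id": 316, "host": "WS07",
     "message": "Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 "
                "was added or updated. Files:- mxdwdrv.dll, mxdwdui.dll"},
    {"event_id": 316, "host": "DC01",
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, evil.dll"},
    {"event_id": 808, "host": "DC01",
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\evil.dll, error code 0x45A."},
    {"event_id": 307, "host": "WS07",
     "message": "Document 12, Print Document owned by jsmith on \\\\WS07 was printed."},
]

# Hypothetical baseline for this example: driver files expected on the fleet,
# and hosts (domain controllers, print-less servers) that should never see a
# new printer driver at all. In a playbook both would come from inventory.
KNOWN_DRIVER_FILES = {"mxdwdrv.dll", "mxdwdui.dll", "unidrv.dll", "unires.dll", "unidrvui.dll"}
NO_DRIVER_HOSTS = {"DC01"}

FILES_RE = re.compile(r"Files:-\s*(.+)$")
PLUGIN_RE = re.compile(r"failed to load a plug-in module (.+?), error code", re.IGNORECASE)


def driver_files(message: str) -> List[str]:
    """Extract the lower-cased file list from an event 316 message."""
    match = FILES_RE.search(message)
    if not match:
        return []
    return [f.strip().lower() for f in match.group(1).split(",") if f.strip()]


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one alert per suspicious event; benign events produce nothing."""
    alerts: List[Dict] = []
    for ev in events:
        eid, host, msg = ev["event_id"], ev["host"], ev["message"]
        if eid == 316:
            files = driver_files(msg)
            unknown = sorted(set(files) - KNOWN_DRIVER_FILES)
            if host in NO_DRIVER_HOSTS:
                alerts.append({"host": host, "severity": "high", "files": files,
                               "reason": "printer driver installed on a host that should never receive one"})
            elif unknown:
                alerts.append({"host": host, "severity": "medium", "files": unknown,
                               "reason": "driver install references files outside the baseline"})
        elif eid == 808:
            match = PLUGIN_RE.search(msg)
            module = match.group(1) if match else ""
            # A plug-in load failure pointing into the driver store is how a
            # dropped DLL that is not a real driver tends to show up.
            if "\\spool\\drivers\\" in module.lower():
                alerts.append({"host": host, "severity": "high",
                               "files": [module.rsplit("\\", 1)[-1].lower()],
                               "reason": "spooler tried to load a plug-in from the driver store"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["reason"], alert["files"])
```

The two DC01 records produce alerts and the workstation records do not. The file baseline is deliberately an allowlist rather than a list of known-bad names: driver file names are chosen by the attacker, so matching on "evil.dll" would never survive contact with a real exploit, while a new driver appearing on a domain controller is suspicious whatever it is called.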

MORE INFORMATION:

https://www.logichub.com/blog/printnightmare-breakdown-analysis-and-remediation

HIGHLIGHT

phplist RCE

WHAT DOES IT DO?

The phplist plugin installer does not check the names of the files inside an uploaded plugin zip. An attacker who can upload a plugin can include PHP files under any executable extension (PHP, phtml, php7 and similar, in any letter case); the installer copies them into the plugins directory, where the web server will execute them, giving remote code execution on the host.

POTENTIAL IMPACT

Execution of attacker-supplied code on the web server, leading to loss or leakage of data held by the application, tampering with the host, and unauthorized access to accounts.

REMEDIATION

No fix had been published for this vulnerability as of this posting. Until one is available, restrict plugin installation to trusted administrators, treat every plugin archive as untrusted code and inspect its contents before installing it, and watch the plugins directory for files that were not part of an expected plugin.
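Since a PHP plugin system cannot simply refuse PHP files, the useful control is to see exactly what an archive would write and where before it is installed. The Python below is an added example, not phplist's own code: it inspects a constructed plugin zip in memory and reports which entries the web server could execute (matching every dotted suffix, case-insensitively, which is why `helper.PhP` and `cmd.phtml` are caught), which entries would escape the plugins directory through `..` or absolute paths, and everything else. The archive contents and the suffix list are assumptions for the example; the suffix list should match the handler rules actually configured on the server.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Suffixes a typical PHP web server hands to the interpreter. Hypothetical
# list for this example; align it with the AddHandler/FilesMatch rules in use.
EXECUTABLE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}


def is_executable_name(name: str) -> bool:
    """Case-insensitive check over every dotted suffix, so 'x.PHP', 'x.phtml'
    and 'x.php.bak' (executable under some Apache configurations) all match."""
    suffixes = posixpath.basename(name).lower().split(".")[1:]
    return any(s in EXECUTABLE_SUFFIXES for s in suffixes)


def escapes_root(name: str) -> bool:
    """True for absolute paths or '..' segments that would land outside the
    plugins directory when extracted (zip slip)."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def inspect_plugin_zip(data: bytes) -> Dict[str, List[str]]:
    """Report what an uploaded plugin archive would place on disk."""
    report: Dict[str, List[str]] = {"executable": [], "escapes_root": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if escapes_root(name):
                report["escapes_root"].append(name)
            elif is_executable_name(name):
                report["executable"].append(name)
            else:
                report["other"].append(name)
    return report


def build_sample_plugin() -> bytes:
    """Constructed archive: a plausible plugin plus the kinds of entries an
    attacker would smuggle in. Not a real phplist plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myplugin.php", "<?php // plugin entry point\n")
        zf.writestr("myplugin/README.txt", "docs\n")
        zf.writestr("myplugin/helper.PhP", "<?php // upper-case extension\n")
        zf.writestr("myplugin/cmd.phtml", "<?php system($_GET['c']); ?>\n")
        zf.writestr("../../www/backdoor.php7", "<?php eval($_POST['x']); ?>\n")
    return buf.getvalue()


if __name__ == "__main__":
    for bucket, names in inspect_plugin_zip(build_sample_plugin()).items():
        print(bucket, names)
```

Anything in `escapes_root` is grounds to reject the upload outright. The `executable` list is for a human or a playbook to compare against what the plugin is documented to ship; a plugin that claims to be one entry file and a directory but carries three extra executables is the case this CVE describes.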

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2020-22249

CUSTOMER USE CASE

Identity and Access Management Monitoring

SUMMARY

Managing the constant flow of access requests, logins, and other user-driven events is a daunting task. As records arrive from a log collector, users need to be authenticated quickly and granted the appropriate level of access. Most networks already have solutions in place to handle a large volume of logons and access requests, but many are not very capable at spotting anomalies beyond the basics of password or SSO success and failure. Regularly overlooked signals include whether the account that created a user or changed a policy was entitled to do so, whether SSO was used where it is required, access key changes, and logons from locations that do not match the user.

AUTOMATED SOLUTION

As with many things, some of our best playbooks are our simplest. In this case, applying whitelists and blacklists (allow and deny lists) built from custom user lists defined by the client allows for straightforward rule comparison. These lists can also be keyed on groups, specific logon countries, and two-factor types. We use integrations to pull data or check different sources for updated information, then compare each logon against every one of these lists.

BENEFITS TO THIS APPROACH

Though simple, this approach is efficient and remarkably effective. Comparing an event against predefined lists (which can be populated automatically as tuning occurs) is much faster than computing a risk score. When users are waiting to access resources, it is better to send as few cases as possible to analyst review while still maintaining an acceptable level of protection against fraudulent logins.
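The list-comparison playbook described above, as an added example in Python that is not LogicHub's own playbook code: each constructed logon event is checked for membership against hypothetical client-defined lists (blocked users, allowed countries with per-user travel exceptions, privileged groups, accepted MFA types, and who may create accounts), and the result is one of three buckets so that only the "review" bucket ever reaches an analyst. Every list, user and event here is an assumption constructed for the example; in a real playbook the lists are pulled from integrations and refreshed as tuning happens.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set

# Hypothetical client-defined lists for this example.
POLICY: Dict[str, Any] = {
    "blocked_users": {"contractor.old"},
    "allowed_countries": {"US", "CA", "GB"},
    "country_overrides": {"ana.ruiz": {"ES"}},          # approved travel exception
    "privileged_groups": {"Domain Admins", "IAM-Admins"},
    "accepted_mfa": {"fido2", "push", "totp"},
    "privileged_mfa": {"fido2"},                         # phishing-resistant only
    "account_creators": {"svc-hr-provisioning", "iam.admin"},
}


@dataclass
class LogonEvent:
    user: str
    country: str
    mfa: Optional[str]        # factor type reported by the IdP; None if no second factor
    groups: Set[str]
    action: str = "logon"     # also "account_create", "policy_change", "key_rotate"


# Constructed sample events, one per situation the lists are meant to catch.
SAMPLE_LOGONS = [
    LogonEvent("jsmith", "US", "push", {"Staff"}),
    LogonEvent("ana.ruiz", "ES", "totp", {"Staff"}),
    LogonEvent("iam.admin", "GB", "push", {"IAM-Admins"}),
    LogonEvent("svc-hr-provisioning", "US", "totp", {"Staff"}, action="account_create"),
    LogonEvent("bob", "US", "totp", {"Staff"}, action="account_create"),
    LogonEvent("contractor.old", "US", "fido2", set()),
    LogonEvent("jsmith", "RU", None, {"Staff"}),
]


def evaluate(ev: LogonEvent, policy: Dict[str, Any] = POLICY) -> Dict[str, Any]:
    """Compare one event against the lists: pure membership checks, no scoring."""
    if ev.user in policy["blocked_users"]:
        return {"decision": "block", "reasons": ["user is on the blocklist"]}
    reasons: List[str] = []
    allowed = policy["allowed_countries"] | policy["country_overrides"].get(ev.user, set())
    if ev.country not in allowed:
        reasons.append(f"logon from {ev.country} is not on the allowlist")
    privileged = bool(ev.groups & policy["privileged_groups"])
    accepted_mfa = policy["privileged_mfa"] if privileged else policy["accepted_mfa"]
    if ev.mfa not in accepted_mfa:
        kind = "privileged" if privileged else "standard"
        reasons.append(f"mfa {ev.mfa!r} not accepted for {kind} users")
    if ev.action == "account_create" and ev.user not in policy["account_creators"]:
        reasons.append("account creation by a user not on the creator list")
    if not reasons:
        return {"decision": "allow", "reasons": reasons}
    # Privileged accounts and multiple findings are blocked outright; a single
    # finding on a standard account is the only thing an analyst has to look at.
    decision = "block" if privileged or len(reasons) > 1 else "review"
    return {"decision": decision, "reasons": reasons}


def triage(events: List[LogonEvent], policy: Dict[str, Any] = POLICY) -> Dict[str, List[str]]:
    """Group users by decision so only the 'review' bucket reaches an analyst."""
    queues: Dict[str, List[str]] = {"allow": [], "review": [], "block": []}
    for ev in events:
        queues[evaluate(ev, policy)["decision"]].append(ev.user)
    return queues


if __name__ == "__main__":
    for ev in SAMPLE_LOGONS:
        print(ev.user, ev.country, evaluate(ev))
```

Of the seven constructed events only one ends up in the review queue; the rest are resolved by list membership alone, which is the property the text is describing. Location mismatches that need history (impossible travel between two logons) are deliberately out of scope for a pure list comparison and would need a separate stateful check.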

Recommended Reading

This section collects interesting reading on the state of infosec today. Each article comes with a short summary of the news and a link to more information.