Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations. Remember: When applying patches to mitigate or remediate these vulnerabilities, always make sure to perform a backup ahead of time in case anything goes wrong.

HIGHLIGHT

Pulse Secure VPN RCE

What does it do?

In an unfortunate and ironic turn of events, the workaround XML file released for one RCE deactivates the protection provided by an earlier RCE workaround. The released patch, according to the Threatpost article, “...may allow for an unauthenticated, remote attacker to execute code as a user with root privileges”. From the CERT Coordination Center report and Threatpost:

“When specifying a long server name for some SMB operations, the smbclt application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,” CERT/CC noted. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it’s managed to trigger the vulnerability by targeting the CGI script /dana/fb/smb/wnf.cgi, although “Other CGI endpoints may also trigger the vulnerable code.”

Potential Impact

Either of these vulnerabilities can cause significant damage to vulnerable machines. As these can cause buffer overflows followed by remote code execution, data may be modified, leaked, or destroyed. Machine access may be retained by the attacker, and their access would be root privileges.

Remediation

There are two fixes available at the moment, and each one comes with its own caveats. Applying the most recent workaround (2105) will deactivate 2104, but it requires that the system be on a new version or it will reactivate the old RCE. It also blocks use of the Windows File Share Browser. If the second fix (setting a Windows initial file browsing policy of deny for SMB connections) is performed, none of the connections that trigger the vulnerability will be allowed, but no legitimate SMB connections will be allowed, either.

More Information:

https://threatpost.com/pulse-secure-vpns-critical-rce/166437/

HIGHLIGHT

Hyper-V Kernel Trickery

What does it do?

This vulnerability allows for a guest virtual machine to create conditions for a denial of service on the Hyper-V host kernel by forcing an invalid kernel read address. Though all of the potential for this vulnerability is not yet known, hardware-specific side effects related to devices attached to the Hyper-V host could cause abnormalities and possible further vulnerabilities.

Potential Impact

This vulnerability causes, at a minimum, a denial of service to the host machine, but could cause a release of information through unintended effects upon hardware devices.

Remediation

Updates have been made available by the vendor to patch out this vulnerability.

More Information:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476

HIGHLIGHT

Solarwinds Validation Failure

What does it do?

Solarwinds vulnerability exploitation is on the rise, and this CVE is an interesting example. No authentication is necessary to exploit this vulnerability. Due to a lack of properly validated user-supplied data, deserialization may be performed and arbitrary code execution could then take place.

Potential Impact

As with all cases of arbitrary code execution, this one can cause complete compromise of the CIA triad, leaking or tampering with sensitive data.

Remediation

This vulnerability has been patched in an update made available by Solarwinds. Solarwinds also recommends ensuring proper segmentation on networks with SQL server instances, strict access control on a least-privilege basis, and separating Orion servers from the rest of customer infrastructure using VLANs and jumpboxes.

More Information:

https://documentation.solarwinds.com/en/success_center/sam/content/release_notes/sam_2020-2-5_release_notes.htm#Fixed

Additional Threats

CVE-2020-4561

IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903.

More Info

CVE-2021-22891

A missing authorization vulnerability in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 may allow unauthenticated remote compromise of the Storage Zones Controller.

More Info

CVE-2021-33514

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field.

More Info

CVE-2021-31324

The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.

More Info

CVE-2021-23008

On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x, BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

More Info

CVE-2021-31955

Windows Kernel Information Disclosure Vulnerability: The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems are seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Detecting Binary Masquerading

Summary

On a large network, especially one focused on Windows deployments, a great many Windows programs are constantly being installed, launched, and run. It is understandable, then, that finding malware masquerading as a Windows binary can be rather difficult and time consuming. In one case this month, a malware install alert was triggered on a binary that otherwise appeared normal. Using the automated solution below, an impressive near-exact clone of Microsoft Office was found, with binaries that were simply in different paths than usual. Combined with a unique conversation from the machine in question to an IP with a bad reputation, this led to the machine being marked for quarantine, a sweep for similar incidents being performed, and the affected machine being cleaned.

Automated Solution

In the LogicHub solution against binary masquerading, we first search for indicators of normality: in the case above, that was ensuring that binary paths were normal in every detection and searching for unique firewall conversations. After the initial process of correlating logs and sources, each alarm on a Windows binary is checked against known binary paths. IPs involved in potentially unusual activity or excessive conversations are automatically checked in batches against a series of reputation websites. All of this data is correlated and scored according to possibility of compromise, and a case is opened if that score crosses a client-specified threshold.
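As an added illustration of the scoring logic described above (this is not LogicHub's own automation or code), the following Python sketch checks each alert's binary path against a constructed allow-list of expected install locations, checks the contacted IPs against a constructed reputation list standing in for the batched reputation lookups, and opens a case when the combined score crosses a threshold. The known-path table, the bad-IP set, the weights and the sample alerts are all hypothetical.

```python
"""Score Windows binary alerts for masquerading: expected-path check plus
IP reputation, combined into one compromise score with a case threshold."""
import ntpath

# Hypothetical allow-list of expected directories per binary (constructed).
KNOWN_BINARY_PATHS = {
    "winword.exe": {r"c:\program files\microsoft office\root\office16",
                    r"c:\program files (x86)\microsoft office\root\office16"},
    "excel.exe": {r"c:\program files\microsoft office\root\office16"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed stand-in for the reputation services the real automation queries.
BAD_REPUTATION_IPS = {"203.0.113.45"}

CASE_THRESHOLD = 60  # client-specified in practice; constructed here


def path_is_normal(image_path: str) -> bool:
    """True only if the binary name is known and sits in an expected directory."""
    folder, name = ntpath.split(image_path.lower())
    expected = KNOWN_BINARY_PATHS.get(name)
    return expected is not None and folder in expected


def score_alert(alert: dict) -> dict:
    """Combine the path check and IP reputation into a single score."""
    score, reasons = 0, []
    if not path_is_normal(alert["image_path"]):
        score += 50
        reasons.append("binary not at a known path: " + alert["image_path"])
    bad = sorted(ip for ip in alert.get("remote_ips", []) if ip in BAD_REPUTATION_IPS)
    if bad:
        score += 40
        reasons.append("bad-reputation IPs: " + ", ".join(bad))
    return {"host": alert["host"], "score": score, "reasons": reasons,
            "open_case": score >= CASE_THRESHOLD}


# Constructed sample alerts: an Office clone in an odd path talking to a
# bad-reputation IP, and a legitimate Word launch for comparison.
SAMPLE_ALERTS = [
    {"host": "ws-17", "image_path": r"C:\Users\Public\Office16\WINWORD.EXE",
     "remote_ips": ["203.0.113.45", "198.51.100.7"]},
    {"host": "ws-22",
     "image_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "remote_ips": ["198.51.100.7"]},
]


def triage(alerts=SAMPLE_ALERTS) -> list:
    """Score every alert; cases are opened for those at or above the threshold."""
    return [score_alert(a) for a in alerts]


if __name__ == "__main__":
    for result in triage():
        print(result)
```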

Benefits to This Approach

  • Quick review of large amounts of information - activity from binaries is common in Windows machines, so removing the noise is important
  • Finds covert malware that otherwise looks completely normal to the user
  • All information leading to a detection or associated with a machine is assigned to a single case and is easy to correlate

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

U.S. Declares State of Emergency After Largest Pipeline Shut Down by Ransomware

The largest pipeline in the U.S., the Colonial Pipeline, has shut down almost entirely as of May 10th, causing a state of emergency in 13 states and the District of Columbia. The attack came from the Darkside ransomware group; the pipeline accounts for 48% of natural gas supply across the southeastern US. The state of emergency is in place until June 10th or until the Colonial Pipeline Company is able to restore some services.

Read More

4 Million Email Addresses Used by Emotet Released, Posted to HaveIBeenPwned

It’s time to check in on HaveIBeenPwned.com and see if you were one of the unlucky ones who had their email used by the Emotet malware campaign. The email addresses were released by the FBI in tandem with a tool that uninstalled the malware from affected computers. These addresses aren’t publicly visible, and require the address owner to check for compromise.

Read More

Office365 Phishing On the Rise

Usual phishing advice doesn’t apply to the new O365 attacks. The link that is clicked by a targeted user directs to an actual O365 login page, but features a pop-up requesting permissions from an application that looks like it comes from Microsoft. This tactic both lends legitimacy and bypasses all two-factor authentication.

Read More

After Solarwinds, White House Pushes for Electrical Grid Security

Coming after the devastating Solarwinds attacks (now attributed to Russian actors), the Biden administration is working to roll out security for electrical grids across the U.S. This plan is based on incentives rather than regulations, providing monitoring software and requesting reporting of attacks.

Read More

Fake Comment Crisis at the FCC

The Federal Communications Commission has confirmed the illegitimacy of millions of fake comments regarding net neutrality. Comments both for and against the neutral treatment of data were added by fabricating names and using fake identities, causing confusion for legislators. Petitions and comments like this greatly influence legislative decisions, and fake comments can mean a direct disruption of the democratic process.

Read More

Deepfake Surge

Deepfaking (the creation of hyper realistic photos and videos with faces or bodies that aren’t their own) has been rising over the past 10 years, and it’s about to surge again with a massive uptick in deepfake tech crossing the dark web. Reported by Recorded Future, how-tos and best practices are becoming commonplace fare. Be vigilant, and don’t trust everything that even your own eyes see.

Read More
