The LogicHub Security Roundup: March 2022 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
SECURITY SAFARI
New Threats in the Wild
This section is devoted to threats of particular note that we encountered in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
HIGHLIGHT
Mozilla Use After Free Vulnerabilities
WHAT DOES IT DO?
This pair of vulnerabilities affects the Mozilla Firefox web browser. Use-after-free flaws occur when an application keeps using memory after it has been freed (and possibly reallocated to something else), which can cause a variety of problems and, in many cases, remote code execution. The first, CVE-2022-26485, is due to a problem in XSLT parameter processing (XSLT is the language browsers use to transform XML documents with stylesheets) and is currently being exploited in the wild for RCE. The other, CVE-2022-26486, is in the WebGPU framework and is currently being exploited in the wild for sandbox escapes.
POTENTIAL IMPACT
Remote code execution and sandbox escape flaws are highly exploitable, usually requiring no existing privileges on the target machine and only low-complexity attacks. As the name suggests, they can be performed remotely, so they are both more likely to be used and capable of causing a great deal of damage.
REMEDIATION
Both of these bugs are fixed in currently available versions of Firefox. Users should update immediately.
MORE INFORMATION:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26486
HIGHLIGHT
Adobe Magento/Commerce Arbitrary Code Execution
WHAT DOES IT DO?
Adobe Magento/Commerce is a full commerce platform built with both B2B and B2C in mind. This critical vulnerability is a pre-authentication arbitrary code execution flaw caused by improper input validation. It is a zero-day vulnerability, meaning that it is being actively exploited in the wild. Few other details are available on the affected input field and the exploitation method.
POTENTIAL IMPACT
Arbitrary code execution is a severe issue: a direct flaw in the target system lets an attacker run code of their choosing on it. Depending on the code executed on the machine, any aspect of the CIA triad could be fully compromised.
REMEDIATION
The issue was patched once, but the first patch was not sufficient to fix it. A second patch has since been released and all administrators are encouraged to apply it as soon as possible.
MORE INFORMATION:
https://helpx.adobe.com/security/products/magento/apsb22-12.html
HIGHLIGHT
Zimbra Collaboration Suite Zero-Day
WHAT DOES IT DO?
Zimbra is a business email and collaboration service. This zero-day exploit has primarily been used to target European government organizations, using cross-site scripting within a Zimbra email opened in a web browser. The issue was mentioned last month, when little information was available to work with; it has since been added to the CISA Known Exploited Vulnerabilities catalog.
POTENTIAL IMPACT
Arbitrary code execution has already been seen in prior attack campaigns, which can cause mass damage to all portions of the CIA triad.
REMEDIATION
A hotfix has been made available by the vendor and should be installed as soon as possible. Prior to the Feb 5th hotfix, this was a true zero-day with no workaround or patch.
MORE INFORMATION:
Additional Threats
CVE(s): Multiple CVEs (CVE-2022-20699 through CVE-2022-20708)
Description: Series of Cisco Small Business Router buffer overflow vulnerabilities
FROM THE FIELD
Real World Use Cases in Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
CUSTOMER USE CASE
Detection of Persistent Programs and Changing Hashes
SUMMARY
Finding consistent indicators for malicious or potentially unwanted files that keep changing is exceedingly difficult. Many such files obfuscate themselves to avoid automatic removal, changing their hashes or automatically renaming themselves to evade detection. Over the years, we've seen a good number of these programs and have been able to report on them successfully using automation.
AUTOMATED SOLUTION
Automating the search for persistent programs on user machines typically takes a few different methods to cover all bases. The first is hash analysis: although many programs change their hashes for obfuscation, this takes care of the worst offenders. Hashes are sent via an integration to a connected hash analysis service, which returns existing reports or even accepts a file upload to test the sample in a sandbox. The service's report on the file is attached to a case.
The second method looks at associated activity. A malicious or potentially unwanted program has several associated programs or actions it may launch, and these can be alerted upon. Loading certain .dll files, writing to temp files, launching cmd.exe, attempting to kill certain programs, and simply being detected by antivirus can all be associated with a malicious file.
In many cases, automation can also be set up to report back hashes of concerning programs in bulk so they can be permanently removed.
BENEFITS TO THIS APPROACH
After these activities are detected and alerted upon, they are correlated into a single case based on an identifying factor, such as a user or machine. This makes investigation much easier and surfaces problems across multiple sources that would otherwise take valuable time to find.
Without automation, it is unlikely that a program that changes its hash or name for obfuscation would be found at all, or that it would be associated with the other events that correlate with it.
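A toy version of the correlation described in this use case, added here as an illustration rather than LogicHub's own code: it scores constructed endpoint events per host against the behaviours listed above (hash verdict, temp-file writes, cmd.exe launches, kill attempts, AV detections), opens a case when a host crosses an assumed threshold, and keeps every non-clean hash seen so that rehashed copies can be reported in bulk. The hash-reputation table, the weights, the threshold, the process names and the sample events are all constructed placeholders; every process event is assumed to carry a sha256 field.

```python
from collections import defaultdict

# Constructed hash-reputation table standing in for the hash-analysis integration.
HASH_VERDICTS = {"HASH-A": "malicious", "HASH-C": "clean"}  # placeholder hashes
# Weights for the behaviours the use case lists; the threshold is an assumed tuning value.
WEIGHTS = {"hash_malicious": 5, "hash_unknown": 1, "temp_write": 1,
           "cmd_launch": 2, "kill_attempt": 3, "av_detection": 4}
CASE_THRESHOLD = 5

def classify(ev):
    """Map one raw endpoint event to a behaviour label, or None if nothing of note."""
    if ev["type"] == "av_detection":
        return "av_detection"
    if ev["type"] == "file_write" and "\\temp\\" in ev["path"].lower():
        return "temp_write"
    if ev["type"] == "process_start":
        verdict = HASH_VERDICTS.get(ev["sha256"], "unknown")  # unseen hash -> unknown
        if verdict != "clean":
            return "hash_" + verdict                           # hash_malicious / hash_unknown
        image = ev["image"].lower()
        if image.endswith("\\cmd.exe"):
            return "cmd_launch"
        if image.endswith("\\taskkill.exe") and "/f" in ev.get("args", "").lower().split():
            return "kill_attempt"
    return None

def build_cases(events, threshold=CASE_THRESHOLD):
    """Correlate events per host; open a case where the host's score reaches the threshold."""
    hosts = defaultdict(lambda: {"score": 0, "behaviours": [], "hashes": set()})
    for ev in events:
        label = classify(ev)
        if label:
            case = hosts[ev["host"]]
            case["score"] += WEIGHTS[label]
            case["behaviours"].append(label)
            if label.startswith("hash_"):       # keep every variant seen, so renamed or
                case["hashes"].add(ev["sha256"])  # rehashed copies can be blocked in bulk
    return {h: c for h, c in hosts.items() if c["score"] >= threshold}

def hashes_to_block(cases):
    """Bulk list of hashes from open cases, for permanent removal or blocklisting."""
    return sorted(set().union(*(c["hashes"] for c in cases.values())))

EVENTS = [  # constructed sample telemetry, not real data
    {"host": "ws-01", "type": "process_start", "image": "C:\\Users\\a\\AppData\\Roaming\\upd.exe", "sha256": "HASH-A"},
    {"host": "ws-01", "type": "file_write", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\stage.tmp"},
    {"host": "ws-01", "type": "process_start", "image": "C:\\Windows\\System32\\cmd.exe", "sha256": "HASH-C"},
    {"host": "ws-01", "type": "process_start", "image": "C:\\Windows\\System32\\taskkill.exe", "args": "/F /IM monitor.exe", "sha256": "HASH-C"},
    {"host": "ws-01", "type": "process_start", "image": "C:\\Users\\a\\AppData\\Roaming\\upd2.exe", "sha256": "HASH-B"},
    {"host": "ws-02", "type": "file_write", "path": "C:\\Users\\b\\AppData\\Local\\Temp\\report.tmp"},
]
```

Note that ws-01's second binary (HASH-B) has no reputation verdict at all, yet it still ends up in the case and in the bulk block list because the case is keyed by host, not by hash.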
Recommended Reading
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
SEC weighs reporting requirements for publicly traded companies
In summary, a set of cyber risk management and disclosure rules was proposed. Among them is a rule that would require publicly traded companies to disclose breach information within 4 days of discovery. The proposal would also require disclosure of risk management policies; it is awaiting public comment before final approval.
Android banking trojan is spreading by copying the tactics of another malware menace
The Medusa and FluBot Android malware strains share tactics for stealing sensitive data from phones, including passwords and banking details. Spread via SMS and replicated through victims' contacts, FluBot's success did not go unnoticed and most likely served as inspiration for Medusa.
New worm and data wiper malware seen hitting Ukrainian networks
The IsaacWiper and HermeticWizard malware strains have not yet been attributed to known threat actors and have been deployed in separate campaigns. Microsoft President Brad Smith described the attacks as 'precisely targeted', and there is no indication that any other countries have been targeted.
Social media phishing attacks are at an all time high
For the third consecutive year, social media phishing attacks have risen through the ranks to become the most used phishing campaigns. Attack sophistication has also risen sharply, with attackers impersonating well-known brands.
Researchers Devise Attack for Stealing Data During Homomorphic Encryption
Homomorphic encryption, though still mostly in the research phase, has many potential applications in cloud storage and computing because computations can be performed on encrypted data without access to the secret key. This is the first known successful side-channel attack on this encryption method, and it is set to be presented at DATE22.
Hackers Breach Russian Space Research Institute Website
According to the defacement left on the website, the compromise was related in part to the war in Ukraine; the actors claimed the handle 'v0g3lsec' on Twitter. The attackers posted a series of files from the Russian space agency, including specific documentation on lunar missions, and claimed to have accessed them by brute-forcing the password of the 'admin' account on the space research institute's file sharing service.
Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks
The malware comprises PowerShell and Python implants for scripting, a Windows metadata gathering technique, a series of backdoors for command and control, and obfuscated PowerShell scripts. Organizations should be on the lookout for zip archives containing Excel or PDF documents delivered via spearphishing.
'Ticking time bomb': Russian ransomware attacks are coming. What small businesses should do right now.
Including input from yours truly, this is an in-depth analysis of the industry understanding of Russian ransomware. Russia commonly uses ransomware to help bolster government funding, and with the Russian economy struggling due to war efforts, it’s highly likely that we’ll see expensive attacks in greater numbers from Russian APTs.
New Releases in CISA Known Exploited Vulnerabilities Catalog
Recently updated, this catalog tracks vulnerabilities that are commonly exploited in the wild. Entries include patch-by dates that show how quickly federal contractors and enterprises must patch them. Included in this set are a series of Cisco small business router vulnerabilities (covered in our CVE section), Microsoft Exchange and Excel vulnerabilities, and a series of Adobe vulnerabilities. Many of these are not new but are still very commonly exploited; among them is the SeriousSam vulnerability fixed in July 2021.