The LogicHub Security Roundup: March 2022 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Mozilla Use After Free Vulnerabilities

WHAT DOES IT DO?

This pair of vulnerabilities affects the Mozilla Firefox web browser. Use-after-free flaws occur when an application keeps using a block of memory after it has been freed (and possibly handed out again for something else); the result ranges from crashes and data corruption to, in many cases, remote code execution. The first, CVE-2022-26485, is a use-after-free in XSLT parameter processing (XSLT is the stylesheet language the browser uses to transform XML documents) and is being exploited in the wild for RCE. The second, CVE-2022-26486, is a use-after-free in the WebGPU IPC framework and is being exploited in the wild for sandbox escapes.

POTENTIAL IMPACT

Remote code execution and sandbox escape flaws are highly exploitable: they usually require no existing privileges on the target machine and are low in attack complexity. As the name suggests, they can be triggered remotely, in this case by getting a user to load attacker-controlled web content, so the chance of use is high and the damage potential large. Code execution inside the browser's content process paired with a sandbox escape is the classic chain for taking over the host from a web page.

REMEDIATION

Both bugs are fixed in currently available Firefox releases. Users and administrators should update immediately and confirm the installed version afterwards (Help > About Firefox, or the Application Basics section of about:support).

MORE INFORMATION:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26485

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26486

HIGHLIGHT

Adobe Magento/Commerce Arbitrary Code Execution

WHAT DOES IT DO?

Adobe Commerce (Magento) is an e-commerce platform serving both B2B and B2C merchants. This critical vulnerability is a pre-authentication arbitrary code execution flaw caused by improper input validation. It was a zero-day, meaning it was being exploited in the wild before a patch existed. Few other details on the vulnerable input or the exploitation method have been published.

POTENTIAL IMPACT

Arbitrary code execution is about as severe as a flaw gets: the attacker's own code runs on the target system, so depending on what is executed, confidentiality, integrity and availability (every leg of the CIA triad) can each be fully compromised. On a storefront that puts customer, order and payment data directly at risk.

REMEDIATION

The issue was patched once, but that first patch was not sufficient to fix it. A second patch has since been released; administrators should apply the updated patch as soon as possible and confirm that their installed version matches the fixed versions listed in the Adobe bulletin.

MORE INFORMATION:

https://helpx.adobe.com/security/products/magento/apsb22-12.html

HIGHLIGHT

Zimbra Collaboration Suite Zero-Day

WHAT DOES IT DO?

Zimbra is a business email and collaboration suite. This zero-day has been used primarily against European government organizations, via a cross-site scripting flaw in the Zimbra web client that fires when a crafted email is opened in the browser. The issue was mentioned last month, when little detail was available; it has since been added to the CISA Known Exploited Vulnerabilities catalog.

POTENTIAL IMPACT

Attacker-controlled script execution in the victim's webmail session has already been seen in attack campaigns. That hands the attacker the victim's mailbox and session, so every portion of the CIA triad can be affected.

REMEDIATION

A hotfix for Zimbra 8.8.15 has been made available by the vendor and should be installed as soon as possible. Prior to the Feb 5th hotfix this was a true zero-day with no patch or workaround.

MORE INFORMATION:

https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/

CUSTOMER USE CASE

Detection of Persistent Programs and Changing Hashes

SUMMARY

Finding a stable signal in malicious or potentially unwanted files that keep changing is exceedingly difficult. Many such programs are built to evade hash-based blocking: they modify themselves so that every copy has a different hash, or rename themselves to slip past name-based detection. Over the years we have seen a good number of these programs and have been able to report on them reliably using automation.

AUTOMATED SOLUTION

Automating the hunt for persistent programs on user machines typically takes a few different methods to cover all bases. The first is hash analysis: although many programs change their hashes to evade it, it still catches the worst offenders. Hashes are sent via an integration to a connected hash analysis service, which returns any existing report or, when none exists, accepts a file upload and detonates the sample in a sandbox. The resulting report is attached to the case.

The second method is behavioral: a malicious or potentially unwanted program tends to touch a recognizable set of associated programs and resources, and those actions can be alerted on regardless of the file's hash or name. Loading particular .dll files, writing to temp directories, launching cmd.exe, attempting to kill certain processes (security tools in particular), and simply being flagged by antivirus can all be associated with a malicious file.

In many cases, automation can also be set up to report back the hashes of concerning programs in bulk so they can be added to a blocklist and permanently removed.
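As an added example, not LogicHub's own playbook code, the following Python sketches the workflow above end to end: a hash reputation lookup, a set of behavioral rules, and correlation of both into one case per host, with the flagged hashes collected for a bulk blocklist push. The event records, the known-bad hash list, the temp-directory and security-tool names, and the lookup function are all constructed stand-ins for real endpoint telemetry and a real reputation/sandbox integration.

```python
"""Correlate hash reputation and behavioral indicators into one case per host.

Added example; not LogicHub's own playbook code. The events, the known-bad
hash list and the lookup function are constructed stand-ins for real telemetry
and a real reputation/sandbox integration.
"""
from collections import defaultdict
from typing import Iterable

# Constructed stand-in for a hash reputation service. A real integration would
# query the service's API and may submit the file for sandbox detonation.
KNOWN_BAD_SHA256 = {
    "a" * 64: "Trojan.Downloader (sandbox: writes payload to Temp, spawns cmd.exe)",
}

# Paths and process names used by the behavioral rules (assumed, illustrative).
TEMP_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\")
SECURITY_TOOLS = {"msmpeng.exe", "sense.exe", "csfalconservice.exe"}


def lookup_hash(sha256: str) -> dict:
    """Return a reputation verdict for a file hash (local stand-in)."""
    report = KNOWN_BAD_SHA256.get(sha256.lower())
    return {"sha256": sha256.lower(), "malicious": report is not None, "report": report}


def behavioral_indicators(ev: dict) -> list[str]:
    """Map one endpoint event to the indicator names it matches.

    These rules fire on what the program does, so they still catch a sample
    whose hash or file name changes on every run.
    """
    hits = []
    kind = ev["type"]
    image = ev.get("image", "").lower()
    path = ev.get("path", "").lower()
    if kind == "process_start":
        if image.endswith("\\cmd.exe") and ev.get("parent_image", "").lower().startswith("c:\\users\\"):
            hits.append("cmd_spawned_from_user_profile")
        if any(d in image for d in TEMP_DIRS):
            hits.append("exec_from_temp")
    elif kind == "file_write" and any(d in path for d in TEMP_DIRS) and path.endswith((".exe", ".dll")):
        hits.append("pe_written_to_temp")
    elif kind == "image_load" and any(d in path for d in TEMP_DIRS):
        hits.append("dll_loaded_from_temp")
    elif kind == "process_terminate" and ev.get("target_image", "").lower() in SECURITY_TOOLS:
        hits.append("attempted_kill_of_security_tool")
    elif kind == "av_detection":
        hits.append("av_detection")
    return hits


def build_cases(events: Iterable[dict], threshold: int = 2) -> dict[str, dict]:
    """Group events by host, enrich hashes, and open one case per host whose
    distinct indicators reach the threshold. A lone weak signal (one temp
    write) stays below it; correlation across sources is what makes the case."""
    per_host = defaultdict(lambda: {"indicators": set(), "bad_hashes": set(), "events": []})
    for ev in events:
        case = per_host[ev["host"]]
        case["events"].append(ev)
        hits = behavioral_indicators(ev)
        case["indicators"].update(hits)
        sha256 = ev.get("sha256")
        if sha256:
            rep = lookup_hash(sha256)
            if rep["malicious"]:
                case["indicators"].add("known_bad_hash")
            # The hash of a known-bad file, or of a file that behaved badly,
            # goes on the list to be reported back in bulk for removal.
            if rep["malicious"] or hits:
                case["bad_hashes"].add(rep["sha256"])
    return {host: c for host, c in per_host.items() if len(c["indicators"]) >= threshold}


def hashes_to_block(cases: dict[str, dict]) -> set[str]:
    """Collect every flagged hash across open cases for a bulk blocklist push."""
    return set().union(*(c["bad_hashes"] for c in cases.values()))


# Constructed sample telemetry: ws-17 runs a known-bad dropper that writes a
# renamed copy (unknown hash) to Temp, which spawns cmd.exe and attacks the AV;
# ws-04 shows one benign temp write from an installer.
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "process_start", "image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "sha256": "a" * 64},
    {"host": "ws-17", "type": "file_write", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_8f3.exe"},
    {"host": "ws-17", "type": "process_start", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_8f3.exe",
     "parent_image": "C:\\Users\\alice\\Downloads\\invoice.exe", "sha256": "b" * 64},
    {"host": "ws-17", "type": "process_start", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_8f3.exe"},
    {"host": "ws-17", "type": "process_terminate", "target_image": "MsMpEng.exe"},
    {"host": "ws-04", "type": "file_write", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.log"},
    {"host": "ws-04", "type": "process_start", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "sha256": "c" * 64},
]

if __name__ == "__main__":
    cases = build_cases(SAMPLE_EVENTS)
    for host, case in cases.items():
        print(host, sorted(case["indicators"]), sorted(case["bad_hashes"]))
    print("blocklist:", sorted(hashes_to_block(cases)))
```

Running the file opens one case, for ws-17, carrying five distinct indicators and both hashes (the known-bad dropper and the renamed copy whose hash the reputation service had never seen); ws-04's single temp write never reaches the threshold. In a real playbook lookup_hash would call the reputation service's API and the case would be opened in the SOAR platform instead of being returned as a dict.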

BENEFITS TO THIS APPROACH

After these activities are detected and alerted on, they are correlated into a single case keyed on an identifying factor such as the user or the machine. This makes investigation much easier and surfaces problems that span multiple sources, which would otherwise take valuable analyst time to find.

Without automation, it is unlikely that a program which changes its hash or name would be found at all, and even less likely that it would be tied to the other events that correlate with it.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.