The LogicHub Security RoundUp: May 2022 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
SECURITY SAFARI
New Threats in the Wild
This section is devoted to threats of particular note that we encountered in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.
HIGHLIGHT
Cisco Enterprise NFV Infrastructure VM Escape
WHAT DOES IT DO?
A vulnerability in the Next Generation Input/Output (NGIO) feature of Cisco Enterprise NFVIS could allow an authenticated, remote attacker to escape from the guest VM to gain unauthorized root-level access on the NFVIS host.
POTENTIAL IMPACT
This vulnerability is due to insufficient guest restrictions. An attacker could exploit this vulnerability by sending an API call from a VM that will execute with root-level privileges on the NFVIS host. A successful exploit could allow the attacker to compromise the NFVIS host completely.
REMEDIATION
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
MORE INFORMATION:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9
HIGHLIGHT
F5 BIG-IP RCE
WHAT DOES IT DO?
This vulnerability is one that has an extremely simple PoC (proof of concept). By sending a POST request for a bash shell to a vulnerable host (one with REST access), the user can gain full shell access to a machine. This is notable due to how easy this process is, and how easy it is to confirm: one crafted request is enough.
POTENTIAL IMPACT
This is a critical severity vulnerability that allows full access to the host with no bounds, and requires no credentials to use.
REMEDIATION
Patches have been made available for many versions of BIG-IP products, listed in the article below. Patch immediately.
MORE INFORMATION:
https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html
HIGHLIGHT
Azure Insufficient Tenant Separation
WHAT DOES IT DO?
This vulnerability allows a user to access Synapse tenants that should be inaccessible to them via the Integration Runtime infrastructure or Redshift in Azure, gaining full remote code execution (RCE) capability. The issue was not limited to a single tenant; in fact, almost any adjacent tenant using the Open Database Connectivity (ODBC) driver to access Redshift and Integration Runtime was vulnerable.
POTENTIAL IMPACT
As with any remote code execution, this could allow an attacker with intentional or public access to one Synapse tenant to pivot into other, unintended tenants. As with all RCEs, the impact could be devastating.
REMEDIATION
Though a fix has been released, the original reporting group (Orca) recommends being cautious with use of the infrastructure.
MORE INFORMATION:
https://orca.security/resources/blog/azure-synapse-analytics-security-advisory/
Additional Threats
CVE-2021-22600: There’s a lack of useful information on this one, which is why it didn’t make our highlights. Based on recent patches surrounding the announcement of this vulnerability, it was likely in connection with some form of privilege escalation. Google just finished patching this vulnerability, though it’s been around since at least January.
CVE-2022-27588: Once again, very little on this vulnerability besides its critical score. Businesses using QNAP VS Series NVR running QVR should patch immediately.
FROM THE FIELD
Real World Use Cases in Action
In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.
CUSTOMER USE CASE
Automating with Flashpoint
SUMMARY
This month, the LogicHub team assembled an integration for Flashpoint intelligence services. Intelligence services aim to drag a figurative ‘net’ through the trove of data available online and pull out compromised credentials, stolen data, general intelligence/OSINT reports, payment data, and other notable items from across the internet and dark web. Pulling this data manually would require extensive review across a constantly changing set of sources, including pastebins, forums, card seller sites, marketplaces, and more general postings.
AUTOMATED SOLUTION
Through the new integration, users can easily query the Flashpoint API and get a quick return on ingested data. The API returns a readout of intel that can then be combined with other sources or reshaped into a user-friendly data printout.
BENEFITS TO THIS APPROACH
The use of open source intelligence is a big concern for larger organizations. It can clue attackers in to convenient avenues of intrusion, or allow them to use your resources with no effort at all. By correlating data from intelligence services and using this ingested information to patch, or more generally to improve security posture, businesses directly cripple the abilities of their potential adversaries.
Recommended Reading
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
Firms Push for CVE-Like Cloud Bug System
Twenty-two years ago, it was impossible to foresee the current state of vulnerabilities. Now, we have trouble tracking vulnerabilities in cloud-based systems due to a lack of standard tracking systems.
More than 10,000 Redline Malware Attacks in April Targeting Internet Explorer Vulnerability
We did a general overview of Redline attacks a few months ago, and that background is useful again now that a new wave of Redline attacks has hit. These attacks target CVE-2021-26411, an Internet Explorer zero-day double free that was patched in March of 2021.
Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload
Automated vulnerability management is taking a bigger step into the market now that more organizations are homing in on security posture. Being able to automatically evaluate your entire network for vulnerabilities at once and then prioritize them creates a (supposedly) easy one-step solution. Only time will tell how popular and effective this resource becomes.
CISA’s 2021 Top Exploited Vulnerabilities Report
It’s here! CISA aggregates reports from the US, Australia, Canada, UK, and New Zealand and offers general mitigation strategies for the vulnerabilities found, plus an explanation of each. This is a must-read.
BlackCat Ransomware
BlackCat ransomware has been spreading rapidly and hitting hard, with massive ransoms demanded from larger companies. From an aggregation of bulletins and data surrounding the ransomware, we’ve put together a BlackCat article that can help organizations prepare.
Fake Windows 10 Updates Infect You with Magniber Ransomware
These fake updates are delivered as .msi files from fake cracked/pirated software sites; the campaign started around April 8th. Once the .msi is executed, it begins deleting shadow copies, encrypting files, and requesting an average ransom of about $2,500.
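A detection check for the shadow-copy deletion step described above, written as an added example (not code from the original post or from any vendor). It assumes process-creation events carry Sysmon-style ParentImage, Image and CommandLine fields, and runs over constructed sample events.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# Sample data for the example, not captured from a real host.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Command lines that remove Volume Shadow Copies or the backup catalog:
# the step the write-up says Magniber takes before encrypting files.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
]

def classify(event):
    """Return None for benign events, else a severity label."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return None
    # Deletion spawned by an installer (msiexec.exe) matches the fake-update
    # delivery vector in the write-up, so it is rated higher than other parents.
    parent = event.get("ParentImage", "").lower()
    return "critical" if parent.endswith("\\msiexec.exe") else "high"

def scan(events):
    """Return (severity, command line) pairs for every matching event."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["CommandLine"]))
    return hits

if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```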
Emotet Malware Now Installs via PowerShell in Windows Shortcut Files
Emotet has added yet another tool to its belt in the form of .lnk files, especially now that Office macros are disabled by default. The technique is gaining in usage according to ESET telemetry.
Hackers are Now Hiding Malware in Windows Event Logs
By injecting shellcode payloads into Key Management Services, attackers have started obfuscating their payloads and quietly bypassing detection. These attacks have been seen in the wild, though only in a targeted campaign.
Lincoln College to Close After 157 Years Due to Ransomware Attack
To add insult to injury, after being beaten down by the pandemic, Lincoln College faced insurmountable costs and losses from a ransomware attack, leading it to announce the closing of its doors. With its Fall enrollment projections and admissions activities inaccessible, the future was simply too uncertain.
Mr. Goxx is Back!
Recommended Sources
PODCASTS
(New to Podcasts? Recommended players are Spotify and PocketCasts)