The LogicHub Security Roundup: October 2021 Edition
Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.
WordPress Publications ZIP RCE
WHAT DOES IT DO?
The WordPress wp-publications plugin allows users to create bibliographies for publications and other similar lists. A file included in the plugin, bibtexbrowser.php, accepts a ‘Q_FILE’ parameter that an attacker can use to read local files. Attackers can then use .ZIP files to turn that file access into remote code execution.
This vulnerability, at the least, allows an attacker to read files they are not authorized to see. At worst, an attacker can upload malicious code and gain a large foothold in the network, possibly resulting in a widespread compromise.
As this plugin has been removed from download and is not patched, the recommendation is to uninstall it immediately.
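The defect class described above is a request parameter that names a file and reaches the filesystem (and PHP's stream wrappers) without validation. The following Python function is an added illustration of the checks a defender wants in front of any such parameter; it is not the plugin's code, and the bibliography directory, the `.bib` allowlist and the sample parameter values are assumptions made for the example.

```python
import re
from pathlib import Path

# Assumed directory from which bibliography files may be served (example value).
ALLOWED_ROOT = Path("/srv/bibliographies")
# Only plain bibliography files are ever loaded; archives and scripts are not.
ALLOWED_SUFFIXES = {".bib"}
# Anything shaped like "scheme://" (zip://, phar://, php://, file://, http://)
# is a stream wrapper, not a file name, and is rejected outright.
STREAM_WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


class UnsafeFileParameter(ValueError):
    """Raised when a user-supplied file parameter fails validation."""


def resolve_bib_file(param: str, root: Path = ALLOWED_ROOT) -> Path:
    """Map a user-supplied file parameter to a path inside `root` or raise.

    Checks, in order: no stream wrapper, no NUL byte, the resolved path stays
    under the allowed root (this catches '..' segments, absolute paths and
    symlink escapes), and the file has an allowlisted extension.
    """
    if STREAM_WRAPPER_RE.match(param):
        raise UnsafeFileParameter("stream wrappers are not allowed")
    if "\x00" in param:
        raise UnsafeFileParameter("NUL byte in file parameter")

    root_resolved = root.resolve()
    # Path("/srv/x") / "/etc/passwd" yields "/etc/passwd", so the containment
    # check below is what actually rejects absolute paths.
    candidate = (root / param).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise UnsafeFileParameter("path escapes the bibliography directory")

    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeFileParameter("only .bib files may be loaded")
    return candidate


def is_safe_bib_param(param: str, root: Path = ALLOWED_ROOT) -> bool:
    """Convenience wrapper: True if the parameter passes every check."""
    try:
        resolve_bib_file(param, root)
        return True
    except UnsafeFileParameter:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several that must be refused.
    for p in ["refs.bib", "sub/refs.bib", "../../etc/passwd", "/etc/passwd",
              "zip://uploads/x.zip#shell.php", "refs.bib\x00.php", "shell.php"]:
        print(f"{p!r:40} -> {'accepted' if is_safe_bib_param(p) else 'rejected'}")
```

The important design choice is that containment is checked on the *resolved* path rather than by string-matching for `..`, and that the wrapper check runs first, since a `zip://` string never becomes a filesystem path at all.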
SAP Netweaver Proxy Attacks
WHAT DOES IT DO?
SAP Netweaver is a software development, provisioning, and management environment. In several versions, crafted queries can be sent by someone with access to the server to perform proxy attacks (a type of man-in-the-middle attack). Sensitive data is leaked to the attacker through the installed proxy, with the victim unaware that their data is being accessed. Notably, if the server is exposed to the open internet, the severity of this vulnerability is much greater.
A proxy attack of this type can fully undermine the CIA triad, resulting in complete compromise if certain information (such as passwords) is seen by the attacker.
There is currently a hotfix available, but the affected functionality can be deactivated if the hotfix is not possible.
Zoom Client Validation Failure
WHAT DOES IT DO?
Zoom is a video meeting application. When updating, the .msi files used in the update process are not properly validated, so an improperly signed update file can be accepted. This lack of validation means that a fake .msi update file can be used for remote code execution.
As is the nature of remote code execution, this is essentially an open avenue for an attacker to run malicious code that will do almost anything on the system, which can mean complete compromise of the CIA triad.
Update past version 5.3.0; all prior versions were affected.
F5 BIG-IP Advanced WAF and ASM Privilege Escalation
On version 16.0.x before 126.96.36.199, 15.1.x before 15.1.3, 14.1.x before 188.8.131.52, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 184.108.40.206, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
vCenter Server Analytics Service Arbitrary File Upload
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
CUSTOMER USE CASE
Network Connection Triage with Talos
When a new external IP hits a network, there are a few things that should be known about that IP. Activity should be logged thoroughly enough to understand what the IP is doing on the network and why, to the point where its activity can be traced through every action on the network from the point of entry. IPs should also be vetted by reputation using a trusted IP reputation platform. In this use case, we take IP reputation and apply it to traffic on the network using Cisco Talos.
Manually reviewing reputation can take a while. A command-line lookup takes much less time, but fully automating the reputation lookup is quicker and painless. After scraping a case for IPs, they are sent en masse to Cisco Talos and the lookup results are returned to the case. From there, the case can be closed if no suspicious reputations are seen, sent to an analyst if the combined scoring of the activity and the reputation is high enough, or lowered in priority and reviewed later if the scoring is lower.
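The triage flow just described (scrape the case for external IPs, look each one up, score activity together with reputation, then close, escalate or defer), written out as an added Python example. This is not LogicHub's or Cisco's code: the case text, the reputation table standing in for Talos results, the port weights and the escalation threshold are all constructed for the example, and a real playbook would replace `lookup_reputation` with the actual Talos query.

```python
import ipaddress
import re

# Constructed case notes (documentation-range addresses stand in for external IPs).
CASE_NOTES = """
2021-10-04T09:12:41Z conn src=203.0.113.45 dst=10.0.0.12 dport=443 proto=tcp
2021-10-04T09:12:45Z conn src=198.51.100.7 dst=10.0.0.12 dport=22 proto=tcp
2021-10-04T09:13:01Z conn src=10.0.0.5 dst=10.0.0.12 dport=445 proto=tcp
2021-10-04T09:13:09Z conn src=192.0.2.200 dst=10.0.0.20 dport=3389 proto=tcp
2021-10-04T09:13:10Z conn src=203.0.113.45 dst=10.0.0.20 dport=3389 proto=tcp
"""

# Constructed stand-in for the reputation service's answers (not real Talos data).
SAMPLE_REPUTATIONS = {
    "203.0.113.45": "Poor",
    "198.51.100.7": "Neutral",
    "192.0.2.200": "Good",
}

# Assumed weights: how much a reputation verdict and a sensitive destination port
# contribute to the combined score, and the score at which an analyst is paged.
REPUTATION_WEIGHT = {"Poor": 3, "Questionable": 2, "Neutral": 1, "Good": 0, "Unknown": 1}
SUSPICIOUS_VERDICTS = {"Poor", "Questionable"}
SENSITIVE_PORTS = {22: 2, 445: 2, 3389: 3}
ESCALATE_THRESHOLD = 6

# Address space treated as internal; only the rest is sent for lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_external_ips(text):
    """Unique external IPv4 addresses in the case text, in order of first appearance."""
    found = []
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        if any(ip in net for net in INTERNAL_NETS) or token in found:
            continue
        found.append(token)
    return found


def lookup_reputation(ip, table):
    """Stand-in for the Talos lookup: return the verdict or 'Unknown'."""
    return table.get(ip, "Unknown")


def activity_score(text, ip):
    """One point per connection from `ip`, plus extra weight for sensitive ports."""
    score = 0
    src_re = re.compile(r"\bsrc=" + re.escape(ip) + r"\b")
    for line in text.splitlines():
        if not src_re.search(line):
            continue
        score += 1
        port = re.search(r"\bdport=(\d+)\b", line)
        if port:
            score += SENSITIVE_PORTS.get(int(port.group(1)), 0)
    return score


def triage_case(text, reputations=SAMPLE_REPUTATIONS):
    """Decide 'close', 'analyst' or 'lower_priority' for a case, with per-IP detail."""
    verdicts, scores = {}, {}
    for ip in extract_external_ips(text):
        verdicts[ip] = lookup_reputation(ip, reputations)
        scores[ip] = activity_score(text, ip) + REPUTATION_WEIGHT[verdicts[ip]]

    if not any(v in SUSPICIOUS_VERDICTS for v in verdicts.values()):
        decision = "close"              # nothing suspicious: auto-close
    elif max(scores.values()) >= ESCALATE_THRESHOLD:
        decision = "analyst"            # suspicious and busy: hand to a human
    else:
        decision = "lower_priority"     # suspicious but quiet: review later
    return {"decision": decision, "verdicts": verdicts, "scores": scores}


if __name__ == "__main__":
    result = triage_case(CASE_NOTES)
    for ip, score in result["scores"].items():
        print(f"{ip:16} reputation={result['verdicts'][ip]:9} combined={score}")
    print("decision:", result["decision"])
```

Two details are worth keeping when adapting this: internal ranges are excluded before anything is sent out, so the reputation service never sees your own address plan, and the close decision depends only on reputation, exactly as the use case states; activity volume only matters once something suspicious is present.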
BENEFITS TO THIS APPROACH
Besides the obvious savings of time and money with this form of automation, it’s also a method of triaging cases without human intervention. Depending on traffic, hundreds of cases could come in and be triaged without being touched. Further automation could weigh the priority of the servers and hosts being hit by the IP and adjust the case priority accordingly.
This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
China declares all crypto-currency transactions illegal
Bitcoin’s price took a sharp dip of more than $2,000 after China banned decentralized currency. Though trading cryptocurrency in China has been illegal since 2019, this is an indication that China wants all cryptocurrency activity banned.
New malware steals Steam, Epic Games Store, and EA Origin accounts
The trojan, known as BloodyStealer, is being used to gather credit card, password, and PII data from unsuspecting users, specifically targeting game platforms like Steam, Origin, and GOG. It is currently being sold under a subscription model and contains antivirus evasion methods.
Mr Goxx, the crypto-trading hamster beating human investors
A hamster from Germany running in a wheel is choosing better cryptocurrency trade options than many professional traders. Every day, he enters his ‘office’, and a Twitch stream shows the masterful trader at work.
Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang
This backdoor command-and-control malware is version agnostic and can gain access to any legitimate Active Directory program information. Nobelium uses the malware primarily for remote exfiltration. Mitigations include multi-factor authentication, host-based firewalls, and removal of potentially unwanted programs.
Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems
The ‘LANtenna Attack’ allows an attacker to pick up radio waves emitted from Ethernet cables via software-defined radio. Though complex, this is a great example of how creative attacks on unusual targets can become.
What Happened to Facebook, Instagram, & WhatsApp?
After widespread outages across the social media giant’s services, many asked why this happened. In this case, it was a routine Border Gateway Protocol update that knocked the services offline.
Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing’s Favorite Web Host
After being dropped by other domain registrars, users tend to flock to Epik for their right-wing material hosting. Now, many of those sites may be out of luck as a group of alleged hackers on 4chan have claimed to have stolen account credentials, emails, and domain purchase/transfer info.
European Parliament calls for ban on AI-powered mass surveillance
This ban looks to prevent the use of intrusive surveillance technology, such as facial recognition, in public spaces. Criminal suspects are the only exclusion, with Clearview AI (a facial recognition network for law enforcement) being an express example of what should be avoided.