Security Safari

New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

HIGHLIGHT

WordPress Publications ZIP RCE

What does it do?

The WordPress wp-publications plugin allows users to create bibliographies for publications and other similar lists. A file included in the plugin, bibtexbrowser.php, allows an attacker to use the included ‘Q_FILE’ to access local files. Attackers can then use .ZIP files to trigger remote code execution.

Potential Impact

This vulnerability, at the least, allows an attacker to access unauthorized files. At worst, an attacker can upload malicious code and gain a foothold in the network, possibly resulting in widespread compromise.

Remediation

As this plugin has been removed from download and has not been patched, the recommendation is to uninstall it immediately.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2021-38360

HIGHLIGHT

SAP Netweaver Proxy Attacks

What does it do?

SAP Netweaver is a software development, provisioning, and management environment. In several versions, someone with access to the server can send crafted queries to perform proxy attacks (a type of man-in-the-middle attack). Sensitive data is leaked to the attacker through the installed proxy, with the victim unaware that their data is being accessed. Notably, if the server is exposed to the open internet, the severity of this vulnerability is much greater.

Potential Impact

A proxy attack of this type can fully undermine the CIA triad, resulting in complete compromise if certain information (such as passwords) is seen by the attacker.

Remediation

A hotfix is currently available; if applying it is not possible, the affected functionality can be deactivated instead.

More Information:

https://nvd.nist.gov/vuln/detail/CVE-2021-33690

HIGHLIGHT

Zoom Client Validation Failure

What does it do?

Zoom is a video meeting application. During updates, the .msi files used in the update process are not properly validated, so improperly signed update files are accepted. This lack of validation means that a fake .msi update file can be used for remote code execution.

Potential Impact

As is the nature of remote code execution, this is essentially an open avenue for an attacker to run malicious code that can do almost anything on the system, which can mean complete compromise of the CIA triad.

Remediation

Update past version 5.3.0; all prior versions are affected.

More Information:

https://explore.zoom.us/en/trust/security/security-bulletin/

Additional Threats

CVE-2021-23031

On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

More Info

CVE-2021-22005

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

More Info

From The Field

Real World Use Cases in Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Customer Use Case

Network Connection Triage with Talos

Summary

When a new external IP hits a network, there are a few things that should be known about it. Activity should be logged thoroughly enough to understand what the IP is doing on the network and why, to the point where its activity can be traced from the point of entry through every action on the network. IPs should also be vetted for reputation using a trusted IP reputation platform. In this use case, we take IP reputation and apply it to traffic on the network using Cisco Talos.

Automated Solution

Manually reviewing reputation can take a while. Running a command takes much less time, but fully automating the reputation lookup is quick and painless. After a case is scraped for IPs, they are sent en masse to Cisco Talos and the lookup results are returned to the case. From there, the case can be closed if no suspicious reputations are seen, sent to an analyst if the combined score of the activity and the reputation is high enough, or lowered in priority and reviewed later if the score is lower.
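The triage flow described above, as an added illustration that is not LogicHub's playbook or Cisco Talos's API: scrape a case for external IPv4 addresses, look up their reputation (a constructed stand-in table replaces the real Talos call), combine the worst reputation with the case's activity score, and route the case to close, analyst escalation, or lower priority. The thresholds, score scale, and reputation labels are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Matches IPv4 addresses anywhere in free-text case fields.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Addresses a reputation platform has nothing to say about. Listed explicitly
# rather than via ip.is_private, which would also drop the RFC 5737
# documentation ranges used in the sample data below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def scrape_ips(case_text: str) -> List[str]:
    """Return unique external IPv4 addresses from a case, in order seen."""
    found: List[str] = []
    for match in IPV4_RE.findall(case_text):
        try:
            ip = ipaddress.ip_address(match)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if any(ip in net for net in INTERNAL_NETS) or match in found:
            continue
        found.append(match)
    return found

# Constructed stand-in for Cisco Talos lookup results (hypothetical data;
# a real playbook would call the reputation service here).
FAKE_REPUTATION: Dict[str, str] = {
    "203.0.113.5": "Poor", "198.51.100.9": "Neutral", "192.0.2.77": "Good"}
REPUTATION_SCORE = {"Poor": 3, "Questionable": 2, "Neutral": 1, "Good": 0}

def lookup_reputation(ips: List[str]) -> Dict[str, str]:
    """Bulk reputation lookup; IPs the service does not know count as Neutral."""
    return {ip: FAKE_REPUTATION.get(ip, "Neutral") for ip in ips}

def triage(case_text: str, activity_score: int,
           escalate_at: int = 4, close_at: int = 1) -> Tuple[str, int]:
    """Combine the case's own activity score with the worst reputation seen
    and route the case: escalate, close, or lower priority for later review."""
    reps = lookup_reputation(scrape_ips(case_text))
    worst = max((REPUTATION_SCORE[r] for r in reps.values()), default=0)
    combined = activity_score + worst
    if combined >= escalate_at:
        return "escalate_to_analyst", combined
    if combined <= close_at:
        return "close", combined
    return "lower_priority", combined
```

Internal addresses in the case are skipped before the lookup, and a case with no external IPs at all is routed on its activity score alone.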

Benefits to This Approach

Besides the obvious savings in time and money, this form of automation also triages cases without human intervention. Depending on traffic, hundreds of cases could come in and be triaged without being touched. Further automation could look at the priority of the servers and hosts being hit by the IP and adjust accordingly.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.

China declares all crypto-currency transactions illegal

Bitcoin’s price took a sharp dip of more than $2,000 after China banned decentralized currency. Though trading cryptocurrency in China has been illegal since 2019, this is an indication that China wants all cryptocurrency activity banned.

Read More

New malware steals Steam, Epic Games Store, and EA Origin accounts

The trojan, known as BloodyStealer, is being used to gather credit card, password, and PII data from unsuspecting users, specifically targeting game platforms like Steam, Origin, and GOG. It is currently being sold under a subscription model and contains antivirus evasion methods.

Read More

Mr Goxx, the crypto-trading hamster beating human investors

A hamster from Germany running in a wheel is choosing better cryptocurrency trade options than many professional traders. Every day, he enters his ‘office’, and a Twitch stream shows the masterful trader at work.

Read More

Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang

This backdoor command-and-control malware is version-agnostic and can gain access to any legitimate Active Directory program information. Nobelium uses the malware primarily for remote exfiltration. Mitigations include multi-factor authentication, host-based firewalls, and removal of potentially unwanted programs.

Read More

Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems

The ‘LANtenna Attack’ allows an attacker to pick up radio waves emitted by Ethernet cables using software-defined radio. Though complex, this is a great example of how creative attacks on unusual targets can become.

Read More

What Happened to Facebook, Instagram, & WhatsApp?

After widespread outages at the social media giant, many asked: why did this happen? In this case, a routine Border Gateway Protocol update knocked the services offline.

Read More

Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing’s Favorite Web Host

After being dropped by other domain registrars, users tend to flock to Epik to host their right-wing material. Now, many of those sites may be out of luck, as a group of alleged hackers on 4chan has claimed to have stolen account credentials, emails, and domain purchase/transfer info.

Read More

European Parliament calls for ban on AI-powered mass surveillance

This ban looks to prevent the use of intrusive surveillance technology, such as facial recognition, in public spaces. Criminal suspects are the only exclusion, with Clearview AI (a facial recognition network for law enforcement) being an express example of what should be avoided.

Read More
