LogicHub Security RoundUp: July 2022

by Tessa Mishoe on July 15, 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

Watch the Security RoundUp – July 2022

Security Safari: New Threats in the Wild

This section is devoted to threats of particular note that have been seen in the past month. A select few of particular interest will be highlighted in greater detail. NIST NVD data will be used to make these determinations.

Highlight: Chrome Heap Buffer Overflow Zero-Day

What Does It Do?: A heap overflow in the WebRTC component of the Chrome browser. This zero day was originally reported on July 1st and also affects the Android version of Chrome. Potential Impact: Heap overflows result in the possibility of pointers being overwritten in memory, which allows an attacker to redirect a program to malicious code. This can compromise all parts of the CIA triad and is of a high severity.
Potential Impact: With how heavily used Office is in an enterprise environment, this is a vulnerability that should be of special note to organizations. The lack of remediation, active exploit, and ease of use makes this a dangerous exploit for organizations that are unprepared, and can wreak havoc very quickly.
Remediation: A patch has been released by Chrome and is recommended for immediate download.
More information

Highlight: Cryptominers on Linux through Confluence OGNL Injection

What Does It Do?: Shortly after the disclosure of vulnerability CVE-2022-26134 in June, Chinese-speaking APT ‘8220 Gang’ started using the vulnerability (a Confluence OGNL injection zero-day, discussed last month) for initial access into Apache Struts and Docker images. The attackers then establish persistence via cronjob and portscan for possible lateral movement candidates.
Potential Impact:As with all injections of this sort, the ability to install arbitrary code via injection can cause mass damage to all portions of the CIA triad. Combined with persistence and an apparent focus on stealth, this particular use of this vulnerability could slowly drain resources and spread unnoticed if proper monitoring and prevention is not utilized.
Remediation: Per Microsoft, admins should make use of Defender for Endpoint, keep up on updates, and use good credential hygiene to prevent spread.
More information

Highlight: ManageEngine ADAudit Unauthenticated RCE

What Does It Do?: This remote code execution vulnerability allows attackers to exploit XML external entities, Java deserialization, and path traversal, the combination of which can provide an easy avenue to remote code execution.
Potential Impact: ManageEngine ADAudit Plus specializes in managing IT assets on a deep dive level, making exploit of this application especially concerning as it can quickly offer easy access to a wide variety of devices across an entire network. As with all RCEs, this is a very severe issue that can easily result in complete takeover and/or data exfiltration.
Remediation: A service pack has been released by Zoho and should be installed immediately for users on the affected version.
More information

From The Field: Real World Use Cases In Action

In this section, we’ll be covering a significant use case that our teams recently saw and remediated, along with some of the benefits of doing so. It is our hope that this section can give some ideas for both current and future customers as to what problems can be seen in the real world and how they can be solved using LogicHub automations.

Monitoring For Disabled Event Logging

When an adversary wants to make it hard for an investigator to find their activity, they either remove logs after they finish doing what they’d like to do or they prevent logging entirely. In this case, an attacker wanting to prevent logging would adjust the audit policy (secpol.msc) and the advanced policy (auditpol.exe). This could be system-wide or just for a specific set of services, and the use of the audit policy applications could include wiping the policy clear completely.

Automated Solution

LogicHub’s detections for event logging can include information on where and when logs were disabled and under what categories/for which applications. Rather than finding out about a compromise or a lack of logs during an investigation after the fact, a notification that logs are being removed arrives after the detection completes.

Benefits to this Approach

This detection can make or break security entirely. Auditing logs means a record of what malicious activity may occur on machines, and having them available means a faster recovery and remediation. Disabled logs can be detrimental to operations without monitoring and alerting.

Recommended Sources

Podcasts:
(New to Podcasts? Recommended players are Spotify and PocketCasts)
Cyberwire Daily Podcast
ThreatPost Daily Podcast
Smashing Security (Weekly)
Hacking Humans by Cyberwire (Weekly, social engineering)
Hak5 Podcast (Weekly)
The Social Engineer Podcast (Monthly)
The Shared Security Podcast (Weekly)

Websites:
https://krebsonsecurity.com
https://threatpost.com
https://www.darkreading.com
https://www.wired.com
https://www.social-engineer.org
https://thecyberwire.com
https://news.sophos.com/en-us
https://www.bleepingcomputer.com
https://techcrunch.com

Watch the LogicHub Security RoundUp: June 2022 Edition video

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.

*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Tessa Mishoe. Read the original post at: https://www.logichub.com/blog/logichub-security-roundup-2022-edition-july