Archive for NEWS

iPhone zero-day. Update your devices now!

It’s time to update your Apple devices to ward off a zero-day threat discovered by an anonymous researcher.

As is customary for Apple, the advisory revealing this attack is somewhat threadbare, and doesn’t reveal a lot of information with regard to what’s happening, but if you own an iPad or iPhone you’ll want to get yourself on the latest version.

The zero-day is being used out in the wild, and Apple holding back the specifics may be enough to slow down the risk of multiple threat actors taking advantage of the issue, known as CVE-2022-42827. However, Apple’s lack of detail means it’s not possible to explain what to watch out for if you think your device may have been compromised.

The vulnerability affects the kernel code, the core of the software that operates the device. It can be abused to run remote code execution attacks, which can lead to issues like crashing and/or data corruption. According to Apple, the issue impacts:

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later

At time of writing, there is very little you can do other than fire up your Apple product and make your way to the updates section. There is no reason to panic, but no need to delay either.

How to update your device

It’s entirely possible that your device is already set to update automatically. If so, then you shouldn’t have to worry about this one: Your device will do it all for you. If not, and your device is on the list above, don’t worry. The route to updating your iPhone or iPad is very standard across the board, no matter which specific flavour you happen to be running:

  1. Plug into a power source and enable Wi-Fi.

  2. Select Settings > General, and then Software Update.

  3. Select your desired update(s) and begin the install process.

Automatic updates can be applied like so:

  1. Settings > General > Software Update

  2. Select Automatic Updates, and then enable Download iOS Updates

  3. Turn on Install iOS Updates.

Finally, for Rapid Security Response updates (which ensure important security fixes are applied as soon as possible):

  1. Settings > General > Software Update

  2. Select Automatic Updates

  3. Enable the Security Responses & System Files option

There have been numerous publicly documented zero-day attacks aimed at Apple products this year. While most of these tend to be quite targeted and specific, there is absolutely no harm in getting into the habit of updating. It doesn’t just help to protect you from issues such as the one above, but many other potentially less serious issues too.

Stay safe out there!

Posted in: NEWS


An interview with cyber threat hunter Hiep Hinh

Hiep Hinh is a Principal MDR Analyst at Malwarebytes, where he supports 24/7/365 Managed Detection and Response (MDR) efforts. Hiep has over 16 years of experience in the cybersecurity and intelligence fields, including for the US Army as an intelligence analyst and for the Air Force Computer Emergency Response Team (AFCERT/33NWS). Hiep is an expert user of Endpoint Detection and Response (EDR) platforms and is highly skilled in incident response, DLP (data loss prevention), data mining, and threat hunting, among other things. In this post, Hiep breaks down his threat hunting career and shares tips and best practices for those looking to become a cyber threat hunter (or who are just interested to listen!).

When I first heard the words “cyber threat hunter”, I imagined a sort of Holmesian figure with an upturned collar sitting at a desk, scouring a network for signs of intruders. And when I talked to Hiep Hinh, Principal MDR Analyst at Malwarebytes, I found out I was more or less right in my guess—minus the trenchcoat, maybe. 

Threat hunting is all about nipping stealthy attackers (and malware) in the bud. It’s plain to see why this is such important work—just consider that the median number of days between system compromise and detection is 21. The earlier cyber threat hunters can find threats, the earlier they can send them off to the remediation team.

Hiep has been threat hunting for a while—since 2007, in fact. According to Hiep, threat hunting is a natural part of incident response, SOC work, and network monitoring in general. 

“I’ve been doing threat hunting for a decent amount of time. I got my start in cybersecurity at the Air Force Computer Emergency Response Team (AFCERT) in ‘07, where we monitored and defended the Air Force network,” said Hiep. “I did a lot of the forensics work back then, but we were still very deeply involved with just the network monitoring aspect as well.”

For Hiep, effective threat hunting starts with really understanding the network. 

“I think to be an effective cyber threat hunter, you have to have a good understanding of what ‘normal’ behavior is,” he says. “For example, you should be able to answer questions like, ‘What are common activities seen in the environment? What are the users usually using? When are they usually online? What are they usually connecting from?’, and so on.”

“All of this information gets put under your belt, you take that knowledge, and now look for things that stand out. Using this understanding of normal will make certain activity stand out such as users that are on way too late, or are logging in from a different country than usual.” 

“A threat hunter is most effective when they know the network well.” – Hiep Hinh

Hiep’s advice? If a cyber threat hunter isn’t a part of the company or used to seeing the environment, take some time to learn what is normal. It can be very overwhelming to jump into an environment with thousands of endpoints and separate malicious and benign activity.
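The "learn what is normal, then look for what stands out" approach Hiep describes can be sketched in a few lines. This is an added example, not Malwarebytes tooling or code from the interview; the login records, field layout and two-hour slack are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (user, local login time, source country).
HISTORY = [
    ("alice", "2022-10-03T09:12:00", "US"),
    ("alice", "2022-10-04T10:01:00", "US"),
    ("alice", "2022-10-05T08:47:00", "US"),
    ("alice", "2022-10-06T17:30:00", "US"),
    ("bob",   "2022-10-03T13:05:00", "DE"),
    ("bob",   "2022-10-04T14:40:00", "DE"),
    ("bob",   "2022-10-05T22:15:00", "DE"),
]
NEW_EVENTS = [
    ("alice", "2022-10-11T09:40:00", "US"),   # matches baseline
    ("alice", "2022-10-12T03:05:00", "US"),   # on "way too late"
    ("bob",   "2022-10-12T14:20:00", "BR"),   # different country than usual
    ("bob",   "2022-10-12T23:50:00", "DE"),   # within slack of a usual hour
    ("carol", "2022-10-12T11:00:00", "US"),   # never seen before
]

def build_baseline(history):
    """Record, per user, the login hours and source countries seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in history:
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
        baseline[user]["countries"].add(country)
    return dict(baseline)

def hour_distance(hour, seen_hours):
    """Smallest distance on the 24-hour clock to any baseline hour."""
    return min(min((hour - h) % 24, (h - hour) % 24) for h in seen_hours)

def hunt(baseline, events, hour_slack=2):
    """Return (user, timestamp, reasons) for events that deviate from baseline."""
    findings = []
    for user, ts, country in events:
        if user not in baseline:
            findings.append((user, ts, ["no baseline for user"]))
            continue
        profile, reasons = baseline[user], []
        hour = datetime.fromisoformat(ts).hour
        if hour_distance(hour, profile["hours"]) > hour_slack:
            reasons.append(f"login at {hour:02d}:00, outside usual hours")
        if country not in profile["countries"]:
            reasons.append(f"new source country {country}")
        if reasons:
            findings.append((user, ts, reasons))
    return findings

if __name__ == "__main__":
    for finding in hunt(build_baseline(HISTORY), NEW_EVENTS):
        print(finding)
```

Each finding is a lead to validate with IT or the user, not a verdict that the activity is malicious.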

“Threat hunting is used to find threats that aren’t caught by antivirus or your other defenses. It’s literally looking for things that are unfound, advanced, and hidden, right? So the only way to do that is by knowing what’s normal, and trying to catch that weird stuff, keep catching those outliers.”

If worst comes to worst, however, and a cyber threat hunter doesn’t know the network well, Hiep says there is “low-hanging fruit” you can look out for.

“It’s easy to go after low hanging fruit. It’s easy to go after a bunch of indicators, like lists of hashes, looking for VPN and RDP tools, and looking for a lot of freeware stuff that generally is used during attacks, such as IP scanners,” says Hiep. “These are the really quick and dirty threat hunts, if you don’t have a lot of time, and you don’t have the ability to actually sit on the network for a while and find out. These findings can potentially lead you to more juicy activity.”

Of course, while threat hunting is undeniably an essential component to a security team, we want to prevent bad actors from accessing our systems in the first place. To that end, Hiep told me about some of the most common ways adversaries break into an environment. 

“The most common thing is credentials being stolen or used to get into these systems, things like phishing. That’s like, the quickest way to do it,” says Hiep. “Otherwise, there’s other ways such as vulnerabilities that people can exploit to access your network. That’s why it’s good to keep everything updated.”

One of the things I found most interesting about my conversation with Hiep was how much of a science and art threat hunting is. Just like how scientists form a hypothesis about something before setting off to prove or disprove it, so do threat hunters. If a cyber threat hunter notices an unusual spike in network traffic, for example, their hypothesis might be that there’s an attacker on the network doing data exfiltration. 

Hiep’s cybersecurity “battle-station” 

Back view. Hiep may or may not be a fan of Godzilla. 

Hiep describes what hypotheses look like in threat hunting:

“Your hypothesis lets you target a specific problem so that you don’t get overwhelmed with all the different types of data at your disposal. As a threat hunter you hypothesize certain attack scenarios, one example could be data exfiltration.

“Knowing that attackers may want to steal your data to ransom or sell to a third party.  We could then focus on data coming out of your network. Here is where having a solid understanding of average traffic in and out of your network becomes extremely useful or if users in the environment actively use file sharing sites.” 

Like any hypothesis, however, there is a chance that it’s wrong and the thing you’re investigating is totally normal. A big part of threat hunting is not necessarily trying to prove that an anomaly is bad, but rather just validating the activity. 

“You’re not always gonna find something when threat hunting. There’s a lot of hit and miss. Whether or not my hypothesis for some potential malicious activity bears fruit, however, the act of finding or not finding something leaves the environment safer or validates activity seen.” 

“Just because I determine that the system is downloading and uploading a ton of data doesn’t necessarily mean it’s bad. Maybe a user is just sending out their Christmas pics from the last decade. It’s not bad, it just stands out.”

“There has to be like a very solid communication between the threat hunters and the IT and the security departments of the company so you can quickly go through all those validations and move on. Otherwise you will just kind of be spinning.” – Hiep Hinh

The uncertainty of whether or not an indicator of compromise (IOC) is a genuine threat or not is part of what makes threat hunting so difficult, especially when you consider the vast amount of data threat hunters have to take in from all of their endpoints. That’s why threat hunters need to rely on more than just their skills to help investigate IOCs—they also need the right Endpoint Detection and Response (EDR) platform.

“You’re gonna get an overwhelming amount of data, and will need to put it into segments, separate it, understand it, and then, potentially find something that stands out. So it’s tough. You need something that can dissect that data quickly, effectively, and present it to the threat hunter in a very clear and easy to manipulate tool, this way you spend more time finding baddies and not be bogged down in data prep.” 

Like many cybersecurity professionals, Hiep’s career is full of twists and turns; he’s probably seen more sides of cybersecurity than you can count on one hand. That includes SOC work, forensics, malware analysis, and more, each of which Hiep feels has over the years given him a leg-up in the world of threat hunting.

“Working in a bunch of different positions throughout the years is helpful because threat hunting is all about knowing what’s normal, right?” Hiep says. “And at some point in your career, you’ve gone through the gamut and looked at tons of things. This experience helps you get through the noise and make determinations on actual malicious activity.”

If you’re an aspiring threat hunter, try to get as much experience as you can working in network monitoring roles. An experienced cyber professional can look at a wall of alerts and go, ‘I’ve seen this many times. This activity is normal. This is somebody just doing XY&Z’. They can then look at another and go, ‘That’s strange.’ But, according to Hiep, they can’t easily tell you why it’s strange.

“There’s nothing that really teaches you that,” Hiep says. “It just comes from working it for a long time, like any other job, I think.”

Dedicated experts, precise technology

Hiep is just one of many experienced cyber threat hunters on the Malwarebytes MDR team. Purpose-built for resource-constrained teams, Malwarebytes MDR provides alert monitoring and threat prioritization with flexible options for remediation—at a cost that makes sense. Our highly-effective, easy-to-deploy EDR technology coupled with our team of security experts creates the perfect one-two combo for fighting cybercrime.


A gym heist in London goes cyber

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrods—the thief has expensive taste.

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is more complex.  

In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn’t have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN. 

“[My PIN is] not something they could guess… So I thought ‘That’s impossible,’” Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. “But the bank… what they failed to mention is that every customer’s PIN can actually be viewed on the banking app once you logged in.”

Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information. 

Tune in today to also learn about what you can do to help protect yourself from this type of crime. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Cisco warns of ISE vulnerability with no fixed release or workaround

Cisco has published a security advisory for a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an authenticated, remote attacker to read and delete files on an affected device. The bug, with a CVSS score of 7.1, has no patch and no workaround. Cisco plans to provide a fixed release for version 3.1 in November, and a fixed release for version 3.2 in January 2023. Release 3.0 and earlier are not vulnerable.

Cisco advises that hot fixes are available on request.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most urgent patch in this update is aimed at CVE-2022-20822.

CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths.

An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that they should not have access to.
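To make the bug class concrete, here is a generic file-serving check with the weak form beside a hardened one. This is an added example and not Cisco ISE code; the base directory, function names and sample requests are constructed assumptions, and the input is assumed to arrive still percent-encoded.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/opt/app/reports"   # hypothetical directory the interface may serve

# Constructed sample requests (raw, still percent-encoded path values).
SAMPLES = [
    "2022/q3.pdf",                          # ordinary file below the base
    "2022/../q3.pdf",                       # contains ".." but stays inside
    "../../secrets/key.pem",                # climbs out of the base directory
    "%2e%2e%2f%2e%2e%2fsecrets/key.pem",    # same request, percent-encoded
    "/etc/hostname",                        # absolute path replaces the base
]

def naive_path(requested):
    """Weak form: joins user input to the base directory with no check."""
    return os.path.normpath(os.path.join(BASE_DIR, requested))

def safe_path(requested):
    """Hardened form: decode once, canonicalise, then confirm containment."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(BASE_DIR)
    # realpath collapses ".." and resolves symlinks, so a link inside the
    # base directory that points elsewhere is also caught by the check below.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate

def check_all(samples):
    """Map each sample request to 'allowed' or 'rejected'."""
    results = {}
    for sample in samples:
        try:
            safe_path(sample)
            results[sample] = "allowed"
        except ValueError:
            results[sample] = "rejected"
    return results

if __name__ == "__main__":
    print("naive:", naive_path("../../secrets/key.pem"))
    for request, verdict in check_all(SAMPLES).items():
        print(f"{verdict:8} {request}")
```

The check tests where the resolved path ends up rather than blacklisting the string `../`, which is why `2022/../q3.pdf` is allowed while the encoded and absolute variants are rejected.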

Also in the advisory

The Cisco advisories page mentions another vulnerability in the ISE. The CVE-2022-20959 vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

And then there is a vulnerability worth noting because it is rated as high impact. CVE-2022-20933 is a vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart.

A patch is available for both.

Insufficient validation

The clear pattern here, then, is insufficient validation of input on remotely accessible services.

Missing or improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection. While customers are entitled to expect proper input validation, it is a problem that haunts all web interfaces, and has done for decades.

So, instead of relying on the input validation provided by the vendor, users should consider adding extra measures, such as only allowing connections from trusted IP addresses, limiting the number of authentication requests, and disabling access from the internet where it’s appropriate.


A week in security (October 17 – 23)

Last week on Malwarebytes Labs:

Stay safe!
