Decipher (https://decipher.sc) is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2022.

QNAP Warns of Deadbolt Ransomware Targeting NAS Devices
Dennis Fisher, http://duo.com/decipher/qnap-warns-of-deadbolt-ransomware-targeting-nas-devices

QNAP is warning customers that attackers are exploiting known flaws in older versions of the company’s software for some of its NAS devices to install the Deadbolt ransomware.

The company issued an advisory on Thursday saying that its internal incident response team had observed a new spate of attacks deploying the ransomware in recent days. Deadbolt ransomware actors have targeted QNAP devices on several occasions in the past and at one point claimed to have a zero day in the NAS software. The recent wave of attacks is targeting Internet-facing devices running versions 4.3.6 and 4.4.1 of the QTS software.

“According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series. QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet,” the advisory says.

Deadbolt is a relatively new strain of ransomware, having emerged earlier this year. The actors deploying it generally have targeted NAS devices specifically and have compromised thousands of them in past campaigns. QNAP NAS devices were not the only targets, but they appear to be the targets of choice for this ransomware group. QNAP issued a similar advisory in January when Deadbolt first appeared on the scene, and urged customers to not expose their NAS devices to the Internet.

For organizations that do expose the devices to the Internet, QNAP recommends that administrators disable port forwarding on their routers and also disable UPnP functionality on their NAS devices.

CISA: Federal Agencies Must Fix VMware Bugs Within Five Days
Lindsey O’Donnell-Welch, http://duo.com/decipher/cisa-federal-agencies-must-fix-vmware-bugs-within-five-days

The Cybersecurity and Infrastructure Security Agency (CISA) is ordering federal civilian executive branch agencies to apply updates that mitigate against several serious VMware vulnerabilities within five days.

In a Wednesday emergency directive, CISA highlighted the four recently patched VMware bugs (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972 and CVE-2022-22973) as an “unacceptable risk” for agencies. Agencies have until May 23 to enumerate all impacted VMware products on their networks and then either deploy updates or remove the products from the network until updates can be applied.

“This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” according to CISA’s emergency directive.

The flaws impact VMware’s Workspace ONE Access (formerly Identity Manager) identity management solution, and vRealize Automation, an infrastructure management platform for configuring IT resources and automating container-based application delivery. Also affected are VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The flaws include a critical remote code execution vulnerability (CVE-2022-22954) stemming from server-side template injection and a high-severity bug (CVE-2022-22960) that allows attackers with local access to escalate privileges to root. VMware released patches on April 6, but CISA said that within 48 hours attackers had reverse engineered the updates and started to exploit impacted VMware products that remained unpatched. In one case, CISA said it deployed an incident response team to a “large organization” where attackers were exploiting CVE-2022-22954. The agency said it has also received information, including indicators of compromise (IOCs), from third parties about observed exploitation at multiple other large organizations.

The other two vulnerabilities (CVE-2022-22972 and CVE-2022-22973) were patched on Wednesday. The first flaw (CVE-2022-22972) could enable an attacker with network access to the user interface to obtain administrative access without authentication. The other bug (CVE-2022-22973) is a privilege escalation error allowing an attacker with local access to escalate privileges to root.

“CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products,” according to the directive.

CISA said that agencies must “assume compromise” if they find any instances of impacted VMware products accessible from the internet. In this case, they should immediately disconnect the products from the network and report any anomalies identified to CISA. Additionally, agencies must remove products from their networks if they are unsupported by the vendor (either due to end of life or end of service).

While CVE-2022-22954 and CVE-2022-22960 were previously added to CISA's catalog of known exploited vulnerabilities, emergency directives allow the Department of Homeland Security (DHS) to require more timely action from federal agencies in response to known security flaws, and have been used previously to address significant flaws such as the Log4j and Microsoft Exchange bugs. CISA said it will continue to monitor for active exploitation with partners and provide technical assistance to agencies that are “without internal capabilities sufficient” to comply with the directive.

Biden’s Cyber EO Ushered in Era of ‘Renewed Focus,’ But Challenges Remain
Lindsey O’Donnell-Welch, http://duo.com/decipher/biden-s-cyber-eo-ushered-in-era-of-renewed-focus-but-challenges-remain

Just over a year after President Joe Biden signed an executive order (EO) aiming to address outdated security models and software supply-chain security, there has been a “renewed focus” on collaborative efforts around securing federal networks, said government officials during a subcommittee hearing this week.

However, federal agencies continue to grapple with overarching challenges in attracting top cyber workforce talent and building up the resources needed to respond to threats, government officials pointed out. At the same time, several lawmakers expressed concerns about agencies meeting the many deadlines set by the EO for implementing various security measures.

“Our nation is at a turning point in cybersecurity, and the executive order helped us make that turn and took important steps toward driving the change we need to see. But we have a tremendous amount of work we still have to do,” said Eric Goldstein, executive assistant director for cybersecurity with the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday. “There’s more work to do on security and IT modernization across the entire civilian federal branch.”

Government officials agreed that the EO represented a call to action and since then has spurred many collaborative efforts. These common goals have centralized around making systems more secure by implementing a zero trust model, with “key accelerants” for this effort coming in the form of CISA’s zero trust maturity model, a roadmap for agencies to reference as they transition towards a zero trust architecture, and the Office of Management and Budget’s (OMB) national zero trust strategy that gave a firm deadline for federal agencies to implement a zero trust strategy along with various other security measures.

Another top priority has been the implementation of endpoint detection and response (EDR) capabilities across federal civilian executive branch networks, which was one of the security gaps that the U.S. government specifically tried to address on the heels of the SolarWinds attack. Goldstein pointed to the expansion of EDR and CISA’s Continuous Diagnostics and Mitigation (CDM) program as a way for the agency to gain “extraordinary centralized visibility into threats and risks in federal agencies.” The cornerstone of the CDM program has been the rollout of a dashboard that displays data about devices, users, privileges and vulnerabilities, which has been leveraged by 65 agencies so far.

While CISA has only provided EDR capabilities to 15 agencies so far, Goldstein said that currently the agency is in the process of deployment across 26 agencies and they “expect to be underway” at 53 agencies within a few months.

“Not even a year and a half into the executive order, we will have EDR deployments in place underway at over half of the federal government, with more to come,” he said. “The work needs to continue.”

Christopher DeRusha, deputy national cyber director for federal cybersecurity at the Office of the National Cyber Director, and federal chief information security officer for the OMB, said that the EO has attempted to tackle both “root-cause issues” that will take longer to solve, like contract clauses, in addition to significant efforts for security measures with more immediate impact, like multi-factor authentication (MFA) and encryption.

“We picked these measures as the highest measures of priority, in terms of [applying metrics to] them, having engagements with not just CIOs and CISOs, but senior agency leaderships, meeting with deputy secretaries, tracking progress and learning about barriers to success,” said DeRusha.

Challenges Ahead

Despite progress, several lawmakers inquired about the abilities of agencies to meet deadlines set by the EO. Rep. Ritchie Torres (D-N.Y.) inquired about the number of agencies that had implemented MFA, citing a commitment by CISA that all civilian agencies would have the security measure in place by March. Goldstein, for his part, didn’t give a specific number of agencies that had implemented MFA, but said “every agency with the capacity to deploy MFA and encryption has done so in almost all cases.”

Agencies also still face resource constraints and are dealing with incident response teams overwhelmed by ransomware, business email compromise and other attacks. Goldstein said that these challenges stem from capacity and awareness issues, which the U.S. government can work through with funding and resources.

“One of the ways we need to achieve that goal of making sure we have the capacity to respond and recover, is in part by meeting the national cyber workforce challenge,” said Goldstein. “The more that we can train individuals at municipal governments, and at small and medium businesses, to have some ability to do initial analysis and triage, and then help organizations understand the steps they should take in the minutes after an attack occurs, that can have real consequences.”

The General Services Administration (GSA), for instance, has started implementing a zero trust strategy. However, David Shive, chief information officer with the GSA, stressed that adoption of the EO’s tenets stems from investing “tons of time and energy in attracting top-notch talent.”

“Agencies should make sure cybersecurity is baked into every business plan that is developed,” said Shive. “Make sure you’re attracting top-notch talent. Make sure deep and meaningful partnerships are in place to gain the value of the larger defense communication. The last thing is, just get started.”

Moving forward, lawmakers and government officials agreed that the EO represents a significant prioritization of cybersecurity, a marked change from past efforts in which “government focus has shifted after the headlines fade.”

“Fortunately, over the past year and a half, we have seen a renewed focus in Congress and the Executive Branch on taking the necessary steps to bring our Federal network security to where it must be,” said Yvette Clarke (D-NY), chairwoman of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee.

NVIDIA Fixes Serious Flaws in GPU Driver
Dennis Fisher, http://duo.com/decipher/nvidia-fixes-serious-flaws-in-gpu-driver

One of NVIDIA’s graphics drivers for Linux and Windows systems contains several vulnerabilities that could be used by an attacker to execute arbitrary code and, in some cases, perform guest-to-host escapes on systems running virtual machines.

The flaws are in the NVIDIA D3D10 graphics driver, and the company has released an update to address them, along with several other less serious bugs. Researchers with Cisco Talos discovered the four code-execution vulnerabilities, one of which affects both Linux and Windows systems, while the other three only affect Windows machines.

“An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file,” the Talos advisory says.

“These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments. We specifically tested these issues with a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host.”

The cross-platform bug lies in the kernel mode layer, while the Windows-only flaws are in the DirectX11 user mode driver. The most serious flaw is a memory corruption vulnerability in the kernel mode layer.

“NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components,” the NVIDIA advisory says.

The Windows-only bugs are in three separate shader functions in the driver.

“NVIDIA GPU Display Driver for Windows contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components,” the advisory says.

The Talos researchers warn that the Windows-only bug (CVE-2022-28182) could be triggered in a couple of different ways.

“This vulnerability potentially could be triggered from guest machines running virtualization environments (i.e. VMware, qemu, VirtualBox etc.) in order to perform guest-to-host escape, as it was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly),” the Talos advisory says.

DoJ: Venezuelan Doctor Behind Thanos Ransomware Builder
Lindsey O’Donnell-Welch, http://duo.com/decipher/doj-venezuelan-cardiologist-behind-thanos-ransomware-builder

The Department of Justice (DoJ) unsealed a criminal complaint against a 55-year-old cardiologist who allegedly designed and sold multiple ransomware tools, including Jigsaw v.2 and the Thanos builder.

Moises Luis Zagala Gonzalez, the alleged ransomware designer and a citizen of France and Venezuela, faces up to five years in prison for attempted computer intrusion and five years for conspiracy to commit computer intrusions if convicted, according to the DoJ. Zagala, who also goes by “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” currently lives in Ciudad Bolivar, Venezuela.

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” according to a statement by the United States Attorney Peace on Monday.

Jigsaw v.2, one of Zagala’s alleged early products, has the ability to steal victim passwords and credit card data and move laterally on the network. It is known for its “Doomsday counter” feature that would delete files on a timed, countdown basis. A decryptor was released for the ransomware by Emsisoft in 2019.

Starting in 2019, Zagala began to advertise the Thanos tool, which allows its users to create their own unique ransomware software that they could then use or rent for use by other cybercriminals. The Thanos tool includes features for “recovery information” where attackers could create a customized ransom note, a “data stealer” specifying the types of files that the ransomware should steal, “anti-VM” options to bypass security researchers’ testing environments and an option to make the ransomware self-delete. Attackers had the option to either buy a license to use Thanos for a short period of time, or join an affiliate program where they could receive access to the builder in exchange for a share of profits from the ransomware attacks. Zagala also posted links to news stories that described the use of Thanos by an Iranian state-sponsored hacking group to attack Israeli companies, according to the DoJ.

Court documents outlined decades of activity by Zagala dating back to 1997, when he began to get involved in “High Cracking University,” a select online community of elite hackers and reverse engineers, and spent years writing online postings about reverse engineering.

The documents also gave a glimpse into how law enforcement both kept tabs on and eventually identified Zagala, as well as some of the behind-the-scenes details of how malware tools are distributed and deployed. For instance, confidential sources with the FBI had communicated with Zagala over the years. After an FBI source in May 2020 inquired about affiliate program options for the Thanos ransomware, Zagala said that in order to set up a program the source should find people “versed… in LAN hacking” and supply them with a version of the Thanos ransomware that is configured to expire after a set period of time. He also offered the source an additional two weeks free after the source’s one-month license would expire, saying that one month “is too little for this business…sometimes you need to work a lot to get good profit.” He also revealed that he personally had anywhere from five to a maximum of 20 affiliates at any given time, and that attackers would approach him for his tools after they had gained access to a victim network.

Most recently, on May 3, law enforcement officials conducted a “voluntary interview” with a relative of Zagala who resides in Florida and whose PayPal account was used by him to receive illegal proceeds. The unnamed individual relayed that Zagala lives in Venezuela and had taught himself computer programming, and revealed contact information for him that matched the registered email for malicious infrastructure associated with the Thanos malware.

"We allege Zagala not only created and sold ransomware products to hackers, but also trained them in their use," according to Assistant Director-in-Charge Driscoll in a statement. "Our actions today will prevent Zagala from further victimizing users. However, many other malicious criminals are searching for businesses and organizations that haven't taken steps to protect their systems - which is an incredibly vital step in stopping the next ransomware attack.”

Exploitation Attempts Start for Zyxel RCE Bug
Lindsey O’Donnell-Welch, http://duo.com/decipher/exploitation-attempts-start-for-zyxel-rce-bug

Update -- Security researchers and U.S. government officials are urging businesses to apply patches for a serious remote code execution bug in Zyxel firewall products, after exploitation attempts for the flaw were observed.

The vulnerability (CVE-2022-30525), which has a 9.8 CVSS severity score, impacts a number of models in Zyxel’s firewall product line aimed at businesses, ranging from small branch to corporate headquarters deployments. While Zyxel previously released patches in April, the flaw is easy to exploit (an attacker can be unauthenticated and remote), and one day after the flaw’s May 12 public disclosure, researchers with the Shadowserver Foundation said they started seeing exploitation attempts.

"In this case what we were seeing were multiple IPs that were executing callbacks, but we did not see malware dropped," said Piotr Kijewski with the Shadowserver Foundation on Wednesday. "Now we are seeing lots of scans for the Zyxel endpoint URI, with no exploitation."

Jake Baines, lead security researcher with Rapid7, who discovered the flaw, said the impact and consequences of the vulnerability “can be quite dire” depending on how far into the internal network the Zyxel firewall can reach.

“The Zyxel firewalls affected by CVE-2022-30525 are what we typically refer to as ‘network pivot,’” said Baines. “Exploitation of CVE-2022-30525 will likely allow an attacker to establish a foothold in the victim’s internal network. From that foothold, the attacker can attack (or pivot to) internal systems that otherwise would not be exposed to the internet.”

The impacted models are vulnerable to an unauthenticated remote command injection, where attackers can leverage the administrative HTTP interface to execute commands as the ‘nobody’ user, which can allow them to establish a reverse shell.


The impacted Zyxel firewall products support zero touch provisioning, a feature that sets up devices and provisions them to the network automatically. The flaw stems from a specific command within the zero touch provisioning implementation, “setWanPortSt”, which allows remote provisioning to alter the IP settings of the firewall’s ports, said Baines.

“This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py,” according to Baines in an analysis. “The vulnerable functionality is invoked in association with the setWanPortSt command.”
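As an added illustration of the defect the analysis describes (not Zyxel's code and not taken from Rapid7's write-up), here is a hardened handler for a setWanPortSt-style request: every field is allow-listed and the OS tools are invoked with an argument list instead of a shell string. The request field names, the wan1/wan2 interface naming and the ifconfig/route commands are assumptions made for this example.

```python
"""Hardened handling of a ZTP-style "set WAN port" request (added example).

Not Zyxel's code: the real lib_wan_settings.py reportedly passed request
fields into os.system(), which is the pattern CVE-2022-30525 abuses. The
field names, the wan1/wan2 interface naming and the ifconfig/route
commands are assumptions made for this illustration.
"""
import ipaddress
import re
import subprocess
from typing import Callable, List, Optional, Sequence

PORT_RE = re.compile(r"^wan[1-2]$")   # assumed interface naming
MTU_RANGE = range(576, 1501)          # assumed sane MTU window


class InvalidSetting(ValueError):
    """Raised when a request field falls outside the strict allow-list."""


def unsafe_command_string(params: dict) -> str:
    """The defective pattern, kept only for contrast and never executed.

    Concatenating request fields into one string for os.system() hands the
    shell everything the client sent, metacharacters included.
    """
    return "ifconfig " + params.get("port", "") + " " + params.get("ip", "")


def validate_wan_port_settings(params: dict) -> dict:
    """Allow-list every field and return canonical values, or raise."""
    port = params.get("port", "")
    if not PORT_RE.fullmatch(port):
        raise InvalidSetting("bad port name: %r" % port)

    proto = params.get("proto", "")
    if proto not in ("static", "dhcp"):
        raise InvalidSetting("bad proto: %r" % proto)

    cleaned = {"port": port, "proto": proto}

    if proto == "static":
        for key in ("ip", "mask", "gateway"):
            try:
                # Re-serialising the parsed address guarantees a bare dotted
                # quad reaches the command; extra tokens cannot survive.
                cleaned[key] = str(ipaddress.IPv4Address(params.get(key, "")))
            except ValueError as exc:
                raise InvalidSetting("bad %s: %r" % (key, params.get(key))) from exc

    mtu_raw = str(params.get("mtu", "1500"))
    if not mtu_raw.isdigit() or int(mtu_raw) not in MTU_RANGE:
        raise InvalidSetting("bad mtu: %r" % mtu_raw)
    cleaned["mtu"] = int(mtu_raw)
    return cleaned


def build_argv(cleaned: dict) -> List[List[str]]:
    """argv lists for the OS tools; with shell=False no shell ever parses them."""
    if cleaned["proto"] == "dhcp":
        return [["udhcpc", "-i", cleaned["port"]]]
    return [
        ["ifconfig", cleaned["port"], cleaned["ip"], "netmask", cleaned["mask"],
         "mtu", str(cleaned["mtu"])],
        ["route", "add", "default", "gw", cleaned["gateway"], cleaned["port"]],
    ]


def apply_wan_port_settings(params: dict,
                            runner: Optional[Callable[[Sequence[str]], object]] = None
                            ) -> List[List[str]]:
    """Validate, then run each command from an argument list (never a shell).

    `runner` is injectable so the logic can be exercised without touching a
    real interface; the default runs subprocess.run(argv, shell=False).
    """
    def default_runner(argv: Sequence[str]) -> object:
        return subprocess.run(list(argv), shell=False, check=True)

    commands = build_argv(validate_wan_port_settings(params))
    for argv in commands:
        (runner or default_runner)(argv)
    return commands


def is_accepted(params: dict) -> bool:
    """Convenience wrapper: does this request pass validation?"""
    try:
        validate_wan_port_settings(params)
        return True
    except InvalidSetting:
        return False


if __name__ == "__main__":
    # Constructed requests: one well-formed, one smuggling a shell operator.
    good = {"port": "wan1", "proto": "static", "ip": "192.0.2.10",
            "mask": "255.255.255.0", "gateway": "192.0.2.1"}
    bad = dict(good, port="wan1 || true")
    print("good accepted:", is_accepted(good))   # True
    print("bad accepted:", is_accepted(bad))     # False
    print("unsafe string for bad:", unsafe_command_string(bad))
```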

Impacted firewall models include certain firmware versions of the USG Flex 100, 100W, 200, 500 and 700; the USG20-VPN and USG20W-VPN; and the ATP 100, 200, 500, 700 and 800. The VPN series, which supports zero touch provisioning, is not vulnerable because it does not support the “setWanPortSt” command, according to Baines.

According to the Shadowserver Foundation, as of Sunday at least 20,800 potentially impacted Zyxel devices are accessible on the Internet, including 2,400 in the U.S. The majority of these affected models are in the EU, including 4,500 models in France and 4,400 in Italy. Researchers with Rapid7 pointed to more than 15,000 models visible on Shodan.

After Baines first discovered and disclosed the flaw to Zyxel in April, Zyxel released patches on April 28. On Thursday of last week, both Rapid7’s disclosure bulletin and a security advisory from Zyxel were released.

No further information has been revealed by the Shadowserver Foundation on the extent or specifics of the observed exploitation attempts. Rapid7 researchers, meanwhile, said that they had not yet observed exploitation in the wild as of Monday, but that they continue to actively monitor the situation.

NSA director of cybersecurity Rob Joyce urged organizations to check their Zyxel firewall versions to see if they are impacted and to apply patches. Researchers with Rapid7 also recommended that businesses enable automatic firmware updates if possible, and disable WAN access to the administrative web interface of the system.

This article was updated on May 18 to add new comments from the Shadowserver Foundation.

Researchers Demo Relay Attack Against Bluetooth LE Systems
Dennis Fisher, http://duo.com/decipher/researchers-demo-relay-attack-against-bluetooth-le-systems

Researchers have developed a new tool that can execute a novel type of relay attack against devices that perform proximity-based authentication using Bluetooth LE, enabling an attacker to trick a victim device such as a laptop, a smart lock or even a vehicle into unlocking.

Bluetooth LE proximity authentication is implemented in a number of different environments and products, and is designed to allow a trusted, nearby device to unlock another device. Some vehicles, including Teslas, that use mobile phones as a key use this method, as do some devices such as laptops, smart watches, and phones. Many consumer Bluetooth-enabled devices also use BLE-based proximity authentication. Relay attacks, in which a malicious device relays the authentication signal from a legitimate device, are a known issue with these systems, and the typical defenses include encrypting the requests sent over the link layer and/or limiting the response time. The tool that researchers at NCC Group developed adds just 8 milliseconds of latency to the response time, which is not enough to exceed the response-time limits such systems typically enforce.

“With further straightforward refinement of the tool, it would be possible to guarantee that the added response latency is one connection event or less for any connection interval permissible under the Bluetooth specification,” the advisory by Sultan Qasim Khan of NCC Group says.

“Real BLE devices commonly require multiple connection events to respond to GATT requests or notifications and have inherent variability in their response timing. Thus, the latency introduced by this relay attack falls within the range of normal response timing variation.”

BLE proximity authentication systems typically estimate the distance of a device by its response time, so if the authenticating device is too far away from the device to be unlocked, the response time will be too long and the authentication won’t succeed. Relay attacks defeat this by relaying the signal from the remote device to the target device. Detecting this kind of attack can be difficult, especially under the current Bluetooth specification.

"The most reliable way to detect relay attacks is through secure ranging using time-of-flight combined with cryptographic challenge response. Unfortunately, in the current version of the Bluetooth protocol, there is no way to achieve this without adding custom baseband functionality that cannot be expected on general purpose phones. Industry efforts are underway to develop secure ranging for proximity key functionality using Ultra-Wideband for time-of-flight measurement," Khan said via email.

"For long distance relay attacks, they could also be detected through monitoring of GPS location of the phone/key fob relative to the location of the item being unlocked. However, such approaches face some obstacles due to a combination of battery life impacts, mobile OS permissions and background task policies, user privacy concerns, and the time required to obtain a precise GPS position lock."
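To make the response-timing argument concrete, here is an added simulation (not NCC Group's tool or any vendor's code) of a distance-bounding verifier that pairs a fresh challenge-response with a round-trip deadline, and shows why millisecond-scale GATT timing cannot reveal an 8 ms relay while nanosecond-scale time-of-flight ranging can. The processing and jitter figures are constructed; the 8 ms relay delay and the 25 m distance come from the article.

```python
"""Distance bounding: challenge-response plus a round-trip deadline (added example).

Not NCC Group's tool or any vendor's code. Timing figures are constructed:
BLE GATT responses vary by several connection events (milliseconds), while
UWB time-of-flight ranging resolves nanoseconds. The clock is simulated, so
nothing here touches a radio.
"""
import hashlib
import hmac
import os

SPEED_OF_LIGHT = 299_792_458.0  # metres per second


def prover_answer(key: bytes, challenge: bytes) -> bytes:
    """The key side (phone/fob) proves knowledge of the shared secret for this nonce."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def rtt_limit_seconds(max_distance_m: float, processing_s: float, jitter_s: float) -> float:
    """Largest round trip a genuine key at max_distance_m can legitimately produce.

    Two-way time of flight, plus the prover's processing time, plus the timing
    variation the verifier must tolerate to avoid rejecting genuine keys.
    """
    return 2.0 * max_distance_m / SPEED_OF_LIGHT + processing_s + jitter_s


class ProximityVerifier:
    """The lock/vehicle side: fresh single-use nonce, MAC check, then the deadline."""

    def __init__(self, key: bytes, max_distance_m: float,
                 processing_s: float, jitter_s: float) -> None:
        self._key = key
        self._limit = rtt_limit_seconds(max_distance_m, processing_s, jitter_s)
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, response: bytes, rtt_s: float) -> bool:
        if self._pending is None:
            return False
        expected = prover_answer(self._key, self._pending)
        self._pending = None  # a nonce is never reusable
        if not hmac.compare_digest(expected, response):
            return False
        return rtt_s <= self._limit


def simulate_unlock(verifier: ProximityVerifier, key: bytes, distance_m: float,
                    processing_s: float, relay_delay_s: float = 0.0) -> bool:
    """One exchange on a simulated clock; relay_delay_s models an inserted relay."""
    challenge = verifier.challenge()
    response = prover_answer(key, challenge)
    rtt = 2.0 * distance_m / SPEED_OF_LIGHT + processing_s + relay_delay_s
    return verifier.verify(response, rtt)


def relay_detectable(max_distance_m: float, jitter_s: float, relay_delay_s: float) -> bool:
    """True if a relay adding relay_delay_s must exceed the deadline.

    The relaying device can sit right next to the verifier, so the only extra
    time it cannot hide is its own delay; detection needs that delay to be
    larger than the tolerated jitter plus the two-way flight-time allowance.
    """
    return relay_delay_s > jitter_s + 2.0 * max_distance_m / SPEED_OF_LIGHT


if __name__ == "__main__":
    KEY = os.urandom(32)
    # BLE GATT timing (constructed): 30 ms processing, 20 ms jitter, 2 m policy.
    ble = ProximityVerifier(KEY, 2.0, 0.030, 0.020)
    print("BLE, key 25 m away via 8 ms relay:", simulate_unlock(ble, KEY, 25.0, 0.030, 0.008))
    # UWB ranging (constructed): 1 us processing, 5 ns jitter, same 2 m policy.
    uwb = ProximityVerifier(KEY, 2.0, 1e-6, 5e-9)
    print("UWB, same relayed exchange:", simulate_unlock(uwb, KEY, 25.0, 1e-6, 0.008))
    print("relay detectable with GATT timing:", relay_detectable(2.0, 0.020, 0.008))
    print("relay detectable with UWB timing:", relay_detectable(2.0, 5e-9, 0.008))
```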


The researchers tested the attack on a 2020 Tesla Model 3, running the attack tool on an iPhone 13 mini. The iPhone was outside of Bluetooth range of the vehicle, about 25 meters away from the car, with two relaying devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely.

“If an attacker can place a relaying device within signal range of a target BLE device (Victim Device A) trusted for proximity authentication by another device (Victim Device B), then they can conduct a relay attack to unlock and operate Victim Device B,” the advisory says.

“Neither normal GATT (Generic Attribute Profile) response latency nor successful communications over an encrypted link layer can be used as indications that a relay attack is not in progress. Consequently, conventional mitigations to prior BLE relay attacks are rendered ineffective against link layer relay attacks.”

The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group, which acknowledged the issue but said that relay attacks were a known problem with Bluetooth. Tesla officials also said that relay attacks were a known limitation of the passive entry system.

“NCC Group recommends that the SIG proactively advise its members developing proximity authentication systems about the risks of BLE relay attacks. Moreover, documentation should make clear that relay attacks are practical and must be included in threat models, and that neither link layer encryption nor expectations of normal response timing are defences against relay attacks,” the advisory says.

NCC Group has not released the tool it developed to perform this attack, but may do so in the future.

"We intend to release the tool only after further research has been conducted and disclosures with those affected vendors are complete," Khan said.

Trio of Serious Bugs Fixed in SonicWall SSL VPNs
Dennis Fisher, http://duo.com/decipher/trio-of-serious-bugs-fixed-in-sonicwall-ssl-vpns

Several models of SonicWall’s SMA 1000 series appliances contain three serious vulnerabilities, including an authentication bypass and a hard-coded encryption key. The company has released an updated firmware image and is urging customers to update immediately.

The flaws affect models 6200, 6210, 7200, 7210, and 8200v of the SMA 1000 SSL VPN appliances running firmware versions 12.4.0 and 12.4.1. The fixed firmware version is 12.4.1-02994.

All of the vulnerabilities are serious, but the most concerning one is CVE-2022-2282, the unauthenticated access control bypass. The affected appliances fail to check authorization when a user tries to access a resource. An attacker who exploits this vulnerability would be able to gain access to an internal resource from an unauthenticated position.

The affected models also use a shared and hard-coded encryption key, meaning that an attacker who can discover the key could get access to any credentials encrypted with it on any affected appliance. The third vulnerability is an open redirect, which could enable an attacker to direct users to any URL.

There are no mitigations or workarounds for any of the vulnerabilities. SonicWall said in its advisory that there is no evidence that any of the flaws has been exploited in the wild yet.

“SonicWall urges impacted customers to implement applicable patches as soon as possible,” the advisory says.

The flaws do not affect the SMA 100 series appliances, remote access clients, or the SonicWall Central Management Server.

Iran-Linked Threat Group Targeted U.S. Orgs in Financially Motivated Attacks
Lindsey O’Donnell-Welch, http://duo.com/decipher/iran-linked-threat-group-targeted-u-s-orgs-in-financially-motivated-attacks

The Iran-linked threat group Cobalt Mirage has been conducting ransomware and espionage attacks on U.S.-based organizations over the past few months, including a local government network and a philanthropic organization.

Cobalt Mirage (which includes elements of threat activity that have previously been reported as Phosphorus and TunnelVision) has been around for years and has focused on organizations in the U.S., Israel, Europe and Australia. The group has historically launched broad scan-and-exploit campaigns, leveraging vulnerabilities like the Microsoft Exchange ProxyShell and Fortinet FortiOS flaws (including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591), said researchers with Secureworks in a Thursday analysis.

Rafe Pilling, senior security researcher with the Secureworks Counter Threat Unit, said Cobalt Mirage’s ransomware-related activities “appear fairly experimental” because they aren't as refined or industrialized as more sophisticated ransomware groups and likely don't have the same organized crime origins.

“Cobalt Mirage campaigns have heavily relied on several widely exploitable vulnerabilities that have appeared in the last 12 months to enable their access,” said Pilling. “They may continue to leverage existing access that they obtained during broad exploitation campaigns; however, the pool of potential victims will reduce as organizations detect their intrusions or patch the vulnerabilities they favor. The group’s future success will rely on developing additional intrusion options or waiting for the next big vulnerability to drop."

In one incident in January, the group used access obtained through the exploitation of ProxyShell vulnerabilities to enter the network of an unnamed philanthropic organization. From there, they created a webshell in order to drop three files on the web server, aiming to collect system information and set up communication with the command-and-control (C2) server.

“The threat actors then moved laterally and encrypted three user workstations with BitLocker, rendering them inaccessible to the compromised organization's staff,” said researchers. “Due to an absence of logging and forensic artifacts, the methods used to trigger BitLocker in this environment are unclear. However, other Cobalt Mirage ransomware attacks used a script to automate the attack.”

The attackers also leveraged Local Security Authority Server Service (LSASS), a Windows process that stores local usernames and passwords for authenticated users, as part of their attack. They used this service to derive valid credentials, both by brute-force cracking New Technology LAN Manager (NTLM) hashes and by stealing passwords stored in plain text. They also used Remote Desktop Protocol (RDP) and a built-in user account (DefaultAccount) to access the compromised Exchange server and extract locally cached passwords. Finally, the attackers sent a ransom note to a local printer, a move that researchers noted was unusual, as ransom notes are typically left on device screens.

“The note includes a contact email address and Telegram account to discuss decryption and recovery,” said researchers. “This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data.”

Another attack in March, which targeted a U.S. local government organization to gain access and collect intelligence, was potentially launched by exploiting the Log4j vulnerabilities in the victim’s VMware Horizon infrastructure, a flaw many threat actors were targeting at the time, said researchers. The malicious activity, which mostly spanned a four-day period in mid-March, began with attackers using the DefaultAccount user to move laterally within the environment via RDP. Attackers then obtained access to multiple accounts and downloaded pxy.zip to several hosts to provide continuous access. Threat actors also downloaded a network scanner.

While researchers said no ransomware was downloaded in this incident, they thought attackers may be experimenting with ransomware after finding a file uploaded to the VirusTotal analysis service from Iran in December that “appears to be an unfinished attempt at ransomware.”

“CTU researchers have also observed Cobalt Mirage infrastructure hosting files related to the HiddenTear open-source ransomware family but have not observed the ransomware being deployed to targets," said researchers.

They recommended that organizations “prioritize patching high-severity and highly publicized vulnerabilities on internet-facing systems, implementing multi-factor authentication, and monitoring for the tools and file-sharing services used by Cobalt Mirage.”

<![CDATA[Decipher Podcast: Source Code 5/13]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/decipher-podcast-source-code-5-13 http://duo.com/decipher/decipher-podcast-source-code-5-13

<![CDATA[New Google Team to Help Critical Open Source Projects Improve Security]]> dennis@decipher.sc (Dennis Fisher) http://duo.com/decipher/new-google-team-to-help-critical-open-source-projects-improve-security http://duo.com/decipher/new-google-team-to-help-critical-open-source-projects-improve-security

Google is upping its already significant investment in the security of open source software, creating a new team of developers dedicated to helping the maintainers of critical open source projects improve the security of their software. The new Open Source Maintenance Crew is an extension of the company’s ongoing effort to improve the security of the open source ecosystem and ties into the broader industry push to shore up the resilience of the projects that underpin much of the Internet.

Google announced the new team during a two-day meeting at the White House that included leaders from dozens of tech companies, the Open Source Security Foundation, and Biden administration officials. The gathering was a follow-up to a similar meeting in January in which the participants discussed the critical role that open source software plays in the industry and how best to address the challenges that maintainers face in trying to improve the security of their projects. One of the main issues is a lack of resources, both financial and human, to prevent, find, and fix systemic security weaknesses.

“Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Kent Walker, president of global affairs and chief legal officer at Google, said after the January meeting.

The size of the new Open Source Maintenance Crew team is not being made public, but given the amount of resources at Google’s disposal, it will likely be substantial. How the team will choose which open source projects to work on will depend on a number of factors.

“Criticality of an open source project is difficult to define; what might be a critical dependency for one consumer of open source software may be entirely absent for another. However, arriving at a shared understanding and framework allows us to have productive conversations about our dependencies. Simply put, we define criticality to be the influence and importance of a project,” said Abhishek Aarya, principal engineer, Google Open Source Security Team.

On the financial side, Google last year committed $10 billion over the next five years to help improve cybersecurity through a variety of programs and initiatives, including $100 million to support organizations such as the OpenSSF. Google also has supported the Open Source Insights project, which provides a dependency graph for any open source package. Now, Google is releasing the data that’s used by the project as a public Google Cloud dataset.

“This project analyzes open source packages and provides detailed graphs of dependencies and their properties. With this information, developers can understand how their software is put together and the consequences to changes in their dependencies—which, as Log4j showed, can be severe when affected dependencies are many layers deep in the dependency graph,” Google said in a blog post Thursday.

<![CDATA[IceApple Post-Exploitation Framework Deployed on Exchange Servers]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/iceapple-post-exploitation-framework-deployed-on-exchange-servers http://duo.com/decipher/iceapple-post-exploitation-framework-deployed-on-exchange-servers

Researchers are warning of a sophisticated post-exploitation framework being deployed on Microsoft Exchange server instances to perform credential harvesting and local reconnaissance on companies across the technology, academic and government sectors.

The .NET-based framework, which researchers call IceApple, contains 18 separate modules that remain under active development in order to evade detection, including capabilities for credential harvesting, file and directory deletion and data exfiltration.

The modules provide no exploitation or lateral movement capabilities. Like other post-exploitation frameworks, IceApple does not provide initial access; it is used to pursue malicious objectives after the attackers have already compromised the system. In some cases, researchers observed attackers using the framework after repeatedly returning to the victim's environment every ten to fourteen days, likely to ensure that access was continually maintained.

“When used shortly after an adversary gained initial access, IceApple was observed being rapidly deployed to multiple hosts to facilitate credential harvesting from local and remote host registries, credential logging on OWA servers, reconnaissance, and data exfiltration,” said researchers with Crowdstrike’s Falcon OverWatch threat hunting team in a Wednesday analysis. “OverWatch then observed adversaries returning to networks daily to continue their activity.”

While build timestamps on modules used by the framework date back to May 2021, researchers first discovered the framework in late 2021 being loaded on Exchange servers. Researchers said further investigation revealed that the adversary behind the framework has detailed knowledge of how Internet Information Services (IIS) works and is capable of targeting any IIS web application. IIS is Microsoft’s web server software used to host and provide internet-based services to the end user.

The framework was reflectively loaded through precompiled .NET assemblies into an application pool for Exchange servers. Precompiled .NET assemblies have previously been used by adversaries with existing access to a system to load additional functionalities, either via webshells or malicious IIS components.

Researchers said that they regularly discover reflectively loaded .NET assemblies of “various levels of sophistication,” from basic wrappers around Windows utilities (such as WMI) all the way up to modular frameworks with multiple levels of encryption that help to protect data both in transit and between modules. This type of malicious activity can be detected if a reflective .NET load occurs under an application or IIS application pool that does not typically perform this sort of operation, said researchers.
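The detection heuristic described above (a reflective .NET load under an IIS application pool that does not normally perform one), run over constructed telemetry, as an added example that is not CrowdStrike's code. The event fields, host names and the application-pool baseline are assumptions standing in for whatever sensor supplies CLR assembly-load events.

```python
"""Baseline-and-deviation check for reflective .NET assembly loads in IIS pools.

Constructed example: the records below are not real telemetry. Each record is
one CLR assembly load attributed to an IIS worker process; "reflective" marks
an in-memory load with no backing file on disk.
"""
from collections import Counter
from datetime import datetime

EVENTS = [
    # The CustomerPortal pool compiles views at runtime, so reflective loads
    # are routine there and belong in the baseline.
    {"ts": "2022-03-02T08:01:00", "host": "web01", "app_pool": "CustomerPortal",
     "assembly": "App_Web_a1b2c3", "reflective": True},
    {"ts": "2022-03-09T08:02:00", "host": "web01", "app_pool": "CustomerPortal",
     "assembly": "App_Web_d4e5f6", "reflective": True},
    {"ts": "2022-03-16T08:00:00", "host": "web01", "app_pool": "CustomerPortal",
     "assembly": "App_Web_0f1e2d", "reflective": True},
    {"ts": "2022-03-23T08:03:00", "host": "web01", "app_pool": "CustomerPortal",
     "assembly": "App_Web_3c4b5a", "reflective": True},
    # The Exchange OWA pool only loads assemblies from disk during the baseline.
    {"ts": "2022-03-05T10:00:00", "host": "mail01", "app_pool": "MSExchangeOWAAppPool",
     "assembly": "Microsoft.Exchange.Clients.Owa", "reflective": False},
    # Detection window: first reflective load ever seen in the OWA pool.
    {"ts": "2022-05-10T02:13:00", "host": "mail01", "app_pool": "MSExchangeOWAAppPool",
     "assembly": "<anonymous>", "reflective": True},
    # Same window, but routine for its pool: should not alert.
    {"ts": "2022-05-10T08:00:00", "host": "web01", "app_pool": "CustomerPortal",
     "assembly": "App_Web_g7h8i9", "reflective": True},
]


def _ts(value):
    return datetime.fromisoformat(value)


def reflective_baseline(events, baseline_end):
    """Count reflective loads per (host, app_pool) strictly before baseline_end (ISO string)."""
    end = _ts(baseline_end)
    counts = Counter()
    for ev in events:
        if ev["reflective"] and _ts(ev["ts"]) < end:
            counts[(ev["host"], ev["app_pool"])] += 1
    return counts


def detect_anomalous_loads(events, baseline_end, min_history=3):
    """Return reflective loads at or after baseline_end whose pool performed
    fewer than min_history reflective loads during the baseline period.

    A pool that has never (or almost never) loaded code from memory suddenly
    doing so is the signal the analysis describes; routine reflective loaders
    are filtered out by their history.
    """
    baseline = reflective_baseline(events, baseline_end)
    end = _ts(baseline_end)
    alerts = []
    for ev in events:
        if not ev["reflective"] or _ts(ev["ts"]) < end:
            continue
        key = (ev["host"], ev["app_pool"])
        if baseline[key] < min_history:
            alerts.append({**ev, "baseline_count": baseline[key]})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_loads(EVENTS, "2022-05-01T00:00:00"):
        print(f"{alert['ts']} {alert['host']}/{alert['app_pool']}: reflective load "
              f"of {alert['assembly']} (baseline count {alert['baseline_count']})")
```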

“While many of the assemblies… are only seen in a customer’s environment once and then never again, a few — such as IceApple — continue to be reused on target networks while showing signs that they are in active development,” said researchers.

Researchers said IceApple’s in-memory-only framework shows that the actor is prioritizing a low forensic footprint on targeted companies. In addition, its numerous modules support a wide range of capabilities, including listing and deleting directories, writing data to a file, retrieving the configuration of installed network adapters, retrieving IIS server variables, dumping credentials stored in registry keys on the infected host, executing queries against Active Directory and capturing OWA credentials.

“This is typical of long-running objectives aimed at intelligence collection and aligns with a targeted, state-sponsored mission,” said researchers.

<![CDATA[Cyberattacks Against MSPs Continue to Escalate]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/msps-caught-in-crosshairs-of-more-cyberattacks http://duo.com/decipher/msps-caught-in-crosshairs-of-more-cyberattacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with cybersecurity authorities from the UK, Australia, Canada and New Zealand, are warning that cybercriminals are increasingly targeting managed service providers (MSPs) in an attempt to compromise their downstream customers.

MSPs deliver and manage platform, software, IT infrastructure and security services, as well as providing business process and support functions for customers. They are part of a partner ecosystem made up of resellers and technology service providers that has been targeted in recent years by threat actors in cyberespionage or ransomware attacks. Because these companies store customer data and support sensitive processes, they are in a unique position where they have trusted network connectivity and privileged access to customer systems.

“Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects," according to the joint advisory on Wednesday. "The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships."

While no specific incidents were mentioned as part of the Wednesday advisory, actors have previously exploited the “trusted relationships” in MSP networks to gain access to a large number of customers. Luke McNamara, principal analyst with Mandiant, said in recent years researchers have observed a growing focus from some cyber espionage groups - especially Chinese threat actors - on targeting the “information supply chain.”

"Managed service providers can be one vector into that and presents an avenue for these actors to compromise trusted partners for the purpose of conducting intrusions into multiple end targets," said McNamara. "As various espionage groups mature their capabilities, we should expect to continue to see some of these actors prioritize targets that enable them to collect at scale.”

In the well-known July Kaseya attack, attackers leveraged a vulnerability in the software of Kaseya VSA on-premises products to execute ransomware attacks against MSPs and their customers. In October, Microsoft warned that Nobelium (the actor behind the SolarWinds intrusion) was compromising resellers and technology service providers in order to target their delegated administrative privileges, which allow admins to delegate administrative responsibilities to partners, including the ability to add users or domains, or reset passwords. Delegated administrative privileges are infrequently audited for approved use, and oftentimes they are not disabled by a service provider or downstream customer once use has ended, making them a lucrative target for cybercriminals.

However, this is just one of many avenues attackers can leverage when targeting a service provider's environment. Due to the sheer amount of data being managed, MSPs and their customers should have "transparent discussions" around how sensitive data is secured and whether MSP-customer contracts identify ownership of security roles and responsibilities, said CISA. Part of these discussions should also include a hard look at supply-chain risk across security, legal and procurement groups.

When it comes to security controls, MSPs should disable accounts that are no longer in use and enforce multi-factor authentication (MFA) on MSP accounts with access to customer environments. MSPs should also ensure that monitoring and logging controls, as well as response and recovery plans, are in place.

“These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance,” according to the advisory. “A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.”

<![CDATA[White House Adds Three Key Cybersecurity Officials]]> dennis@decipher.sc (Dennis Fisher) http://duo.com/decipher/white-house-adds-three-key-cybersecurity-officials http://duo.com/decipher/white-house-adds-three-key-cybersecurity-officials

The nascent Office of the National Cyber Director at the White House is gaining some serious reinforcements with the addition of three new deputies, including Kemba Eneas Walden, a highly experienced cybersecurity attorney who led the anti-ransomware effort at Microsoft’s Digital Crimes Unit.

National Cyber Director Chris Inglis announced Tuesday the addition of Walden as principal deputy national cyber director, along with Neal Higgins and Rob Knake as deputy national cyber directors. Higgins, who will focus on overall national cybersecurity issues, moves to the White House from CIA, where he oversaw the agency’s cyber operations, secure global communications, and data science programs. Knake will oversee the ONCD’s budget and strategy, and like Walden and Higgins, has long experience in the federal government, having served in the Department of Homeland Security and the National Security Council during the Obama administration.

Since he took office in July 2021, Inglis has been emphasizing the need for more personnel in the ONCD to help coordinate the country’s cyber defense efforts. Inglis is the first person to hold the title of national cyber director and has been vocal about the need to expand the office’s capabilities. Adding people with the depth and breadth of experience of Walden, Higgins, and Knake will go a long way toward accomplishing that goal.

“As we continue to build this new office, the additions of Kemba, Neal, and Rob will accelerate our efforts to protect Americans in cyberspace,” said Inglis. “Each of these leaders brings impressive experience in cybersecurity policy making to our team, and their diverse perspectives will be invaluable as we strengthen our collective defense.”

The addition of Walden is a significant one, as she brings quite a bit of experience combatting what has become one of the more pernicious threats to national security: ransomware. The Microsoft DCU’s anti-ransomware program is one of the more active such groups in the industry, and has used both technical and legal means to help disrupt ransomware operations. In 2020, the DCU helped to disrupt the Trickbot malware network, which is closely associated with the Ryuk ransomware operation. That effort included the takeover of several command-and-control domains and a copyright claim for the unauthorized use of Microsoft’s software.

Ransomware has evolved from an annoyance for individual users a few years ago into the massive national security priority it now is. Just this week, the government of Costa Rica declared a national emergency following an attack by the Conti ransomware group last month. That attack affected the country’s tax and customs platforms, along with other systems.

The Biden administration has made cybersecurity in general and ransomware specifically top priorities. Last year, the federal government formed a ransomware task force as well as a National Cryptocurrency Enforcement Team charged with disrupting payments to ransomware groups.

“Cryptocurrencies and ransomware are inextricably linked. You can't disaggregate the challenge here. They come hand in glove,” Deputy Attorney General Lisa Monaco said in October.

“That’s why we’re targeting the ecosystem that supports the ransomware economy. We’re going after the entire criminal supply chain.”

Walden, Higgins, and Knake join Inglis and Chris DeRusha, the federal CISO and deputy national cyber director for federal cybersecurity, who joined the White House in October.

<![CDATA[After Microsoft Macro Malware Crackdown, Attackers Explore New Options]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/after-microsoft-macro-malware-crackdown-attackers-explore-new-options http://duo.com/decipher/after-microsoft-macro-malware-crackdown-attackers-explore-new-options

A month after Microsoft started rolling out a plan to block macros obtained from the internet by default, threat actors are utilizing new malware delivery methods for spear-phishing attacks that decrease their reliance on malicious macros.

Ole Villadsen, senior analyst with IBM Security’s X-Force Threat Intelligence team, said that since late last year he has observed attackers increasingly introducing other types of downloaders or droppers that do not rely on macros, including XLL files, ISO images, Microsoft shortcut files and MSI files.

“These new file types have been used to distribute Emotet, Qakbot, JSSloader, and other payloads," he said. "In some cases, attackers may be experimenting with the new file types to get a sense of how well they work compared with previous approaches that rely on macros.”

In a recent low-volume Emotet campaign in April, for instance, researchers observed the attackers using XLL files, a type of dynamic link library (DLL) file that is designed to increase the functionality of Excel. The campaign exhibited marked changes from typical behaviors of the malware, which previously leveraged Microsoft Excel or Word documents that contain VBA or XL4 macros. In an April analysis, Proofpoint researchers speculated that the threat actor behind Emotet, TA542, was testing these new tactics on a small scale before deploying them at a broader level.

"In addition to Emotet, we have observed a variety of actors utilizing XLL files to stage their payloads, including those distributing other high-profile botnets or banking trojans such as Qbot and Ursnif," said Sherrod DeGrippo, vice president of threat research and detection with Proofpoint. "Though not observed since February, an unattributed threat actor also used this technique in campaigns delivering Bazaloader, a malware linked to the deployment of the high-profile ransomware Conti."

However, DeGrippo noted that macros are still widely used: over the past thirty days, researchers observed more than 1.5 million messages that either carried an attached document containing macros or contained a URL leading to one. In addition, researchers were already observing the regular use of a variety of techniques that bypassed “mark of the web” detection, even before Microsoft's announcement, she said.

In addition to XLL files, the use of ISO files is also on the rise, said DeGrippo.

"Whereas historically they may have been more closely associated with the delivery of commodity malwares such as Agent Tesla and FormBook, since the February announcement we have identified at least 7 actively tracked actor groups making use of the files as part of their delivery chain including those distributing more sophisticated malwares such as IcedID and the recently revealed Bumblebee loader," she said.

Microsoft first unveiled its plans to block macros obtained from the internet by default for several Office applications - Access, Excel, PowerPoint, Visio and Word - on devices running Windows. The move was viewed as a potential gamechanger for how attackers launch email-based attacks. Macros are programs written in Visual Basic for Applications (VBA) that are often used to automate repetitive tasks in Microsoft Office applications. However, cybercriminals have leveraged them with the end goal of delivering various malicious payloads or stealing sensitive data. Attackers would merely need to send an email to unknowing targets with an Office attachment and convince them to enable the malicious macros.

However, Microsoft’s updates now add extra measures with the goal of making this type of abuse more difficult: If users are trying to enable macros in files that are obtained from the internet, a security warning message bar tells them that Microsoft has blocked macros due to the source of the file being untrusted. End users are then pointed to an article containing information about the security risks of macros, safe practices to prevent phishing and instructions on how to enable the macros.

Sean Gallagher, senior threat researcher with SophosLabs, said researchers are seeing a definite overall decline right now in document-based droppers - though it’s hard to say if the move is permanent due to constant changes over the past year.

“We have seen indications that several specific, prevalent malware families have made a bit of a pivot recently away from document downloaders to different deployment methods that bypass the changes,” said Gallagher. “Qakbot and IcedID have moved to ISO delivery, while we’ve seen Emotet move to a Windows shortcut package that executes Powershell.”

Organizations need to be cognizant that these threats evolve constantly, said Gallagher, with attackers adjusting their tactics to find the least expensive and most effective way to drop malware.

"Defense in depth - including signature and behavior detection, reputation and network detection, software patching, and good user education about how threats work and how to spot and avoid them - is the best way to reduce the probability of a malware actor's success," said Gallagher.

<![CDATA[U.S. Offers $15M in Rewards for Conti Ransomware Group Information]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/u-s-offers-usd15m-reward-for-conti-ransomware-group-leaders-affiliates http://duo.com/decipher/u-s-offers-usd15m-reward-for-conti-ransomware-group-leaders-affiliates

The State Department is offering rewards that total $15 million for more information about the key leaders, operators or affiliates associated with the Conti ransomware group.

U.S. authorities will pay up to $10 million for information leading to the identification or location of key Conti leaders, and up to $5 million for information leading to the arrest or conviction of owners, operators and affiliates associated with the RaaS group. The FBI has called Conti the costliest strain of ransomware ever documented, with the group and its affiliates racking up hundreds of victims over the past two years, including 1,000 victims as of January with payouts exceeding $150,000,000.

“In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals,” according to the State Department in a release. “We look to partner with nations willing to bring justice for those victims affected by ransomware.”

Conti continues to pose a formidable threat to businesses despite a self-described security researcher setting up a Twitter account in late February and leaking two years’ worth of the group’s internal chat logs, in addition to credentials, email addresses and command-and-control (C2) server details. In April, the group launched a ransomware attack against the government of Costa Rica that the U.S. government said severely impacted the country’s foreign trade by disrupting its customs and taxes platforms.

The U.S. government has previously offered high rewards for other ransomware groups, including rewards of up to $15 million for the DarkSide ransomware in November, as well as up to $15 million for the Sodinokibi (REvil) ransomware group, also in November. Rewards are offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), a program established in 2013 that gives the Secretary of State the statutory authority to offer rewards of up to $25 million for information leading to the arrest or conviction in any country of those participating in transnational organized crime.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that these types of rewards may indicate a shift in tactics in targeting ransomware operations.

“By taking a more proactive approach in soliciting the assistance of external researchers — and individuals potentially close to Conti's organization — they may identify useful information that would otherwise have remained unclear,” said Morgan.

<![CDATA[Exploits Emerge for Critical F5 Flaw]]> dennis@decipher.sc (Dennis Fisher) http://duo.com/decipher/exploits-emerge-for-critical-f5-flaw http://duo.com/decipher/exploits-emerge-for-critical-f5-flaw

Two separate proof-of-concept exploits are circulating for a critical remote code execution vulnerability in many versions of the F5 BIG-IP system that F5 disclosed last week, and attackers are actively scanning for vulnerable installations.

F5 released an advisory for the vulnerability (CVE-2022-1388) in the iControl REST API on May 4 and advised customers to patch immediately or apply mitigations to prevent exploitation. The bug affects versions 11-16 of BIG-IP and is fixed in version 17. Although versions 11 and 12 of BIG-IP are vulnerable, they are too old to be patched and F5 will not fix them.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only,” the advisory says.

On Friday, at least two proof-of-concept exploits were published, and data from GreyNoise shows more than 150 IP addresses already scanning for vulnerable installations. Researchers advise organizations to remove remote access to the admin interface before patching.

“Usually, I recommend patching first and later attending to the configuration issues. But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch,” said Johannes Ullrich of the SANS Institute.

The mitigations that F5 recommends include blocking access to the vulnerable interface.

“You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured,” the advisory says.

There was a similar vulnerability in F5 BIG-IP networking boxes in 2020, and within days of the disclosure, high-level attackers began targeting vulnerable appliances. One of the groups attempting to exploit the flaw was a team affiliated with the Chinese Ministry of State Security.

Exploiting the vulnerability disclosed last week would give an attacker complete control of a target F5 appliance, with the ability to run arbitrary commands, add or delete files, or take any other actions. Researchers at Randori have developed a working exploit and also have released a one-line bash script to check for vulnerable systems.

"From an external perspective, connections made to iControl REST over HTTP are handled by a frontend Apache web server on port 443. This server is responsible for routing requests to the appropriate internal services. To reach the iControl REST service, a requested path must begin with /mgmt which will inform Apache to forward the message to an internal Jetty web server listening locally on port 8100. This Jetty web server will authenticate requests that appear to originate externally and provide a token in the form of an X-F5-Auth-Token header upon success, which must be used in all subsequent communication. If a request is received by the external Apache server with this present, Apache will assume that Jetty will verify the token value and forwards along the header," Randori said in an analysis of the bug.

"From the Jetty server’s perspective, if a request is received without the X-F5-Auth-Token, it is assumed to be administrative and only the username of the HTTP Basic header will be verified to match 'admin'. These are the credentials that were observed to be hardcoded into the application for use to send trusted requests."
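The trust decision Randori describes, as an added example (not F5's or Randori's code): the legacy policy reproduces the described behaviour, and the hardened policy beside it requires proof of a secret on every request; the credential store, the token set and the request headers are constructed placeholders.

```python
"""Trust decision of the internal Jetty service as Randori describes it, beside
a hardened version. Added example, not F5's or Randori's code; the credential
store, the token set and the request headers are constructed placeholders.
"""
import base64
from typing import Dict, Optional, Tuple

# Constructed stores standing in for the real authentication back end.
CREDENTIALS = {"admin": "constructed-admin-password"}
VALID_TOKENS = {"TOKEN-PLACEHOLDER-1"}

def parse_basic(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:            # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = decoded.partition(":")
    return user, password

def legacy_decision(headers: Dict[str, str]) -> bool:
    """Described behaviour: with no X-F5-Auth-Token the request is assumed to be
    administrative and only the Basic user name is compared with 'admin'."""
    token = headers.get("X-F5-Auth-Token")
    if token is not None:
        return token in VALID_TOKENS
    creds = parse_basic(headers)
    return creds is not None and creds[0] == "admin"    # password never checked

def hardened_decision(headers: Dict[str, str]) -> bool:
    """Every request must prove possession of a secret: a valid token, or a full
    user-name and password match. A missing header grants nothing."""
    token = headers.get("X-F5-Auth-Token")
    if token is not None:
        return token in VALID_TOKENS
    creds = parse_basic(headers)
    if creds is None:
        return False
    user, password = creds
    return CREDENTIALS.get(user) == password   # production: hashed, constant-time

def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build a Basic Authorization header for the sample calls."""
    raw = f"{user}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
```

The difference between the two policies is the only point: the legacy rule lets an attacker-chosen user name and the absence of a header stand in for authentication, while the hardened rule never accepts anything the client can assert for free.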

<![CDATA[New Law Aims to Revamp Federal Cybercrime Tracking]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/new-law-aims-to-revamp-federal-cybercrime-tracking http://duo.com/decipher/new-law-aims-to-revamp-federal-cybercrime-tracking

President Joe Biden on Thursday signed into law a bill that aims to improve how the government tracks, measures, analyzes and prosecutes cybercrime.

The Better Cybercrime Metrics Act, which was first introduced in the Senate in August 2021, will build a system to keep tabs on cybercrime incidents with an end goal of better identifying threats and preventing attacks. The act cracks down on consistency issues around how cybercrime is both reported and tracked: While federal law enforcement agencies must report crime through the FBI per the Uniform Crime Reporting Act of 1988, federal agencies like the FBI and the Secret Service, which often have jurisdiction over cybercrimes, are not consistently reporting these numbers into federal systems, the bill's sponsors have argued. Meanwhile, state and local law enforcement reporting on cybercrime is also limited.

“By strengthening our data collection, anticipating future trends, and giving law enforcement the tools they need, we are taking common sense steps to keep the American people safe online,” said U.S. Rep. Abigail Spanberger (D-Va.), who sponsored the legislation and who is a former CIA case officer and federal agent, in a Thursday statement.

The act will require the official incident-based reporting system used by law enforcement agencies to collect and report crime data (the National Incident Based Reporting System) to establish a category for cybercrime reports from federal, state, and local officials within the next two years.

As part of the act, the Government Accountability Office (GAO) will also look at the effectiveness of current cybercrime mechanisms and specifically any disparities between reporting this type of data and other types of crime data.

The act will also require that cybercrime is incorporated into several existing systems used to track crime. For instance, the Department of Justice (DoJ) will be required to contract with the National Academy of Sciences to develop a taxonomy for categorizing different types of cybercrime impacting businesses and individuals, which can then be used by law enforcement in future tracking metrics. Also, the National Crime Victimization Survey will be required to incorporate questions related to cybercrime in its survey instrument.

Of note, several cybercrime tracking programs do exist, including the FBI’s well-known Internet Crime Complaint Center (IC3) that tracks internet-related crime like business email compromise, phishing attacks and romance scams. However, this act would focus on a more consistent and comprehensive mechanism for collecting and reporting cybercrime across several law enforcement agencies.

The act is also part of a greater effort by the U.S. government to increase transparency around cybersecurity incidents. The Strengthening American Cybersecurity Act of 2022, which passed the Senate in March, for instance, would give critical infrastructure entities a 72-hour reporting deadline to notify the Cybersecurity and Infrastructure Security Agency (CISA) after experiencing a cyberattack. And last year, the U.S. Securities and Exchange Commission (SEC) proposed a set of rules that would require publicly traded companies to disclose security incidents within four days after they have been discovered.

Crane Hassold, director of threat intelligence with Abnormal Security, said that the Better Cybercrime Metrics Act is "much-needed legislation" for the U.S. government, enabling it not only to understand cybercrime levels but also to adjust the resources devoted to defending against these threats accordingly.

“One of the biggest obstacles the federal government has fighting cybercrime is that it's missing accurate, comprehensive data to understand the overall impact of cyber threats that would allow them to prioritize their efforts accordingly,” he said. “Hopefully, with this bill, it will give federal law enforcement the information it needs to be able to allocate resources to holistically combat and respond to cyber threats.”

<![CDATA[Decipher Podcast: Source Code 5/6]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/decipher-podcast-source-code-5-6 http://duo.com/decipher/decipher-podcast-source-code-5-6

<![CDATA[New Malware Framework Distributed Via Pay-Per-Install Service]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) http://duo.com/decipher/new-pay-per-install-malware-framework-under-active-development http://duo.com/decipher/new-pay-per-install-malware-framework-under-active-development

Researchers have uncovered a new malware framework that they say is fairly sophisticated and is being spread as part of the known pay-per-install (PPI) PrivateLoader malware service.

The framework, which researchers call NetDooka (due to the names of some of its components), contains multiple parts, including a loader, dropper, protection driver and a remote access trojan (RAT) with its own network communication protocol. Researchers said the malware framework’s capabilities enable it to act as an entry point for other malware.

“PPI malware services allow malware creators to easily deploy their payloads,” said Aliakbar Zahravi and Leandro Froes with Trend Micro in a Thursday analysis. “The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system, among others.”

PrivateLoader’s initial infection vector is typically via pirated software downloads. The downloader then installs the first NetDooka malware family, which is a dropper component that decrypts and executes the loader. The loader installs a kernel driver and then creates a new virtual desktop in order to execute an antivirus software uninstaller. It interacts with the uninstaller by emulating the mouse and pointer position, which also allows it to prepare the environment for executing other components.

Then, another dropper is executed by the loader that executes a full-featured RAT. The RAT has multiple functionalities, including the abilities to start a remote shell, grab browser data, take screenshots and gather system information. It might also leverage the previously installed kernel driver component to protect the dropped payload, researchers said.

“With the RAT payload properly installed, malicious actors can perform actions such as stealing several pieces of critical information from the infected systems, gaining remote control access to the system, and creating botnet networks,” said researchers.

According to researchers with Intel 471, PrivateLoader sits at the front of the PPI operation, communicating with its back-end infrastructure in order to receive URLs for the malicious payloads to deploy. The malware also communicates a number of statistics, such as which payloads were launched successfully. Other payloads downloaded by PrivateLoader on the system may differ, with families like SmokeLoader, RedLine and Anubis reportedly being previously distributed via PPI services. Researchers said that the framework’s features may still vary depending on the malware version, as it is still in its development phase.

PPI malware services, which have been around for a “considerable amount of time,” work through a division of labor: a malware operator provides the payment, the targeting information and the malicious payloads, and those who run the service then outsource the delivery.

“The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections,” said researchers with Intel 471. “By understanding how these services proliferate, defenders can better recognize these campaigns and stop them from wreaking havoc on their organization’s IT stack.”