US State Department outlines coordinated government effort to provide Ukraine with cybersecurity intelligence, expertise, and resources amid invasion.

The US State Department today announced a coordinated effort between several government agencies to provide Ukraine with the cybersecurity technical expertise, resources, and threat intelligence necessary to protect the electrical grid and Internet access as Russia continues to wage war on the country. 

US agencies assisting with Ukraine's cybersecurity defenses include the following:

*   The **Federal Bureau of Investigation (FBI)** has shared information it has on cyberattacks planned against Ukraine.
*   The **US Agency for International Development (USAID**) has provided service providers with hands-on technical support for the government's cybersecurity defense, and handed over 6,750 communications devices, including data terminals and satellite phones, to key infrastructure operators.
*   The **Department of Energy** is helping integrate Ukraine's electrical grid with the European Network of Transmission system Operators for Electricity (ENTSO-E), which includes meeting cybersecurity and resiliency requirements. 
*   The **Cybersecurity and Infrastructure Agency (CISA)** is working on providing technical details to the appropriate Ukrainian authorities. 

The announcement added that prior to the February 2022 Russian invasion, the US had already provided Ukraine with more than $40 million in what it calls "cyber capacity development." 

"The U.S. government's efforts, closely coordinated with private sector and international partners, support Ukraine’s network defenders and telecommunications professionals, who continue to defend Ukrainian networks and repair infrastructure, often at direct risk to their lives," the State Department's fact sheet said. "The United States condemns actions that block or degrade access to the Internet in Ukraine, which sever critical channels for sharing and learning information, including about the war."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Pledges to Help Ukraine Keep the Internet and Lights On

COVID-19 and a December 2021 cyberattack combined to put the future of Abraham Lincoln's namesake college in peril.

The home page of Lincoln College in Illinois says the impact of COVID-19 followed by a crippling December 2021 cyberattack have combined to force the institution to close its doors after 157 years. 

The permanent closure is set to take effect on May 13 — unless Lincoln College receives what the statement calls "... a transformational donation or partnership to sustain Lincoln College beyond the current semester." 

Although the school says no personal identifying information was stolen, the cyberattack, which lasted for more than three months, shut down the school's student recruitment, retention, and fundraising operations. NBC News reported that Lincoln was hit with a ransomware attack. 

“Lincoln College has been serving students from across the globe for more than 157 years,'" said David Gerlach, president of Lincoln College, in the statement. “The loss of history, careers, and a community of students and alumni is immense.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lincoln College Set to Close After Crippling Cyberattack

Kaspersky researchers discovered that cybercriminals made approximately 65,000 attacks between July 2021 and April 2022.

**Woburn, MA – May 10, 2022 —** Kaspersky researchers have revealed that the number of attacks exploiting numerous vulnerabilities in Windows Print Spooler have risen noticeably over the past four months. While Microsoft regularly releases patches for its Print Spooler, a software that manages the printing process, cybercriminals continue to actively exploit its vulnerabilities giving them the opportunity to distribute and install malicious programs on victims’ computers that can steal stored data.

Over the past year, various vulnerabilities in Windows Print Spooler have been discovered. By abusing them, cybercriminals have been able to take control of servers and victims’ machines, even without a special admin access.

The most well-known vulnerabilities are CVE-2021-1675 and CVE-2021-34527 (aka PrintNightmare), which were discovered in late June 2021. PrintNightmare was accidentally published by researchers as a proof of concept (PoC) exploit for a critical Windows Print Spooler vulnerability. The exploit was quickly removed from GitHub, however, some users had already managed to download it and then republished it. In late April 2022, a highly severe vulnerability (tracked as CVE-2022-22718) was also discovered in Windows Print Spooler. Microsoft had already issued a patch against this threat but the attackers were still able to exploit this vulnerability and gain access to corporate resources.

Kaspersky researchers discovered that cybercriminals made approximately 65,000 attacks between July 2021 and April 2022. Moreover, Kaspersky experts detected that roughly 31,000 of these hits occurred during the last four months, from January to April. This suggests that vulnerabilities in Windows Print Spooler remain a popular attack route for cybercriminals, which means users need to be aware of any patches and fixes that Microsoft releases.

_The global statistics on detections of attacks exploiting Windows Print Spooler vulnerabilities from July 2021 to April 2022_

The exploitation of vulnerabilities in Windows Print Spooler has hit numerous countries with the number of overall attacks still growing. From July 2021 to April 2022, nearly a quarter of detected hits came from Italy. After Italy, users in Turkey and South Korea were the most actively attacked. Kaspersky researchers also discovered that over the past four months attackers were most active in Austria, France and Slovenia.

_TOP 5 countries being targeted by attacks exploiting Windows Print Spooler vulnerabilities from July 2021 to April 2022_

_“Windows Print Spooler vulnerabilities are a hotbed for emerging new threats,”_ said Alexey Kulaev, security researcher at Kaspersky. _“We anticipate a growing number of exploitation attempts to gain access to resources within corporate networks, accompanied by a high-risk of ransomware infection and data theft. Through some of these vulnerabilities, attackers can gain access not only to victims’ data but also to the whole corporate server. Therefore, it is strongly recommended that users follow Microsoft’s guidelines and apply the latest Windows security updates.”_

To protect yourself from cybercriminals’ attacks through vulnerabilities in the Windows Print Spooler, Kaspersky recommends:

*   Installing patches for new vulnerabilities as soon as possible. Once downloaded, threat actors can no longer abuse the vulnerability.
*   Performing a regular security audit of your organization’s IT infrastructure to reveal any gaps and vulnerable systems.
*   Using a protection solution for endpoints and mail servers with anti-phishing capabilities to decrease the chance of infection through phishing attempts.
*   Using dedicated services that can help fight against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages, before attackers achieve their goals.
*   Installing anti-APT and EDR solutions, enabling threat discovery and detection, along with investigation and timely remediation of incidents’ capabilities. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.

Cybercriminals Are Increasingly Exploiting Vulnerabilities in Windows Print Spooler

New research-focused division focused on advancing innovation in the field of security operations.

EDEN PRAIRIE, MN – May 10, 2022 – Arctic Wolf®, a global leader in security operations, today announced the launch of Arctic Wolf Labs, a new research-focused division focused on advancing innovation in the field of security operations.

Security and IT teams are consistently under-resourced and overburdened, unable to keep up with the thousands of alerts they receive each day, let alone find the time or proper resources to conduct their own threat research or develop new detection techniques needed to outpace today’s well-resourced threat actors. Continuing the paradigm shift that Arctic Wolf is driving to make effective Security Operations achievable for organizations of virtually any size, the mission of Arctic Wolf Labs is to develop cutting-edge technology and tools that are designed to enhance the company’s core mission to end cyber risk, while also bringing comprehensive security intelligence to Arctic Wolf’s customer base and the security community-at-large.

Leveraging the more two trillion security events the Arctic Wolf Security Operations Cloud ingests, parses, enriches, and analyzes each week, Arctic Wolf Labs will be responsible for performing threat research on new and emerging adversaries, developing advanced threat detection models, and driving improvement in the speed, scale, and detection abilities of Arctic Wolf’s solution offerings.

The Arctic Wolf Labs team will bring together Arctic Wolf’s security and threat intelligence researchers, data scientists, and security development engineers with deep domain knowledge in artificial intelligence (AI), security R&D, as well as advanced threat offensive and defensive methods and technologies. The team will be led by Daniel Thanos, a seasoned security R&D executive with more than 20 years of experience overseeing security product development, threat intelligence, and AI research teams for innovative start-ups, large industrial companies, and organizations in the telecommunications and financial services industries.

“The extensive size of the data lake created by Arctic Wolf’s Security Operations Cloud represents a significant opportunity for Arctic Wolf to be disruptive in the areas of threat intelligence, security research, and artificial intelligence,” said Daniel Thanos, vice president, Arctic Wolf Labs. “Innovation is a core value at Arctic Wolf, and with the creation of Arctic Wolf Labs we are further extending our commitment to creating technology and solutions that we believe will secure customers today, as well as in the future.”

“The Arctic Wolf Security Operations Cloud fuels a powerful data and automation flywheel. As more customers use our solutions, the network effects of our AI-enabled data pipeline continuously enhance our threat detection and prevention capabilities,” said Dan Schiappa, chief product officer, Arctic Wolf. “The research that Daniel and the Arctic Wolf Labs team intend to conduct we believe will be instrumental in further accelerating this flywheel, helping enable our customers to stay ahead of threat actors and their novel attack techniques.”

The formation of Arctic Wolf Labs builds upon the recent contributions Arctic Wolf has made to cybersecurity research community, which includes the creation of open-source deep scan tools used by organizations worldwide to understand the impact of the critical Log4Shell and Spring4Shell vulnerabilities, as well as the publication of threat research that details the innerworkings of major ransomware and e-crime groups.

To learn more about Arctic Wolf Labs, visit arcticwolf.com/labs

**Additional Resources:**

*   Join the conversation with Arctic Wolf on Facebook, Twitter, LinkedIn, and YouTube
*   Visit arcticwolf.com to learn more about our security operations solutions
*   If you're ready to get started, request a demo, get a quote, or conduct a Security Operations Maturity Assessment
*   Want to join Arctic Wolf's Partner Program? Apply today

**About Arctic Wolf:**

Arctic Wolf® is a global leader in security operations, delivering a premier cloud-native security operations platform designed to end cyber risk. Powered by threat telemetry spanning endpoint, network, and cloud sources, the Arctic Wolf® Security Operations Cloud ingests and analyzes more than two trillion security events a week across the globe, enabling critical outcomes for security use cases and optimizing customers’ disparate security solutions. The Arctic Wolf® Platform delivers automated threat detection and response at scale, and empowers organizations of virtually any size to establish world-class security operations with the push of a button.

For more information about Arctic Wolf, visit arcticwolf.com or follow us on Twitter, LinkedIn, or Facebook.

Arctic Wolf Launches Arctic Wolf Labs Focused on Security Operations Research and Intelligence Reporting

The Dark Crystal remote access Trojan (aka DCRat) breaks a few stereotypes, with coding done by a solo developer, using an obscure Web language and offering it at a frighteningly low price.

A bargain-basement, $5 price tag on a 3-year-old remote access Trojan (RAT) has concerned some security researchers, who see the move as signs of a possible race to the bottom in terms of pricing — or that new, disrupting developers are entering the cybercriminal market.

According to an analysis of the malware by software and security firm BlackBerry, an extremely low-cost variant of the malware known as the Dark Crystal RAT (aka DCRat) appears to be the brainchild of a sole Russian developer. The creator wrote the code in the popular C#, but also coded the administrative server in the relatively obscure JPHP, a clone of the PHP Web language that runs on a Java virtual machine. The malware platform has become popular with entry-level hackers but has many of the features — such as a modular architecture and custom plug-ins — of better-known programs.

The malware may only be a niche threat, but the development of new — albeit, minor — attack tools highlights the fact that companies need to be vigilant, says Jim Simpson, director of threat intelligence at BlackBerry.

"Nothing makes it especially dangerous — it is another thing to be aware of and take the usual precautions over," he says, adding that companies should make sure that their end users are trained on spotting and reporting suspicious emails and that multifactor authentication is deployed. "It is likely someone, seeing a gap in the market for a cheaper toolset, created something that would work for people looking to fill that need."

Yet the low, low price of the software has rung some warning bells for researchers. In the world of legitimate software, open source and free is the name of the game, but profit-minded cybercriminals offering bottom-of-the-barrel pricing is an anomaly, the researchers said.

"This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven," the BlackBerry researchers stated in the analysis. "It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income."

Simpson notes that a lone-wolf operator has lower operating costs and overhead, so that could lead to lower prices. In addition, while the original price had been set at 500 rubles, the devaluation of the Russian currency led the developer to set the latest prices in US dollars. 

"If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported, but DCRat seems to break that rule in a way that’s deeply perplexing," the researchers said. "This RAT's code is being improved and maintained daily. If the threat is being developed and sustained by just one person, it appears that it’s a project they are working on full-time."

**Inside the World of the Dark Crystal (RAT)  
**The Dark Crystal malware first appeared at least as early as 2018, with the program written in Java, according to a May 2020 analysis by incident response firm Mandiant. In 2019, the developer added a customized plug-in frameworks and redesigned the program using C#. In 2020, the program had at least 50 different commands and had caught the attention of incident responders, according to Mandiant's analysis.

The DCRat malware has three different components: A malicious program that runs on the compromised systems, a single webpage written in PHP that acts as the command-and-control interface, and the administrator tool written in JPHP, an uncommon programming language typically used by beginning programmers interested in games. The use of JPHP is likely because the developer is conversant in that programming language rather than because of any specific advantage, BlackBerry's Simpson says.

"The client itself is now .NET based," he says. "It’s only the admin panel — server-side — that is developed in JPHP, and it’s unlikely chosen for its obfuscation, more likely for its ease of development and portability between operating systems."

The evolution of DCRat fits right in with the trend of groups moving to create their own infrastructure, with the goal of turning access, compromise, and ransomware into services. While some remote access platforms — such as the industrial control system (ICS)-focused Pipedream — are the product of teams sponsored by nation-states, others come from smaller groups of cybercriminal operators that are focused on staying ahead of defenders and reverse engineers, just like DCRat.

The REvil malware, for example, has returned from the dead, after international investigators and law-enforcement agencies disrupted the group and Russia arrested some of the group's members. A recent ransomware sample and reconstituted infrastructure suggest that someone, or some group, with connections to the previous operators are now reviving the ransomware-as-a-service (RaaS) offering.

While DCRat's cut-rate malware does not measure up to many threats, the attack tool is frequently being improved, and threat-intelligence analysts should keep an eye on its evolution, the BlackBerry team noted.

5-Buck DCRat Malware Foretells a Worrying Cyber Future

Company delivers new vulnerability management offering to help resource-constrained organizations combat increasing attacks on mission-critical SAP applications .

BOSTON, May 10, 2022 – Onapsis, the leader in business-critical application cybersecurity and compliance, today announced the release of Onapsis Assess Baseline. In a world where business-critical applications are under attack every day, this new offering accelerates organizations’ abilities to kickstart their SAP vulnerability management programs by better aligning with the SAP Security Baseline.

The exponential growth of targeted ransomware and the increased threat of cyber warfare due to global conflict means that organizations must re-evaluate how they secure their most critical systems. Amid this evolving, more aggressive threat landscape, companies struggle to keep up with patching the growing number of vulnerabilities exploited by threat actors to gain access to their business-critical applications. Onapsis Assess Baseline empowers companies of any size to accelerate time-to-value by simplifying deployment with a new SaaS-based, zero-footprint model and focusing on a core, targeted set of critical vulnerabilities as first steps on their journey to ensure cybersecurity, compliance, and availability of their SAP applications. When organizations are ready to take on more, Onapsis Assess Baseline offers easy expansion to additional scope for vulnerability management as well as capabilities for continuous threat monitoring and application security testing.

**Key Organizational Benefits with Onapsis Assess Baseline:**

Reduce Implementation Overhead with an Accelerated Deployment: Whether in their own cloud, on-premises, or through Onapsis’ SaaS platform, Assess Baseline offers quick deployment and implementation with zero footprint scanning.

Accelerate Time-to-Value for SAP Vulnerability Management: Onapsis SaaS users can scan with Assess Baseline against the SAP-recommended security baseline requirements for an organization’s SAP systems within hours. The scans deliver powerful context around critical vulnerabilities, instructions on how to mitigate, and confidence that patches were applied, saving valuable resource time.

Technology that Scales and Grows When You’re Ready: Deploy where you want. Scan across the entire SAP landscape. Start small and target the most critical systems first, get them aligned to a baseline, and then expand the security scope across the organization on your terms.

“Securing business-critical applications has always been challenging, but there’s a larger bullseye on the backs of organizations today - more than ever before - as sophisticated threat actors increasingly target Enterprise Resource Planning (ERP) systems,” said Mariano Nunez, CEO of Onapsis. “We have successfully helped the world’s largest and most sophisticated organizations integrate their business applications into their cybersecurity and compliance programs. Now, Assess Baseline makes it easy for customers who are getting started with their SAP application security programs to quickly and effectively jumpstart protecting the applications that power their businesses.”

The Onapsis Platform secures the critical SAP applications that keep the global economy running. The platform is purpose-built to deliver impactful vulnerability management, advanced threat detection, custom code inspection, and automated compliance that enables global organizations to accelerate their business and digital transformation initiatives. The Onapsis Platform is deeply informed by the latest threat intelligence and security guidance from the Onapsis Research Labs. This market-leading team has discovered more than 800 zero-day vulnerabilities and is responsible for multiple critical global CERT alerts.

“Today’s threat landscape requires a holistic approach to securing business-critical SAP applications such as ERP software,” said Steve Biskie, national ERP risk and automation services leader with RSM US LLP.

“It is exciting to see Onapsis continuing to innovate its solutions to assist companies on their security maturity journey. The new Baseline license can help pave the way for more organizations to have an entry point into vulnerability management for SAP applications that could help keep their critical data and applications safe and compliant.”

Attending the SAP Sapphire conference? Visit the Onapsis booth to learn more: #PA219

To schedule a time to speak with an Onapsis expert while at Sapphire, please visit: https://onapsis.com/sapphire-22

**About Onapsis**

Onapsis protects the business-critical applications that run the global economy, from the core to the cloud. The company’s cybersecurity and compliance solution offering, The Onapsis Platform, uniquely delivers vulnerability management, threat detection and response, change assurance, and continuous compliance for business-critical applications from leading vendors such as SAP, Oracle, Salesforce, and other SaaS platforms.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany and Buenos Aires, Argentina, and proudly serves more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies, and 3 of the top 10 oil and gas companies.

The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM, PwC, and KPMG — making Onapsis solutions the standard in helping organizations protect their cloud, hybrid, and on-premises business-critical information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us at https://onapsis.com/.

Onapsis Announces New Offering to Jumpstart Security for SAP Customers

How can you safeguard your organization amid global conflict and uncertainty?

Cybersecurity has always been a moving target. Most recently, a two-year global pandemic and the war in Eastern Europe have heightened the risk of cyberattacks, prompting President Joe Biden to urge US companies to "harden \[their\] cyber defenses immediately."

Consider the current cybersecurity landscape. In 2021, US businesses weathered a 17% increase in data breaches from 2020. Also in 2021, organizations experienced the highest average cost of a data breach in 17 years at $4.24 million, up almost 10% from the previous year. Common attack vectors include compromised credentials, phishing, and cloud misconfiguration. Now, modern warfare has been redefined to include cyber warfare.

As CISO, your job is to ensure there are controls and processes in place to help mitigate risk to the organization, and the current global instability has upped the risk ante for all organizations. You have already been working to identify and prioritize risks from fraudulent SMS, phishing emails, ransomware attempts, breaches, distributed denial-of-service (DDoS) attacks, fake landing pages, and more. But how can your organization double down on cybersecurity to stay one step ahead of the curve?

Based on this current global landscape, it is time for CISOs to rethink their strategies.

**1\.** **Realize that the security playbook has changed — at least for now.  
**The landscape has changed, and the playbook must change, as well. Previously, we've seen cybercriminals focus on ransomware or phishing attempts — attacks focused on monetary incentives. If we think about potential nation-state activity, we will see fewer financially motivated attacks and more attempts to disrupt or shut down specific services or networks, including DDoS attacks.

Rather than infiltration and breaches, we will see more backbone-level attack attempts (think ISP and uptime) that affect availability and continuity. This could also extend to major cloud providers and Internet resources. Bad actors may focus on resources that allow people to continuously share and exchange free-flowing information — including services tied to the economy. Their aim is to affect, disrupt, and destabilize continuity, preventing major organizations from delivering value. There is also the potential for more "strategic viability" cyberattacks against critical infrastructure systems, such as those driving power generation or electricity production.

In the past, we saw more concealed interaction. In other words, prior attempts were cloaked; one host country could launch an attack from another unwitting host. Now, the cloak is gone, and there is less effort to conceal attacks.

**2**. **Make visibility a priority.  
**Organizations need the appropriate controls and mechanisms in place to "see" where specific traffic and requests come from so they can start making the difficult decisions about where they will allow traffic to come from.

This is not just about enabling safe access, but also creating the ability to control the flow of traffic and requests to your company and assets. You need to drill down into activity across your platforms and assess everything from a geolocation perspective. Have you deployed technology that allows you to actively contextualize traffic patterns based on what's happening globally? If several major service providers experience an outage, can this be attributed to global interference at a nation-state level? If, when, and how will this affect your organization? Can you detect if a nation-state threat actor targets your organization, and, if so, can you trace the exact location and source? Also, keep in mind that criminal hacking groups can work closely with nation-states, which makes a proxy attack possible.

**3**. **Keep your security controls under control.  
**As CISO, you should maintain an updated risk register. This risk register should identify threats, outline the probability they will affect your organization, and present the overall potential impact. This framework, which should be broken down into sections that align with various business units and stakeholders (such as infrastructure, internal systems, and Web applications) should help you prioritize identified risks.

You should also be up to date on cybersecurity compliance regulations, standards, frameworks, and certifications (such as GDPR, ISO 27001, PCI-DSS, and FIPS, SOC) that ensure the security, processing integrity, and privacy of sensitive data. Security controls, specifically, encompass data encryption, network firewalls, password policies, network access control, and more.

Keep in mind that new standards may be imposed by your host/home government amid ongoing conflict. This could affect, for example, who you allow to access your platforms. The security and IT teams will be tasked with using existing controls or leveraging them in an alternative capacity to meet new government mandates — mandates that may apply internally to a company or companies that operate with them. You may be called upon to prevent traffic from geo-specific locations to better safeguard customer data or to fulfill an applicable restriction from a governing body. Also, your organization's customers may ask if you have can block or deny access to your platform based on a certain region.

**Conclusion  
**When it comes to cybersecurity, no one person can control all the variables — especially variables at a global level. In addition to your usual risk mitigation efforts, you should be prepared to adopt new policies and processes — depending on the "temperature" of global events. If cybersecurity is a moving target, it's moving even faster now. Organizations that reinforce their defenses (and prepare for additional safeguards) will have the best playbook for pre-empting and preventing new types of fraud, breaches, and hacks.

Mastering the New CISO Playbook

The end-to-end cybersecurity 5G testing lab will help identify and prevent cyberattacks on 5G networks.

Nokia has opened the Advanced Security Testing and Research (ASTaR) lab, an end-to-end 5G testing lab focused on cybersecurity.

ASTaR will use and develop “cutting-edge tools and techniques” to assess the security resilience of 5G networks, as well as their associated software, hardware, and applications, the phone maker says. The testing lab will also take advantage of the in-house security research capabilities available via Nokia Bell Labs to identify emerging threat vectors.

As the rollout of 5G networks kick into high gear, security is an ever-constant concern. The sheer number of endpoints and extensive use of open source software in 5G-capable devices and applications will open up more avenues of attack. The goal for this testing lab is to go beyond looking at individual network elements and focus on the “larger context of network use and abuse scenarios,” the company says.

These assessments will help Nokia work with other security experts to identify potential vulnerabilities targeting 5G networks. Nokia will also partner with operator, enterprise, and government customer to consider attack scenarios against networks and observe how security measures fare against real security incursions.

The lab, based in Dallas, is capable of testing products from both Nokia and its partners against real-world attack scenarios. Nokia says the ASTaR lab is the first of this kind of cybersecurity testing facility in the US.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nokia Opens Cybersecurity Testing Lab

This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.

Heads up for network administrators with F5’s BIG-IP family of networking devices in their environment: There is a new security update available for the newly disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created working exploits, so administrators need to move quickly and secure their networks before the attackers come knocking.

According to security researcher Kevin Beaumont, attackers are already trying to exploit the flaw and and dropping webshells. The vulnerability is "trivial" to exploit, Horizon3 said on Twitter. Horizon3 is among the several groups that have already developed a working exploit.

The critical flaw (with a score of 9.8 under the Common Vulnerability Scoring System) affects the BIG-IP iControl REST authentication component, F5 said on May 4. If exploited, remote adversaries can bypass authentication and execute commands with elevated privileges. They could target this vulnerability to gain initial access to the network and move laterally to access other devices on the network.

Considering that BIG-IP devices are widely used in enterprise environments and serve the role of a load balancer, application firewall, and full proxy, this flaw potentially opens enterprise networks to a variety of attacks. Adversaries would be able to steal corporate data, install cryptominers, download and install malware and backdoors, or even disrupt normal business operations by launching a ransomware attack.

**Assessment: Is Your Organization Impacted?**  
BIG-IP is used by 48 of the Fortune 50, F5 says, and there are more than 16,000 instances of BIG-IP discoverable by Shodan. However, the vulnerability affects the management interface, so the vulnerable devices are the ones where the management interface is exposed to the Internet. According to Rapid7 lead security researcher Jacob Baines, that puts the number of affected BIG-IP devices closer to 2,500.

Administrators can execute the following one-line bash command from Randori to determine if their instance of BIG-IP is exploitable (replace the ADDRESS with the host IP in order to execute the command):

HOST=ADDRESS; if curl -s https://$HOST/mgmt/tm \\
--insecure \\
-H "Authorization: Basic YWRtaW46" \\
-H "X-F5-Auth-Token: 1" \\
-H "Connection: X-Forwarded-Host, X-F5-Auth-Token" \\
-H "Content-Length: 0" | grep -q "\\"items\\":\\\["; then printf "\\n\[\*\] $HOST is vulnerable\\n"; else printf "\\n\[\*\] $HOST doesn't appear vulnerable\\n"; fi

The command's output would be either a _\[\*\] 192.168.255.2_ (for example) _is vulnerable_ or _\[\*\] 192.168.255.2 doesn't appear vulnerable_ message.

**Apply the Security Update**  
F5 has released security updates for BIG-IP for the following firmware versions:

*   BIG-IP versions 16.1.0 to 16.1.2
*   BIG-IP versions 15.1.0 to 15.1.5
*   BIG-IP versions 14.1.0 to 14.1.4
*   BIG-IP versions 13.1.0 to 13.1.4

There is no security update being released for firmware versions 11.x and 12.x (11.6.1 to 11.6.5 and 12.1.0 to 12.1.6) as they are no longer supported. Administrators should upgrade to a newer version as soon as possible.

**Apply Mitigations Where Needed**  
F5 released three mitigations for those cases where the BIG-IP devices cannot be updated right away. The mitigations are intended to be a temporary measure — administrators should apply the update, or in the case of an unsupported firmware version, to upgrade to the newer version, as soon as possible.

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface
*   Modify the BIG-IP httpd configuration

How to Check if Your F5 BIG-IP Device Is Vulnerable

Some mobile apps are being weaponized with Trojans that secretly sign Android users up for paid subscription services.

Several Android mobile Trojans are circulating in the wild that surreptitiously sign users up for paid services and take a cut for the scammers from the money that is billed. Many of these are getting around Google Play's official app store security measures.

Researchers from Kaspersky who have been tracking these most recent so-called "fleeceware" threats for the past several months say the malware is often capable of bypassing bot detection mechanisms on sites for paid services, and can even subscribe unsuspecting mobile device users to the scammers' own non-existent services.

The malware is often hidden within otherwise benign mobile applications such as healthcare apps, photo editors, and popular games on Google's Play mobile app store and other stores. The weaponized apps keep resurfacing almost as quickly as they are detected and removed, Kaspersky said.

Many of the applications ask for permission to access the user's notifications and messages. If those permissions are granted, the malware then intercepts and hijacks messages containing confirmation codes for their subscription, therefore leaving the users unaware they had just been subscribed to a paid service.

In a report, Kaspersky highlights four of the most widely spread Trojans in this category that it has observed in recent months — Jocker, MobOk, GriftHorse.l, and Vesub. The vendor estimates a startling 70% of Android device users had encountered subscription Trojans such as these at some point.

**Four of the Worst**  
Kaspersky identifies MobOk as the most active of the four threats. The malware was first spotted within an infected app on Google Play, but more recently it has been seen getting distributed as a payload of Triada — another mobile Trojan often hidden within preinstalled system apps on some smartphones. Kaspersky says it has observed the malware on the APK Pure Android mobile app store, hidden inside what the vendor described as a widely used modification of WhatsApp Messenger.

Once installed on a system, MobOk works by opening a subscription page to a paid service in an invisible window. If the malware has been granted access to the user's notification service, it intercepts any confirmation code that the paid service might send to the device and uses that to confirm the subscription. One feature that sets MobOk apart from the other mobile Trojans is its ability to solve CAPTCHAs on subscription sites, Kaspersky says. A plurality of the MobOk infections that the vendor observed were in Russia, followed by India and Indonesia.

Jocker, meanwhile, is malware that Kaspersky recently found hidden within messaging apps, blood pressure monitoring software, document scanning apps, and other products on Google Play. Jocker is a long-known mobile threat that continuously changes up its tactics to continue to infiltrate the official app store.

In many cases scammers download legitimate versions of these apps from Google's app store, then insert Jocker code into it and re-upload them to the store under a different name, Kaspersky says. The malware was coded to remain dormant during Google's app vetting process but to become active when the application goes live. Like MobOk, Jocker too is designed to intercept text messages or notifications containing confirmation codes and using them to sign users up for paid subscription services without their knowledge.

The current version of the malware uses a staged download process — involving four files — to install the final component of the malware on end-user systems. It adopted the technique to try to avoid malware-detection mechanisms, Kaspersky notes. Researchers from the company observed the malware being used most frequently against Android users in Saudi Arabia, Poland, and Germany.

Vesub, meanwhile, is mobile malware that Android users can encounter on unofficial app stores. The malware is hidden within spoofed versions of popular game apps that actually contain no legitimate functionality. When installed, the malware straightaway attempts to start subscribing users to paid services, while all that a user sees is a window suggesting that the app is still loading. Like most subscription Trojans, Vesub works only if it has been granted permission to access text messages or notifications. Kaspersky found the malware to be predominant in Egypt, Thailand, and Malaysia.

And finally, GriftHorse.l is different from the other malware in that it subscribes users to the malware author's own paid services, such as apps that promise to take users on a weight-loss plan for a fee. Users who sign up for these plans often do so without realizing that they are signing up for a service with periodic payments and automatic billing, Kaspersky says.

Richard Melick, director of threat reporting at Zimperium, says malware such as these should not be considered a consumer-only threat. "Organizations of all sizes must start realizing that there is no such thing as a consumer-only threat in the world of BYOD," he said, in emailed comments. "Each time Jocker and other long-standing malware go through an update, they continue to put critical data, services, and attack surfaces at risk."

Security teams need to ensure they have the same kind of security architecture for mobile endpoints as they have for traditional devices.

Both Google and Apple have implemented numerous measures over the years to prevent scammers from uploading malware to their respective mobile app stores. While the measures have helped limit malicious apps to a certain extent, security vendors have continued to find malware on these stores on a regular basis. Just last month, for instance, Google scrambled to remove at least six applications masquerading as legitimate antivirus tools that were in reality being used to drop a banking Trojan called SharkBot. Check Point estimated the malware tools were downloaded more than 15,000 times before Google removed them from Google Play.

Source

DARKReading