By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Mustang Panda deploys a new wave of malware targeting Europe

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products.
Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity.
Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of

Cloud security and application delivery network (ADN) provider F5 on Wednesday released patches to contain 43 bugs spanning its products.

Of the 43 issues addressed, one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated low in severity.

Chief among the flaws is CVE-2022-1388, which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of authentication check, potentially allowing an attacker to take control of an affected system.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," F5 said in an advisory. "There is no data plane exposure; this is a control plane issue only."

The security vulnerability, which the company said was discovered internally, affects BIG-IP products with the following versions -

*   16.1.0 - 16.1.2
*   15.1.0 - 15.1.5
*   14.1.0 - 14.1.4
*   13.1.0 - 13.1.4
*   12.1.0 - 12.1.6
*   11.6.1 - 11.6.5

Patches for the iControl REST authentication bypass flaw have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable to CVE-2022-1388.

F5 has also offered temporary workarounds until the fixes can be applied -

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface
*   Modify the BIG-IP httpd configuration

Other notable bugs resolved as part of the update include those that could permit an authenticated attacker to bypass Appliance mode restrictions and execute arbitrary JavaScript code in the context of the currently logged-in user.

With F5 appliances widely deployed in enterprise networks, it's imperative that organizations move quickly to apply the patches to prevent threat actors from exploiting the attack vector for initial access.

The security fixes come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation -

*   **CVE-2021-1789** - Apple Multiple Products Type Confusion Vulnerability
*   **CVE-2019-8506** - Apple Multiple Products Type Confusion Vulnerability
*   **CVE-2014-4113** - Microsoft Win32k Privilege Escalation Vulnerability
*   **CVE-2014-0322** - Microsoft Internet Explorer Use-After-Free Vulnerability
*   **CVE-2014-0160** - OpenSSL Information Disclosure Vulnerability

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability

All active GitHub users who contribute code will be required to enable at least one form of two-factor authentication by the end of 2023.

Security experts have been banging the multifactor authentication (MFA) drum for years, encouraging users to move away from solely relying on the username/password combination to secure their most sensitive accounts. Now GitHub is done with encouraging: By the end of 2023, all users who contribute code to GitHub-hosted repositories must have one or more forms of two-factor authentication (2FA) enabled, the company says.

Zero-day attacks and sophisticated exploits are scary, but social engineering and credential theft pose bigger headaches for enterprise defenders. User credentials grant attackers full access to the application and the associated data, or in case of a code repository like GitHub, visibility into source code as well as the ability to maliciously modify the code.

"This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code," says Mike Hanley, GitHub's CSO. The downstream effects of an attacker seizing control of a popular code repository is staggering, as "it can be downloaded tens of thousands of times, or hundreds of thousands of times," he says.

Attacks against the software supply chain jumped by more than 300% in 2021, Aqua Security said in January.

GitHub’s decision increases the complexity of account takeovers, says Andrew Hay, COO at LARES Consulting. "It has been proven time and time again that multifactor authentication provides an additional layer of protection to a user's account without exponentially complicating the login process," he says.

**Raising the Bar  
**Considering the sheer number of developers and active repositories on GitHub.com, this move has the potential to significantly enhance the security of the software supply chain. The company says the shift to 2FA will impact 83 million developers.

Hanley has said in the past that GitHub’s sheer size puts the company in a strong position to boost the security of the entire software ecosystem. By implementing new security features, GitHub is raising the bar on things developers and project maintainers have to do.

"Strong password management, privileged access security, and MFA will make it difficult for attackers to be successful at gaining an initial foothold," says Joseph Carson, chief security scientist and advisory CISO at Delinea. "This will likely force them to look for an easier target elsewhere."

**Move to Mandatory Enrollment  
**GitHub has offered 2FA in some form since 2013. Recognizing that attackers are increasingly targeting JavaScript packages on the npm registry, GitHub enrolled all the maintainers of the top 100 npm packages with mandatory 2FA back in February. Even so, adoption has lagged. Currently, only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA on their accounts, the company says.

The numbers are dismal but not wholly unexpected. Back in 2018, Google noted that seven years after introducing 2FA for Gmail, less than 10% of active accounts had enabled the feature. More than three-quarters (78%) of organizations with Microsoft Active Directory (AD) currently do not employ MFA for their user accounts, Microsoft said in its quarterly Cyber Signals report earlier this year. Microsoft has said repeatedly that "99.9% of breaches would be prevented if you just implemented MFA."

GitHub has taken other steps to improve security beyond relying on just the username and password. Earlier, GitHub deprecated basic authentication for Git operations and GitHub’s REST API, and now require email-based device verification. Since March, all npm accounts require enhanced login verification. The company launched 2FA for GitHub Mobile on iOS and Android back in January.

GitHub will allow multiple methods, including hardware security keys and mobile push notifications approved directly from the GitHub app.

GitHub already gives enterprise customers the ability to require developers to use 2FA to access enterprise repositories. When enforcement takes effect, there may be some issues if GitHub winds up removing users who do not have 2FA enabled from enterprise repositories, Hay notes. "It may lead to some calls to the support desk if a user finds that they can no longer access the code repositories they once had access to," he says.

**Delayed Enforcement  
**The shift to mandatory 2FA will occur in phases. All maintainers of the top 500 packages will be enrolled in mandatory 2FA on May 31. Maintainers of high-impact npm packages — which GitHub defined as those with more than 500 dependents or one million weekly downloads — will be enrolled in mandatory 2FA in the third quarter of 2022. The long lead time — more than a year out — will help GitHub "make sure we get this right" in terms of ensuring the user experience with the command line and the web interface, Hanley says.

Carson notes that recent advancements have made MFA "far less burdensome" to users. The most common mistake in enterprise deployments is to add MFA to existing authentication schemes rather than strengthening (and potentially replacing) them. MFA should be used to make logging in more efficient, as well as more secure.

"It is important to make authentication easier and the experience positive where possible," Carson says. "Otherwise users will find ways around the security control making them much weaker."

GitHub to Developers: Turn on 2FA or Lose Access

Operation CuckooBees uncovered the state-sponsored group's sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.

China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.

That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.

In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.

The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's "Made in China 2025" modernization initiative.

"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."

Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says

“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”

**Winnti Stung by CuckooBees**  
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.

Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.

The researchers dubbed the investigation "Operation CuckooBees," because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.

"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.

**New Tools, Rare Abuse of Windows CLFS Mechanism**  
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools — or new versions of its old malware — and sophisticated new techniques for payload delivery and evasion.

The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.

One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.

"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn’t look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.

"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.

Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.

**The Evolving Winnti Attack Chain**  
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.

"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.

Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.

"If for some reason, one component is missing or gets detected – the entire thing would fall apart," Dahan says.

The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.

"The ‘house of cards’ approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."

China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack

Microsoft's stand-alone version of Defender for SMBs promises to help SecOps teams automate detection, response, and recovery.

Microsoft has released a stand-alone version of Defender for Business for small-to-midsize businesses (SMBs), which the company says will provide endpoint security on par with that of a large enterprise. 

A Microsoft survey found that 70% of SMBs are worried about the business risk that cybersecurity poses, and while 80% of SMBs said they have antivirus protection, 93%  still have concerns about cybersecurity threats. 

Microsoft said Defender for Business can help automate the protection, detection, and response tasks that can bog down SecOps 

"Automated investigation and remediation are a huge part of the product," Adam Atwell, cloud solutions architect at consulting firm Kite Technology Group, said in a statement. "It's just happening in the background. Defender for Business makes our security so simple."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Releases Defender for SMBs

In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. It sends a large amount of data through ajaxmsg to carry out DOS attack.

CVE-2022-28940: 0day/新华三magicR100存在DOS攻击漏洞分析.md at main · zhefox/0day

In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.

**12 years of experience**

On the eCommerce market

**60,000+ live shops**

From SMB to Enterprise  
10,000+ new stores every year

**150+ partners**

From 40+ countries

**1,500+ integrations**

Plugins, themes, language packs

**250,000+ members**

Community worldwide

**3,000,000+ downloads**

And the number is still growing

**For every size and type of business**

**Small and medium business**

Quickly launch and scale your online store with rich built-in functionality: integration with payment and shipment services; warehouse managing; marketing and SEO tools; and mobile-friendly stores.

**Enterprise business**

Use multi-vendor and multi-store functionality (B2B and B2C). Get the maximum advantage of enterprise-grade performance. Easy integration and limitless customization opportunities.

**Global business**

A flexible system to fit your demands: GDPR; multi-currencies and multi-languages; regional taxes and laws support; management of multiple international stores; integration with local services and suppliers.

**Why nopCommerce**

**Absolutely free**

No transaction fee.  
No monthly fees.  
No hidden fees.

**PCI DSS compliant**

Meet all security requirements for all kinds of businesses

**Unlimited customization**

You’re not limited by our built-in functionality because we’re open-source

**Great Support**

Our team and our community is always here to help you

**Testimonials**

If you are a .NET developer looking for an eCommerce platform you should consider nopCommerce. It is both a great extensible eCommerce platform and supports the latest versions of .NET

Scott Hunter,  
Director of Program Management for the .NET Platform at Microsoft (USA)

nopCommerce is a fantastic open-source, stable, and super extensible eCommerce platform based on cross-platform .NET Core! It's perfect for any size business.

Scott Hanselman,  
Principal Community Architect, Microsoft (USA)

Besides having a rich out-of-the-box functionality, the platform is also flexible in terms of additional customization and gives an opportunity to integrate with different corporate systems, which made it a perfect fit for us.

Boris Kulaev,  
Head of eCommerce Harman RUS CIS

Read case study

With nopCommerce we are able to create the optimal eCommerce system according to our customer’s needs. The modern and sophisticated backend of nopCommerce allows fast and simple configuration of the shop.

José Lopez,  
CEO of JMC Software AG (Switzerland)

Play case study

We like nopCommerce because it’s a platform with a very well-structured architecture that enables its modification greatly since it’s open-source. nopCommerce can be easily adapted to cover the needs of every one of our customers.

Eduardo Adame,  
General Director of Tecnofin (Mexico)

Play case study

As a platform, nopCommerce supports us very well because the architecture is very good. We needed a secure, Microsoft-compatible solution for a customer that was multi-store capable and nopCommerce fitted this description best.

Tobias Derucki,  
Managing Partner at Innovapps (Germany)

View the testimonial

I would recommend nopCommerce because it has an easy-to-use interface and you don’t have to be an IT-master to use it. You can be a marketing professional, create the content, manage the pricing and categories, and do it very easy.

Dana Koman,  
Marketing Manager of TACO Metals (USA)

View the testimonial

**Our clients**

*   
*   
*   
*   
*   
*   
*   
*   

**Integrated with all services**

**Create a successful store with nopCommerce!**

CVE-2022-27461: Free and open-source eCommerce platform. ASP.NET based shopping cart.

An incorrect access control issue in Sandboxie Classic v5.55.13 allows attackers to cause a Denial of Service (DoS) in the Sandbox via a crafted executable.

**What happened?**

The details of this bug have been sent to @DavidXanatos by email on March 21. This issue only serves to track the fixing (that is, if this is confirmed to be a real bug) progress publicly.

In short, I've found a bug in Sandboxie that presumably lets an attacker break out of the sandbox. This has yet to be confirmed by the developers, though.

**To Reproduce**

Described in the email.

**Expected behavior**

Sandboxed programs should not be allowed to escape.

**What is your Windows edition and version?**

Windows 10 Home 20H2 (19042.1466) 64-bit

**In which Windows account you have this problem?**

A local or Microsoft account without special changes.

**Please mention any installed security software**

Built-in realtime protection in Windows 10

**What version of Sandboxie are you running?**

Sandboxie Classic v5.55.13 64-bit

**Is it a regression?**

_No response_

**List of affected browsers**

_No response_

**In which sandbox type you have this problem?**

I only reproduced it with Sandboxie Classic.

**Is the sandboxed program also installed outside the sandbox?**

No, it is not installed in the real system.

**Can you reproduce this problem on an empty sandbox?**

I can confirm it also on an empty sandbox.

**Did you previously enable some security policy settings outside Sandboxie?**

_No response_

**Crash dump**

_No response_

**Trace log**

_No response_

**Sandboxie.ini configuration**

_No response_

**Sandboxie-Plus.ini configuration (for Plus interface issues)**

_No response_

CVE-2022-28067: Sandbox breakout bug (details omitted) · Issue #1714 · sandboxie-plus/Sandboxie

Also adds support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage.

WALTHAM, Mass. , May 4, 2022 /PRNewswire/ -- Uptycs, provider of the first cloud-native security analytics platform enabling cloud and endpoint security from a common solution, announced today new cloud infrastructure entitlement management (CIEM) capabilities that strengthen its cloud security posture management (CSPM) offering. In addition, Uptycs announced CSPM support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage. These new capabilities provide Security and Governance, Risk, and Compliance teams with continuous monitoring of cloud services, identities, and entitlements so they can better reduce their cloud risk.

"Disparate cloud security solutions only deliver pieces of the picture, leaving Security teams unaware of new risks in a fast-changing cloud environment," says Ganesh Pai, CEO and co-founder of Uptycs. "As organizations scale out their cloud footprints—including across multiple public cloud providers—they need new types of security controls, especially in the realm of cloud identity and entitlement. Uptycs provides a unified platform for CSPM and CWPP that gives Security teams a holistic and fully integrated platform for securing their cloud resources, workloads, and infrastructure."

As they add cloud accounts, resources, and infrastructure, the number of user and machine identities grows exponentially. The majority of these identities have more access than they need to do their jobs, posing a serious risk if an attacker is able to steal credentials. According to Gartner, more than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted.1 In addition, Gartner estimates that "by 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020."2

With new cloud identity and entitlement analytics capabilities in Uptycs, Security and Governance teams can solve these challenges:

*   **Monitor least privilege -** Continuously monitoring cloud infrastructure to spot identity misconfiguration and permissions gaps so they can move toward least-privilege access, minimizing the damage that can be caused by privilege escalation.
*   **Measure identity risk and governance posture -** Measuring the overall identity risk posture for cloud accounts based on factors such as root account configuration, credentials rotation, possibility of privilege escalation, and credential exposure.
*   **Harden cloud IAM policies -** Continuously analyzing cloud IAM policies and creating risk profiles so that teams can prioritize their efforts on tuning the most risky policies.
*   **Map identities and relationships -** Visually map relationships across accounts, rank connections based on riskiness, and show the impact a user can have on an asset or critical service.
*   **Detect and investigate identity misuse -** Show top cloud IAM principals and services denied based on specific time windows, enabling users to drill down into trends for a specific user/service and spot any anomalies from the regions based on historical data.

The cloud identity and entitlement analytics capabilities are generally available today for AWS as an add-on for the Uptycs CSPM offering. Uptycs' broader CSPM support for GCP and Azure (inventory, audit, compliance, and threat detection) is generally available.

1 Gartner, "Managing Privileged Access in Cloud Infrastructure," Paul Mezzera, December 7, 2021

2 Gartner, "Innovation Insight for Cloud Infrastructure Entitlement Management, Henrique Teixeira, Michael Kelley, Abhyuday Data, June 15, 2021

**About Uptycs  
**Uptycs provides the first cloud-native security analytics platform that enables endpoint and cloud security from a single platform. The solution provides a unique telemetry-powered approach to address multiple use cases—including Extended Detection & Response (XDR), Cloud Workload Protection (CWPP), and Cloud Security Posture Management (CSPM). Uptycs enables security professionals to quickly prioritize, investigate, and respond to potential threats across a company's entire attack surface. A free trial of Uptycs can be requested at www.uptycs.com/free-trial.

Tag

#microsoft