Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware.

The botnet variant is being called Sysrv-K by Microsoft Security Intelligence researchers that posted a thread on Twitter revealing details of the botnet variant.

Researchers said criminals behind Sysrv-K have programmed their bot army to scan for instances of the flaws in WordPress plugins as well as a recent remote code execution (RCE) flaw in the Spring Cloud Gateway (CVE-2022-22947).  
  
“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947. Once running on a device, Sysrv-K deploys a cryptocurrency miner,” said Microsoft Security Intelligence in a tweet.

> We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.
> 
> — Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022

The Spring Cloud is an open-source library that eases the process of developing the JVM application for the cloud and the Spring Cloud Gateway provides a library for building API Gateways for Spring and Java.

The CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library and an attacker can perform remote code execution (RCE) on unpatched hosts. The flaw affected the VMware and Oracle products and it has been marked as critical by both the vendors.

****Working of Sysrv-K****

The Microsoft security intelligence team warned that Sysrv-K can gain control of the web servers by scanning the internet for various vulnerabilities to install itself. The vulnerabilities range from RCE to an arbitrary file download and path traversal to remote file disclosure.

The security researcher at Lacework Labs and Juniper Threat Labs observed two main components of malware that is to spread itself across networks by scanning the internet for vulnerable systems and installing the XMRig cryptocurrency miner (used for mining Monero) following a surge of activity in March 2021.

The new feature of Sysrv-K is that it scans for WordPress config files and their backups to steal credentials and gain access to the webserver. Apart from this “Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot” Microsoft added.

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet” the Microsoft security intelligence team reported.

Microsoft advised the organizations to secure internet-facing Linux or Windows systems, timely apply security updates, and protect credentials. “Microsoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behavior and payloads,” they added.

The critical RCE, Worms, and 6 Zero-days including (CVE-2022-22947) were faced by Microsoft in January 2022.

Sysrv-K Botnet Targets Windows, Linux

Maintainers of open source software (OSS) will gain additional security tools for their own projects, while the developers who use OSS — and about 97% of software does — will gain more data on security.

The maintainers of thousands of critical open source projects and the developers who build on the foundation of that code will both benefit from 10 security initiatives launched late last week by the Linux Foundation, the Open Source Security Foundation (OpenSSF), and 37 technology companies, the groups said — including tech bigwigs Amazon, Google, and Microsoft.

During a second summit of software industry professionals and government officials, the organizations committed to supporting a 10-step plan to shore up open source maintainers, provide tools to improve software security, and secure the software supply chain. 

The Open Source Software Security Mobilization Plan groups the 10 steps into three broad initiatives: securing open source software production, improving the discovery and remediation of vulnerabilities, and speeding the ecosystem's time to patch.

To show their commitment, a group of companies has pledged $30 million of the estimated $150 million needed to fund all 10 initiatives for the first two years, Brian Behlendorf, general manager of the OpenSSF, said during a press conference on Thursday. This initial $30 million comes from Amazon, Ericsson, Google, Intel, Microsoft, and VMWare.

"We realize that \[$150 million\] is a meaningful amount," he said. "It is an amount more than any one open source developer has, or even most open source projects. But when compared to the cost of remediating a major vulnerability out there, like we have seen in the last few years, it is a drop in the bucket — a very small ounce of prevention to spend for many, many pounds of cure."

The 10-step plan calls for educating and certifying developers in secure programming, creating and maintaining security metrics for the top 10,000 OSS components, promote digital signing of software releases, and replacing non-memory-safe languages, such as C and C++, with more modern alternatives, such as Go and Rust. The plan also calls for improving the discovery of vulnerabilities and their remediation by funding a team of experts to assist open source projects during incidents, provide advanced security tools, fund third-party reviews, and coordinate sharing of data to determine the most critical components.

The intent is to improve security without increasing workload, the open source foundations stated in the report.

"\[A\]ll forms of investment and intervention should be focused on delivering new value to OSS maintainers — from making it easier to adopt practices that enhance the security and integrity of their work, to funding activities like third party code reviews that most projects struggle to afford to perform on their own," the report stated. "Any investments or policies that place additional burdens on developers, increase their personal or professional liability for working on code, or issue unfunded mandates upon them, would struggle for adoption and potentially inhibit further advancements in open source software."  

**Developers & Maintainers to See More Tools  
**The main focus of the $150 million effort will be to produce tools, training. and services for developers and maintainers to create more secure software. Already, some tools have been released as part of the efforts of the OpenSSF and other supporters, such as Google. 

Google, for example, released a tool known as AllStars that automatically vets GitHub projects to flag any anomalies, which could indicate a security issue in the maintenance of the project. The company has also released a system, Scorecard, for rating projects in 18 different areas to give them a security rating. Google and the Linux Foundation, meanwhile, released a tool, sigstore, to help verify the integrity of software supply chains.

Such efforts are extremely important to reduce the impact of security efforts on developers' work, Stephen Chin, vice president of developer relations at software supply chain security firm JFrog, said in a statement.

"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises," he said. "Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen."

Even more important than the tools are that the efforts create standards that allow interoperability between tool sets, Dan Lorenc — CEO and co-founder at Chainguard and a co-creator of sigstore — said in a statement.

"Interoperability is the linchpin in securing software throughout the supply chain," he said, adding: "These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project, nor do they have dedicated staff to understand and integrate all of these tools."

**Gaining Momentum for Open Source Security Support  
**OpenSSF has already made a number of announcements of initiatives that will likely become components of the industry's approach to supporting the creation and maintenance of a more secure software supply chain. Earlier this year, for example, the group announced the Alpha-Omega Project, which aims to secure the most critical software by providing tools and support to maintainers. In March, the OpenSSF and the Laboratory for Innovation Science at Harvard announced four lists of 500 open source projects deemed most critical in two major ecosystems, the JavaScript-based Node Package Manager (NPM) and non-NPM frameworks.

In October, the OpenSSF announced that 16 premier members — including Amazon, Cisco, Facebook, Fidelity, Google, Microsoft, and Red Hat — along with 15 general members had  committed $10 million to expand and support the organization.

The broad base of support shows that open source security is a problem that affects every business using software, Brian Fox, CTO at Sonatype, said in a statement.

"It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today," he said. "It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone."

Open Source Security Gets $150M Boost From Industry Heavy Hitters

The White House and tech industry pledge $150 million over two years to boost open source resiliency and supply chain security.

Marking the one-year anniversary of President Biden's Executive Order on Improving the Nation's Cybersecurity, the Linux Foundation and the Open Source Software Security Foundation joined with 90 private-sector executives and government leadership to create a 10-point plan to improve the security of open source software. 

The plan has three primary goals — secure open source software production, improve vulnerability discovery and remediation, and shorten ecosystem patching response time — according to the announcement. 

The Open Source Software Security Mobilization Plan proposes 10 specific streams of investment in open source security including: education, risk assessment, digital signatures, memory safety, incident response, better scanning, code audits, data sharing, SBOMs, and improved software supply chain. The plan outlines the need for about $150 million in additional funding over the next two years. Amazon, Google, Ericsson, Intel, Microsoft, and VMware have pledged an initial investment of $30 million between them.

"What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it," Brian Behlendorf, executive director, Open Source Security Foundation (OpenSSF), said in a statement announcing the group's new initiative. **"**The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux, OpenSSF Champion Plan to Improve Open Source Security

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

All Vulnerability Reports

**CVE-2022-22971: Spring Framework DoS with STOMP over WebSocket**  
**Severity**

Medium

**Vendor**

Spring by VMware

**Description**

A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

**Affected VMware Products and Versions**

Severity is medium unless otherwise noted.

*   Spring Framework
    *   5.3.0 to 5.3.19
    *   5.2.0 to 5.2.21
    *   Older, unsupported versions are also affected

**Mitigation**

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.20; 5.2.x users should upgrade to 5.2.22. No other steps are necessary. Releases that have fixed this issue include:

*   Spring Framework
    *   5.3.20
    *   5.2.22

**Credit**

This vulnerability was responsibly reported to VMware by David Delbecq and Rémy Vermeiren from HMS Industrial Networks, Business Unit Ewon, R&D Department - Software.

**References**

*   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**History**

2022-05-11: Initial vulnerability report published.

CVE-2022-22971: CVE-2022-22971 | Security

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

All Vulnerability Reports

**CVE-2022-22970: Spring Framework DoS via Data Binding to MultipartFile or Servlet Part**  
**Severity**

Medium

**Vendor**

Spring by VMware

**Description**

A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

**Affected VMware Products and Versions**

Severity is medium unless otherwise noted.

*   Spring Framework
    *   5.3.0 to 5.3.19
    *   5.2.0 to 5.2.21
    *   Older, unsupported versions are also affected

**Mitigation**

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.20; 5.2.x users should upgrade to 5.2.22. No other steps are necessary. Releases that have fixed this issue include:

*   Spring Framework
    *   5.3.20
    *   5.2.22

**Credit**

This vulnerability was responsibly reported to VMware by Rob Ryan from Adobe Inc. Related variations were also reported by WeBin Lab of Dbappsecurity and by Vivek Sharm from Arcesium.

**References**

*   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

**History**

2022-05-11: Initial vulnerability report published.

CVE-2022-22970: CVE-2022-22970 | Security

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.
Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35,

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.

Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

"Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.

The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.

Initial access routes are facilitated by scanning internet-facing servers vulnerable to highly publicized flaws in Fortinet appliances and Microsoft Exchange Servers to drop web shells and using them as a conduit to move laterally and activate the ransomware.

However, the exact means by which the full volume encryption feature is triggered remains unknown, Secureworks said, detailing a January 2022 attack against an unnamed U.S. philanthropic organization.

Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target's VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.

"The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," the researchers concluded.

"While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

The stealthy, feature-rich malware has multistage evasion tactics to fly under the radar of security analysis, researchers at Proofpoint have found.

The stealthy, feature-rich malware has multistage evasion tactics to fly under the radar of security analysis, researchers at Proofpoint have found.

A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.

Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

The name appointed by Proofpoint researchers is based on a named function in the malware code and appears to be derived from “Nerbia,” a fictional place from the novel _Don Quixote_, researchers said.

Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26 in messages sent to multiple industries, mainly impacting organizations in Italy, Spain and the United Kingdom, they said.

“The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19,” researchers wrote, noting that the messages are a throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.

Sample emails shared in the post are sent from email addresses attempting to appear as if they coming from the WHO, such as who.inter.svc@gmail\[.\]com and announce@who-international\[.\]com, and use as their subject line WHO or World Health Organization.

The messages include safety measures related to COVID-19 as well as attachments that also include “covid19” in their names but are actually Word documents containing malicious macros.

When macros are enabled, the document reveals information relating to COVID-19 safety, specifically about self-isolation and caring for individuals with COVID-19. Macros-enablement also spurs the document to execute an embedded macro that drops a file that performs a PowerShell process to drop the Nerbian RAT dropper in a 64-bit executable file called UpdateUAV.exe written in Go, researchers wrote.

Go is becoming “an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use,” they noted.

****Complexity and Evasion****

The Nerbian RAT “leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries,” researchers wrote.

Indeed, the malware shows sophistication, working in three distinct phases. It starts with the aforementioned malicious document spread via phishing and then moves on, as described, to the UpdateUAV.exe dropper. The dropper performs various environment scans, such as anti-reversing and anti-VM checks, before executing the Nerbian RAT.

Eventually, the RAT itself is executed via an encrypted configuration file, with “extreme care” taken to ensure data to command-and-control (C&C) is encrypted by sending it over Secure Sockets Layer (SSL), which evades inspection by network-scanning tools, researchers observed.

In addition to communication with C&C, other typical RAT things that the malware can do include keylogging and screen capture, but with its own particular flair, they said. The RAT’s keylogger stores keystrokes in encrypted form, while its screen-capturing tool works across all OS platforms.

****Extreme Vetting****

Perhaps the most complex evasion functionality in the three-stage process is what happens before the dropper executes the Nerbian RAT. The dropper performs an extensive vetting of the compromised host and will stop execution if it encounters any of a number of conditions, researchers aid.

These conditions include: the size of the hard disk on the system is less than a certain size, i.e., 100GB; the name of the hard disk, according to WMI , contains “virtual,” “vbox” or “vmware;” the MAC address queried returns certain OUI values; or if any of a number of reverse engineering/debugging programs are encountered in the process list, researchers said.

The dropper also halts execution if the DumpIt.exe, RAMMap.exe, RAMMap64.exe or vmmap.exe memory analysis/memory tampering programs are present in the process list; and if  the amount of time elapsed execution specific functions is deemed “excessive”—which would suggest debugging–by a time measurement function present in the dropper.

However, despite all this complexity to ensure the RAT isn’t detected on its way to a victim’s machine, “the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX–which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” researchers noted.

Researchers also found it easy to infer most of the functionality of both the RAT and the dropper due to the strings in the code referring to GitHub repositories that expose partial functionality of both the dropper and the RAT, they said.

Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks

Lincoln College is the first US college or university ransomware affected so badly that it could not cope and had to close shop.
The post College closes down after ransomware attack appeared first on Malwarebytes Labs.

Lincoln College, one of the few rural schools in Illinois, said that it will permanently close on Friday, May 13, after 157 years, partly due to the impacts of the COVID-19 pandemic and partly due to a long recovery after a ransomware attack in December 2021. The institution notified the Illinois Department of Higher Education and Higher Learning Commission and posted a goodbye note on its website.

> “Lincoln College has survived many difficult and challenging times – the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more, but this is different. Lincoln College needs help to survive.”

The institution struggled during the ongoing pandemic and a December 2021 ransomware attack only challenged it further. Lincoln said the attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections”.

> ” All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.”

The closing of a US college or university marks another first in ransomware attack history. Director of Research and Education Networks Information Sharing and Analysis Center (ISCA) Kim Milford told NBC News, which first broke the story, that a school closing only underscores the toll a ransomware attack can take on its victim. “I feel really bad for Lincoln College and wish there was some way we could help, but it can be a very expensive proposition when you’re hit by ransomware,” she said.

**How to avoid ransomware attacks**

1.  **Require the use of multi-factor authentication (MFA)**. It might feel like a bother, but MFA is relatively easy to set up, and it doesn’t disrupt normal day-to-day activities.
2.  **Install security software on all systems.** Use one that offers multiple layers of protection against online threats, especially ransomware.
3.  **Patch as soon as you can.** Universities rely on various software for various tasks. Keeping it all up-to-date means cybercriminals can’t exploit existing and known flaws.
4.  **Promote awareness for all faculty members and staff.** Educating university employees to help them understand their part in protecting the university from cyberattacks is essential. Remember that this is every faculty, school staff, and students’ responsibility, not just the people in IT.
5.  **Back up your files.** When it comes to ransomware attacks, this is one of the pieces of advice we give out. But as we found out, you have to know how to back things up properly. This episode of our Lock and Code podcast is worth a listen, where Matt Crape, technical account manager of VMWare, to learn more about why backups fail us when we need them the most.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

If you want to read more about how to protect yourself from a ransomware attack, or how to recover if you are in the midst of one, download our Ransomware Emergency Kit.

Tag

#vmware