Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Source newsletter (May 19, 2022) — Why I'm missing the days of iPods and LimeWire

By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

TALOS
#vulnerability#mac#windows#apple#linux#cisco#git#backdoor

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I always tell myself I’m going to back up somewhere and never do. The iPod doesn’t have any charge at the moment, and I still need to hop on eBay to buy one of those flat chargers for it to even start the backup process. So no, I’m sure I’ll never get around to backing it up and recycling the device.

But that doesn’t make it any less painful to hear that Apple is going to stop making iPods altogether. I’m a longtime iPod user and have owned everything from the original “stick of gum” iPod shuffle, to the tiny, square iPod nano that clipped to my backpack and made me think I was really cool, along with pretty much every other iteration of the nano.

The news of the iPod’s end got me thinking about how far the threat landscape has come. We all have a supped-up iPod in our pockets now that connects to the internet at a moment’s notice and is one risky click away from someone stealing your banking app password. It used to be that when I wanted new music, I would have to plug the iPod into my parents’ Mac at home and connect to the internet, and then pray that whatever perilous download I was grabbing from uTorrent or LimeWire wasn’t going to download a virus. Most of the time, I thankfully landed on a somewhat legitimate version of a Slayer album.

Nowadays, attackers have even come up with ways to install malware on your iPhone even when it’s powered down — that was never an issue in the heyday of the iPod!

Though in my walk down memory lane, I did learn that some classic iPods shipped in 2006 contained Windows malware known as “RavMonE.exe,” an early example of why everyone should have at least a base anti-virus enabled.

I’ll miss the days of the iPod, when I didn’t have to worry about malware following me in my backpack or briefcase. But I don’t miss having to illegitimately listen to Slayer, I’ll gladly pay the $10 a month for Spotify to avoid having to hope a file from “xX_metalhead420Xx_” doesn’t have malware in it.

**The one big thing **

A critical vulnerability in F5’s BIG-IP software continues to dominate security headlines and haunt defenders. Though we released coverage for this vulnerability last week, attackers are still exploiting it in the wild. Security researchers at the SANS Institute recently discovered adversaries exploiting the vulnerability to try and completely wipe some Linux systems. The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2022-1388 to its list of known vulnerabilities and gave federal agencies until May 30 to patch for the issue.

**Why do I care? **

The continuous warnings around this vulnerability show how truly widespread and potentially dangerous it is. Due to the nature of this vulnerability, and adversary could exploit it and obtain root privileges in the Linux operating systems powering BIG-IP devices. While most attackers seem to be using it to gain an initial foothold on a system, this also opens the door to an attacker running specific commands to delete files on the system, including ones that are required for the operating system to function correctly.

**So now what? **Cisco Secure products have several ways of detecting exploitation of this vulnerability and defending against it. F5 also has a patch available for the vulnerability, which should be implemented immediately. If users are not able to patch for some reason, Talos, CISA and F5 all recommend blocking iControl REST access through the self IP address and management interface.

Other news of note

The quantum computing race is on. This week, U.S. officials said they believe America will be the first country to harness the power of quantum computing, outpacing rivals like China. It’s widely believed that quantum computers will break current encryption technologies. This means the U.S. also has to develop new encryption standards, which has interested privacy experts. Though the National Security Agency has had backdoors into encryption methods in the past, the agency says that will not be the case for whatever standard the U.S. develops to combat quantum computing. (CyberScoop, Bloomberg)

U.S. officials released a warning this week that North Koreans are posing as remote workers and hiding their true identities to apply for jobs with cryptocurrency-related companies. These individuals eventually aim to get onto corporate networks and steal currency for the North Korean government. While many of the adversaries are based in North Korea, others are operating out of China, Russia, Africa and South East Asia. North Korean state-sponsored actors have been finding different ways to steal virtual currency for years, mainly in the name of funding the country’s weapons program. (BBC, U.S. Department of Treasury)

Western governments and security experts continue to sound warnings about potential cyber attacks from Russian state-sponsored groups. Although there have not been any major public attacks as expected when Russia invaded Ukraine, there has been a sustained effort to improve Russia’s standing in the war. Finland and Sweden’s application to join the NATO military alliance also raised the possibility that Russia could respond with a cyber attack. Albeit more low-stakes, Russian actors also tried to disrupt the semifinals and finals of the Eurovision Song Contest in Italy last week, a contest that Ukraine eventually won. (Reuters, The Hill, BBC)

**Can’t get enough Talos? **

  • Talos Takes Ep. #96: Takeaways from victim chats with two ransomware groups
  • Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver
  • Ransomware: How executives should prepare given the current threat landscape
  • Threat Roundup for May 6 - 13

**Upcoming events where you can find Talos ****NorthSec 2022 (May 19 – 20, 2022)
Montreal, Canada ****REcon (June 3 – 5, 2022)
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week **

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 MD5: 93fefc3e88ffb78abb36365fa5cf857c Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426
MD5: a841c3d335907ba5ec4c2e070be1df53 Typical Filename: chip 1-click installer.exe
Claimed Product: chip 1-click installer
Detection Name: Win.Trojan.Generic::ptp.cam

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 MD5: 7bdbd180c081fa63ca94f9c22c457376 Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A Detection Name: Trojan.GenericKD.33515991

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa MD5: df11b3105df8d7c70e7b501e210e3cc3 Typical Filename: DOC001.exe Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c MD5: a087b2e6ec57b08c0d0750c60f96a74c Typical Filename: AAct.exe
Claimed Product: N/A Detection Name: PUA.Win.Tool.Kmsauto::1201

Related news

U.S. Agencies Warn of Iranian Hacking Group's Ongoing Ransomware Attacks

U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Vulnerability Management news and publications #2

Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What’s in this episode: Microsoft released a propaganda […]

Economic Downturn Raises Risk of Insiders Going Rogue

Insiders could become more vulnerable to cybercrime recruitment efforts, new report says.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

CISA: Unpatched F5 BIG-IP Devices Under Active Attack

Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.

F5 BIG-IP iControl Remote Code Execution

This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.

F5 BIG-IP vulnerability is now being used to disable servers

At least one group of threat actors is using the recently patched vulnerability in F5 BIG-IP to wipe the file system of vulnerable devices. The post F5 BIG-IP vulnerability is now being used to disable servers appeared first on Malwarebytes Labs.

CISA Urges Organizations to Patch Actively Exploited F5 BIG-IP Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild. The flaw, assigned the identifier CVE-2022-1388 (CVSS score: 9.8), concerns a critical bug in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to

Threat Advisory: Critical F5 BIG-IP Vulnerability

Summary A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity. This vulnerability, tracked as... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Hackers Actively Exploit F5 BIG-IP Bug

The bug has a severe rating of 9.8, public exploits are released.

How to Check if Your F5 BIG-IP Device Is Vulnerable

This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.

F5 BIG-IP Remote Code Execution

F5 BIG-IP remote code execution proof of concept exploit that leverages the vulnerability identified in CVE-2022-1388.

Update now! F5 BIG-IP vulnerability being actively exploited

Only a few days after the release of the patch for a vulnerability in F5 BIG-IP, exploits were developed and are now being deployed. The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

CVE-2022-1388

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-1388

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

TALOS: Latest News

Malicious QR Codes: How big of a problem is it, really?