Summary
A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity.

This vulnerability, tracked as...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

**

****Summary**

A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity.

This vulnerability, tracked as CVE-2022-1388 is an authentication bypass vulnerability in F5's BIG-IP modules affecting the iControl REST component. BIG-IP is F5's line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing in to and out of networks. The vulnerability has a CVSS score of 9.8 out of a possible 10 and is considered critical.

F5 discovered the vulnerability on May 4, 2022 and has subsequently released a security advisory and patches, along with a subsequent advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA).

Cisco Talos is closely monitoring the recent reports of exploitation attempts against CVE-2022-1388 and strongly recommends users issue patches to affected systems as soon as possible.

**Vulnerability details and ongoing exploitation**

The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices. This vulnerability aims to target the iControl REST service with a path under "/mgmt" and relies on the specification of the X-F5-Auth-Token in the HTTP Connection header.

The vulnerability was assigned a CVSSv3 score of 9.8 out of 10. Cisco's Kenna Risk Score for CVE-2022-1388 is rapidly increasing jumping from 33 to 50 out of 100 in a 24-hour period and we expect the score to increase substantially as the vulnerability is exploited.

Over the last several days, proof-of-concept (PoC) exploit code has been circulating on Twitter and GitHub, underscoring the variety of ways the vulnerability can be exploited.

It is worth noting that even though most PoCs in the wild rely on the execution of commands through the "/mgmt/tm/util/bash", the vulnerability affects everything below the "/mgmt" path, which means other exploits may be developed. An adversary could also obfuscate their exploit code to avoid detection.

At the moment, Talos telemetry shows several verticals being scanned with the education sector seeing a slight increase. However, this is a developing situation and there are no indications that this activity is targeted.

Researchers are also noting that CVE-2022-1388 can be leveraged to drop web shells for prolonged backdoor access.

**Guidance and mitigation**

Given the severity of this vulnerability and that exploitation details have already been widely shared publicly, we strongly advise organizations to install available patches immediately and remove access to the management interface over the public internet. If organizations are unable to install updates, apply the mitigations provided by F5, which are listed below:

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface
*   Modify the BIG-IP httpd configuration

Please refer to F5's security advisory for additional guidance and to determine if your product and version are known to be vulnerable. Security firm Randori has also provided a one-line bash script that BIG-IP users can use to check whether CVE-2022-1388 is exploitable on their instances.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower Threat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual, Adaptive Security Appliance can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

For guidance on using Cisco Secure Analytics to respond to this threat, please click here.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos provides the following Snort coverage for CVE-2022-1388:

*   Snort 2 SIDs: **59735**
*   Snort 3 SIDs: **300131**

**IOCs**

Below is a sample of attacker IPs, according to our telemetry:

5\[.\]189\[.\]191\[.\]107  
29\[.\]104\[.\]233\[.\]152  
41\[.\]79\[.\]198\[.\]18  
45\[.\]61\[.\]139\[.\]143  
45\[.\]79\[.\]171\[.\]157  
51\[.\]159\[.\]66\[.\]249  
52\[.\]74\[.\]130\[.\]60  
53\[.\]85\[.\]187\[.\]67  
58\[.\]213\[.\]200\[.\]67  
64\[.\]39\[.\]106\[.\]34  
64\[.\]39\[.\]108\[.\]98  
64\[.\]39\[.\]98\[.\]152  
64\[.\]39\[.\]98\[.\]159  
64\[.\]39\[.\]98\[.\]196  
64\[.\]39\[.\]98\[.\]227  
64\[.\]39\[.\]98\[.\]40  
66\[.\]254\[.\]159\[.\]252  
66\[.\]94\[.\]126\[.\]14  
68\[.\]183\[.\]202\[.\]236  
69\[.\]24\[.\]129\[.\]229  
72\[.\]166\[.\]5\[.\]40  
72\[.\]167\[.\]51\[.\]207  
79\[.\]18\[.\]33\[.\]4  
81\[.\]69\[.\]58\[.\]15  
82\[.\]80\[.\]33\[.\]200  
87\[.\]20\[.\]54\[.\]33  
88\[.\]226\[.\]109\[.\]164  
91\[.\]36\[.\]121\[.\]76  
94\[.\]177\[.\]118\[.\]79  
103\[.\]144\[.\]149\[.\]206  
103\[.\]144\[.\]149\[.\]49  
103\[.\]177\[.\]174\[.\]34  
104\[.\]208\[.\]85\[.\]237  
104\[.\]244\[.\]72\[.\]174  
107\[.\]189\[.\]29\[.\]64  
109\[.\]205\[.\]176\[.\]248  
113\[.\]23\[.\]27\[.\]104  
113\[.\]67\[.\]10\[.\]13  
119\[.\]140\[.\]78\[.\]118  
12\[.\]172\[.\]214\[.\]26  
120\[.\]170\[.\]212\[.\]254  
120\[.\]245\[.\]25\[.\]3  
121\[.\]196\[.\]223\[.\]32  
122\[.\]161\[.\]50\[.\]64  
122\[.\]75\[.\]182\[.\]121  
124\[.\]160\[.\]154\[.\]32  
128\[.\]199\[.\]16\[.\]44  
132\[.\]145\[.\]21\[.\]77  
137\[.\]184\[.\]236\[.\]99  
139\[.\]99\[.\]149\[.\]66  
141\[.\]11\[.\]28\[.\]89  
141\[.\]11\[.\]28\[.\]97  
144\[.\]202\[.\]124\[.\]151  
144\[.\]202\[.\]59\[.\]76  
144\[.\]76\[.\]251\[.\]214  
145\[.\]215\[.\]56\[.\]53  
149\[.\]28\[.\]147\[.\]208  
150\[.\]230\[.\]38\[.\]225  
156\[.\]146\[.\]34\[.\]98  
157\[.\]245\[.\]115\[.\]135  
157\[.\]245\[.\]200\[.\]184  
157\[.\]245\[.\]206\[.\]99  
159\[.\]89\[.\]182\[.\]71  
161\[.\]35\[.\]156\[.\]235  
161\[.\]35\[.\]158\[.\]59  
161\[.\]35\[.\]209\[.\]168  
161\[.\]35\[.\]232\[.\]12  
163\[.\]143\[.\]106\[.\]199  
163\[.\]32\[.\]193\[.\]116  
164\[.\]90\[.\]205\[.\]93  
167\[.\]172\[.\]83\[.\]249  
167\[.\]172\[.\]83\[.\]250  
167\[.\]172\[.\]83\[.\]251  
167\[.\]99\[.\]225\[.\]132  
172\[.\]104\[.\]15\[.\]189  
172\[.\]70\[.\]126\[.\]146  
172\[.\]70\[.\]131\[.\]167  
172\[.\]70\[.\]131\[.\]47  
172\[.\]70\[.\]222\[.\]71  
172\[.\]81\[.\]129\[.\]138  
174\[.\]138\[.\]22\[.\]187  
175\[.\]107\[.\]236\[.\]67  
178\[.\]62\[.\]228\[.\]64  
180\[.\]236\[.\]169\[.\]125  
181\[.\]214\[.\]206\[.\]31  
185\[.\]147\[.\]212\[.\]58  
185\[.\]212\[.\]61\[.\]84  
185\[.\]239\[.\]226\[.\]177  
186\[.\]80\[.\]52\[.\]118  
188\[.\]68\[.\]61\[.\]6  
189\[.\]37\[.\]76\[.\]246  
189\[.\]46\[.\]90\[.\]233  
193\[.\]29\[.\]15\[.\]143  
194\[.\]163\[.\]164\[.\]206  
194\[.\]163\[.\]185\[.\]138  
194\[.\]195\[.\]219\[.\]144  
194\[.\]195\[.\]86\[.\]50  
194\[.\]233\[.\]171\[.\]91  
194\[.\]233\[.\]77\[.\]245  
194\[.\]5\[.\]73\[.\]6  
196\[.\]65\[.\]108\[.\]171  
198\[.\]211\[.\]120\[.\]110  
198\[.\]252\[.\]101\[.\]110  
204\[.\]195\[.\]115\[.\]184  
206\[.\]189\[.\]200\[.\]122  
207\[.\]180\[.\]241\[.\]85  
208\[.\]71\[.\]210\[.\]1  
209\[.\]58\[.\]170\[.\]164  
210\[.\]92\[.\]18\[.\]153  
212\[.\]102\[.\]50\[.\]210  
217\[.\]252\[.\]7\[.\]13  
223\[.\]187\[.\]119\[.\]114  
223\[.\]72\[.\]39\[.\]119  
226\[.\]137\[.\]152\[.\]105  
250\[.\]100\[.\]25\[.\]148  
253\[.\]240\[.\]199\[.\]27  
103\[.\]85\[.\]25\[.\]79  
156\[.\]34\[.\]23\[.\]233

Threat Advisory: Critical F5 BIG-IP Vulnerability

Researchers say a hacker is selling access to quality malware for chump change.

Researchers say a hacker is selling access to quality malware for chump change.

For about the price of a cup of Starbucks latte, a hacker is renting out a remote access trojan designed to backdoor targeted networks.

Dubbed as Dark Crystal RAT (or DCRat), the malware is being peddled online to hackers in Russian by a lone rookie malware writer with a penchant for cut-rate pricing.

“DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at ($6) for a two-month subscription, and occasionally dips even lower during special promotions,” according to BlackBerry researchers who published their findings on Monday.

  
BlackBerry said sales of the budget RAT are being facilitated by the cybercriminal that goes by the name “boldenis44” or “crystalcoder.”

Capabilities of the RAT include a “stealer/client executable”, a single PHP page, which serves as the command-and-control endpoint and an administrator tool.

**A Breakdown of DCRat**

DCRat is, in some ways, amateurish, researchers assert. “There are certainly programming choices in this threat that point to this being a novice malware author,” they wrote.

“The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine,” BlackBerry wrote.

JPHP, they noted, is an easy-to-use language aimed at novice developers of desktop games. “The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.”

In another odd quirk, researchers note, is the malware author “implemented a function that displays a randomly generated number of ‘servers working’ and ‘users online’ that are meant to appear as statistics in the background of the administrator tool. It could be that they are trying to make their tool appear more popular, or that they just didn’t know how to implement an accurate counter and have employed a pseudo-counter in the meantime as a placeholder.”

However, in most respects, DCRat punches well above its weight.

Along with the stealer, command-and-control interface and administrator tool, the malware is highly customizable, demonstrating a higher level of attempted sophistication. The modular architecture allows RAT customers to create and share their own plugins.

“DCRat’s modular architecture and bespoke plugin framework make it a very flexible option,” the researchers wrote, “helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.”

Customization prevents DCRat from growing stale, even after three years. That, and the constant care and attention its author gives it. “The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.” The researchers noted a particular case in 2020, when Mandiant published an in-depth look at the DCRat client. “Just days after this report was released,” to combat the unwanted attention, “the malware author shifted distribution of the RAT to a new domain.”

**Is DCRat an Outlier or an Omen?**

Current is about $7 for a two-month lease. For a year, $33 and for a lifetime subscription $63.

Researchers speculate the low price is because the criminals behind the malware are just looking for attention. “It could be that they’re simply casting a wide net,” the researchers theorized, “trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income.”

It remains to be seen whether DCRat will be an outlier on cybercrime forums, or a new precedent. The implications could be significant. If effective malware is as cheap as a cup of coffee, how many more people might be lured into trying it out? And how much more capable might their attacks be?

“The biggest, flashiest threat groups might get their name in lights,” the researchers concluded, “but they aren’t necessarily the cybercriminals that keep security practitioners up at night.”

Low-rent RAT Worries Researchers

This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.

Heads up for network administrators with F5’s BIG-IP family of networking devices in their environment: There is a new security update available for the newly disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created working exploits, so administrators need to move quickly and secure their networks before the attackers come knocking.

According to security researcher Kevin Beaumont, attackers are already trying to exploit the flaw and and dropping webshells. The vulnerability is "trivial" to exploit, Horizon3 said on Twitter. Horizon3 is among the several groups that have already developed a working exploit.

The critical flaw (with a score of 9.8 under the Common Vulnerability Scoring System) affects the BIG-IP iControl REST authentication component, F5 said on May 4. If exploited, remote adversaries can bypass authentication and execute commands with elevated privileges. They could target this vulnerability to gain initial access to the network and move laterally to access other devices on the network.

Considering that BIG-IP devices are widely used in enterprise environments and serve the role of a load balancer, application firewall, and full proxy, this flaw potentially opens enterprise networks to a variety of attacks. Adversaries would be able to steal corporate data, install cryptominers, download and install malware and backdoors, or even disrupt normal business operations by launching a ransomware attack.

**Assessment: Is Your Organization Impacted?**  
BIG-IP is used by 48 of the Fortune 50, F5 says, and there are more than 16,000 instances of BIG-IP discoverable by Shodan. However, the vulnerability affects the management interface, so the vulnerable devices are the ones where the management interface is exposed to the Internet. According to Rapid7 lead security researcher Jacob Baines, that puts the number of affected BIG-IP devices closer to 2,500.

Administrators can execute the following one-line bash command from Randori to determine if their instance of BIG-IP is exploitable (replace the ADDRESS with the host IP in order to execute the command):

HOST=ADDRESS; if curl -s https://$HOST/mgmt/tm \\
--insecure \\
-H "Authorization: Basic YWRtaW46" \\
-H "X-F5-Auth-Token: 1" \\
-H "Connection: X-Forwarded-Host, X-F5-Auth-Token" \\
-H "Content-Length: 0" | grep -q "\\"items\\":\\\["; then printf "\\n\[\*\] $HOST is vulnerable\\n"; else printf "\\n\[\*\] $HOST doesn't appear vulnerable\\n"; fi

The command's output would be either a _\[\*\] 192.168.255.2_ (for example) _is vulnerable_ or _\[\*\] 192.168.255.2 doesn't appear vulnerable_ message.

**Apply the Security Update**  
F5 has released security updates for BIG-IP for the following firmware versions:

*   BIG-IP versions 16.1.0 to 16.1.2
*   BIG-IP versions 15.1.0 to 15.1.5
*   BIG-IP versions 14.1.0 to 14.1.4
*   BIG-IP versions 13.1.0 to 13.1.4

There is no security update being released for firmware versions 11.x and 12.x (11.6.1 to 11.6.5 and 12.1.0 to 12.1.6) as they are no longer supported. Administrators should upgrade to a newer version as soon as possible.

**Apply Mitigations Where Needed**  
F5 released three mitigations for those cases where the BIG-IP devices cannot be updated right away. The mitigations are intended to be a temporary measure — administrators should apply the update, or in the case of an unsupported firmware version, to upgrade to the newer version, as soon as possible.

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface
*   Modify the BIG-IP httpd configuration

How to Check if Your F5 BIG-IP Device Is Vulnerable

Only a few days after the release of the patch for a vulnerability in F5 BIG-IP, exploits were developed and are now being deployed.
The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range.

The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.

**F5 BIG-IP**

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

**The vulnerability**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a CVSS score of 9.8 out of 10.

F5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on online searches there are some 2,500 devices exposed to the Internet.

**Exploits**

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.

Exploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.

The researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks.

**Mitigation**

A list of vulnerable products and versions can be found in the F5 KB article. Experts recommend to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

*   Block iControl REST access through the self IP address
*   Block iControl REST access through the management interface
*   Modify the BIG-IP httpd configuration

For future use, this F5 BIG-IP Security Cheatsheet is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.

Please note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.

Stay safe, everyone!

Update now! F5 BIG-IP vulnerability being actively exploited

Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike.
"Unlike the well-funded, massive Russian threat groups crafting custom malware [...], this remote access Trojan (RAT) appears to be the work of

Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike.

"Unlike the well-funded, massive Russian threat groups crafting custom malware \[...\], this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget," BlackBerry researchers said in a report shared with The Hacker News.

"In fact, this threat actor's commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums."

Written in .NET by an individual codenamed "boldenis44" and "crystalcoder," DCRat is a full-featured backdoor whose functionalities can be further augmented by third-party plugins developed by affiliates using a dedicated integrated development environment (IDE) called DCRat Studio.

It was first released in 2018, with version 3.0 shipping on May 30, 2020, and version 4.0 launching nearly a year later on March 18, 2021.

Prices for the trojan start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription, figures which are further reduced during special promotions.

While a previous analysis by Mandiant in May 2020 traced the RAT's infrastructure to files.dcrat\[.\]ru, the malware bundle is currently hosted on a different domain named crystalfiles\[.\]ru, indicating a shift in response to public disclosure.

"All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz\[.\]guru, which also handles some of the DCRat pre-sales queries," the researchers said.

Also actively used for communications and sharing information about software and plugin updates is a Telegram channel which has about 2,847 subscribers as of writing.

Messages posted on the channel in recent weeks cover updates to CryptoStealer, TelegramNotifier, and WindowsDefenderExcluder plugins, as well as "cosmetic changes/fixes" to the panel.

"Some Fun features have been moved to the standard plugin," a translated message shared on April 16 reads. "The weight of the build has slightly decreased. There should be no detects that go specifically to these functions."

Besides its modular architecture and bespoke plugin framework, DCRat also encompasses an administrator component that's engineered to stealthily trigger a kill switch, which allows the threat actor to remotely render the tool unusable.

The admin utility, for its part, enables subscribers to sign in to an active command-and-control server, issue commands to infected endpoints, and submit bug reports, among others.

Distribution vectors employed to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) solution used to deliver a variety of payloads.

The implant, in addition to gathering system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities. It can also capture screenshots, record keystrokes, and steal content from clipboard, Telegram, and web browsers.

"New plugins and minor updates are announced almost every day," the researchers said. "If the threat is being developed and sustained by just one person, it appears that it's a project they are working on full-time."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Sound Alarm on DCRat Backdoor Being Sold on Russian Hacking Forums

marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.

Simple rofi based bookmark manager

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

Minimal bookmark manager

**Install**

    $ pip install marcador
    

**Usage**

CLI interface

    $ marcador --help
    
    Usage: marcador [OPTIONS] COMMAND [ARGS]...
    
    Options:
      --version
      --help     Show this message and exit.
    
    Commands:
      add
      bookmarks
      delete
      rofi
      server
    

**Rofi interface**

    $ marcador rofi
    

**Thanks**

This project is heavily inspired by buku

**Screenshots**

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for marcador-0.17.tar.gz**

Hashes for marcador-0.17.tar.gz

Algorithm

Hash digest

SHA256

8686a731a06b1d003c68cd547ed5616704a851be4370d7282864966154337740

MD5

bb015b1c85d3f2c0edfc65ff27a40371

BLAKE2-256

2e4a417881800cf26100bd147a0c85a95e2ad614e05853e2170585fbebcc8d41

CVE-2022-28470: marcador

Three tech giants used World Password Day to announce their commitment to a passwordless future using FIDO Alliance standards.
The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

> In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

**Microsoft, Google, and Apple**

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

**FIDO2**

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

**Will it work?**

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

> \[I am concerned about\] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

Google, Apple, and Microsoft step hand in hand into a passwordless future

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices.
"The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices.

"The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol," Trend Micro said in a report published Thursday.

PrivateLoader, as documented by Intel 471 in February 2022, functions as a downloader responsible for downloading and installing additional malware onto the infected system, including SmokeLoader, RedLine Stealer, Vidar, Raccoon, GCleaner, and Anubis.

Featuring anti-analysis techniques, PrivateLoader is written in the C++ programming language and is said to be in active development, with the downloader malware family gaining traction among multiple threat actors.

PrivateLoader infections are typically propagated through pirated software downloaded from rogue websites that are pushed to the top of search results via search engine optimization (SEO) poisoning techniques.

"PrivateLoader is currently used to distribute ransomware, stealer, banker, and other commodity malware," Zscaler noted last week. "The loader will likely continue to be updated with new features and functionality to evade detection and effectively deliver second-stage malware payloads."

The framework, still in its development phase, contains different modules: a dropper, a loader, a kernel-mode process and file protection driver, and a remote access trojan that uses a custom protocol to communicate with the command-and-control (C2) server.

The newly observed set of infections involving the NetDooka framework commences with PrivateLoader acting as a conduit to deploy a dropper component, which then decrypts and executes a loader that, in turn, retrieves another dropper from a remote server to install a full-featured trojan as well as a kernel driver.

"The driver component acts as a kernel-level protection for the RAT component," researchers Aliakbar Zahravi and Leandro Froes said. "It does this by attempting to prevent the file deletion and process termination of the RAT component."

The backdoor, dubbed NetDookaRAT, is notable for its breadth of functionality, enabling it to run commands on the target's device, carry out distributed denial-of-service (DDoS) attacks, access and send files, log keystrokes, and download and execute additional payloads.

This indicates that NetDooka's capabilities not only allow it to act as an entry point for other malware, but can also be weaponized to steal sensitive information and form remote-controlled botnets.

"PPI malware services allow malware creators to easily deploy their payloads," Zahravi and Froes concluded.

"The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware

The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S.
"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing

The China-based threat actor known as **Mustang Panda** has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S.

"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing the group's evolving modus operandi.

The group is known to have targeted a wide range of organizations since at least 2012, with the actor primarily relying on email-based social engineering to gain initial access to drop PlugX, a backdoor predominantly deployed for long-term access.

Phishing messages attributed to the campaign contain malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto compromised machines.

Also observed are phishing messages tailored to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan.

The findings follow a recent report from Secureworks that the group may have been targeting Russian government officials using a decoy containing PlugX that disguised itself as a report on the border detachment to Blagoveshchensk.

But similar attacks detected towards the end of March 2022 show that the actors are updating their tactics by reducing the remote URLs used to obtain different components of the infection chain.

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.

"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor