Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE

Published May 9, 2022

Background:

CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.

Takeaway:

Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.

Mobile Subscription Trojans and Their Little Tricks

Published May 6, 2022

Background:

Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services.

Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store.

The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.

Takeaway:

Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.

Raspberry Robin Gets the Worm Early

Published May 5, 2022

Background:

Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm typically installed via a USB drive targeting organizations with ties to technology and manufacturing.

The malicious USB has an LNK file masquerading as a folder that is being activated through modification in the UserAssist registry. The actor uses compromised QNAP devices to stage malicious DLL and TOR traffic for further command-and-control (C2) communication. Raspberry Robin extensively uses mixed-case letters in its commands in an attempt to evade detection.

Takeaway:

It is crucial that your company has policies in place that forbid employees from using unknown USB drives. Identify the use of Windows Installer Tool msiexec.exe to download and execute packages in the command-line interface (CLI). Detect the Windows Open Database Connectivity utility (odbcconf.exe) loading a configuration file or DLL. Detect regsvr32.exe, rundll32.exe, and dllhost.exe making external network connections with no parameters.

Update on Cyber Activity in Eastern Europe

Published May 3, 2022

Background:

Google researchers describe five advanced groups especially active in Eastern Europe in regard to the military conflict between Russia and Ukraine.

Fancy Bear (APT28) targets Ukraine with phishing attachments delivering a new information stealer written in .Net.

Another group, Turla, attributed to Russia’s Federal Security Services (FSB), targets defense and cybersecurity organizations in Baltic states with phishing links dropping a malicious DOCX that would download a malicious PNG file.

GoldRiver (Callisto) group abuses Google and Microsoft services in their credential-stealing phishing attempts with targets including government and defense officials, journalists, NGOs and think tanks, and politicians.

Belarus-sponsored group Ghostwriter spoofed Google to target Ukraine and Facebook to target Lithuania.

Curious George, a group attributed to China’s The People’s Liberation Army Strategic Support Force (PLASSF), is targeting government, logistics, manufacturing, and military organizations in Central Asia, Russia and Ukraine, including Russia’s Ministry of Foreign Affairs.

Takeaway:

Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user interaction. It is important to teach your users basic online hygiene and phishing awareness.

Manage your threats more easily

Discover Prism

Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad

Published May 2, 2022

Background:

SentinelOne researchers describe Moshen Dragon, a China-based threat group targeting Central Asia.

Moshen Dragon abused binaries from BitDefender, Kaspersky, McAfee, Symantec, and TrendMicro. They performed a specific DLL search order hijacking attack called sideloading triad where the hijacked security software DLLs were used to decrypt and load the final payloads from the third file in the same folder.

Moshen Dragon used ShadowPad and PlugX payloads, Gunters loader, and a Local Security Authority (LSA) Notification Package (SecureFilter).

Takeaway:

The observed abuse of different anti-virus products does not directly point to their insecurity, as it shows an advanced actor utilizing known Windows design limitations.

Organizations can use behavioral monitoring capabilities to better detect anomalous behavior, detecting when files and data are accessed that are outside the normal working hours or job specification of the account holder. Defense-in-depth can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.

UNC3524: Eye Spy on Your Email

Published May 2, 2022

Background:

Mandiant researchers detected an advanced threat group, designated as UNC3524, that targets organization networks to steal emails from IT departments, executives, and those responsible for mergers and acquisitions. In the victim networks, they target trusted systems such as load balancers, Storage Area Network (SAN) arrays, and wireless access point controllers that might be running older versions of BSD or CentOS.

These systems are often unsupported by agent-based security tools allowing attackers to stealthily deploy their QuietExit backdoor that acts as a SSH client-server. Command-and-control (C2) communication goes from an Internet-of-Things (IoT) botnet consisting mostly of LifeSize conference room camera systems. UNC3524 actors use a heavily obfuscated version of ReGeorg web-shell as a backup backdoor for re-infection, move laterally using WMIEXEC, and target selected mailboxes in either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment.

Takeaway:

Defenders should hunt for outbound SSH traffic from unknown IPs and from ports other than 22. Investigate large volumes of outbound traffic from NAS arrays and load balancers. Identify devices on your network that do not support monitoring tools, harden them, limit or block egress traffic from such devices.

REvil Ransomware Returns: New Malware Sample Confirms Gang is Back

Published May 1, 2022

Background:

The REvil (Sodinokibi, Pinchy Spider) ransomware group resumed its operations.

In October 2021, the group shut down after a law enforcement operation hijacked their Tor servers, and Russian police arrested some of its members.

At the end of April 2022, the group became active on its ransom websites listing new and old victims, and on April 29, 2022, researchers detected a new sample of their encryptor compiled from its source code that includes new changes.

The new REvil sample is highly targeted: it includes a new configuration field, ‘accs,’ with credentials for the specific victim (specified accounts and Windows domains), preventing encryption on devices outside of the intended target.

Takeaway:

It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice defense-in-depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a ransomware infection.

Russian Hackers Compromise Embassy Emails to Target Governments

Published May 1, 2022

Background:

In January-March 2022, APT29 (Cozy Bear, Nobelium, attributed to Russia’s Foreign Intelligence Service (SVR)) targeted diplomats and government entities with phishing attacks from previously compromised diplomatic email addresses.

To mask their command-and-control (C2) traffic, attackers used compromised websites and abused legitimate services such as Atlassian Trello, Firebase, or DropBox. They used a customized Cobalt Strike Beacon backdoor and a number of custom malware: BeatDrop downloader, BoomMic (VaporRage) shellcode downloader, and RootSaw (EnvyScout) dropper.

Takeaway:

Anti-phishing training should include ways to verify the authenticity of the received email such as a phone call. Network defenders advised to configure a system to explode suspicious emails in a sandbox environment, for example.

Observed Threats

APT28

The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays high levels of sophistication in the multiple campaigns that they have been attributed to, and various malware and tools used to conduct the operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the foreign intelligence agency of the Russian armed forces.

APT29

The Advanced Persistent Threat (APT) group “APT29” is a Russian-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom and complex malwares at its disposal and is believed to be sponsored by the Russian Federation government. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world, however, a plethora of other targets have also been identified.

Pinchy Spider

Pinchy Spider is a Russian-speaking threat group that run a Ransomware-as-a-Service (RaaS). The threat group has been active since January 2018 when they announced the GandCrab RaaS on the “exploit[.]in” forum. The GandCrab RaaS was discontinued in June 2019 in favour of the newer RaaS Sodinokibi/REvil.

CVE-2022-1388

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Manage your threats more easily

Discover Prism