By Jon Munshaw.
The one big thing
A critical vulnerability in F5’s BIG-IP software continues to dominate security headlines and haunt defenders. Though we released coverage for this vulnerability last week, attackers are still exploiting it in the wild. Security researchers at the SANS Institute recently discovered adversaries exploiting the vulnerability to try to completely wipe some Linux systems. The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2022-1388 to its list of known exploited vulnerabilities and gave federal agencies until May 30 to patch the issue.
Why do I care?
The continuous warnings around this vulnerability show how truly widespread and potentially dangerous it is. Due to the nature of this vulnerability, an adversary could exploit it and obtain root privileges on the Linux operating system powering BIG-IP devices. While most attackers seem to be using it to gain an initial foothold on a system, it also opens the door to an attacker running specific commands to delete files on the system, including ones that are required for the operating system to function correctly.
So now what?
Cisco Secure products have several ways of detecting exploitation of this vulnerability and defending against it. F5 also has a patch available for the vulnerability, which should be implemented immediately. If users are not able to patch for some reason, Talos, CISA and F5 all recommend blocking iControl REST access through the self IP address and management interface.
Other news of note
The quantum computing race is on. This week, U.S. officials said they believe America will be the first country to harness the power of quantum computing, outpacing rivals like China. It’s widely believed that quantum computers will break current encryption technologies. This means the U.S. also has to develop new encryption standards, which has interested privacy experts. Though the National Security Agency has had backdoors into encryption methods in the past, the agency says that will not be the case for whatever standard the U.S. develops to combat quantum computing. (CyberScoop, Bloomberg)
U.S. officials released a warning this week that North Koreans are posing as remote workers and hiding their true identities to apply for jobs with cryptocurrency-related companies. These individuals eventually aim to get onto corporate networks and steal currency for the North Korean government. While many of the adversaries are based in North Korea, others are operating out of China, Russia, Africa and Southeast Asia. North Korean state-sponsored actors have been finding different ways to steal virtual currency for years, mainly to fund the country’s weapons program. (BBC, U.S. Department of Treasury)
Western governments and security experts continue to sound warnings about potential cyber attacks from Russian state-sponsored groups. Although there have not been any major public attacks of the kind expected when Russia invaded Ukraine, there has been a sustained effort to improve Russia’s standing in the war. Finland and Sweden’s applications to join the NATO military alliance also raised the possibility that Russia could respond with a cyber attack. On a lower-stakes note, Russian actors also tried to disrupt the semifinals and finals of the Eurovision Song Contest in Italy last week, a contest that Ukraine eventually won. (Reuters, The Hill, BBC)
Can’t get enough Talos?
- Talos Takes Ep. #96: Takeaways from victim chats with two ransomware groups
- Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver
- Ransomware: How executives should prepare given the current threat landscape
- Threat Roundup for May 6 - 13
Upcoming events where you can find Talos
NorthSec 2022 (May 19 – 20, 2022)
Montreal, Canada
REcon (June 3 – 5, 2022)
Montreal, Canada
RSA 2022 (June 6 – 9, 2022)
San Francisco, California
Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426
MD5: a841c3d335907ba5ec4c2e070be1df53
Typical Filename: chip 1-click installer.exe
Claimed Product: chip 1-click installer
Detection Name: Win.Trojan.Generic::ptp.cam
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
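The list above is most useful when it is turned into a lookup that can be run against files on an endpoint or a file share. The following script is an added example, not Talos or Cisco code: it indexes the SHA-256 and MD5 values exactly as listed in this newsletter, streams files through both hash algorithms in a single pass, and reports any file whose digest matches. The sample file it scans is constructed in a temporary directory, and the function names (build_lookup, hash_file, match_hash, scan_directory) are my own. Only hashes are matched; the "Typical Filename" values are deliberately not used as a detection criterion, since a filename is trivially changed.

```python
"""Match file hashes against the SHA-256/MD5 indicators listed in this newsletter.

Added example: the indicator values are copied from the newsletter, the sample
file is constructed here, and the helper names are assumptions of this example.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional

# Indicators as listed in the newsletter (SHA-256 and MD5, lower-case hex).
INDICATORS: List[dict] = [
    {"sha256": "e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934",
     "md5": "93fefc3e88ffb78abb36365fa5cf857c",
     "filename": "Wextract",
     "detection": "PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg"},
    {"sha256": "1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426",
     "md5": "a841c3d335907ba5ec4c2e070be1df53",
     "filename": "chip 1-click installer.exe",
     "detection": "Win.Trojan.Generic::ptp.cam"},
    {"sha256": "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91",
     "md5": "7bdbd180c081fa63ca94f9c22c457376",
     "filename": "c0dwjdi6a.dll",
     "detection": "Trojan.GenericKD.33515991"},
    {"sha256": "59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa",
     "md5": "df11b3105df8d7c70e7b501e210e3cc3",
     "filename": "DOC001.exe",
     "detection": "Win.Worm.Coinminer::1201"},
    {"sha256": "e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c",
     "md5": "a087b2e6ec57b08c0d0750c60f96a74c",
     "filename": "AAct.exe",
     "detection": "PUA.Win.Tool.Kmsauto::1201"},
]


def build_lookup(indicators: List[dict]) -> Dict[str, dict]:
    """Index every indicator by both of its digests so either algorithm can match."""
    lookup: Dict[str, dict] = {}
    for ind in indicators:
        lookup[ind["sha256"].lower()] = ind
        lookup[ind["md5"].lower()] = ind
    return lookup


def hash_file(path: Path) -> Dict[str, str]:
    """Stream a file through SHA-256 and MD5 in one pass (files may be large)."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def match_hash(value: str, lookup: Dict[str, dict]) -> Optional[dict]:
    """Return the indicator for a hex digest (case-insensitive), or None if unknown."""
    return lookup.get(value.strip().lower())


def scan_directory(root: Path, lookup: Dict[str, dict]) -> Dict[str, str]:
    """Walk a directory tree; return {path: detection name} for files whose hash is listed."""
    hits: Dict[str, str] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        digests = hash_file(path)
        hit = match_hash(digests["sha256"], lookup) or match_hash(digests["md5"], lookup)
        if hit:
            hits[str(path)] = hit["detection"]
    return hits


if __name__ == "__main__":
    import tempfile

    table = build_lookup(INDICATORS)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a benign file with an indicator-style name, which
        # must NOT match because only digests are compared, never filenames.
        sample = Path(tmp) / "DOC001.exe"
        sample.write_bytes(b"constructed sample content, not malware")
        print(scan_directory(Path(tmp), table))
    # A digest copied from the list resolves to its detection name regardless of case.
    print(match_hash("DF11B3105DF8D7C70E7B501E210E3CC3", table)["detection"])
```

Point scan_directory at a quarantine folder or a file share to get a mapping of matching paths to detection names; an empty dictionary means none of the listed hashes were present. Both digests are computed in a single read so that large files are not hashed twice, and MD5 is kept only because the newsletter publishes it alongside SHA-256; treat a SHA-256 match as the authoritative one.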