Vulnerability in BIG-IP exploited to erase data
On May 4th, F5 fixed, among others, a vulnerability affecting BIG-IP devices (CVE-2022-1388 CVSSv3 9.8), which could allow an unauthenticated attacker with network access to the BIG-IP system, via proprietary IP addresses or an admin port, to execute arbitrary commands, delete or create files, or disable services.
The severity of the flaw at the time raised the need for patching, and multiple security researchers warned of the possibility that proofs of concept could be released without delay.
Since then, massive exploitation has been reported, mainly to download webshells that allow initial access to networks, to steal SSH keys, and to enumerate system information. On the other hand, researchers at the SANS Internet Storm Center have warned of the detection in their honeypots of several attacks that execute the rm -rf /* command on BIG-IP devices.
This command is focused on deleting all files, including the configuration files that allow the device to function properly, as the exploit gives the attacker root privileges on the devices’ Linux operating system.
This type of attack has also been confirmed by security researcher Kevin Beaumont, who warns about the disappearance of multiple Shodan entries from this type of device.
* * *
Microsoft fixes three 0-day vulnerabilities
Microsoft has published its monthly security bulletin for the month of May, in which it has fixed a total of 75 flaws, including 3 0-day vulnerabilities, one of which is being actively exploited, and 8 critical vulnerabilities that could allow remote code execution or privilege escalation on the vulnerable system.
The actively exploited 0-day, categorized as CVE-2022-26925, is a spoofing vulnerability in Windows LSA, which could be exploited by an unauthenticated attacker by calling a method on the LSARPC interface and forcing the domain controller to authenticate via the Windows NT LAN Manager (NTLM) security protocol.
According to its discoverer, security researcher Raphael John, this flaw is being exploited and appears to be a new attack vector for PetitPotam, an NTLM relay attack discovered in July 2021.
The other two 0-day flaws correspond to a denial-of-service vulnerability in Windows Hyper-V (CVE-2022-22713) and a flaw in the Magnitude Simba Amazon Redshift ODBC driver (CVE-2022-29972, also known as SynLapse). Microsoft recommends applying the security updates as soon as possible.
* * *
CNPIC warns of a possible cyber-attack on critical infrastructures
Spain’s National Centre for the Protection of Critical Infrastructure and Cybersecurity (CNPIC) has sent a security warning to companies considered to be critical infrastructures in the country.
The warning alerts these companies to the risk of a possible cyber-attack on critical sectors such as energy, communications and finance, among others.
The alert implies that companies should take extreme precautions and strengthen the protection mechanisms within their IT infrastructure, so that a possible cyber-attack can be dealt with preventively and a disruption of the services they provide can be avoided.
The specific type of threat behind the possible cyber-attack, as well as its attribution, is not known at this stage, although the apparent aim is the disruption of strategic services.
* * *
Database with nearly 21 million VPN users exposed
Researchers at vpnMentor have reported a leak on Telegram of a Cassandra database containing 21 million unique records of VPN service users. The file, initially traded on the dark web in 2021, was reportedly shared for free via the messaging app as of 7 May.
The 10GB of information includes user data from the free VPN services GeckoVPN, SuperVPN and ChatVPN. The exposed data reportedly includes usernames, emails, personal names, countries, billing details, randomly generated password strings, and account validity periods.
The researchers who analysed the database emphasised two things:
- that 99.5 per cent of the accounts were Gmail addresses, indicating that this database may be only a fragment of the compromised data;
- and that the passwords were hashed, salted or randomly generated, suggesting that each one is different, which makes cracking them more complicated.
* * *
New Nerbian RAT distribution campaign
Researchers at Proofpoint have detailed a malware distribution campaign they have named Nerbian RAT (Remote Access Trojan), after a reference to the fictional location (Nerbia) in the novel Don Quixote in one of the malware’s functions.
It is a new RAT that uses multiple libraries written in Go, a programming language widely used for malware development, and includes multiple components aimed at evading detection.
In the campaign observed, the World Health Organization (WHO) is being impersonated in malspam mails containing alleged information related to COVID-19.
These mails include an attached Word document which, once macros are enabled, triggers the download of a .bat file that is responsible for executing a PowerShell command to connect to the command-and-control (C2) server.
As a result, the executable that acts as a dropper for Nerbian RAT will finally be downloaded. The campaign has reportedly been active since 26 April and is said to have been directed primarily against entities in Italy, Spain and the UK.
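The infection chain described above (Word document, macro, .bat file, PowerShell, C2) leaves a characteristic parent-child process trail that defenders can hunt for in process-creation telemetry. The following Python is an added example, not code from the Proofpoint report or the original article: it flags script hosts whose process ancestry passes through an Office application, run over constructed sample events whose field names and values are assumptions.

```python
# Constructed sample process-creation events (not from the original article).
# The field names mimic a generic EDR/Sysmon-style export and are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c C:\\Users\\Public\\update.bat"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc <base64-placeholder>"},
    # Benign PowerShell launched from explorer.exe, which should not be flagged.
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]

# Office applications that should not normally spawn script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts commonly used as the next stage after a malicious macro.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def ancestry(events, pid):
    """Return the lower-cased image names from pid up to the root, child first.

    The `seen` set guards against cycles or pid reuse in the telemetry.
    """
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_script_chains(events):
    """Flag script hosts with an Office application anywhere in their ancestry.

    Returns one hit per suspicious process with its full chain for triage.
    """
    hits = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, e["pid"])
        if any(parent in OFFICE_APPS for parent in chain[1:]):
            hits.append({"pid": e["pid"],
                         "chain": " <- ".join(chain),
                         "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_office_script_chains(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']}\n    {hit['cmdline']}")
```

Both the cmd.exe stage and the PowerShell stage are reported, each with its chain back to WINWORD.EXE, while the PowerShell session started directly from explorer.exe is left alone.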