Bear Security – Security News for Week of May 1st, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of May 1st, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
FBI / CISA / DHS Issue Warning About Russian Attacks
The Federal Bureau of Investigation (FBI), Cybersecurity & Infrastructure Security Agency (CISA), and Department of Homeland Security (DHS) collectively released an alert regarding the ongoing cyber operations of the Russian Foreign Intelligence Service (SVR).
In the alert, they advice that cyber actors for the SVR, also known as Advanced Persistent Threat 29, will continue to seek intelligence from US and foreign entities through cyber exploitation. Gaining access and persistence, using a range of methods such as password spraying attacks, leveraging zero-day vulnerabilities, and malware known as WELLMESS, along with commercial tools such as mimikatz and cobalt strike.
The SVR is currently known for targeting government networks, think tanks, policy analysis organizations, and information technology companies. However, some of their behavior has been observed by various groups suggesting they are targeting broader, or that other groups are using similar attack methods.
The alert outlines several useful recommendations such as enforcing MFA on internal systems, ensuring reporting of AV and endpoint monitoring solutions, monitoring script executions, and watching for credential disclosure or misuse. Read more on CISA.gov.
Microsoft Discloses 25 Critical Memory Allocation Flaws that Impact IoT/OT Devices
Microsoft published on their MSRC blog that Section 52, their Azure Defender for IoT security research group, has uncovered a series of critical memory allocation vulnerabilities named “BadAlloc”.
These vulnerabilities, which total 25 different CVE’s, exist in the device’s standard memory allocation functions spanning real-time operating systems, embedded software development kits, and the C standard library implementations. The exploitation of the vulnerabilities enables adversaries to bypass security controls to execute malicious code or cause a system crash. This can be a major issue for any organization that utilizes IoT and OT devices.
Read Microsoft’s Research on the MSRC Blog or view the CISA advisory of impacted devices.
Apple MacOS Has Severe Flaw That Bypasses Security Controls
If you use Apple MacOS, you’ll want to update immediately. Motherboard is reporting that security researchers found a flaw in MacOS that seems to have been introduced in version 10.15, that allows hackers to bypass the security controls on MacOS and take over a victim’s computer. This includes being able to bypass features such as Gatekeeper, File Quarantine, and app notarization requirements. Even worse, malware authors have already been exploiting it in the wild as a zero-day.
While a potential victim still had to execute a malicious file to get exploited, MacOS would fail to show any alert, prompt, or block the file from running, allowing it to be successful and leaving the user unaware.
Apple released a patch to address this in version 11.3 of MacOS Big Sur and they have also deployed rules to detect malware abusing the bug to its anti-virus app XProtect.
Click to read Apple’s patch update information or to read the technical details of the security bypass on Objective-See.
Python 3.8+ Vulnerability for Improper IP Address Input Validation
Sick.Codes posted on Friday a Zero-Day that affects Python 3.8 through 3.10, that improperly validates IP addresses. This results in allowing unauthenticated remote attackers to perform indeterminant SSRF, RFI, and LFI attacks on programs that rely on the standard libraries.
Currently, it is planned that this vulnerability will be addressed in the next release. For full details on the vulnerability, click here.
F5 Vulnerable to Kerberos KDC Spoofing
F5 Networks is in the news again per reporting by thehackernews.com, this time being found vulnerable to Kerberos KDC Spoofing. This bypass vulnerability impacts the F5 Big-IP application delivery services and allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager, thereby bypassing security policies and gaining unfettered access to sensitive workloads. Researchers also report that in some cases, it can be used to bypass authentication to the Big-IP admin console as well.
F5 Networks has released patches to address the weakness for versions between 12.1.6 to 15.1.3, but a patch for version 16.x is expected at a future date, and they recommend customers review their security advisory to assess their exposure and get details on mitigations. Recommendations include configuring MFA or deploying an IPSec tunnel between affected systems and Active Directory.
Read the research on this conducted by SilverFort by clicking here, or view the F5 advisory on the KDC Spoofing vulnerability.
Researchers Uncover Stealthy Linux Malware
Researchers from Wihoo 360 Netlab has reportedly uncovered a stealthy Linux malware that has been undetected for at least 3 years. The malware dubbed RotaJakiro targets x64 based Linux systems and runs a different path of execution to establish persistence based on whether the user it infects is root or non-root, and uses rotate encryption. It uses a multitude of encryption algorithms to encrypt the resource information and for its C2 communication.
A total of 12 functions have been identified that can gather device metadata, steal sensitive information, carry out file operations, and download and executing plugin-ins retrieved from its C2 server. So far only 4 samples have been found, going as far back on VirusTotal to 2018. The embedded C2 domains appear to have been registered in 2015.
Researchers are still unsure of the purpose and how many infections this malware has had, but they did identify similarities between RotaJakiro and the Torii botnet.
Read the full story on thehackernews.com or the research by Wihoo 360 Netlab.
Europol Dismantles Emotet Botnet
SC Magazine reported that last Sunday, Europol concluded their three-month-long process of dismantling the Emotet botnet. A time-activated DLL that was sent to victim machines starting back in January began to delete the malware from the systems. This comes after the FBI performed a similar activity back in January.
While this essentially removes the backdoor, this doesn’t address any secondary malware downloaded by Emotet onto target systems during the time it was infected. Administrators should still look for signs of secondary infections if they identify they were infected with Emotet.
Read the full story over on SC Magazine.
Ransomware Extortion Demands Getting Higher in 2021
Cyberscoop is reporting that Coveware, a ransomware response firm, is warning that the average demand for a digital extortion payment increased in the first quarter of 2021 to around $220k. The median payment jumped as well from around $49k to $78k. A majority of the ransomware attacks also involved the theft of corporate data, with 77% of them including the threat to publish stolen data, up 10% from prior.
While this is the experience of one firm, it suggests that ransomware groups and their methods of extortion will continue to increase this year while governments look at ways to get them under control.
Read the full story over on Cyberscoop.
Story Updates From Prior Episodes…
HashiCorp’s Private Code-Signing Key Exposed from CodeCov Breach
This is a story that is an update regarding the breach of Codecov. The register is reporting that HashiCorp has confirmed that their private code-signing key was exposed as part of the Codecov breach. Attackers could have used the stolen key to modify HashiCorp products while signing them with a genuine key but so far there is no evidence of such use, and they have validated existing releases, revoked the exposed key, and resigned their downloads with a new key.
As mentioned last week, we can expect to hear more as the investigation into the Codecov breach is ongoing. Read the full story over on The Register.
U of M Tries to Apologize, Gets Rejected
This update regards the ongoing work by the University of Minnesota to resolve what led to them being banned from contributing to the linux kernel. ARS Technica reported that the university posted a nearly 800-word open letter last Saturday that was called “more of a wait, you don’t understand” than an actual apology. Ongoing responses from the university appear to only be further failing to address the concerns The Linux Foundation and Kernel maintainers noted. The university instead opting for language that suggests the school is sole-focused the idea that policy wasn’t breached regarding research while using reasoning as to what qualifies as human research which seems exceptionally narrow and is not in alignment with more modern-day considerations.
Read the full article over on ARS Technica or the latest letter posted by the school.
That’s all for this week’s security news. Come back every Saturday for the next rendition or check it out over on YouTube or on podcast. Have a good week everyone!