Public Entities & Ransomware, Colonial Pipeline Fine, Nvidia’s LHR Limiter, & BIG-IP – PSW #740

Announcements

• Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

• We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

1. 1. Colonial Pipeline facing $1,000,000 fine for poor recovery plans
2. 2. Release of Technical Report into the AMD Security Processor
   This sounds bad: "We identified an implementation issue, a TOCTOU vulnerability in the firmware, where the caller mode is checked a while after the command is pulled from the mailbox. This window gives a malicious kernel sufficient time to submit a BIOS command with address pointing to SMRAM, switch to SMM, and bypass the context check. A “boomerang” attack where a ring-0 attacker tricks the ASP into corrupting SMM memory, leading to privilege escalation." - I am speculating, but this could lead to a Secure Boot bypass...
3. 3. Microsoft fixes new NTLM relay zero-day in all Windows versions
   https://flip.it/pRS_t9
4. 4. Docker Desktop for Linux finally arrives
   https://flip.it/kDRm_x
5. 5. Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972) – Microsoft Security Response Center
6. 6. Biden signs cybercrime tracking bill into law
7. 7. Your Phone May Soon Replace Many of Your Passwords – Krebs on Security
8. 8. Costa Rica Declares State of Emergency Under Sustained Conti Cyberattacks
   Yikes, the US is offering a reward: "The Ministry of Finance was one of the initial targets on April 18, but other Costa Rican government agencies were also affected, including the Ministry of Labor and Social Security; the Ministry of Science, Innovation, Technology and Telecommunications; the National Meteorological Institute, and more. "
9. 9. DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
   Perhaps the most devastating attack of all: "Ukrainian hacktivists took down Russia’s central alcohol distribution platform called Unified State Automated Alcohol Accounting Information System or EGAIS, with DDoS attacks launched on May 2nd and 3rd."
10. 10. Lincoln College Set to Close After Crippling Cyberattack
    I feel like COVID and ransomware were two factors but other factors may be at play that led to the college shutting down.
11. 11. F5 BIG-IP Remote Code Execution – Exploitalert
    Also, you want to read this post on HTTP hop-to-hop headers, as the exploit uses this technique: https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers (in what looks like it tells the proxy to remove the X-F5-Auth-Token header, which likely is what leads to the auth bypass)
12. 12. Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability
    This is dead easy to exploit: "the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing an attacker to gain initial access and take control of an affected system." See the exploit above...Unauthenticated command injection via POST request, yikes!
13. 13. BPFDoor?—?an active Chinese global surveillance tool
    This is really slick: "It allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules. For example, if a webapp exists on port 443, it can listen and react on the existing port 443, and the implant can be reached over the webapp port (even with the webapp running). This is because it uses a BPF packet filter."
14. 14. Computer Account Relaying Vulnerabilities Part 2 – Praetorian
15. 15. Diving into pre-created computer accounts – TrustedSec
    hinging on the old, like I can't believe this was/is a thing: "when you pre-create computer accounts with the Assign this computer account as a pre-Windows 2000 computer checkmark, the password for the computer account becomes the same as the computer account in lowercase. For instance, the computer account DavesLaptop$ would have the password daveslaptop."
16. 16. Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver
    Disabling AV is a thing for sure: "Utilizing the HashDB API service from OpenAnalysis, we were able to recover the clear-text strings corresponding to the hardcoded CRC64 checksums of the latter sample mentioned above. The list contains process names from well-known AV and EDR vendors, which include, amongst others, processes names from SentinelOne®, Cylance®, Avast®, Carbon Black®, Sophos®, McAfee®, and Malwarebytes®. "
17. 17. Nvidia’s LHR limiter has been bypassed, enabling full mining performance
    Proof that limiting will almost always be bypassed (okay, so always), but it appears not to have much impact: "Considering how bad the crypto market has been doing lately (Ethereum's price is currently half of its peak) and the improved availability and price of graphics cards, this news will probably not affect the market too much. With most cards, you'd need close to a year to break even, while Ethereum's transition to the Proof-of-Stake algorithm is expected to happen this year."
18. 18. Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus
    "Specifically, the shortcomings are rooted in a socket connection handler in the kernel driver that could lead to privilege escalation by running code in the kernel from a non-administrator user, potentially causing the operating system to crash and display a blue screen of death (BSoD) error."
19. 19. North Carolina Becomes First State to Prohibit Public Entities from Paying Ransoms
    Is this a good thing? - "North Carolina’s new law, which was passed as part of the state’s 2021-2022 budget appropriations, prohibits government entities from paying a ransom to an attacker who has encrypted their IT systems and subsequently offers to decrypt that data in exchange for payment. The law prohibits government entities from even communicating with the attacker, instead directing them to report the ransomware attack to the North Carolina Department of Information Technology in accordance with G.S. 143B?1379."

Josh Marpet

Executive Director at RM-ISAO

Larry Pesce

Product Security Research and Analysis Director at Finite State

https://www.finitestate.io/

1. 1. U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors
2. 2. F5 BIG-IP confirmations
   Can confirm. Real world devices are being erased this evening, lots on Shodan have stopped responding. twitter.com/BleepinCompute…
3. 3. Critical F5 BIG-IP vulnerability exploited to wipe devices
4. 4. Flight Aborted After Eerie Pictures Mysteriously Sent To Passengers’ Phones
5. 5. Russia’s RuTube knocked out for second day by Victory Day cyber attack

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

1. 1. F5 warns of critical BIG-IP RCE bug allowing device takeover
   F5 has released a security advisory warning users of a critical vulnerability (CVE-2022-1388) affecting its iControl REST component, which could be exploited by unauthenticated attackers to take complete control of targeted systems.
2. 2. North Carolina Becomes First State to Prohibit Public Entities from Paying Ransoms
   North Carolina passed a new law that prohibits government entities from paying ransom to attackers who have infiltrated and encrypted their IT systems, making it the first U.S. state to formally prohibit ransom payments.
3. 3. Google addresses actively exploited Android flaw in the kernel
   Google released the May security bulletin for Android, 2022-05-05 security patch level, which fixed an actively exploited Linux kernel flaw. Google has released a patch to address a privilege escalation vulnerability (CVE-2021-22600) identified in January that affects the Linux Kernel and is being actively exploited in the wild.
4. 4. Thousands of Borrowers’ Data Exposed from ENCollect Debt Collection Service
   An ElasticSearch data-storage server exposed on the internet in February 2022 belonging to Bangalore, India-based debt collection platform ENCollect that contains sensitive financial information related to loans from financial services firms in Africa and India. According to the UpGuard researchers who found the exposed server, the server contains 5.8GB of data and more than 1.6 million records.
5. 5. Seeing hack attacks on the rise, Israel orders telecoms to erect ‘cyber Iron Dome’
   Israel's National Cyber Directorate has instructed communications firms operating in Israel to increase their cyber security posture in an effort to create a defensive cyber "umbrella" that authorities hope will be as effective as the country's Iron Dome missile defense system.
6. 6. Distributor of Agricultural Equipment Hit by Ransomware Attack
   Duluth, Georgia-based agricultural equipment manufacturer and distributer AGCO has revealed that it suffered a ransomware attack on May 5 that forced it to shut down parts of its IT system in order to stop the attack from spreading throughout its network.
7. 7. FBI: Losses From BEC Scams Surpass $43 Billion
   The FBI says BEC and EAC losses reported between June 2018 and December 2021 have surpassed $43 billion globally.
8. 8. Data breach Discovered at IKEA Canada impacts 95,000 Customers
   IKEA says it has notified the Office of the Privacy Commissioner of Canada that it experienced a data breach during which hackers managed to gain access to personally identifiable information (PII) belonging to some 95,000 Canadian customers.

Matt Alderman

VP, Product at Living Security