Media Coverage

Interpol’s African Bureau of Cybercrime Operations report ranks Morocco as the African country most affected by Banking Trojans and Stealers. It is also the second most affected country by Ransomware on the continent. The African Cybercrime Operations Bureau of the International Criminal Police Organization (Interpol) recently unveiled its Africa Cyber Threat Assessment Report for the year 2022. A document that provides an overview of cyber threat trends in the African region. It shows that Morocco is the African country most affected by banking Trojans and Stealers, according to data from Trend Micro, a world leader in enterprise cloud security solutions, XDR and cybersecurity platform. The Interpol report even mentions 18,827 detections in the kingdom, which puts it ahead of South Africa (6,560 malware detections), Nigeria (5,366), Cameroon (1,462) and Algeria ( 691).  Banking Trojans and Stealers can be installed manually or remotely using techniques such as emails containing malicious links or attachments.  The report also revealed that the most prevalent banking Trojans and Stealers are Zbot and Fareit. The former accounts for 67.67% of all detections in the region, while the latter accounts for 15.39%.  The report also ranks Morocco in second place when it comes to Ransomware. Quoting Shadowserver, a non-profit security organization that collects and analyzes data on malicious activity on the Internet. South Africa is the country most targeted by these attacks. The country accounts for 42% of all detected attacks. It is followed by Morocco where 8% of the attacks took place, Botswana and Egypt (6%) as well as Tanzania and Kenya (4%). The kingdom is also cited for “online scams and extortion”. 

After worldwide scans, security researchers have discovered over 400,000 potentially vulnerable Windows systems. Security patches are available.

Windows admins should quickly take care of a ” critical ” vulnerability in the Microsoft Message Queuing Service (MSMQ) in Windows and Windows Server. If attacks are successful, attackers could execute malicious code and completely compromise systems. The vulnerability (CVE-2023-21554) was closed on Patchday in April . As a prerequisite for attacks, the MSMQ server must be active, which is not the case by default. However, the service is often activated in the course of Exchange installations, so the gap should not be underestimated. To check if systems are vulnerable, admins should check if the “Message Queuing” service is running and listening on TCP port 1801. According to a warning from Microsoft, Windows 10, 11 and many Windows server versions such as 20H2 are affected. Message Queuing is a messaging infrastructure and development platform. Message queuing applications can use this to communicate with PCs that may be offline. The service is designed to guarantee message delivery. Checkpoint security researchers discovered the vulnerability . According to them, attackers would only have to send their exploit code to TCP port 1801 of MSMQ servers to trigger an attack. Patch now! According to scans by Shadowsever, the MSMQ service is publicly available on over 400,000 Windows systems worldwide. If these systems are not yet patched, attackers could strike. The majority of these can be found in Hong Kong with 160,000 instances. In the US, there are around 57,000. Almost 8,000 systems are publicly accessible in Germany.

Check Point Research recently discovered three vulnerabilities in the Microsoft Message Queuing service, a service that enables asynchronous communication between applications (such as systems that are sometimes offline). While MSMQ is not enabled by default and the bugs have been fixed since last Patch Day, hundreds of thousands of systems still appear to be vulnerable. The bugs have been assigned the codes CVE-2023-21554 , CVE-2023-21769 , and CVE-2023-28302 , with a score of 9.8 and 7.5 points out of 10 twice, respectively. The former is called QueueJumper and is categorized as critical given its high rating. This is because attackers can use modified MSMQ packets to execute malicious code on MSMQ-enabled systems. CPR recommends applying appropriate security updates as soon as possible. If this is not possible, system administrators should verify that the Message Queuing service is being used and that TCP port 1801 is open. Check Point has determined that this is the case for more than 360,000 systems. According to Shadowserver, there are no less than 403,000 vulnerable configurations, the vast majority of which are based in Hong Kong, South Korea and the US.

One of the things we do at VulnCheck is n-day analysis. That can include analysis of well-known, deeply researched, and widely exploited vulnerabilities. When we tackle that type of issue, we aim to learn something new, novel, or, at the very least, interesting. We recently took that approach analyzing CVE-2022-1388. CVE-2022-1388 is an authentication bypass vulnerability affecting F5 Big-IP products. When CVE-2022-1388 was disclosed in May 2022, there were only a few thousand internet-facing affected systems. But there was no stopping the infosec hype train. Multiple research organizations published redacted proof of concepts, Kevin Beaumont was tweeting about honeypot exploitation, randoms were dropping exploit screenshots, and reporters were mistaking jokes about an inside job for reality. Eventually, most of the speculation and fear-mongering were put to bed by an excellent deep-dive analysis from Horizon3.ai. When all the hype died down, the vulnerability was quite well-known. It’s been featured in research write-ups. There’s a Metasploit module, and Greynoise tag. Shadow Server identifies the vulnerability in their honeypot network. It was even named one of the [top vulnerabilities in 2022, and added to the CISA KEV Catalog. What more could be said about this vulnerability? Well, if you don’t look, you’ll never know.

Rivian Automotive, Inc. (NASDAQ: RIVN) today announced it has hired Mike Johnson as its Chief Information Security Officer (CISO). Johnson joins Rivian from Fastly where he was CISO for over 3 years, securing the network and platform of the edge cloud company. Johnson’s cybersecurity career spans more than 25 years, starting with prototyping intrusion detection systems for battlefield networks. Prior to Fastly, he served as ride-sharing company Lyft’s first CISO. Before Lyft, he spent nine years at Salesforce in various roles, ultimately building and growing their world class Detection and Response organization. Johnson currently serves on the Board of Directors for the non-profit Shadowserver Foundation, which gathers and analyzes data on malicious Internet activity. He also co-hosts the CISO Series podcast and is a frequent guest on industry podcasts.

Diane Lye, Chief Information Officer, Rivian, said:
“Mike brings an impressive track record of building and leading Cybersecurity programs across multiple different industries and is a thought-leader in this rapidly evolving space. I am delighted that he has chosen to join Rivian at this time in our growth.”

Rivian designs, develops, and manufactures category-defining electric vehicles and accessories and sells them directly to customers in the consumer and commercial markets. 

You can’t say IBM didn’t warn us. On Jan. 26, 2023, Big Blue warned us of multiple security vulnerabilities in its ultrafast Aspera Faspex file transfer software. In particular, CVE-2022-47986, with a Common Vulnerability Scoring System (CVSS) critical rating of 9.8, is as bad a security hole as you can get. Making matters worse, the bug’s discoverers, security company Assetnote published a blog post on the Aspera Faspex vulnerability a week later. In it, they explained how an unauthenticated attacker could exploit it to execute arbitrary commands. Now in an ideal world, this would just be a good teaching moment. In it, they explain how a remote attacker can exploit a YAML deserialization flaw for arbitrary code execution using specially crafted API calls to a now obsolete API call Guess what? We don’t live in such a world. The non-profit Shadowserver Foundation Internet group reported seeing exploitation attempts in early February. The security company Rapid7 reported that it had discovered multiple exploitation incidents, including its use in the Linux and Windows IceFire ransomware campaign. This is a classic example of a solved security problem being ignored by administrators until it blew up in their faces. Specifically, IBM has identified affected products as Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability is addressed in version 4.4.2 Patch Level 2. So you need to immediately update your software to the latest patch level to safeguard your systems. That’s it, kids.

Finding Exploitation Attempts To identify potential exploitation attempts, look at your logfiles in the default directory: /opt/aspera/faspex/log. If you see anything about the PackageRelayController#relay_package, look closely and treat it suspiciously. 

Fresh warnings are sounding about the risk posed to users of unpatched IBM-built enterprise file transfer software as ransomware-wielding attackers continue to launch exploit attempts. The IBM Aspera Faspex file-exchange application is a widely adopted enterprise file-exchange application with a reputation for being able to secure and quickly move large files. Security experts warn that a flaw patched in the software by IBM on Dec. 8, 2022, which can be used to sidestep authentication and remotely exploit code, is being actively abused, including by multiple groups of attackers wielding crypto-locking malware. While the flaw was patched in December, IBM didn’t appear to have immediately detailed the vulnerability – one of many – fixed in that update. In a Jan. 26 security alert, IBM said that the flaw, designated CVE-2022-47986 and given a base CVSS score of 9.8, “could allow a remote attacker to execute arbitrary code on the system … by sending a specially crafted obsolete API call.” Malicious activity tracking group Shadowserver on Feb.13 warned that it was seeing active, in-the-wild attempts to exploit CVE-2022-47986 in vulnerable versions of Aspera Faspex. Software developer Raphael Mendonça reported Feb. 16 that a group called BuhtiRansom was “encrypting multiple vulnerable servers with CVE-2022-47986.” Buhti is a relatively new ransomware group that Palo Alto’s Unit 42 threat intelligence group has seen using crypto-locking malware written in the Go language that infects Linux systems. Targeting file transfer software or appliances is not a new tactic for ransomware groups. 

A critical bug in IBM’s popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch. Months after IBM released a patch for the critical vulnerability, it’s being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California. The vulnerability exists in Faspex’s version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale. Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986. In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

Threat actors are targeting multiple known software vulnerabilities in IBM Aspera Faspex file transfer service. One vulnerability, CVE-2022-47986, is a pre-authentication YAML deserialization vulnerability in the Ruby on Rails code that is ranked 9.3 in severity. Aspera Faspex is used by large organizations, including American Airlines and BT Sport.  IBM published an advisory for multiple security issues found in the platform on Jan. 26, which includes CVE-2022-47986. The flaw in Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a threat actor to remotely execute arbitrary code on the system. The advisory also included a system update that removed the obsolete API call. However, some organizations may have failed to promptly patch the vulnerability, leaving the bug open to exploit. According to Rapid7 research, details on the vulnerabilities and a working proof-of-concept code were publicly released in February. Since that time, researchers have observed multiple reports of exploitation of these flaws, including an ongoing IceFire ransomware campaign. The threat actors behind IceFire malware previously focused on targeting Windows platforms but have since expanded their targets to include Linux devices. The group follows other “big-game hunting” ransomware families, such as double extortion, large enterprise targets, persistence mechanisms, and the deletion of log files to evade analysis. Previously known exploits date as far back as Feb. 13. ShadowServer data shows there are approximately 50 servers still unpatched. Unpatched vulnerabilities have led to a host of exploits, particularly in the last six months. The Fortra GoAnywhere MFT managed file transfer application is the latest target. Data from February estimated that over 1,000 on-premises instances were vulnerable to the remote code injection bug. Since that time, Clop ransomware actors have claimed multiple victims, including 1 million patients tied to Community Health Systems in Tennessee. The attacks mirror earlier exploits of the Accellion File Transfer Application

Whilst we did have a few cool new modules added this week, one particularly interesting one was a Fortinet FortiNAC vulnerability, CVE-2022-39952, that was added in by team member Jack Heysel. This module exploits an unauthenticated RCE in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 to gain root level access to affected devices. This bug has seen active exploitation in the wild from several threat feeds such as ShadowServer at https://twitter.com/Shadowserver/status/1628140029322362880, so definitely patch if you haven’t done so already.