At a glance.
- VMware patches vulnerabilities.
- CISA warns that F5 BIG-IP vulnerabilities are undergoing exploitation.
- Fraudulent liquidity mining.
- CMS vulnerabilities patched.
- Texas Department of Insurance clarifies data incident.
- NATO cyber leaders meet.
- An overview of Russian info ops in Ukraine.
VMware patches vulnerabilities.
VMware yesterday addressed issues in several of its products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. That these are more significant than the ordinary run of patches may be seen by the way the US Cybersecurity and Infrastructure Security Agency (CISA) has discussed them. Alert (AA22-138B), "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control," warns that "malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination." The Alert adds, "CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied." US Federal civilian agencies have until next Monday to identify and remediate the issues, and they're required to report completion no later than Tuesday.
F5 BIG-IP vulnerabilities undergoing active exploitation.
Yesterday CISA also issued Alert (AA22-138A) "Threat Actors Exploiting F5 BIG-IP CVE-2022-1388," which warned that the flaw was being exploited in the wild, and advised users to either upgrade F5 BIG-IP software to patched and supported versions, or, should that not be immediately feasible, to implement the three temporary mitigations F5 has provided:
- "Block iControl REST access through the self IP address,"
- "Block iControl REST access through the management interface," and
- "Modify the BIG-IP httpd configuration."
Fraudulent liquidity mining.
Sophos describes the way the threat of fraudulent liquidity mining is shaping up in decentralized finance systems. "Legitimate liquidity mining exists to make it possible for decentralized finance (DeFi) networks to automatically process digital currency trades," Sophos explains, and criminals are using social engineering to abuse such systems to defraud cryptocurrency investors of their holdings.
More loosely regulated than conventional cryptocurrency exchanges, which use market makers and seek to ensure that sufficient reserves are on hand to back trades, DeFi exchanges use Automated Market Makers (AMMs). Sophos explains that "Smart contracts built into the DeFi network have to rapidly determine the relative value of the currencies being exchanged and execute the trade. Since there is no centralized pool of crypto for these distributed exchanges to pull from to complete trades, they rely on crowdsourcing to provide the pool of cryptocurrency capital required to complete a trade—a liquidity pool." Liquidity pool tokens ("LP tokens") are used to represent the portion of the liquidity pool an investor contributed. But unethical DeFi operators can cancel the tokens (or simply not create a pool to back them in the first place), and this, Sophos observes, offers "ample opportunity for digital Ponzi schemes, fraudulent tokens, and flat-out theft."
CMS vulnerabilities disclosed and patched.
Texas Department of Insurance clarifies facts surrounding its data incident.
The Texas Department of Insurance (TDI) has sent around a fact sheet that clarifies a data incident the agency sustained earlier this year: "In January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because we couldn't rule out access, we took steps to notify those who may have been affected." While data could have been accessed by unauthorized personnel, TDI has investigated and found that, "There is no evidence to date that there was a misuse of information."
The following sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
NATO cyber coordinators meet.
NATO's national coordinators for cybersecurity met yesterday in Brussels, the Hill reports, the first time such a group has convened. The meeting was prompted by the Russian war against Ukraine, and the ways in which it's altered the strategic landscape. "Allies have expressed concern that cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent," a NATO press release said. "NATO is a strong platform to share information, to exchange national approaches and responses, as well as to consider possible collective responses. Allies are also providing practical support to partners, including Ukraine."
Russian information operations surrounding the invasion of Ukraine.
Mandiant this morning published an overview of the Russian information operations it's tracked during the run-up to Russia's war against Ukraine, through the actual invasion, and continuing until now. Senior Analyst Alden Wahlstrom, one of the lead authors of the report, said that the research sought to exhibit "how known actors and campaigns can be leveraged or otherwise refocused to support emerging security interests, including large-scale conflict. For years, analysts have documented that Ukraine, a key strategic interest of Russia's, is a testing ground for Russian cyber threat activity that they may subsequently deploy elsewhere. Now, we witness how pro-Russia actors have leveraged the assets and campaign infrastructure developed over time (in whole or part) to target Ukraine."
The operations exhibit a mixture of disinformation and disruptive attacks (mostly ransomware, wiper malware disguised as ransomware, and nuisance-level distributed denial-of-service attacks). Defacement of Ukrainian government websites began as early as January 14th of this year, with messages claiming theft and subsequent deletion of data. "The defacements likely coincided with the January deployment of destructive tools PAYWIPE, an MBR wiper disguised as ransomware, and the SHADYLOOK file corrupter against Ukrainian government and other targets." February 23rd, the eve of the invasion proper, saw a repetition of this style of attack. In this case the defacements "coincided with destructive attacks against Ukrainian government targets using the NEARMISS master boot record (MBR) wiper and PARTYTICKET wiper disguised as ransomware." And during the war itself, on March 16th a deepfake video of Ukrainian President Zelenskyy appearing to announce surrender to Russia was distributed over compromised Ukrainian news sites. This incident coincided with another wiper attack: "On the same day, Mandiant identified the JUNKMAIL wiper targeting a Ukrainian organization. The malware was configured via a scheduled task to execute approximately three hours before Zelenskyy was scheduled to deliver a speech to the U.S. Congress."
Some familiar threat actors have been in evidence. APT28 (Fancy Bear, the GRU) has been behind much of the Russian activity, and the allied Ghostwriter operators of Belarus's satellite intelligence and security services have also been active in the Russian interest. The Internet Research Agency, well-known as an election-meddling troll farm, seems also to have resurfaced as "Kiber [that is, Cyber] Force Z," and resumed influence and amplification operations. And there have been the usual covert media outlets working under inauthentic personae.
The report concludes by offering its take on the outlook for influence campaigns aligned with Russian goals. Russian operators can be expected to continue to push disinformation, with a probable assist from their satellite services in Belarus. China and Iran serve as allies of convenience, retailing Russian themes when it serves those regimes' longstanding anti-Western strategic goals.