Cyber Security Headlines – May 13, 2022

Google will use mobile devices to thwart phishing attacks

Google this week announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys such as Google’s Titan Security Key. Google is bundling the Titan capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into. Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent, including challenging users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into.

(Dark Reading)

CISA urges organizations to patch actively exploited F5 BIG-IP vulnerability

Following on from one of the main stories of the week, CISA has added the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild. The flaw, assigned the identifier CVE-2022-1388 (CVSS score: 9.8), is a critical bug in the BIG-IP iControl REST endpoint that gives an unauthenticated adversary a way to execute arbitrary system commands. “An attacker can use this vulnerability to do just about anything they want to on the vulnerable server,” researchers said in a report. This includes making configuration changes, stealing sensitive information and moving laterally within the target network, as well as completely erasing targeted servers as part of destructive attacks, rendering them inoperable by issuing an “rm -rf /*” command that recursively deletes all files.

(The Hacker News)
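The practical follow-up to a KEV listing is checking whether anything you run carries the catalogued CVE and how much time is left before CISA's remediation deadline. The script below is an added example, not code from CISA, F5 or The Hacker News: it indexes a KEV-format feed by CVE ID, pulls CVE identifiers out of a scanner export, and reports every match with its due date and required action. The feed and scan data embedded here are constructed samples that mirror the real feed's field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the dates, host names and the placeholder CVE-2022-0000 are assumptions for illustration, not catalog entries.

```python
"""Cross-check a vulnerability scan against a CISA KEV-format feed (added example)."""
import csv
import io
import json
import re
from datetime import date

# CISA publishes the live catalog here; this example works offline on a sample instead.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Scanner output often mixes case; match loosely and normalise to upper case later.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed sample feed: same layout and field names as the KEV JSON, placeholder values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-1388",
            "vendorProject": "F5",
            "product": "BIG-IP",
            "vulnerabilityName": "F5 BIG-IP Missing Authentication Vulnerability",
            "dateAdded": "2022-05-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-31",
        },
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
        },
    ],
})

# Constructed scanner export: one finding per row, CVE IDs embedded in free text.
SAMPLE_SCAN_CSV = """host,finding
lb-edge-01,CVE-2022-1388 F5 BIG-IP iControl REST authentication bypass
app-07,cve-2021-44228 Apache Log4j2 JNDI lookup
dc-02,CVE-2022-0000 placeholder finding not in the catalog
"""


def load_kev(feed_text):
    """Index a KEV-format feed by upper-case CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def extract_cves(text):
    """Return the set of normalised CVE IDs mentioned in a free-text finding."""
    return {match.upper() for match in CVE_RE.findall(text)}


def match_scan(scan_csv, kev, today=None):
    """List scan findings that appear in the KEV index, most overdue first.

    `today` is an ISO date string; it defaults to the current date.
    """
    reference = date.fromisoformat(today) if today else date.today()
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        for cve in sorted(extract_cves(row["finding"])):
            entry = kev.get(cve)
            if entry is None:
                continue  # exploited-in-the-wild status unknown; still patch, but not a KEV hit
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": row["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_overdue": (reference - due).days,  # negative means still within the deadline
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return findings


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)
    for hit in match_scan(SAMPLE_SCAN_CSV, index, "2022-06-01"):
        overdue = hit["days_overdue"]
        state = f"{overdue}d overdue" if overdue > 0 else f"due in {-overdue}d"
        print(f'{hit["host"]:12} {hit["cve"]:16} {hit["product"]:16} {state}: {hit["action"]}')
```

To run it against the real catalog, fetch KEV_FEED_URL and pass the response body to `load_kev`; the due date is the federal deadline, so anything with a positive `days_overdue` is both actively exploited and past the date CISA considered acceptable.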

Kick China off social media, says tech governance expert

Samir Saran is president of Delhi-based think tank Observer Research Foundation (ORF), a commissioner of The Global Commission on the Stability of Cyberspace, and a member of Microsoft’s Digital Peace Now Initiative. Speaking at the Black Hat Asia conference, Saran said China’s Communist Party sees tech as a means of exerting control and uses social media to deliberately interfere in the affairs of other nations, while simultaneously barring other nations from its own digital public square and preventing its citizens from venturing into the global cyberspace inhabited by those of other countries. “Mischief abroad is the business model for Chinese tech,” he said.

(The Register)

Windows updates for May cause AD authentication failures

Microsoft is investigating a known issue causing authentication failures for some Windows services after installing the updates released on the May 2022 Patch Tuesday. This comes after Windows admins started sharing reports of some policies failing after installing this month’s security updates, with the error “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.” The issue affects both client and server Windows platforms across all supported Windows versions, including the latest releases (Windows 11 and Windows Server 2022). A patch for the patch is upcoming.

(Bleeping Computer)

Thanks to our episode sponsor, Datadog

Break down silos between DevOps and Security teams to enable collaboration and strengthen the security of your environment. In this on-demand webinar, hear from one of Datadog’s engineers on how teams can speed up investigations by assessing security and observability data using Datadog’s unified platform to reduce security threats by detecting vulnerabilities.
Watch the on-demand webinar now to learn how to get full-stack security for your production environment at

Iranian cyberspy group launching ransomware attacks against US

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports. In November 2021, a joint advisory from government agencies in the US, UK, and Australia warned of Iranian state-sponsored attacks targeting critical infrastructure and other organizations through the exploitation of Fortinet FortiOS vulnerabilities and a Microsoft Exchange ProxyShell bug. In a report in December 2021, Microsoft noted that Charming Kitten was showing high interest in acquiring exploits targeting the Log4j vulnerability, to modify and use them in new attacks. In January 2022, the APT was observed using a new PowerShell backdoor. Secureworks, which tracks the cyberespionage group as Cobalt Mirage, reported yesterday that the group appears to have turned to financially-motivated attacks, including the deployment of ransomware.

APT gang ‘Sidewinder’ goes on two-year attack spree across Asia

The SideWinder APT group has in fact conducted almost 1,000 attacks over the past two years, deploying increasingly sophisticated methods. According to Kaspersky’s Global Research and Analysis Team, speaking yesterday at the Black Hat Asia conference, SideWinder mostly targets military and law enforcement agencies in Pakistan, Bangladesh and other South Asian nations. Its expanded activities include new obfuscation techniques for the JavaScript it drops into .RTF files, .LNK files, and OpenOffice documents. Kaspersky has observed unique encryption keys deployed across more than 1,000 malware samples attributed to the group.

(The Register)

Novel ‘Nerbian’ trojan uses advanced anti-detection tricks

A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found. Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

Texas man gets 5 years for stealing 38,000 PayPal account credentials

Marcos Ponce, 37, of Austin, also was ordered to pay $1.4 million in restitution, according to a Justice Department press release. Court documents in the case show that from at least November 2015 until November 2018, Ponce and his co-conspirators established buyer accounts on an illegal online marketplace which sold stolen payment account credentials along with complementary personal identification information. Prosecutors contend that Ponce and his co-conspirators developed social engineering techniques so they could dupe third parties into accepting money transfers from the compromised PayPal accounts before transferring the money into accounts they controlled.