The Good, the Bad and the Ugly in Cybersecurity – Week 47

The Good

U.S. officials have finally arrested and charged long-wanted suspected cyber criminal Vyacheslav Penchukov, a Ukrainian national they allege acted as a ringleader of JabberZeus – one of the most notorious cybergangs on record.

According to the FBI, the JabberZeus gang has stolen upwards of $70 million in both the United States and across Europe in recent years. The crime group leveraged banking trojan Zeus malware and botnets to collect bank account numbers, PIN numbers, passwords, RSA SecureID tokens, and other personal information. After JabberZeus gained access to victims’ bank accounts and drained their funds, the money was then transferred out of the U.S. through a network of mule accounts. JabberZeus has been known to target small to medium-sized entities including businesses, municipalities, and churches.

This arrest comes as a result of U.S. law enforcement playing out the long game. Having been closely monitored by cybercrime analysts as early as 2009, Penchukov (aka “Tank”) was arrested by the Swiss Federal Office of Justice (FOJ) when he eventually travelled to Geneva last month. Penchukov’s extradition to the U.S. was approved this week.

Penchukov has been charged with conspiracy to participate in racketeering activity, bank fraud, conspiracy to commit computer fraud and identity theft, and aggravated identity theft together with eight other suspects. Another alleged member of JabberZeus, Maksim Yakubets (aka “Aqua”), currently has a $5 million bounty on his head offered by the FBI as reward for information leading to his arrest and conviction.

The Bad

This week, security researchers disclosed multiple vulnerabilities and bypass methods found in multi-cloud and application delivery firm F5’s BIG-IP and BIG-IQ devices. The flaws, if successfully leveraged, could compromise affected systems running a customized distribution of CentOS.

Researchers say the two vulnerabilities could be exploited to achieve remote access. CVE-2022-41622 (CVSS 8.8) is assigned to flaws in BIG-IP and BIG-IQ vulnerable to unauthenticated remote code execution via cross-site request forgery (CSRF). CVE-2022-41800 (CVSS 8.7) describes a bug in the appliance mode, iControl REST, which makes it vulnerable to authenticated remote code execution (RCE) via RPM spec injection.

Attackers exploiting the flaws could gain persistent root access to a device’s management interface though this would require an administrator to visit a malicious website while in an active session. F5 explained that the vulnerabilities cannot be exploited without an attacker having first moved past existing barriers using unknown mechanisms. Needing such specific criteria to exist, F5 notes that these methods would be very difficult to exploit, but could lead to complete compromise should it occur.

So far, the company is not aware of any incidents involving these vulnerabilities, though a detailed proof of concept has since been released. Impacted customers have been advised by F5 to request and install the hotfix specific to their product version.

The Ugly

Concerns over the prevalence of the Log4Shell RCE vulnerability continue nearly a year after its initial disclosure. CISA and the FBI reported this week than an unnamed Iranian-backed APT actor used Log4Shell to compromise a U.S. Federal Civilian Executive Branch (FCEB) organization over a period of months.

A CISA investigation found that as early as February 2022, the threat actor exploited the notorious vulnerability in an unpatched VMware Horizon server to install XMRig crypto mining software. Then, shifting laterally into the domain controller (DC), they compromised credentials and implanted Ngrok reverse proxies on several hosts to establish persistence in the FCEB agency’s network.

The joint advisory urged all organizations using VMware systems that were not immediately patched or mitigated with workarounds to assume breach and begin threat hunting efforts after patching against Log4Shell.

Log4Shell is a critical vulnerability allowing an attacker to run unauthorized code on an affected server, access parts of a network that is not connected to the internet, and move laterally across a network to access internal systems storing sensitive data. Scoring a 10 on NIST’s severity scale, Log4Shell is as critical as a vulnerability can get and it continues to be abused by various threat actors since it first made global headlines in December 2021.

Late last year, CISA had issued warnings that the vulnerability had the potential to affect an unprecedented number of devices. In June of this year, the Cyber Safety Review Board (CSRB) published a formal review of the December Log4j event remarking that the endemic flaw “remains deeply embedded in systems” and that “organizations should be prepared to address Log4j vulnerabilities for years to come”.