This month’s SWK Cybersecurity News Recap will dive into the recent BIG-IP critical vulnerability discovered in May 2022 along with a few other exploits of note from within the past year. Additionally, cyber warfare activities are continuing to progress around the Ukraine conflict as the full extent of both sides’ offensive capabilities continues to be revealed. Continue reading below to learn more about some of the top cyber news stories from April to May of this year:
F5 BIG-IP Vulnerability Rated 9.8/10 Severity
On May 4, 2022, F5, Inc. released a security advisory alerting customers to a critical vulnerability that affects its entire BIG-IP family of software and hardware products, the software across all versions from 11.6.1 to 16.1.2. This was followed by a public alert from CISA and the bug being added to the Common Vulnerabilities and Exposures (CVE) list as CVE-2022-1388 with a severity rating of 9.8 out of a possible 10. The rating is this high because the bug itself sits in the authentication protocol between BIG-IP modules and would allow an external attacker to effectively take direct control of every device in the system.
Ability to Take Control of Devices
The vulnerability potentially affects Internet-facing networks with BIG-IP components, according to comments from multiple security researchers and experts, specifically where the user management interface is reachable over an external connection. An attacker that can connect to the network can “execute arbitrary system commands, create or delete files, or disable services” via remote code execution (RCE) and essentially do what they want with any connected devices and applications. This includes locking down all storage with ransomware, as well as copying and deleting files to enforce extortion attempts.
Security researchers were able to provide proof of concept (PoC) exploits for the vulnerability almost immediately, each requiring fewer than a handful of steps to complete, and malicious activity on the CVE was soon observed in the wild. The extent of networks impacted is still being debated, however, with predictions ranging from 2600 to 16,000 affected BIG-IP users. Talk to your IT team ASAP to discover if you are using any affected devices (or reach out to SWK Technologies) and follow the recommendations provided by F5 here.
Other Critical Vulnerabilities of the Past Year
CISA released a report on the top 15 most exploited vulnerabilities of 2021 as observed by the security agencies of the “Five Eyes”, the informal name for a semi-official intelligence-sharing alliance of mainly English-speaking nations (US, Canada, UK, Australia and New Zealand). The top critical vulnerability exploits were:
- Log4Shell (designed for CVE-2021-44228)
- ProxyShell (attacks CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065)
- ProxyLogon (exploits CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207)
The full report can be read here.
What is a Web Shell?
As the names indicate, Log4Shell and ProxyShell are examples of exploits that hackers build to plant programs called “web shells,” which leverage vulnerabilities to insert code that gives a remote attacker access. Once a web shell is injected into a system’s outer layer, the bad actor uses the Internet-facing connection to execute further commands until they reach what they want, such as accessing files or taking control of devices. The BIG-IP vulnerability, for example, had already seen several web shells developed to exploit it at the time of this writing.
Microsoft released fixes for its latest vulnerabilities across several products on its regular Patch Tuesday, the scheduled day on which the publisher launches updates to address cybersecurity and other issues. As solutions in the Windows, 365 and Azure families are some of the most widely used of their respective categories worldwide, Microsoft constantly has to stay ahead of exploits developed to take advantage of any bugs that fall through the cracks.
Ransomware has seen another uptick in the first half of 2022, with two attacks in particular destabilizing whole institutions – one a 157-year-old HBCU in Illinois and the other the entire government of Costa Rica.
Costa Rican State of Emergency
New Costa Rican president Rodrigo Chaves declared a state of emergency in early May 2022 as his government continued to respond to a series of cyber attacks that had impacted their web systems since earlier in April. The first breach targeted the Ministry of Finance but soon spread to other institutions, shutting down the public sector’s digital services and significantly disrupting the private sector. The perpetrators are attempting to hold the government’s computer systems and data hostage for a $10 million ransom.
HBCU Lincoln College Closes After Attack
As of May 13, 2022, Lincoln College, founded in Illinois in 1865, has shut down in the aftermath of a ransomware attack that occurred in December 2021. COVID-19 complications had already significantly impacted the school and its enrollment rates, but the breach pushed its financial problems past the breaking point, disrupting its technology systems for long enough to dry up its ROI even once they were restored. With projections after the attack indicating it could not make up the shortfall, the college was forced to close its doors – the first recorded instance of an American institution being taken down by ransomware.
REvil and Conti Gangs Return?
The attacks on Costa Rica and Lincoln reflect a resurgence of prolific nation-backed hackers in Russia and Iran, including groups that had ostensibly been shut down, such as REvil and Conti. The latter is suspected in the Costa Rican government hack, prompting the US State Department to offer a $10 million reward for information on the gang’s leadership, with an added $5 million bounty for information on anyone involved in a past or planned future Conti operation.
US Efforts in Cyber War
As intelligence continues to be revealed on the extent of cyber warfare activity around the Ukraine conflict, the US government and its allies are doubling down on accusations against Russia for these attacks as well as reinforcing digital defenses both at home and in Ukraine.
Support for Ukraine
The State Department issued a statement May 10 reaffirming cybersecurity support for Ukraine’s government and listed the extent of the resources provided, including direct cooperation by the FBI, CISA, the Department of Energy and other agencies.
NATO Cyber Wargames
In April 2022, participants from several NATO and allied nations took part in the Locked Shields exercise, which is essentially a cybersecurity variant of the alliance’s regular wargames. This year’s operations featured more contemporary scenarios copied directly from suspected Russian cyber attacks, including a focus on financial systems.
The UK and EU officially accused Russia of perpetrating the attack that took down the KA-SAT satellite network, which disrupted communications in Ukraine as well as across the rest of Europe. The Russian Federation continues to deny its involvement, however.
Get More Cybersecurity News Updates
Keep an eye on the evolving cybersecurity situation – from new regulations to fallout from the ongoing conflict – by staying up to date on the latest news with SWK Technologies. If you have any questions or concerns in particular, feel free to reach out to us and have a conversation with one of our experts.
Contact SWK here to learn more about the current state of cybersecurity, recent updates in the field and what you can do to protect your business from cyber attack.