Article Details
Scrape Timestamp (UTC): 2024-10-12 03:07:05.304
Source: https://www.theregister.com/2024/10/12/russia_is_targeting_you_for/
Original Article Text
US and UK govts warn: Russia scanning for your unpatched vulnerabilities

Also, phishing's easier over the phone, and your F5 cookies might be unencrypted, and more.

In brief: If you need an excuse to improve your patching habits, a joint advisory from the US and UK governments about a massive, ongoing Russian campaign exploiting known vulnerabilities should do the trick.

In a joint release [PDF] by the US National Security Agency, FBI, Cyber National Mission Force and UK National Cyber Security Centre (NCSC), the agencies warned that hackers linked to Russia's Foreign Intelligence Service (SVR) have been aggressively looking for targets of opportunity of late. The group behind the campaign is none other than APT29, the same crew that pulled off the SolarWinds hack. In other words, this is a serious threat.

"SVR cyber operators consistently scan Internet-facing systems for unpatched vulnerabilities," the agencies said. "This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems."

A list of 24 CVEs that the Russians have been relying on is included in the advisory, some of which you'll definitely recognize, like CVE-2023-20198, a privilege escalation bug in Cisco IOS software, or CVE-2023-42793, a rather nasty bug in JetBrains TeamCity software.

The advisory also lists some potential remedies, aside from the obvious one of installing all your security patches, for reducing one's attack surface. The agencies suggest properly configuring systems to eliminate unnecessary open ports or default credentials, disabling internet-accessible services on everything that doesn't need them, and baselining all devices to get an idea of what irregularities look like, among other things.
"All organisations are encouraged to bolster their cyber defences: take heed of the advice set out within the advisory and prioritise the deployment of patches and software updates," said NCSC director of operations Paul Chichester.

Phone-assisted phishing scams are on the rise

When it comes to scams, time is a flat circle: with more and more employees trained to recognize phishing messages, scammers are returning to making phone calls to initiate social engineering attacks.

According to threat researchers at Intel 471, so-called "telephone-oriented attack delivery" (TOAD) is becoming a popular alternative to all-digital phishing that relies on a clicked link or opened document, and with good reason: it's far easier to get someone to trust you when you can talk to them.

"These are powerful attack combinations that leverage the implicit trust people often assign to strangers who assume authority over the phone," Intel 471 said, and scammers are taking notice. "We have observed a sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls and other fraud-oriented social-engineering attempts."

Time to start training employees on how to avoid yet another type of scam, beginning with this rule: don't download remote control software just because someone emails you a phone number and claims to be from IT. Good luck.

Please encrypt your F5 cookies, begs CISA

Those running an F5 BIG-IP Local Traffic Manager (LTM) module are hereby advised to take a moment to reconfigure their system to encrypt persistent cookies, or face those cookies being used to enumerate network devices.

CISA said that it had observed threat actors making use of unencrypted persistent cookies stored on F5 BIG-IP LTMs for this purpose. From there, the agency warns, attackers have been using the data they glean to identify additional network resources and exploit vulnerabilities on machines on the enumerated network.
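A quick self-audit for the cookie exposure CISA describes, added here as an example (not code from the article, CISA or F5): it reads the Set-Cookie headers your own LTM virtual server returns and flags any BIGipServer cookie whose value still decodes to a pool member, which is exactly the information an unencrypted cookie leaks. It assumes F5's documented default unencrypted IPv4 format (`<ip as little-endian decimal>.<port byte-swapped>.0000`); the sample headers are constructed.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Default unencrypted BIG-IP cookie persistence encodes the pool member as
# "<ipv4 as little-endian decimal>.<port as byte-swapped decimal>.0000".
# Encrypted cookies are opaque blobs and never match this pattern.
PLAIN_COOKIE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
COOKIE_NAME = re.compile(r"^BIGipServer", re.IGNORECASE)


def decode_member(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if value is an unencrypted BIG-IP cookie, else None."""
    m = PLAIN_COOKIE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))   # little-endian bytes
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]  # swap the two bytes
    return ip, port


def audit_set_cookie_headers(headers: List[str]) -> List[Dict[str, str]]:
    """Classify every BIGipServer* cookie in a list of Set-Cookie header values."""
    findings: List[Dict[str, str]] = []
    for header in headers:
        first = header.split(";", 1)[0]          # "name=value" before attributes
        if "=" not in first:
            continue
        name, value = (part.strip() for part in first.split("=", 1))
        if not COOKIE_NAME.match(name):
            continue                              # not a BIG-IP persistence cookie
        member = decode_member(value)
        if member is None:
            findings.append({"cookie": name, "status": "encrypted-or-opaque"})
        else:
            findings.append({"cookie": name, "status": "UNENCRYPTED",
                             "member": f"{member[0]}:{member[1]}"})
    return findings


# Constructed sample responses: one plain cookie, one opaque value, one unrelated cookie.
SAMPLE_HEADERS = [
    "BIGipServerpool_web=1677787402.20480.0000; path=/; HttpOnly",
    "BIGipServerpool_api=!c29tZSBvcGFxdWUgYmxvYg==; path=/",   # placeholder opaque value
    "session=abc123; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```

Run it against a saved response from each virtual server; any `UNENCRYPTED` finding means that profile still needs cookie encryption enabled.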
The agency is urging everyone using an F5 BIG-IP device to encrypt all persistent cookies, which is made easier by a tool F5 has released to help. Called BIG-IP iHealth, it "evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices," and it wouldn't be a bad idea to install and run it as soon as possible.

GitLab customers advised to patch critical flaw now

GitLab Dedicated customers can ignore this, but if you're using the Community or Enterprise editions, it's time to get patching. The popular DevOps platform released versions 17.4.2, 17.3.5 and 17.2.9 for both the CE and EE versions of GitLab to address eight security vulnerabilities, including a critical one that allows running CI/CD pipelines on arbitrary branches.

That vulnerability (CVE-2024-9164; CVSS 9.6) was patched alongside issues allowing an attacker to trigger pipelines as another user, a server-side request forgery vulnerability in the GitLab EE analytics dashboard, and others. If you haven't yet, take the time. While those patches are installing, sign up for GitLab's email patch notifications, or subscribe to the RSS feed of the same.

Google, partners launch scam signal clearinghouse

Google, the Global Anti-Scam Alliance (GASA) and the DNS Research Federation (DNSRF) have teamed up on a new project they hope will make it easier to profile and track scams online. The Global Signal Exchange will be administered by GASA and the DNSRF, with Google providing its own threat intelligence data, and the hope that others will throw their threat intelligence hats in the ring, too.

"GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services," Google said in a press release.
"The goal is to create a user-friendly, efficient solution that operates at an internet-scale, and is accessible to qualifying organizations."

Among the data that Google will include is the information gathered through its priority flagger program, which identifies potential violations of Google's product and service policies. The tech giant said it compiled more than 100,000 malicious shopping URLs and ingested more than one million scam indicators as part of the program. Oh, and all that juicy data will live on Google Cloud, naturally.
Daily Brief Summary
The US and UK governments issued a joint advisory warning of a significant Russian campaign targeting unpatched vulnerabilities.
Russian hackers linked to the APT29 group, known for the SolarWinds breach, are extensively scanning internet-facing systems to exploit known vulnerabilities.
The advisory lists 24 critical vulnerabilities frequently exploited by the attackers, including severe bugs in Cisco IOS and JetBrains TeamCity.
Recommended preventive measures include patching systems promptly, proper system configuration to close unnecessary ports, and disabling internet-accessible services on non-essential systems.
The advisory also emphasizes the importance of organizational vigilance and timely application of security updates to mitigate risks.
Alongside this, there's a notable rise in phone-assisted phishing scams, with attackers leveraging social engineering through voice calls.
CISA has advised entities using F5 Big-IP devices to encrypt persistent cookies to prevent attackers from exploiting them to identify and access network resources.
GitLab released updates for several critical vulnerabilities affecting its Community and Enterprise editions, urging immediate installation.