Risky Biz News: Zyxel firewalls and VPN devices come under attack

In other news: Italy fends off Russian cyberattacks during Eurovision, and academics install malware on turned-off iPhones.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Threat actors are exploiting a vulnerability in Zyxel enterprise firewall and VPN devices to gain access to (still) unpatched systems and install web shells for future intrusions.

The attacks started days after security firm Rapid7 published details and a Metasploit module for CVE-2022-30525, an unauthenticated command injection vulnerability in some of Zyxel's top-of-the-line enterprise products. Affected devices include the ATP and USG FLEX firewall series and Zyxel enterprise VPN line.

It took only two days after the Rapid7 report for attacks to be detected, according to researchers from Shadowserver Foundation, who spotted the first attacks over the weekend.

With only two days of notice, it is very likely that most of the roughly 20,000 internet-connected Zyxel devices vulnerable to this bug are still unpatched and open to attacks. With a CVSSv3 severity score of 9.8/10, network administrators are advised to update their equipment as soon as possible, as these types of devices have often been on the menu for cybercrime groups. In the past, VPNs and firewalls from vendors like Citrix, Palo Alto Networks, Fortinet, and SonicWall have often been used as gateways into corporate networks by ransomware gangs.

Breaches and hacks

Ransomware in Zambia: The Central Bank of the Republic of Zambia said it suffered a cybersecurity incident on May 9 that crippled some of its services. Sources tell Risky Business News that the incident was an attack carried out by the Hive ransomware gang. In a tweet on Friday, the bank said that it recovered from the attack and that "affected systems have since been restored."

Anonymous in Sri Lanka: A report from Rest of World highlights that attempts by the Anonymous hacktivist collective to support the societal protests in Sri Lanka last week resulted in the group hacking government portals and leaking the personal data of the same people it was trying to protect, exposing them to a huge risk of falling victim to spam, malware, and cybercrime.

Italy, Russia, Eurovision: Italian police said on Sunday that they blocked cyberattacks by the pro-Russian hacktivist group Killnet that attempted to disrupt the final and semifinals of the Eurovision song contest, Reuters reported. This year's contest was held in Turin, Italy.

Another cheat maker hacked: The data from GTA Online cheat maker Paragon Cheats has entered the public domain and has been indexed in the Have I Been Pwned website. The cheat maker shut down last year after disclosing the hack. This marks the second cheat website whose data has leaked into the public domain this month, after Aimware's data also began circulating a few weeks ago.

General tech and privacy

Install malware on a turned-off iPhone: A team of German academics published a paper last week in which they documented how attackers could load malware onto a Bluetooth chip that is executed while an iPhone is turned off. The attack is possible because Apple leaves the iPhone's Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) chips running while iOS is turned off, even in Low-Power Mode (LPM). The attack appears to be possible because of "undocumented LPM features introduced in iOS 15," and the research team recommended that Apple add a hardware-based switch to disconnect the battery while iOS is off for users needing additional security.

OpenVPN is fingerprintable: A team of US academics says they've identified three methods to fingerprint network traffic generated by OpenVPN, the most popular protocol for commercial VPN services today. The research team said that by observing byte patterns, packet size, and server responses, they were able to accurately detect around 85% of all test OpenVPN traffic, opening the door for full-scale traffic censoring in adversarial networks. The paper [PDF] will be formally presented later this year at the USENIX security conference.

Silent Firefox security update: Mozilla appears to have silently pushed Firefox 100.0.1 as a security update. According to tech blog Ghacks, this version improves Firefox's security sandbox on Windows devices. Sophos' Naked Security blog believes Mozilla pushed this update as a last-minute improvement ahead of the Pwn2Own 2022 Vancouver security conference, scheduled to take place later this week.

SDDL summary: Microsoft's Raymond Chen has published a brief summary of the various versions of the Security Descriptor Definition Language (SDDL) and how it changed over the years.

Government, politics, and policy

ICS-CERT tool release: The DHS ICS-CERT team last week open-sourced two additional parsers for its ICSNPP project, which run as plugins for the Zeek network security monitoring framework and parse ICS-specific protocols like S7Comm and Genisys. The release means that security teams can now monitor for signs of malicious traffic on these ICS-specific protocols.

New EU cybersecurity rules: EU member states have passed a new directive on Friday that enforces a tougher set of cybersecurity incident reporting rules for crucial sectors, such as energy, transport, healthcare, and digital infrastructure. This new directive—called NIS2—replaces the older cybersecurity reporting framework NIS and widens reporting rules from large operators to mid-sized companies as well. Member states will have 21 months to incorporate the provisions into their national law.

Singapore: The Singapore government launched a safety rating scheme for online shops last week based on their anti-scam measures, ZDNet's Eileen Yu reported. The rating system goes from one to four ticks, depending on how many anti-scam systems the shops have running.

Cybercrime and threat intel

Russo-Ukrainian war leaks: Threat intelligence firm DarkOwl has published a report reviewing the recent wave of data leaks that have originated from pro-Russian and pro-Ukrainian hacktivist groups. According to the company, 90% of the leaks are related to targets in Russia.

Conti goes off the rails: After the Costa Rican government declined to pay the ransom demand to recover systems affected by an attack by the Conti ransomware gang, the group posted a message on its leak site last Friday urging citizens to "organize rallies so that they would pay us as soon as possible," and even suggested that Costa Ricans get a new government.

IMDS, again: After Mandiant published a report earlier this month detailing an attack where a threat actor abused the AWS IMDS API to move laterally inside compromised AWS infrastructure, the SANS team has published a breakdown of the IMDS API so that blue teams can understand how it can be abused and what can be done to protect servers. The IMDS API is typically used inside AWS customer deployments for debugging purposes.

Sysrv expands targeting: The Sysrv botnet has expanded its targeting capabilities to go after apps written in the Spring Java Framework and websites running WordPress, Microsoft reported last week. The end goal of the attacks has been, and continues to be, the deployment of cryptocurrency-mining malware.

Malware technical reports

Ukraine wipers: Recorded Future has published a technical overview of the nine different disk wipers that have hit Ukraine since the start of the war. Per the company, none of the wipers share code similarities, and they also didn't contain any network connectivity functionality that would permit them to steal victim data, confirming that their purpose was targeted destruction.

KurayStealer: Uptycs published a report last week on KurayStealer, a new malware builder sold on underground cybercrime forums that can be used to harvest passwords and screenshots from infected hosts and upload the stolen data to Discord servers.

SYK Crypter: Morphisec has published a report on an attack that uses Discord to distribute a .NET loader (DNetLoader) and a .NET crypter (SYK Crypter) to victims.

Bumblebee: After reports from NCC and Proofpoint, we have another analysis of the new Bumblebee malware from OALABS.

APTs and cyber-espionage

Operation RestyLink: NTT Security published a report on Friday on an APT campaign targeting Japanese companies this spring. The company has not attributed the campaign to any specific APT group.

Vulnerabilities and bug bounty

Unavailable for days: Nozomi Networks has helped Siemens fix a vulnerability in its building automation systems (BAS) and HVAC systems that could have crashed systems for days at a time. The vulnerability was considered dangerous because some fire alarms and temperature management systems could be taken offline in critical locations.