More stories

  • CISA adds actively exploited critical F5 BIG-IP bug to its must-patch list

    The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a critical bug in F5’s BIG-IP software that is being actively exploited. The network and application delivery firm on May 4 disclosed a critical authentication bypass affecting the iControl REST component in multiple versions of its BIG-IP software. The bug, tagged as CVE-2022-1388, had a CVSSv3 severity score of 9.8 out of 10 in part because of its ease of exploitation.

    Within days of F5’s advisory, security researchers saw potential attackers scanning for vulnerable F5 system admin interfaces exposed on the internet.

    Ron Bowes at security company Rapid7 expects exploitation attempts to increase because the bug is easy to exploit. Also, exploit code that provides root access to affected devices is publicly available.

    However, Bowes reckons there are only about 2,500 F5 BIG-IP devices exposed on the internet based on a shodan.io search.

    Affected organizations should patch the critical F5 BIG-IP bug swiftly. Palo Alto Networks says that on Wednesday it observed over 2,500 scanning and active exploitation attempts within just 10 hours.

    “We observed this signature triggered 2,552 times between 4:47 and 14:00 UTC on May 10. We were able to analyze 2,151 packets that triggered the signature and observed both vulnerability scanning activity and active exploitation attempts,” the security firm’s Unit 42 group said.

    CISA notes that F5 BIG-IP contains a missing authentication in critical function vulnerability that can allow for remote code execution, creation or deletion of files, or disabling services.

    The F5 bug is the only new addition this month to CISA’s Known Exploited Vulnerabilities Catalog. Federal civilian agencies are expected to apply the F5 patch by 31 May under CISA’s binding operational directive. However, it recommends organizations beyond the scope of the directive apply the patch too.

    In March, CISA ordered agencies to fix 95 and 66 bugs, many of them older bugs in what appeared to be a massive clean-up effort. It added seven bugs in April and five more last week.

  • Hackers are using tech services companies as a 'launchpad' for attacks on customers

    A warning from international cybersecurity agencies has urged IT service providers and their customers to take action to protect themselves from the threat of supply chain attacks.

    The cybersecurity agencies warn that Russia’s invasion of Ukraine has increased the risk of cyberattacks against organisations around the world. But they also suggest a number of actions that IT and cloud service providers, along with their customers, can take to protect networks from supply chain attacks, where attackers gain access to a company that provides software or services to many other companies.

    “As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks,” said Jen Easterly, director of the US’s Cybersecurity and Infrastructure Security Agency (CISA).

    “We know that MSPs that are vulnerable to exploitation significantly increases downstream risks to the businesses and organisations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain,” she added.

    The warning comes from the UK’s National Cyber Security Centre (NCSC), CISA, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NZ NCSC), along with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

    Steps that can be taken to prevent initial compromise include hardening remote access VPN solutions and defending against brute force password-spraying attacks by ensuring users use strong passwords and ensuring that accounts are defended with multi-factor authentication.

    Organisations should also make sure they’re able to defend against phishing attacks by having appropriate tools in place to filter out spam emails, as well as educating staff on how to detect potentially malicious messages.

    It’s also vital for organisations to monitor their networks and ensure that logging processes are recorded, as this can help to detect and disrupt suspicious activity and prevent an incident in the first place – as well as being able to build a story of what happened if attackers do breach the network.

    It’s recommended that logs are stored for at least six months, because some cyberattacks can take months to detect.

    Among other things, it’s also recommended that IT suppliers and their customers should apply security updates as soon as possible, in order to prevent potential intruders from being able to exploit known vulnerabilities to gain access to the network.

    It’s also vital for suppliers and customers to be transparent about cyber risks and they should clearly define who is responsible for managing systems securely. For example, a customer should fully understand that applying security updates from a supplier is their responsibility and they could be at risk of cyberattacks if they don’t follow best patching procedures.

    Not only are supply chain attacks a vital tool in cyber campaigns by hostile nation states, it’s also possible for cyber criminals to breach supply chains for the purposes of ransomware and other malware attacks because they know supply chains are such a vital part of the business ecosystem.

    “Managed service providers are vital to many businesses and, as a result, a major target for malicious cyber actors,” said Abigail Bradshaw, head of the Australian Cyber Security Centre.

    “These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods. Effective steps can be taken to harden their own networks and to protect their client information,” she added.

    The advice was issued on the second day of the NCSC’s Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss global cyber threats.

    “We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that,” said Lindy Cameron, CEO of the NCSC.

    “Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”

  • Elon Musk: Russian efforts to jam Starlink are 'ramping up'

    Elon Musk has said that Russian attempts to jam or otherwise hack the Starlink satellite communications network have been thwarted so far, but these efforts continue – and are ramping up. The Starlink and Tesla chief was responding to a news story about how the European Union and the US with its Five Eyes partners were blaming the Russian military for a cyberattack on Viasat’s KA-SAT network earlier this year. 

    The attack occurred on February 24, one hour before the Russian military invaded Ukraine. It caused communication outages across public authorities, businesses and users in Ukraine, and also affected users in several EU member states, the EU said in its statement.

    Viasat last month confirmed modem-wiping malware knocked out very small-aperture terminals (VSAT) on Viasat’s fixed broadband service in Ukraine and parts of Europe connected to its KA-SAT satellite network.

    Posting a link to a story about the Viasat attack, Musk noted on Twitter: “Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but they’re ramping up their efforts.”

    After Russia’s invasion of Ukraine damaged the country’s internet infrastructure, Ukraine’s vice prime minister and minister of digital transformation Mykhailo Fedorov requested help from Musk, who responded by sending Starlink terminals to the country, and has faced attempts to jam or hack the network since.

    Earlier this month, Fedorov said there were around 150,000 active users of Starlink per day in the country. “This is crucial support for Ukraine’s infrastructure and restoring the destroyed territories,” he said.

    Satellite communication has become a key tool, but also a key target for hacking attacks. The National Security Agency (NSA) has updated its advice for satellite operators and their customers to protect networks from cyberattacks for espionage and disruption.

    “The recent U.S. and European Union public statements noted the Russian military launched cyberattacks against commercial satellite communications to disrupt Ukrainian command and control in February 2022,” the NSA said on Tuesday. “This cyber activity against Ukraine further underscores the risk to VSAT communications for both espionage and disruption.”

    A month before Viasat’s multi-day outage in Europe, the NSA released recommendations, aimed at US government agencies, to protect VSAT communications because they often aren’t encrypted in transit. The NSA warned that VSAT’s virtual network separation “cannot be trusted to provide access control, separation, or confidentiality of sensitive information” and recommended the use of VPNs for confidential VSAT communications.

    The updated advisory from the NSA remains largely the same but includes a new passage acknowledging the EU and US attribution of the attacks on VSATs to the Russian military.

    “According to a recent U.S. and European Union statements, the Russian military launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries.”

    The activity disabled VSATs in Ukraine and across Europe, including tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide internet services to private citizens, it adds.

    It is extremely rare for the EU to attribute a cyberattack to a third nation. However, it has applied EU-wide sanctions to individuals in North Korea, Russia and China for their roles in past cyberattacks on European countries, albeit several years after attacks like WannaCry and NotPetya took place.

    As foreign policy think tank German Institute for International and Security Affairs (SWP) highlighted in a study of recent cyberattacks, attribution at the EU level is difficult, partly because only some EU member nations – such as Sweden, the Netherlands, Estonia, Austria, France and Germany – have the technical capability or political will to do so.

    Also, under the guidelines of the EU’s 2017 cyber diplomacy toolbox, the EU has refrained from attributing cyberattacks to third states because it is a sovereign political decision for each member state.

    SWP looked at several recent cyberattacks, including WannaCry and NotPetya from 2017, Operation Cloud Hopper in 2016, the 2015 Bundestag hack, and the 2018 attack on the Organization for the Prohibition of Chemical Weapons.

    “While the Five Eyes intelligence alliance (consisting of the US, the UK, Canada, Australia and New Zealand) coordinates its attribution and public naming and shaming in a manner which has a high media impact, the coordination processes in the EU 27 are naturally slower: months, if not years, pass between a cyber incident and the implementation of sanctions,” SWP argued.

    The EU said the Russian military attack on Viasat’s network was “contrary to the expectations set by all UN Member States, including the Russian Federation, of responsible State behaviour and the intentions of States in cyberspace.”

  • Elon Musk plans to reverse Donald Trump's permanent ban on Twitter

    Written by Aimee Chanthadavong, Senior Journalist

    Elon Musk has described Twitter’s decision to permanently suspend former US President Donald Trump from the social media platform as a “morally bad decision” and “foolish in the extreme”, adding that he would reverse the ban.

    “I would reverse the permanent ban,” said Musk at the Financial Times conference.

    He added that banning Trump was “a mistake because it alienated a large part of the country” and that it “didn’t end Trump’s voice”; rather, it only amplified it among the right, which is why the ban was “morally wrong and flat-out stupid”.

    “Now, that doesn’t mean that somebody gets to say whatever they want to say if they say something that is illegal or otherwise just destructive to the world then should be perhaps a passive timeout, a temporary suspension, or that particular tweet should be made invisible or have very limited traction,” he said.

    “But I think permanent bans just fundamentally undermine trust in Twitter as a town square where everyone can voice their opinion.”

    According to Musk, who struck a deal last month to buy Twitter for $44 billion, his views are shared by Twitter founder Jack Dorsey.

    Twitter made the decision to permanently suspend Trump’s account on 8 January 2021 after he published inflammatory tweets that encouraged rioters to attack the US Capitol.

    Musk also noted during the FT conference that Twitter needs to be “much more even-handed”.

    “It currently has a strong left bias because it’s based in San Francisco … this fails to build trust into the rest of the United States and also perhaps in other parts of the world,” he said.

    Musk also envisions that his plans for Twitter will revolve around building trust by making the platform’s algorithm open-source.

    “I would literally put the Twitter algorithm on GitHub and say, ‘Hey, anyone want to suggest changes to this? Please go ahead’,” he said.

    “You really want transparency to build trust and any sort of adjustments to tweets or any human intervention with any account on Twitter should be highlighted as a Twitter person took the following action with your account or with this tweet, so that you’re not sitting there in the dark wondering, ‘Why did this tweet not get any attention?’”

    The remarks by Musk follow a similar message he delivered when he announced his billion-dollar deal with Twitter, where he described “free speech” as the “bedrock of a functioning democracy”, and said that “Twitter is the digital town square where matters vital to the future of humanity are debated”.

    Despite Musk’s stand for free speech, a filing revealed last week that he is happy to get the Twitter deal done with the backing of noted bastions of repression, Qatar and Saudi Arabia.

  • Five Eyes pin Russia for pre-Ukraine invasion attack on Viasat

    Written by Chris Duckett, APAC Editor

    The Five Eyes nations, consisting of the United States, United Kingdom, Australia, New Zealand, and Canada, as well as the European Union and Ukraine, have pinned Russia for a series of cyber incidents leading up to the invasion of Ukraine.

    Pulling up short of absolutely attributing the attack, the UK said it was “almost certain” that Russia caused the Viasat outage in February that began an hour before the invasion of Ukraine commenced.

    “Although the primary target is believed to have been the Ukrainian military, other customers were affected, including personal and commercial internet users. Wind farms in central Europe and internet users were also affected,” the UK said.

    The UK added that tens of thousands of Viasat terminals were rendered inoperable by the attack.

    The United States said Russia had deployed multiple families of wiper malware including WhisperGate against the Ukrainian government and private sector networks.

    “In the months leading up to and after Russia’s illegal further invasion began, Ukraine experienced a series of disruptive cyber operations, including website defacements, distributed denial-of-service attacks, and cyber attacks to delete data from computers belonging to government and private entities — all part of the Russian playbook,” the US said.

    The Canadian attribution further pinned Russia for targeting Ukraine’s banking sector in February, historically exploiting the big SolarWinds vulnerability of 2021, going after Canadian COVID vaccine research, and interfering in Georgia’s parliamentary elections in 2020.

    “Russian government cyber actors have compromised a number of Ukrainian civilian entities since October 2021 that would be involved in crisis response activities, including networks related to emergency services, energy, transport and also communications,” the Australian government said.

    New Zealand said it would be sanctioning eight individuals and entities involved in the attacks and “Putin’s campaign of disinformation”.

    “President Putin’s propaganda machine is in full swing, spreading lies and false information to justify Russia’s illegal invasion,” NZ Foreign Minister Nanaia Mahuta said.

    “Today’s announcement reflects our complete rejection of Putin’s narrative and his attempts to mislead the international community.”

    For its part, Ukraine said Russia had been attacking its cyberspace for eight years.

    “Russia has launched at least several malware families upon Ukraine since the beginning of the year: WhisperGate/WhisperKill, CaddyWiper, Hermetic Wiper, Industroyer2, DoubleZero, etc,” it said.

    “Russia uses cyberattacks to create a humanitarian disaster in Ukraine, since hackers are trying to disrupt operation of the energy sector, emergency services, communications, logistics.

    “Russian hackers pose a threat not only to Ukraine, but to the whole world.”

  • Docker Desktop for Linux finally arrives

    Docker Desktop is an easy-to-use Docker container integrated development environment (IDE). It includes Docker Engine, Docker CLI client, Docker Compose, Docker Content Trust, Kubernetes, and Credential Helper. With it, you can easily build and share containerized applications and microservices. There’s only been one problem: It hasn’t been available for the Linux desktop.

    This isn’t like a Windows game or Mac photo-editing program, where you can see why there isn’t a Linux version. Docker and containers live on Linux in production. But, at long last, and after many Docker developers’ requests, Docker is delivering a Docker Desktop for the Linux desktop.

    Besides making it easier to build Docker containers, the Docker Desktop for Linux dashboard makes it easier for developers to manage containers, images, and volumes. It also provides:

      • A unified Docker experience across all major operating systems.
      • Seamless Kubernetes integration.
      • A Docker Desktop UI that provides insights into the Docker processes running locally on your machine.

    In addition, like the Docker Desktop for Mac and Windows, Docker Desktop for Linux includes Docker Extensions. These enable you to add complementary development tools. Docker has announced support from 14 launch partners. These include JFrog, Red Hat, Snyk, and VMware.

    Why? Docker CEO Scott Johnston explained, “The large, complex cloud-native tools landscape presents a challenge for developers, who need the right tool for the right job, right now. Docker Extensions enables developers to quickly discover and start using the tools they need for their apps and not waste time searching, downloading, configuring, evaluating, and managing tools.”

    In particular, Docker Desktop Extension for JFrog Xray enables developers to automatically scan Docker containers for vulnerabilities and violations early in the development process. In a statement, JFrog’s VP of Developer Relations, Stephen Chin, said, “We’re thrilled to extend our partnership and integrations with Docker to now include JFrog Xray for vulnerability scanning, forensics, and compliance capabilities.

    “When software supply chain attacks are on the rise, we’re glad we can empower developers to have greater insight into any exposures, early, so they can engage the necessary teams for timely response and remediation – saving downtime, and avoiding loss of trust from end customers.”

    The JFrog Docker Desktop Extension integration enables developers to:

      • Monitor and audit the security of software encapsulated in Docker containers.
      • Identify vulnerable artifacts inside Docker containers prior to deployment and once they are in production.
      • Conduct enhanced forensic investigations that provide a complete view of software security incidents.
      • Get up and running quickly with an easy connection within the JFrog Platform to the Docker Desktop application.

    Docker claims that thanks to its increased investment in its product development tools, development teams release 13X more frequently, ramp productivity with new technologies in 65% less time, and compress the mean-time-to-remediation (MTTR) of security vulnerabilities by 62%.

    To get started with Desktop for Linux, visit the Docker docs to find the relevant instructions for your distro of choice. While Docker is providing Deb and RPM packages, it initially specifically supports Ubuntu, Debian, and Fedora. There’s also an experimental package for ArchLinux. There will soon be a 64-bit Raspberry Pi OS version.

    All-in-all, this makes Docker Desktop much more competitive with SUSE Rancher Desktop. May the best container IDE win!


  • Red Hat Enterprise Linux 9: Security baked in

    Boston: Red Hat Enterprise Linux (RHEL) has been the Linux for business for a generation now. Today, RHEL touches more than $13 trillion of the global economy. Remember when people used to think Linux couldn’t handle big business? Ha! With the release of RHEL 9 at the Red Hat Summit in Boston, Red Hat improved its offerings from the open hybrid cloud to bare metal servers to cloud providers and the farthest edge of enterprise networks. 

    RHEL 9 customers want better security, and Red Hat will deliver it. Beyond the usual RHEL hardening, testing, and vulnerability scanning, RHEL 9 incorporates features that help address hardware-level security vulnerabilities like Spectre and Meltdown. This includes capabilities to help user-space processes create memory areas that are inaccessible to potentially malicious code. The platform provides readiness for customer security requirements as well, supporting PCI-DSS, HIPAA, and more.

    Specific security features:

      • Smart Card authentication: Users can make use of smart card authentication to access remote hosts through the RHEL web console (Sudo, SSH, etc.).
      • Additional security profiles: You can improve your security intelligence gathering and remediation services such as Red Hat Insights and Red Hat Satellite with security standards such as PCI-DSS and HIPAA.
      • Detailed SSSD logging: SSSD, the enterprise single-sign-on framework, now includes more details for event logging. This includes time to complete tasks, errors, authentication flow, and more. New search capabilities also enable you to analyze performance and configuration issues.
      • Integrated OpenSSL 3: It supports the new OpenSSL 3 cryptographic frameworks. RHEL’s built-in utilities have been recompiled to utilize OpenSSL 3.
      • SSH root password login disabled by default: Yes, I know you ssh into your server with root passwords all the time. But it’s never been a smart idea. By default, RHEL won’t let you do this. Yes, this is annoying, but it’s even more annoying to hackers trying to log in as `root` using brute force password attacks. All-in-all, this is a win in my book.

    In this release, Red Hat also introduces Integrity Measurement Architecture (IMA) digital hashes and signatures. With IMA, users can verify the integrity of the operating system with digital signatures and hashes. With this, you can detect rogue infrastructure modifications, so you can stop system compromises in their tracks.

    Red Hat is also adopting, via Kubernetes, Sigstore for signing artifacts and verifying signatures. Sigstore is a free software signing service that improves software supply chain security by making it easy to sign release files, container images, and binaries cryptographically. Once signed, the signing record is kept in a tamper-proof public log. Sigstore will be free to use by all developers and software providers. This gives software artifacts a safer chain of custody that can be secured and traced back to their source. Looking ahead, Red Hat will adopt Sigstore in OpenShift, Podman, and other container technologies.

    This release has many new edge features. These include:

      • Comprehensive edge management, delivered as a service, to oversee and scale remote deployments with greater control and security functionality, encompassing zero-touch provisioning, system health visibility and more responsive vulnerability mitigations, all from a single interface.
      • Automatic container roll-back with Podman, RHEL’s integrated container management technology. This automatically detects if a newly-updated container fails to start. In this case, it then rolls the container back to the previous working version.

    The new RHEL also includes an expanded set of RHEL Roles. These enable you to create specific system configurations automatically. So, for instance, if you need RHEL set up just for Postfix, high-availability clusters, firewall, Microsoft SQL Server, or a web console, you’re covered.

    Besides roles, RHEL 9 makes it easier to build new images: You can build RHEL 8 and RHEL 9 images via a single build node. It also includes better support for customized file systems (non-LVM mount points) and bare-metal deployments.

    If you’re building Universal Base Image (UBI) containers, you can create them not only with standard UBI images but with micro, minimal, and init images as well. You’ll need a fully subscribed RHEL 9 container host to do this. This enables you to pull additional RPMs from the RHEL 9 repositories.

    RHEL now uses cgroup2 containers by default. Podman, Red Hat’s drop-in daemonless container engine replacement for Docker, uses signature and short-name (e.g., ubi8 instead of registry.access.redhat.com/ubi8/ubi) validation by default when pulling container images.

    And, of course, Red Hat being Red Hat, RHEL 9 Beta ships with GCC 11 and the latest versions of LLVM, Rust, and Go compilers. Looking ahead, Python 3.9 will also be RHEL 9’s default version of Python.

    Thinking of the console, the new RHEL also supports kernel live patching from the console. With this, you can apply patches across large, distributed system deployments without having to write a shell program. And, since it’s live patching, your RHEL instances can keep running even as they’re being patched.

    Put it all together, and you get a solid business Linux for any purpose. Usually, we wait before moving from one major release to another. This time you may want to go ahead and jump to RHEL 9 sooner rather than later. The release will be available next week.

  • Ransomware has gone down because sanctions against Russia are making life harder for attackers

    The number of ransomware attacks has gone down in recent months because sanctions against Russia are making it harder for cyber criminals to organise attacks and receive ransom payments, Rob Joyce, director of cybersecurity at the National Security Agency (NSA), has revealed.

    Ransomware attacks have long been a major cybersecurity issue for organisations around the world, affecting computer networks running critical infrastructure, hospitals, businesses and more.

    Some of the most significant ransomware events of the last year have hit targets in the United States, including the Colonial Pipeline ransomware attack, which restricted gas supplies for large parts of the country – and resulted in a ransom payment of millions of dollars being paid to cyber criminals.

    “Ransomware is a huge aspect of where we learned cybersecurity is national security. And we’re seeing the criminal element push through and impacting not only the businesses, but all the way into governments and society at large,” said Joyce, speaking at the National Cyber Security Centre’s (NCSC) Cyber UK event in Newport, Wales.

    Many of the most notorious ransomware gangs are suspected to run out of Russia – and Joyce suggested that sanctions against Russia because of the invasion of Ukraine are making life difficult for cyber criminals based in the country, which has led to a reduction in attacks, at least for now.

    “One interesting trend we see is, in the last month or two ransomware is actually down. There’s probably a lot of different reasons why that is, but I think one impact is the fallout of Russia-Ukraine,” said Joyce.

    “As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them less effective – and ransomware is a big part of that,” he added.

    But even if there’s been a reduction in ransomware attacks, it doesn’t mean the issue has suddenly disappeared – as evidenced by the number of organisations which continue to fall victim to ransomware attacks.

    In many cases, victims of ransomware attacks still feel as if they’ve got no choice but to pay a ransom to cyber criminals for the decryption key required to retrieve their encrypted files – despite warnings from cybersecurity agencies and the authorities that this only encourages further ransomware attacks.

    There are steps which organisations can take to improve cybersecurity and bolster their defences against ransomware and other cyber attacks. Some of the steps recommended by the NCSC include applying security patches and updates in a timely manner to stop cyber criminals exploiting known vulnerabilities, and rolling out multi-factor authentication to all users to provide an extra barrier against intrusions.

    It’s also recommended that organisations are aware of who and what is on their networks so suspicious activity can be detected quickly, that businesses regularly back up their data, and that an incident response strategy should be in place, so that should the worst happen, there’s a plan about what to do.