    F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws

    F5 Networks has pushed out patches to tackle four critical vulnerabilities in BIG-IP, one of which can be exploited for unauthenticated remote code execution (RCE) attacks. 

    The enterprise networking provider’s BIG-IP applications are enterprise-grade, modular software suites designed for data and app delivery, load balancing, traffic management, and other business functions. 
    F5 says that 48 out of Fortune 50 companies are F5 customers. Governments, telecoms firms, financial services, and healthcare providers are counted among clients. 
    F5’s security advisory, published on Wednesday, describes seven security flaws impacting BIG-IP and BIG-IQ deployments. 
    The worst are CVE-2021-22986 and CVE-2021-22987 which have been issued CVSS severity scores of 9.8 and 9.9, respectively. 
    CVE-2021-22986 is an unauthenticated RCE impacting the BIG-IP management interface. 
    “The vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services,” F5 says. “This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.”

    CVE-2021-22987 also impacts Appliance mode while BIG-IP’s Traffic Management User Interface (TMUI) is running. Authenticated users able to access TMUI can exploit the bug to execute arbitrary commands, tamper with files, and disable services. 
    “Exploitation can lead to complete system compromise and breakout of Appliance mode,” F5 added. 
    Alongside these security flaws, F5 has also tackled CVE-2021-22991 and CVE-2021-22992, critical buffer overflow bugs impacting the Traffic Management Microkernel (TMM) and Advanced WAF/ASM virtual servers. The vulnerabilities have both been awarded a severity score of 9.0.
    Three other vulnerabilities have also been resolved: CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990 — issued CVSS scores of 8.8, 8.0, and 6.6 — which could be exploited for the purposes of remote command execution in TMUI components.
    Kara Sprague, senior VP of F5’s Application Delivery Controller (ADC) business unit, said “the bottom line is that [the vulnerabilities] affect all BIG-IP and BIG-IQ customers and instances.”
    “We urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” the executive added. 
    The vulnerabilities have been patched in BIG-IP versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 also impacts BIG-IQ and is fixed in versions 8.0.0, 7.1.0.3, and 7.0.0.2.
    A further 14 unrelated CVEs were also announced.
    The US Cybersecurity and Infrastructure Security Agency (CISA), which issued an emergency directive last week commanding federal agencies to tackle actively-exploited Microsoft Exchange Server vulnerabilities, recommended that these security issues be dealt with promptly.
    In July 2020, F5 patched a remote code execution vulnerability in BIG-IP, tracked as CVE-2020-5902, which was awarded a rare CVSS severity score of 10.0. 
    Discovered by Mikhail Klyuchnikov, a researcher with Positive Technologies, the bug impacted BIG-IP’s TMUI and allowed unauthenticated attackers to remotely compromise TMUI interfaces. 
    Only a few days after disclosure, threat actors began launching attacks against internet-facing BIG-IP builds. F5 warned at the time that “if TMUI [is] exposed to the internet and it does not have a fixed version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures.”

    Exchange Server security patch warning: Apply now before more hackers exploit the vulnerabilities

    Hacking and cyber-espionage groups around the world are attempting to exploit recently disclosed zero-day vulnerabilities in Microsoft Exchange Server, before the window of opportunity closes as organisations apply updates to protect against attacks.
    Microsoft first became aware of the vulnerabilities in January and security patches were released on March 2 to tackle them, with organisations urged to apply them as soon as possible.

    Tens of thousands of organisations around the world are thought to have been affected by cyberattacks targeting Microsoft Exchange, which Microsoft cybersecurity researchers have attributed to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
    But Hafnium isn’t the only APT group looking to exploit unpatched Exchange vulnerabilities: researchers at cybersecurity company ESET have detected at least 10 hacking groups attempting to compromise email servers around the world.
    Winnti Group, Calypso, Tick, LuckyMouse (APT27) and others have been spotted scanning for vulnerable servers with intent to compromise.
    ESET’s analysis has flagged the presence of webshells – malicious scripts that allow remote control of a server by a web browser – on over 5,000 unique servers in more than 115 countries.

    Many of these webshells have only been detected over the past week, as cyber attackers stepped up their operations before many organisations fully applied the patch to their networks.
    “After the patch, we’ve seen a big uptick and believe that several attackers started doing mass scanning. They probably wanted to compromise as many servers as possible before the patches are deployed on the mail servers that are most interesting for them,” Matthieu Faou, malware researcher at ESET, told ZDNet.
    Most of the hacking groups identified by the researchers are cyber-espionage operations, while one is a cryptocurrency-mining malware operation.
    The groups identified by ESET are unlikely to be the only cyber attackers seeking to exploit the zero days before patches are fully applied, so it’s vital that organisations apply the Exchange Server updates to protect their networks from being exploited by hackers.
    “First, organisations should patch. Then they should carefully check for any trace of compromise by reviewing logs and making sure that no webshell is installed on their servers,” said Faou.
    It’s also recommended that organisations consider restricting access to their networks from the open internet, providing an additional hurdle for unwanted intruders.
    “They should also consider making their Exchange server accessible only to their users and not to the whole internet – via the use of a VPN, for example. Microsoft Exchange is a very complex application. As such, it is possible that other flaws will be discovered in the next years, and protecting it behind a VPN allows time to patch the application before it’s actually exploited,” Faou added.

    Sky ECC denies police have ‘cracked’ encrypted messaging platform

    Sky ECC has denied that the encrypted messaging platform has been compromised by European law enforcement. 

    Sky ECC advertises itself as a secure, end-to-end encrypted service and the “most secure messaging platform you can buy.” The vendor offers a subscription and either Android or iOS handsets that are paid for in Bitcoin (BTC) and shipped worldwide.
    According to Europol, there are approximately 170,000 Sky ECC users and roughly three million messages are sent via the platform on a daily basis. In total, over 20% of the Sky ECC user base is said to be located in Belgium and the Netherlands. 
    On March 10, Europol announced that together with various law enforcement agencies in Belgium, France, and the Netherlands, it has been possible to “unlock the encryption” of Sky ECC. 
    The law enforcement agency said that since roughly mid-February, chat sessions established between approximately 70,000 users have been monitored, leading to a “large number of arrests” in a crackdown on March 9. House searches and seizures took place across Belgium and the Netherlands and the mobile phones of suspects were seized.
    “The continuous monitoring of the illegal Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals,” Europol says. “This has resulted in the collection of crucial information on over a hundred planned large-scale criminal operations, preventing potential life-threatening situations and possible victims.”
    In July 2020, the UK’s National Crime Agency (NCA) seized the servers of EncroChat, an encrypted platform that the NCA says was used to coordinate criminal activity. 

    Over 700 arrests were made at the time. According to Europol, following the seizure, many EncroChat users then moved over to Sky ECC. 
    Sky ECC has pushed back against Europol’s claims, referring to a Dutch police press release that is accompanied by a photo allegedly showing the app in use on a mobile device. 
    The vendor claims that the image — which appears to relate to a device advertised on the skyecc.eu domain, rather than .com — is the work of an “imposter” and a “disgruntled” former reseller. 
    Sky ECC says that claims of a “crack or hack” of its encrypted communication software are “false allegations.”
    Furthermore, Sky ECC CEO Jean-François Eap said in a statement that the company has not been contacted by the authorities “in connection with any investigations currently being reported,” and “the confusing references to Sky ECC instead of skyecc.eu are very damaging.”
    “We know that someone has been passing themselves off as an official reseller of Sky ECC for some time and we have been trying to shut it down through legal channels for almost two years,” Eap commented.
    Instead, the vendor claims a malicious phishing application is being distributed under the Sky ECC name, with the implication being that law enforcement has been able to monitor messages sent via the unauthorized app, rather than the official version. Sky ECC claims this app has been illegally created, modified, and side-loaded onto devices.  
    However, the company also noted “temporary interruptions in connection with its servers” on March 8.
    “All Sky ECC phones purchased directly from Sky ECC or its authorized distributors remain secure,” the vendor added. “We continue to stand by our promise of secure devices, secure networks and secure communications.”

    Senators concerned 'hacking' Bill powers could be used beyond intended scope

    Senators are concerned that they are yet to hear a convincing argument as to why the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 has omitted definitions for the categories of offences it would be used for by two of Australia’s law enforcement bodies.
    The Bill, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new computer warrants for dealing with online crime.
    The first of the warrants is a data disruption one; the second is a network activity warrant; and the third is an account takeover warrant.
    With representatives from the Department of Home Affairs, the AFP, ACIC, and Australian Signals Directorate facing the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the Bill, Labor Senator Kristina Keneally on Wednesday sought assurance that the Bill would not be used to target low-level offences.
    “What I’m seeking to understand here … the Bill outlines a number of crimes — child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft, and fraud, assassinations, and the distributions of weapons — as the examples of the crimes that would be prosecuted,” she asked.
    “What safeguards beyond just pointing to capacity constraints or the good intentions of government can you point to that would assure this committee that these three warrants would not be used for other types of crime, other categories of crime … considered by the community to be lower level offences?”
    Keneally pointed to previous legislation, such as the Telecommunications (Interception and Access) Act 1979 (TIA Act), and noted the PJCIS has yet again been asked to take at face value that the latest legislation under consideration would not extend to minor offences despite hearing similar arguments in the past in relation to the TIA Act.

    It was previously revealed that three councils in NSW, one in Queensland, the RSPCA, the Environment Protection Authority, and state coroners, to name a few, accessed metadata under Section 280 of the Telecommunications Act 1997.
    The Communications Alliance previously labelled this as “examples of entities that have managed to subvert the intended scope of the legislation”.
    “There’s the safeguards built into the legislation. If you look at data disruption warrant for example, the issuing officer has to be satisfied that the activities authorised for the warrant are justified and proportionate with regard to the offences being targeted,” AFP deputy commissioner Ian McCartney said.
    Keneally was not convinced that in a few years’ time it wouldn’t emerge that the warrants were issued for a range of other offences, like they were with the data retention legislation, simply because they attract a three-year threshold.
    Pointing to the scenario of an outlaw motorcycle gang, Police commissioner Reece Kershaw said in such a situation, with the peripheral and crime-adjacent activities, it makes it very difficult “if you’re going to attack the outer perimeter of these organised crime networks” to narrow down or define the scope.
    “These powers will assist us to dismantle those networks, especially now,” he said.
    Home Affairs Electronic Surveillance Reform Taskforce acting first assistant secretary Andrew Warnes said one of the first considerations of the AAT member or eligible judge when granting a warrant would be the nature and gravity of the conduct constituting the kinds of offences in relation to which the information would be obtained.
    “We’ve then also added additional safeguards to say, ‘That’s not enough just to go and get a warrant because an offence is three years’, it has to be of such the nature and gravity in terms of the conduct constituting those offences, that information can be sought,” Warnes explained.
    “And then they have to give consideration to whether the access to that data will assist in the collection of intelligence, that is actually then relevant to the protection, detection, frustration of those offences and the intelligence value of that.”
    The approver, Warnes said, would also have to make sure that what is authorised by the warrant is proportionate to the likely intelligence value of any information sought to be obtained. They would also have to consider whether the information could be garnered using alternative or less intrusive means.
    “All of that together makes it very difficult to envisage a circumstance where you could have an offence that is subjectively considered not serious three-year offence,” he continued.
    Keneally said she heard similar assurances when the TIA Act was being probed.
    “It does raise a question to me as to why the government is not willing, if they are, if you are upfront in saying we are not going to use these powers to investigate subjectively low-level offending, why that can’t be prescribed in legislation to give the community that assurance,” she said.

    NSW Police to use SMS geo-targeting tool to find 'high-risk' missing persons

    The New South Wales Police Force has teamed up with Australia’s major telcos — Telstra, Optus, and TPG — to launch a national SMS geo-targeting alert system to enhance the search for “high-risk” missing persons across the state.
    Using the new system, mobile devices in defined areas where police hold grave concerns for the missing person will be sent alerts, a brief description, and information on how to report any sighting of the individual.
    NSW Police Force stated the system would be used in cases when a “high-risk” person is missing, which include cases involving people with dementia, children with disabilities, and young people who go missing in large crowds.
    “Police always act as quickly as possible to find anyone who is reported missing and this tool will mean the public will be able to assist almost immediately,” Minister for Police David Elliot said.
    “The community should never underestimate the crucial role they can play in potentially saving someone from harm and if you receive this message we ask that you keep your eyes out and help police to reunite someone with their loved ones.”
    Telstra, Optus, and TPG will roll out the tool by using the existing emergency framework.
    “We’re thrilled to be assisting the NSW Police Force Missing Persons Registry with the ability to notify the community in critical missing persons cases and hope it will help our first responders make some happy reunions,” Telstra Enterprise chief customer officer John Ieraci said.

    The system was first introduced by states and territories after the 2009 Victorian Black Saturday bushfires; alerts are sent to devices within specific areas in the event of likely emergency situations, such as flood, bushfire, or other extreme weather conditions.
    Extending the use of the system to missing persons was established following a review of the state’s police operations that led to the establishment of the Missing Persons Registry and the implementation of new systems and procedures that came into effect in July 2019.
    The introduction of such a tool comes at a time when several concerns are being raised about the legislative framework that governs Australia’s intelligence community and the power that they could potentially hold over entities such as those in telecommunications. Some that are currently under the microscope include the pending Critical Infrastructure Bill, Online Safety Bill, and the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020.

    Australia's answer to thwarting ransomware is good cyber hygiene

    The federal government has provided advice on how to counter ransomware in Australia, encouraging the use of multifactor authentication and urging businesses to keep software up to date, archive and back up data, build security features into systems, and train employees on good cyber hygiene.
    The advice was provided in Locked Out: Tackling Australia’s ransomware threat, which is a 14-page document [PDF] prepared by the Cyber Security Industry Advisory Committee. It’s touted by the Department of Home Affairs as “[building] awareness for all Australians and their businesses on the current ransomware threat landscape”.
    “Ransomware attacks today present a major threat to Australian organisations,” the paper declared. “In 2020, cyber criminals conducted successful attacks on major Australian organisations at a volume never before experienced.”
    The paper presents case studies on attacks, such as the one experienced by Toll last year, in addition to advice on how to protect against ransomware attacks.
    “Early detection of a ransomware attack is paramount to minimising impact,” it says.
    It also says many of the most impactful ransomware attacks could have been avoided with foundational cybersecurity controls and good cybersecurity hygiene.
    “For small businesses, which make up 93% of employing businesses in Australia and provide employment for nearly 45% of Australia’s workforce, the challenge is different,” it continued.

    “They don’t have chief security officers, an IT team, or possibly even an IT qualified team member, which is understandable when over half employ less than four people.
    “All businesses have valuable data and systems they need to protect. It is vital that they establish strong foundational controls and practice good cybersecurity hygiene practices.”
    The paper then pointed readers to the Australian Cyber Security Centre’s (ACSC) not-so-essential Essential Eight controls for mitigating cyber attacks.
    Dipping its toes into cyber insurance, the paper stated that the critical takeaway is organisations should see cyber insurance as one component of a holistic cybersecurity program, not as a replacement for one.
    Two Labor shadow ministry members last month called for a national ransomware strategy focused on reducing the number of such attacks on Australian targets. Shadow Minister for Home Affairs Kristina Keneally and Shadow Assistant Minister for Communications Tim Watts declared that due to ransomware being the biggest threat facing Australia, it was time for a strategy to thwart it.
    On Thursday, Watts called the government’s ransomware paper a missed opportunity.
    “While Labor welcomes the government’s acknowledgement of the ransomware problem, this report falls short of acknowledging the scale of the AU$1 billion problem,” he said.
    “Instead of using the opportunity to launch a debate about the role government can play in shaping the calculus of ransomware gangs sizing up Australian organisations, the Morrison government continues its approach of playing the blame game.”
    To Watts, it’s not good enough to tell businesses to defend themselves by “locking their doors to cyber-criminal gangs”.
    “As the Australian Cyber Security Centre has warned, ransomware gangs are employing increasingly sophisticated organisational models and pressure tactics to reap record illicit profits,” he said.
    Such a response, Watts said, was particularly disappointing in the face of the state-backed Hafnium campaign against Microsoft Exchange servers.
    “Thousands of Australian servers are potentially vulnerable to a further wave of ransomware attacks exploiting this vulnerability and potentially financially devastating Australian businesses,” Watts continued. “The Morrison Government must do more to actively tackle the ransomware threat and develop a National Ransomware Strategy.”
    Following the Microsoft Exchange Server hack, Assistant Minister for Defence Andrew Hastie on Wednesday asked Australian organisations to take immediate steps to urgently patch vulnerable systems.
    “The ACSC has identified a large number of Australian organisations yet to patch affected versions of Microsoft Exchange, leaving them exposed to cyber compromise,” Hastie said.
    “Australian organisations cannot be complacent when it comes to cybersecurity, which is why all users of Microsoft Exchange are being urged to patch their vulnerable systems.”
    Watts called the government’s response delayed.
    “Issuing a media release seven days after the vulnerability is disclosed is the cyber equivalent of telling people to shut the gate after the horse has bolted,” he added.

    Cyber criminals targeting hospitals are 'playing with lives' and must be stopped, report warns

    Cyberattacks targeting healthcare are putting patients at unnecessary risk and more must be done to hold the cyber criminals involved to account, warns the CyberPeace Institute, an international body dedicated to protecting the vulnerable in cyberspace.
    The healthcare industry has been under increased strain over the past year due to the impact of the COVID-19 pandemic, which has prompted some cyber criminals to conduct ransomware campaigns and other cyberattacks.

    Faced with a ransomware attack, a hospital might pay the cyber criminals the ransom they demand in return for the decryption key because it’s perceived to be the quickest and easiest way to restore the network – and, therefore, the most direct route to restoring patient care.
    That doesn’t stop the incident being traumatic for staff, who might suddenly find themselves unable to be involved in procedures, while patients may get sent to other hospitals for treatment – something that could prove risky if time is a factor. But even months on from a cyberattack, patient care can remain affected.
    “There’s a real-time impact and a long-lasting impact,” Stéphane Duguin, CEO of the CyberPeace Institute, told ZDNet.
    “When hospitals and healthcare are hit by ransomware, what is the quality of care you could hope for in these entities like six months afterwards, or one year afterwards? It’s quite concerning because you have more chance to get care of less good quality, if you go into this hospital with a condition, the care might take longer than it did before an attack,” Duguin said.

    Because of this, the CyberPeace Institute paper, entitled ‘Playing with Lives’, argues that cyberattacks on healthcare are attacks on society as a whole, potentially creating threats to human life – particularly when campaigns are targeting hospitals and healthcare organisations during a pandemic.
    One of the key reasons why cyber criminals target healthcare is because it’s often based around what the report describes as “fragile digital infrastructure”. Healthcare networks are complex because of the variety of specialist devices connected to them. They’re also vulnerable because of the amount of legacy infrastructure on the network, which might not even be supported with security updates.
    It was the continued use of legacy infrastructure across the network that left the UK’s National Health Service (NHS) so vulnerable to the WannaCry ransomware attack. Although a patch was available before the incident, the nature of healthcare meant it was difficult to shut down sections of the network in order to apply the update.
    The use of legacy infrastructure is tied to what the report describes as a “resource gap” in healthcare, which means that cybersecurity in the sector is under-financed, making it hard to distribute the necessary resources to fully protect hardware and software across the network.
    Ultimately, cyber criminals are carrying out campaigns like ransomware attacks because they’re seeking easy money; extorting funds from hospitals whose networks have been compromised provides a means of gaining exactly that.
    Unfortunately, ransomware gangs rarely face consequences for their actions, and Duguin argues that governments and law enforcement should put more resources into bringing cyber-criminal gangs to justice.
    “Government should also play a part in reducing the number of attacks by going after criminal groups and making sure that it’s not a risk-free crime for cyber criminals,” he said.

    2020 was a ‘record-breaking’ year in US school hacks, security failures

    A new analysis on the state of cybersecurity in K-12 schools across the US has revealed a record-breaking number of security incidents in 2020. 

    The research, titled “The State of K-12 Cybersecurity: 2020 Year in Review,” was released on Wednesday during the K-12 Cybersecurity Leadership Symposium.
    The 25-page report is the result of work between the K12 Security Information Exchange, led by Doug Levin as National Director, and the K-12 Cybersecurity Resource Center. 
    The independent research focuses on the infrastructure supporting primary and secondary-level education in the United States. 
    Last year, students and teachers worldwide were forced to abandon the classroom and shift to remote learning platforms without warning. This disruption continues, and while the report acknowledges the “heroic” efforts of IT staff, the analysis also says that “school district responses to the COVID-19 pandemic also revealed significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.”
    “Indeed, the 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents,” the report says. “Moreover, many of these incidents were significant: resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”
    The K-12 Cyber Incident Map, as shown below, cataloged 408 school incidents across the year that have been publicly disclosed. These include student and staff data breaches, ransomware outbreaks, phishing and social engineering, denial-of-service (DoS) attacks, and more. 

    K-12 incident rates have increased by 18% year-over-year. The most common cybersecurity incident was a form of data breach, followed by DoS and ransomware. In many data breach cases, sensitive information belonging to staff and students was compromised.
    “Other” incidents include website defacement, unauthorized email account access, and remote class invasions — also known as Zoombombing. 

    Incidents increased the most during summer and fall, most likely due to the increased reliance by schools on technology to keep lessons on track. The research also notes that as school staff became remote employees, device and account privileges may have increased, creating a larger attack surface for threat actors. 
    “School districts should revisit their contingency plans for continuity of operations during emergencies, with a focus on IT systems used in teaching and learning and district operations,” the report notes. “While no one can predict whether another global pandemic will close schools to in-person learning, important lessons can and should be drawn from this experience to ensure that if such an event (or something like it) occurs again in the future, districts are better prepared.”