After a three-year absence from Hacker Summer Camp, I finally returned to Vegas. Two of those years were related to Covid of course. However, three years is a long time to be out of the environment and the craziness that is both Black Hat and Def Con. To say I was excited to return to Vegas and everything that both cons have to offer would be an understatement. Both cons have their place in what I do here at DecryptedTech, but it was more than just the articles and conversations about security that I enjoy, it is getting to catch up with people I only see during the con and also the prospect of meeting new people and developing new relationships.

This one goes in the “this is why patching is important” file and highlights the need to be able to quickly apply patches for critical flaws found in different devices and software. After the disclosure of a critical vulnerability tracked as CVE-2022-1388 (CVSS 9.8) that was identified in multiple versions of F5’s BIG-IP operating system complete with patches last week. We have already seen researchers develop POC code for it and now hear that attackers are actively exploiting the flaw in the wild.

Its seems that the efforts of Ukrainian hacktivists have decided to focus their efforts on a new and interesting target. In addition to other strategic targets, they have gone after one of the central portals for Russian alcohol distribution. The attack is currently manifested in the form of a distributed denial of service attack(s) targeting the portal to render it inaccessible. This means that distillers and distributors of alcoholic beverages are not able to get their products into consumers hands.

in the wild. The patch for this bug is one of 37 that are part of the monthly security release which covers multiple components in the popular mobile OS. This comes at a time when mobile banking malware is on the rise and there are also concerns around threat groups targeting phones to compromise them for use in MFA request responses.

Ransomware is a huge shadow over many businesses and individuals’ heads. It has loomed as a significant threat since the first stains hit the internet inside malicious zip files masquerading as “Xerox” documents. Since that time ransomware and the groups behind it have evolved significantly. At the top of the food chain are groups like Hive and Conti who have not only evolved their own tools but utilize strategic approaches to their organizations complete with acquisitions and, in some cases, attempted legitimate business fronts to further their activities.

It Cloud services are exceptionally popular as a cost effective and simple method to maintain common operational needs. Everything from email to fully fledged infrastructures can be maintained in the “cloud”. All of these can be accomplished at lower overall cost than trying to maintain the same systems on prem. By shifting the general operation, maintenance and even security to the cloud service provider organizations get to reduce their total ownership cost including reducing the number of skilled employees they need to keep on staff. This reduction in the total cost of ownership and maintenance is a huge item when you are trying to ensure profitability.

Yesterday we told you that the gang behind Emotet was looking to used Excel add-ins as a possible new technique to compromise systems as part of their spamming campaigns. The detected techniques were labeled as potentially being part of research and development efforts on the part of the group TA542 due to changes Microsoft is making in Office (and ones many admins already push). The R&D efforts do not stop there though as multiple security research teams are now saying they have identified another new technique associated with Emotet.

TA542 the wonderful people that brought you Emotet appears to be in the middle of a development and testing cycle on new delivery methods. According to researchers at ProofPoint the creators or the Emotet Botnet are potentially looking to find a new delivery method in response to the, long overdue, default disabling of VBA based Macros by Microsoft in their office products. Although ProofPoint seems to think this is development testing, the activity could also be part of a more targeted campaign.

The breach of IDAM group Okta in January by the self-promoting group Lapsus$ amidst other high-profile breaches and data leaks this year was a significant concern. The concern rose because when the incident first happened, Okta passed it off as an unsuccessful attempt to breach a third-party vendor’s system that had access to Okta systems. However, in March the Lapsus$ group released screenshots of internal systems including what appeared to be Okta’s superuser system.

CISA has issued another warning that SCADA/ICS systems are being targeted for attack. This time they are in the sights of Nation-State groups and with customized tools. The tools are part of follow-on activities after the initial beachhead has been established. These days gaining initial access to a network, even for infrastructure, does not seem to be a difficult task for nation-state groups.