A selection of this week’s more interesting vulnerability disclosures and cyber security news. For a daily selection see our twitter feed at #ionCube24. Another day and another cyber heist. Not much to say really…

That’s right all, it’s time for the latest MITRE Engenuity ATT&CK® evaluation. As we have come to expect each year, Elastic — along with other security vendors — are evaluated by MITRE Engenuity, a tech foundation that brings MITRE research to the public. The evaluation focuses on emulating techniques from the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to assess vendor protection capabilities.

On Wednesday 30th March 2022, news was disclosed online about an unauthenticated RCE zero-day vulnerability in Spring Core, a framework for building modern Java-based enterprise applications.

Organizations today are pressured to keep their IT applications and infrastructure up and running and minimize their downtime. While this has always been a critical goal, it’s become harder to achieve with modern architectures, such as microservices, containerization, edge computing, hybrid-cloud deployments and the newer development methods such as agile DevOps techniques.

“Never click unexpected links!” Ever hear someone yell this? Virtually every person in tech has a healthy suspicion of random links; it is for a good reason. Every now and then there are huge leaks from industry leaders as a result of a targeted campaign. One of the most reliable ways to “phish” someone, or exfiltrate their credentials, is to abuse an open redirect vulnerability in a safe-looking website and redirect the victims to a malicious one.

On Thursday, March 31st a patch for a widely used Java framework called the Spring Framework was given the designation CVE-2022-22965 with a CVSS Score of 9.8. That’s bad news for a lot of companies that make use of this framework for delivery of their web applications, services and APIs. This is a remote code execution (RCE) vulnerability and the ease of exploitation is partly why it has earned a 9.8 out of 10 on the CVSS Score.

On March 29, 2022, details of a zero-day vulnerability in Spring Framework (CVE-2022-22965) were leaked. For many, this is reminiscent of the zero-day vulnerability in Log4j (CVE-2021-44228) back in December 2021.

From the factory floor to online shopping, the benefits of automation are clear: Larger quantities of products and services can be produced much faster. But automation can also be used for malicious purposes, as illustrated by the ongoing software supply chain attack targeting the NPM package repository. By automating the process of creating and publishing malicious packages, the threat actor behind this campaign has taken things to a new scale.

As the conflict in Eastern Europe continues, the Splunk Threat Research Team (STRT) is constantly monitoring new developments, especially those related to destructive software. As we have showcased in previous releases in relation to destructive software and HermeticWiper, malicious actors modify their TTPs in order to become more effective and achieve their objectives.

CrowdStrike data science researchers recently explored and experimented with the use of Bidirectional Encoder Representation from Transformers (BERT) for embedding command lines, focusing on anomaly detection, but without detailing the model itself. Diving deeper into that research, CrowdStrike researchers explain the reasons for using BERT for command line representation and how to train the model and assess its performance.