In this post we discuss how an account with two-factor authentication could be bypassed if the password were breached.

The Splunk Threat Research Team (STRT) has been heads-down attempting to understand, simulate, and detect the Spring4Shell attack vector. This post shares detection opportunities STRT found in different stages of successful Spring4Shell exploitation. At the time of writing, there are two publicly known CVEs: CVE-2022-22963, and CVE-2022-22965. The Splunk Security Content below is designed to cover exploitation attempts across both CVEs.

It’s been a bad month for RubyGems vulnerabilities. Critical CVE-2022-29176 was issued May 8, 2022, and another critical CVE-2022-29218 was discovered less than a week later, on May 11. This new vulnerability would allow for a takeover of new versions of some platform-specific gems under certain circumstances.

Trustwave SpiderLabs is tracking a new critical-rated vulnerability (CVE-2022-1388) affecting F5 BIG-IP network devices. Threat actors are reported to be actively exploiting this vulnerability in the wild. F5 disclosed and issued a patch for CVE-2022-1388 on May 4. We are diligently watching over our clients for exposure and associated attacks and working closely with our clients to ensure that mitigations are in place.

Editor’s note: This is the latest in a series of posts we have planned over the next several weeks where we explore topics such as network monitoring in Kubernetes, using sidecars to sniff and tunnel traffic, show a real-world example of detecting malicious traffic between containers, and more! Please subscribe to the blog, or come back for more each week.

Corporate credential theft is a targeted effort and makes FTSE 100 companies credentials particularly attractive to cybercriminals with accelerated digital transformation (BYOD and hybrid working). Once an attacker gets hold of stolen user credentials and passwords, they can sell the credentials in the cybercrime underground or use them to compromise an organization’s network, bypassing security measures and threaten the credibility and integrity of the institution.

On May 6, 2022, a critical CVE was published for RubyGems, the primary packages source for the Ruby ecosystem. This vulnerability created a window of opportunity for malicious actors to take over gems that met the following criteria: Because RubyGems provides data dumps that include a lot of information, it is unfortunately relatively simple to create an automated mining process for these criteria.

Remediating vulnerabilities efficiently is the cornerstone of a great vulnerability management program. Prioritizing becomes paramount as resources are often limited. Sometimes teams might pinpoint specific vulnerability types that are particularly risky for their attack surfaces, such as a misconfigured Amazon S3 bucket or even a new XSS vulnerability. Users can now filter the /Vulnerabilities view by title, such as a specific type of XSS or even the CVE name.

On Wednesday, May 4, 2022, F5 disclosed a critical-severity vulnerability impacting the iControl REST authentication of BIG-IP systems being tracked as CVE-2022-1388. If successfully exploited, the vulnerability could lead to Authentication Bypass, which could allow a threat actor to execute arbitrary system commands, perform file actions, and disable services on BIG-IP. BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffic SDC are not impacted by CVE-2022-1388.

CVE-2022-30278 is a reflected cross-site scripting (XSS) vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files.