Warning: Undefined variable $comments_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 527

2 Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts

Newly discovered vulnerabilities in F5 Networks' BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside of, any F5-brand assets.
BIG-IP is the umbrella for F5's various software and hardware products for application delivery and security.
The Central Manager is the hub where organizations can manage all of their BIG-IP Next instances and services.
In a new report, Eclypsium revealed five bugs affecting the Next Central Manager.
Two have been assigned CVEs and patched by the vendor.
The other three were not assigned CVEs, though they could allow attackers to gain access to and manipulate admin accounts.
Attackers can inject into an OData query filter parameter and leak sensitive data such as password hashes for admin accounts that can be used to escalate privileges.
This only works if the device's configuration has the Lightweight Directory Access Protocol enabled.
This classic SQL injection vulnerability works irrespective of any configurations and allows for the same sensitive data leakage.
Eclypsium also pointed to three further issues in the Central Manager, which could allow attackers to wreak even more havoc.
Three More Bugs Having gained access to the Central Manager via either of the two aforementioned bugs, an attacker might choose to abuse a server-side request forgery flaw, which Eclypsium found would allow them to call any API method at all on any BIG-IP Next device.
Methods already available on BIG-IP Next devices would allow them to create new accounts not visible from the Central Manager.
In this way, even if an administrator takes various steps to, say, implement patches or reset their own password, the secret attacker account will persist on any targeted device.
There are also two issues relating to admin accounts themselves.
The first is that admin passwords are protected with relatively weak bcrypt hashes, which today's brute-force tools can break.
The second problem is that authenticated admins can reset their passwords without knowing their prior passwords.
In theory an intruder could change the password to their liking and cause any number of further consequences from there.
None of these post-intrusion bugs have been assigned CVEs or patched.
The Problem With Edge Devices Centralized management platforms are a godsend for attackers.
Organizations also need to be aware and adjust accordingly to visibility limitations in the individual devices these solutions protect.

This Cyber News was published on www.darkreading.com. Publication date: Thu, 09 May 2024 21:15:29 +0000

Cyber News related to 2 Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts

10 Best IT Asset Management Tools - 2025 - What is Good?What Could Be Better?Atera can seamlessly service and monitor Linux, Mac, and Windows systems.Sometimes, when deploying an update, patch management will fail.Using an administrator terminal, keep an eye on IT asset activity remotely.The ...
5 months ago Cybersecuritynews.com

Five best practices for securing Active Directory service accounts - Windows Active Directory (AD) service accounts are prime cyber-attack targets due to their elevated privileges and automated/continuous access to important systems. To support software-specific functions, service accounts require elevated permissions ...
6 months ago Bleepingcomputer.com

2 Bugs in F5 Asset Manager Allow Full Takeover, Hidden Accounts - Newly discovered vulnerabilities in F5 Networks' BIG-IP Next Central Manager could allow an attacker to gain full control over, and create hidden accounts inside of, any F5-brand assets. BIG-IP is the umbrella for F5's various software and hardware ...
1 year ago Darkreading.com

CISA Warns of Compromised Microsoft Accounts - CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as ...
1 year ago Securityboulevard.com APT29

Critical Start Asset Visibility helps customers become more proactive within their security program - Critical Start launched their Asset Visibility offering. As part of an MCRR strategy, Asset Visibility helps customers become more proactive within their security program, helping them uncover assets that need protection, validate that the expected ...
1 year ago Helpnetsecurity.com

CrowdStrike Enhances Cloud Asset Visualization to Accelerate Risk Prioritization - The massive increase in cloud adoption has driven adversaries to focus their efforts on cloud environments - a shift that led to cloud intrusions increasing by 75% in 2023, emphasizing the need for stronger cloud security. As organizations increase ...
1 year ago Crowdstrike.com

CyberCrime & Doing Time: Identification Documents: an Obsolete Fraud Countermeasure - When I'm talking to bankers and other fraud fighters, I often mention how easy it is for a criminal to obtain a Drivers License bearing any information they desire. In the new case, Brianna Mills, a 28-year old bank teller in Loganville, Georgia ...
1 year ago Garwarner.blogspot.com

Fake and Stolen X Gold Accounts Flood Dark Web - A surge of fake or stolen X Gold accounts has been flooding marketplaces and forums both on the surface web and the dark web over the past year, according to CloudSEK. Threat actors have used multiple techniques to forge or steal X Gold accounts ...
1 year ago Infosecurity-magazine.com

Hackers Flood Dark Web Markets With Hijacked X Gold accounts - In the age of social media, verification badges hold significant power. On Twitter, the coveted blue tick signifies legitimacy and influence, commanding increased trust and engagement from followers. With the platform's recent monetization of ...
1 year ago Cybersecuritynews.com

Over 15,000 hacked Roku accounts sold for 50¢ each to buy hardware - Roku has disclosed a data breach impacting over 15,000 customers after hacked accounts were used to make fraudulent purchases of hardware and streaming subscriptions. BleepingComputer has learned there is more to this attack, with threat actors ...
1 year ago Bleepingcomputer.com

Threat Actors Leveraging Modified Version of SharpHide Tool To Create Hidden Registry - Threat actors have been utilizing a modified version of the SharpHide tool to create hidden registry values, significantly complicating detection and deletion efforts. [+] SharpDelete by Andrew Petrus - Tool to delete hidden registry values ...
6 months ago Cybersecuritynews.com

Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security - Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity. For the second straight month, ...
1 year ago Darkreading.com CVE-2024-20674 CVE-2024-20700 CVE-2024-21307 CVE-2024-21318 CVE-2023-21310 CVE-2023-36036 CVE-2024-20653 CVE-2024-20698 CVE-2024-20683 CVE-2024-20686

Enzoic for AD Lite Data Shows Increase in Crucial Risk Factors - The 2023 data from Enzoic for Active Directory Lite data from 2023 offers a revealing glimpse into the current state of cybersecurity, highlighting a significant increase in risk factors that lead to data breaches. The free password auditor has been ...
1 year ago Securityboulevard.com

Defusing the threat of compromised credentials - In the end, some employees who were targeted approved the MFA requests and the attackers gained access to these accounts. Most phishing attacks employ similar social engineering techniques to trick users into turning over their credentials. Attackers ...
1 year ago Feedpress.me

Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security - “Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level ...
4 months ago Krebsonsecurity.com

Warning: Undefined array key "host" in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 364

Warning: Undefined variable $domain_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 466

CVE-2023-46253 - Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitrary file write vulnerability in the backup restore feature which allows an authenticated attacker to gain remote code execution (RCE). ...
1 year ago

Ordr launches OrdrAI CAASM+ to provide asset visibility with AI/ML classification - Ordr has launched its new OrdrAI CAASM+ product, built on top of the OrdrAI Asset Intelligence Platform. For years, Ordr has been solving asset visibility and security challenges in the world's most demanding environments, including healthcare, ...
1 year ago Helpnetsecurity.com

Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk - Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues. According to Hunters Security, a flaw in Google Workspace's ...
1 year ago Darkreading.com Hunters

Fraudsters make $50,000 a day by spoofing crypto researchers - Multiple fake accounts impersonating cryptocurrency scam investigators and blockchain security companies are promoting phishing pages to drain wallets in an ongoing campaign on X. To lure potential victims, the scammer uses a breach on major ...
1 year ago Bleepingcomputer.com

Bastille Raises $44M Series C Investment Led by Goldman Sachs Asset Management - PRESS RELEASE. Santa Cruz, CA - Jan. 25, 2024 - Bastille Networks, Inc., a leading supplier of wireless threat intelligence technology to high-tech, banking, and the intelligence community, is pleased to announce a Series C investment of $44 million, ...
1 year ago Darkreading.com

Exploring the Phenomenal Rise of Ethereum as a Digital Asset - In this exploration, we delve into the multifaceted layers of Ethereum's meteoric rise, dissecting the technological breakthroughs, the vibrant community dynamics, and the pivotal moments that have propelled it to the forefront of the digital asset ...
1 year ago Hackread.com Inception

MITRE Launches AADAPT Framework to Detect and Respond Attacks on Asset Management Systems - MITRE Corporation has launched the Adversarial Actions in Digital Asset Payment Technologies (AADAPT™) framework, a comprehensive knowledge base designed to help organizations detect and respond to sophisticated attacks targeting digital asset ...
1 month ago Cybersecuritynews.com

Cybercriminals Exploit X Gold Badge, Selling Compromised Accounts on Dark Web - Organizations could obtain the coveted gold check mark through a monthly subscription. The report reveals that hackers are capitalizing on this feature by selling compromised accounts, complete with the gold verification badge, on dark web ...
1 year ago Cysecurity.news

CVE-2022-29238 - Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden False` only prevented listing the contents of hidden ...
3 years ago

CSO's Guide: Water-Tight Account Security For Your Company - In today's escalating threat landscape, account takeover and credential compromise remain top attack vectors for data breaches. CSOs must mandate and implement robust account security to protect critical assets. This comprehensive guide examines ...
1 year ago Securityboulevard.com