Search This Blog

Showing posts with label CISA. Show all posts

US Government Contemplates on Launching Cyber Insurance Program to Help Private Insurance Firms

 

As cyberattacks continue to surge at a rapid pace, the US government is mulling over the creation of counterproductive incentives to help private insurance firms cover some of the costs related to catastrophic cyber incidents under the federal cyber insurance program. 

Last month, the Treasury Department and Cybersecurity and Infrastructure Security Agency (CISA) asked the representatives of multiple organizations to contemplate the requirement of a cyber insurance program and, if so, how such a program should be enforced across the country. 

Earlier this year in June, the Government Accountability Office (GAO) published a report advising Federal Insurance Office (FIO) and CISA to conduct a joint assessment to examine the federal government’s role in cyber insurance. 

The move comes after multiple private insurers were spooked by the possibility of having to cover such large losses and backed out of the market by excluding some of the most high-level cyberattacks from being covered by insurance policies. Currently, the U.S. government does not have a federally backed cyber insurance program to deal with destructive cyberattacks. 

“I think what you’re seeing is the government sort of thinking about this from their side … if they should be doing more to help companies that are hit and, if so, how should they define what the thresholds are. They’re clearly evaluating that and trying to think carefully about it right now,” stated Josephine Wolff, an associate professor of cybersecurity policy at the Tufts University Fletcher School. 

The rapid surge in cyber incidents 

Cyber attacks, specifically ransomware, have disrupted critical services and businesses globally, including schools, government offices, hospitals, emergency services, transportation, energy, and food firms. Reported ransomware payments in the United States reached over $590 million in 2021, compared to a total of $416 million in 2020. Just this summer, ransomware attacks rose 47 percent from June to July, according to a report published by cybersecurity firm NCC Group. 

According to the most recent IBM Cost of a Data Breach report, each public sector incident costs $2.07 million on average. 

The cyberattack on the Colonial Pipeline that took a 5,500-mile-long fuel transporting operation offline had a spillover effect on the wider economy. The pipeline operator paid a ransom of $4.4 million to the hackers — despite advice from law enforcement agencies that ransom demands should always be rejected. 

According to the FBI and many other agencies, paying ransoms encourages attackers to launch further cyber attacks. Some suggestions for organizations from the FBI include: 

• Keep all operating systems and software up to date 
• Enforce a user training program and phishing exercises 
• Employ strong, unique passwords for all accounts with password logins 
• Enable multi-factor authentication (MFA) for as many services as possible 
• Maintain offline (i.e., physically separate) backups of data, and examine backup and restoration frequently 
• Ensure all backup data is encrypted and immutable

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”

HomeLand Justice: Government of Albania attacked by Iranian Cyber Threat Actors

 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity advisory on the recent cyber operations held by the Iranian state cyber actors against the Government of Albania in July and September. 

The advisory provides a detailed timeline pertaining to activities that were detected, from the initial software access to the execution of encryption and wiper attacks. The information also included the files that the actors used for the attacks. 
 
The hackers, referred to as HomeLand Justice, who are state-sponsored Iranian advanced persistent threat (ATP) actors, attempted to paralyse public services, delete and steal governmental data, and disrupted the government’s websites and services, wreaking havoc and panic on the state.  
 
As per the agencies, the threat actors had the access to the Albanian government servers for 14 months before executing the cyber attacks that included the execution of encryption and wiper attacks. 
 
A series of cyberattacks was then launched by the threat actors, on July 17th, 2022, after conducting lateral movements, network reconnaissance, and credential harvesting from the Albanian government network, leaving an anti-Mujahideen E- Khalq (MEK) messages on the desktops.  
 
After the network defenders detected and begin responding to the ransomware activities, HomeLand Justice employed a new family ransomware ROADSWEEP, along with a variant of wiper malware, ZEROCLEAR. 
 
While claiming to have carried out these cyber attacks, on July 23rd, HomeLand Justice took to social media, demonstrating a repeated pattern of advertising the Albanian Government about the leaks, and posting polls asking the viewers to select the information they want to be leaked. It was followed by the release of information in a .zip file or video of a screen recording with the documents. 
 
The cyber actors launched another thread of cyberattacks in September against the Albanian government, using similar TTPs and malware as the attacks made in July. The attacks were possibly done in retaliation for public attribution of the previous attack and severed diplomatic ties between the Albanian and Iranian governments. 
 
Although Albania lacks an efficient cyber defense, it is a member of NATO which can be confirmed by Appathurai's statement, “You can be sure of NATO’s continued political and practical support.” Thus, apparently, NATO will be supporting Albania with the incident to deal with immediate challenges and long-term requirements.

CISA’s vulnerabilities in KEV: Federal Agencies Have to Fix Them

 

CISA has included 6 vulnerabilities to its “Known Exploited Vulnerabilities Catalog” and has ordered the federal agencies to patch them with the help of vendor’s instructions. 

The CISA, U.S.-based cybersecurity and infrastructure security agency has given a deadline of 6th October to the government agencies to fix the security flaws that surfaced between 2010 and 2022. CISA has instructed the federal agencies to fix the newly added security vulnerabilities as per the directive. 

Exploiting the majority of the vulnerabilities that have been added to the list, gives cyber attackers local privilege escalation or admin-level access to the system, whereas the two of them permit to execution of a malicious code remotely, known as Remote Code Execution. 

These vulnerabilities that were found between the stretch of 2010 and 2022 comprise the most that were identified in 2013 and were engineered as spyware  especially for getting into the social media accounts of android users by using Tizi malware. 

The list of security flaws discovered in 2013 includes: 

  • CVE-2013-6282: it gives local privilege escalation and is used for rooting android devices.
  • CVE-2013-2597: it gives local privilege escalation and is used for overflow in Code Aurora audio driver.
  • CVE-2013-2596: it gives local privilege escalation and deals with Linux kernel integer overflow.
  • CVE-2013-2094: it gives local privilege escalation and manages Linux kernel privilege escalation. 

The CISA also added the oldest bug in KEV which was disclosed in 2010; this was the bug held responsible for spreading the Stuxnet worm, which caused a slowdown in the country’s development in the field of nuclear weapons by destroying the machines at the Natanz Uranium Enrichment Plant. 

The bug found in 2010 was named CVE-2010-2568,  it allows remote access to inject malicious code into the system. The latest security issue added to the vulnerability list was identified a month ago. It was also the only security flaw found this year. The cyber attackers exploited it and affected Trend Micro Apex One and Apex one as services. The recently identified bug was CVE-2022-40139, it was described as an improper validation issue. 

The list of all of the vulnerabilities is available publically on the official website of known exploited vulnerabilities. The directive from November 2021, “Binding operational directive 22-01”, legally states, that resolving all the vulnerabilities added by CISA and making them 'Known Exploited Vulnerabilities' is the responsibility of all federal civilian agencies to regulate a secure environment.

CISA, Microsoft Warn of Rise in Cyber-attacks From Iran

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft witnessed a massive surge of Iranian state-sponsored cyberattacks against IT services firms. In the wake of the findings, the tech giant and the eminent law enforcement body sent out alerts regarding the same. 

In 2020, the cyberattacks from state-sponsored Iranian threat actors on IT services firms were virtually non-existent, however, in 2022 the cybercrimes exceeded to 1,500, said Microsoft. 

"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks," Microsoft added. 

According to the report, the group was tracked as Phosphorus (aka Charming Kitten or APT35), compromising IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain access. 

Additionally, the organizations believed that an advanced persistent threat (APT) group sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to attack both government and private sector networks. 

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia," reads the report.  

Nation-state operators with nexus to Iran are becoming more advanced and familiar with cyberattacks to generate revenue, they are also engaging in persistent social engineering campaigns and aggressive brute force attacks. 

Researchers from Microsoft Threat Intelligence Center (MSTIC) revealed that “these ransomware deployments were launched in waves every six to eight weeks on average.” 

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health sector, as well as Australian organizations," CISA said. 

As per the findings, the hackers systematically target prominent IT services firms worldwide including nations like the USA, the UK, United Arab Emirates, India, and so on. Microsoft further added that these attacks are examples of how nation-state actors are increasingly targeting supply chains as an indirect approach to fulfill their real motives.

Apple Offers iOS Update to Fix Vulnerabilities

Apple has patched a vulnerability that was potentially used by hackers in its iOS 12 upgrade for older iPhone and iPad models. The vulnerability was discovered by an anonymous researcher, who has received acknowledgment.

The flaw, identified as CVE-2022-32893 (CVSS score: 8.8), affects WebKit and is an out-of-bounds write problem that could result in arbitrary code execution when processing maliciously created web content, according to a document released by the firm on Wednesday.

A security vulnerability found in the platform affects users of Google Chrome, Mozilla Firefox, and Microsoft Edge as well because WebKit powers Safari and every other third-party browser accessible for iOS and iPadOS.

The security patch fixes a Safari vulnerability that might have allowed unauthorized access for users to parse maliciously created web content and execute arbitrary code. With enhanced bounds checking, the developers appear to have found a solution. Apple stated that they are already aware of a report that claims the problem may have been intentionally exploited.

Several older Apple devices, including the iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch, are compatible with the 275 MB update published to fix the vulnerability.

12.5.6, build 16H71, is the most recent version of the software. It appears to close the security flaw that the business recently fixed in the iOS 15.6.1 release, listed as CVE-2022-32893. 

After fixing two bugs in iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1 as part of updates released on August 18, 2022, the iPhone manufacturer has released a new round of patches. 

The Cybersecurity and Infrastructure Security Agency (CISA), which discovered the significant bug and gave it a CVSS rating of 8.8, also identified it and published a warning about it last month.

Although specifics about the assaults' nature are unknown, Apple confirmed in a boilerplate statement that it was aware that this problem may have been actively exploited.

On September 7, Apple will also unveil the iPhone 14 series and iOS 16. Unfortunately, iOS 16 will not be made available to users of iPhone 8. Furthermore, older iOS device owners are urged to update as soon as possible to reduce security risks.

CISA Updates its Database With 10 New Actively Exploited Vulnerabilities

 

A high-severity security vulnerability impacting industrial automation software from Delta Electronics was among 10 new actively exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed in its Known Exploited Vulnerabilities (KEV) Database on Friday.

FCEB agencies are required to address the vulnerabilities by the deadline in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, in order to safeguard their networks from attacks that take advantage of the flaws in the catalog.

Private firms should analyze the Catalog and fix any infrastructure weaknesses, according to experts.

The problem, which has a CVSS score of 7.8, affects DOPSoft 2 versions 2.00.07 and earlier. It is listed as CVE-2021-38406. A successful exploit of the issue could result in the execution of arbitrary code.

Delta Electronics DOPSoft 2's incorrect input validation causes an out-of-bounds write that permits code execution, according to a CISA notice. "Delta Electronics DOPSoft 2 lacks sufficient validation of user-supplied data when parsing specified project files," the alert stated.

Notably, CVE-2021-38406 was first made public as part of an industrial control systems (ICS) advisory that was released in September 2021.

It is crucial to emphasize that the impacted product is no longer being produced and that there are no security updates available to solve the problem. On September 15, 2022, Federal Civilian Executive Branch (FCEB) organizations must abide by the directive.

The nature of the attacks that take advantage of the security issue is not well known, but a recent analysis by Palo Alto Networks Unit 42 identified instances of in-the-wild assaults that took place between February and April 2022.

The development supports the idea that attackers are becoming more adept at using newly reported vulnerabilities as soon as they are made public, which encourages indiscriminate and opportunistic scanning attempts that intend to benefit from postponed patching.

Web shells, crypto miners, botnets, remote access trojans (RATs), initial access brokers (IABs), and ransomware are frequently used in a precise order for the exploitation of these assaults.

CVE-2021-31010 (CVSS score: 7.5), an unpatched hole in Apple's Core Telephony component that could be used to get around sandbox constraints, is another high-severity flaw added to the KEV Catalog. In September 2021, the tech giant corrected the flaw.

The IT giant appears to have quietly updated its advisory on May 25, 2022, to add the vulnerability and clarify that it had actually been utilized in attacks, even though there were no signs that the hole was being exploited at the time.

The iPhone manufacturer said that it was aware of a claim that this flaw might have been extensively exploited at the time of release. Citizen Lab and Google Project Zero were credited with making the finding. 

Another noteworthy aspect of the September update is the patching of CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, the company behind the Pegasus spyware, to circumvent the security measures of the operating systems.

This suggests that CVE-2021-31010 may have been linked to the previously described two issues as part of an attack chain to get past the sandbox and execute arbitrary code.



HHS Alerts Healthcare Workers on Karakurt Ransomware Group

A new wave of cyber attacks from the Karakurt ransomware gang are reported to healthcare providers. The warning came months after CISA and FBI disclosed operational technical data on the group, along with evidence of infiltration and mock ransom notes.

A dentistry practice, an assisted care facility, a supplier, and a hospital were all impacted by the attacks. The healthcare industry should continue to be on high alert and keep an eye out for any signs of compromise, experts assert. 

According to HC3, Karakurt's "massive cyberbullying efforts against victims to disgrace them are what is most alarming."

Karakurt has been seen buying stolen login details or acquiring access to users who have already been hacked through third-party intrusion broker networks in order to access victim machines.

Fortinet FortiGate SSL VPN appliances, Log4Shell, old Microsoft Windows Server instances, and outdated SonicWall SSL VPN appliances are just a few examples of the intrusion flaws the organization is known to use to get initial access.

HHS Alert 

Karakurt first emerged in late 2021, according to a warning from the Department of Health and Human Services Cybersecurity Coordination Center (HC3), they are likely connected to the Conti ransomware organization, either through a working relationship or as a side company.

Given that the Conti ransomware organization has successfully attacked more than 16 healthcare providers since early 2021, federal agencies have long issued warnings about the risk attached to the sector.

Similar to other ransomware groups, the Karakurt actors claim data theft and threaten to sell it on the dark web or make it available to the general public if their demands are not met. The ransoms range from $25,000 to $13,000,000 in Bitcoin, and the timeframes are frequently set to expire just one week after the fraudsters make contact.

According to open-source reports, Karakurt threat actors typically conduct scanning, reconnaissance, and collecting on their targets for roughly two months. The organization then makes an attempt to acquire access to documents that include private data, including Social Security numbers, medical record numbers, medical history, and information about treatments. The gang retains the data and threatens its victims until they pay, as is customary with ransomware.

The recent Karakurt campaign against Methodist McKinney Hospital in early July provided evidence of this. The actors threatened to make the allegedly stolen material available, but Methodist McKinney instead alerted patients of the incident and the ongoing inquiry into the potential data theft.


CISA Adds One Known Exploited Vulnerability to Catalog


On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed in its findings that they have discovered a high-severity vulnerability in the Zimbra email. Based on the evidence of active exploitation, the new vulnerability has now been added to its Known Exploited Vulnerabilities Catalog. 

As of present, researchers are investigating CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could allow the execution of arbitrary Memcached commands and theft of important data. 

These kinds of Vulnerabilities are very frequent and are oftenly seen, as per the data these vulnerabilities pose a higher risk to the federal enterprise. 

“Zimbra Collaboration (ZCS) allows an attacker to inject Memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries”, CISA added. 

The attack first was reported by SonarSource in June, with patches released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1. 

Before Installing Patch 9.0.0 Patch 24.1, users are recommended to consider the following: 

• Patches are accumulative. 
• Zimlet patches remove existing Zimlets and redeploy the patched Zimlet. 
• Before applying the patch, a full backup should be performed. 
• There is no automated roll-back. 
• Before using ZCS CLI commands Switch to Zimbra user. 
• Must note that you will not be able to revert to the previous ZCS release after you upgrade to the patch.  
• Understand that the installation process has been upgraded. Additional steps to install Zimbra-common-core-libs, Zimbra-common-core-jar and Zimbra-mbox-store-libs packages have been included for this patch release. 

“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria”, CISA further told.

Zero-day Exploitable Bug in Atlassian Confluence

 

Researchers are alerting the public that an important Atlassian Confluence vulnerability that was published last week is currently being aggressively exploited. 

Researchers claim that Confluence Server 7.18.0 is affected by the significant unauthorized, remote code execution vulnerability CVE-2022-26134, and they believe that both Confluence Server and Data Center versions 7.4.0 are at risk.

Atlassian advises clients to disable access to their servers using one of two methods because there are no updates available:
  • Preventing access to the internet for Confluence Server and Data Center instances.
  • Confluence Server and Data Center instances can be disabled.
The hard-coded details were published on Twitter after the real-world exploitation, which prompted the Australian software business to give it the top priority in its patching schedule.

It's important to remember that the flaw only manifests itself when the Questions for Confluence app is turned on. However, since the created account is not automatically deleted after the Questions for Confluence program has been uninstalled, doing so does not fix the problem.

Federal organizations must stop all internet access to Confluence servers by June 3. The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its 'Known Exploited Vulnerabilities Catalog' and ordered federal entities to comply.

The development also occurs in the wake of Palo Alto Networks' discovery that threat actors begin looking for weak endpoints within 15 minutes following the public announcement of a new security defect in its 2022 Unit 42 Incident Response Report.



CISA Issues Warning Regarding Active Exploitation of 'PwnKit' Linux Security Bug

 

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Linux vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning regarding active exploitation of the flaw in cyber attacks. 

The vulnerability tracked as CVE-2021-4034 (CVSS score: 7.8), first identified earlier this year in January by the American company Qualys, impacts Polkit, a feature designed for managing system-wide privileges in Unix-like operating systems. Polkit is manufactured by Red Hat, but it’s also employed by other Linux distributions. 

PwnKit, a memory corruption issue, if successfully exploited, might cause pkexec to run arbitrary code, and allow an unprivileged hacker administrative right on the target device to exploit the host. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, nearly 13 years. 

The security bug has been identified to impact the products of multiple major firms. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have published advisories to elaborate on the impact of CVE-2021-4034. 

Security researchers have been warned that the threat of malicious exploitation of PwnKit is high since proof-of-concept (PoC) exploits have been available and exploitation is not difficult. 

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and ordered federal agencies to remediate all the newly listed vulnerabilities by July 18, while private firms have been requested to leverage the flaw catalog to improve their patching and vulnerability management processes.

Security experts noted that while exploitation of CVE-2021-4034 should leave traces in log files, it’s also possible to abuse the vulnerability without leaving such traces. 

In addition to the PwnKit vulnerability, CISA has added seven other flaws to its catalog, including an exploited Mitel VoIP zero-day flaw in ransomware assaults (CVE-2022-29499) and five iOS vulnerabilities (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently unearthed as having been exploited by the Italian spyware firm RCS Lab.

CVE-2021-30533, a security vulnerability in web browsers based on Chromium, is also listed in the catalog. This flaw was exploited by a malvertising hacker going by the moniker Yosec in order to deploy malicious payloads.

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure

 

According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws obtained CVSS severity ratings as high as 9.8 out of 10. This is especially unfortunate given that these devices are employed in vital infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and construction and automation industries. 

Remote code execution (RCE) and firmware vulnerabilities are the most serious security problems. If exploited, these flaws might allow criminals to shut down electricity and water infrastructure and damage the food supply. This is not to claim that all or any of these situations are practically achievable; rather, these are the kind of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps owing to responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker to change the firmware of OT systems, and the fourth is an RCE through memory write flaw. 

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-word real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022- 29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. 

The majority of these may be used to download and run firmware and logic on other people's devices, resulting in RCEs, or shutdowns and reboots that can create a denial of service circumstances. In an ideal world, equipment employing these protocols is not linked to computers and other systems in such a way that a network intruder may abuse them. 

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical information for the faulty OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, which is expected to be released today or soon. Furthermore, where possible, the security shop suggests disconnecting OT and industrial control system networks from corporate networks and the internet.

Carrier's Industrial Access Control System has Critical Flaws

 

Carrier's LenelS2 HID Mercury access control system, which is widely used in healthcare, academic, transport, and federal buildings have eight zero-day vulnerabilities.

In a report shared by The Hacker News, Trellix security experts Steve Povolny and Sam Quinn wrote, "The vulnerabilities found to enable us to demonstrate the ability to remotely open and lock doors, manipulate alarms, and degrade logging and notification systems." 

The investigation begins at the hardware level; Researchers were able to change onboard components and connect with the device by using the manufacturer's built-in ports. 

They were able to gain root access to the device's operating system and extract its firmware for virtualization and vulnerability or other exploits using a combination of known and unique techniques. One of the issues (CVE-2022-31481) contains an unauthorized remote execution weakness with a CVSS severity rating of 10 out of 10. The following is the detailed list of flaws: 
  • Unauthenticated command injection vulnerability CVE-2022-31479. 
  • Unauthenticated denial-of-service vulnerability CVE-2022-31480.
  • CVSS 10 rated RCE vulnerability is CVE-2022-31481. 
  • Unauthenticated denial-of-service vulnerability CVE-2022-31482. 
  • An authenticated arbitrary file write vulnerability, CVE-2022-31483. 
  • Unauthenticated user modification vulnerability CVE-2022-31484.
  • Unauthenticated information spoofing vulnerability CVE-2022-31485. 
  • An authenticated command injection vulnerability, CVE-2022-31486 

Carrier has issued an alert in response to the revelation, which includes further details, mitigations, and firmware patches that consumers should apply right now. 

In locations where physical access to privileged facilities is required, LenelS2 is used to connect with more complicated building automation implementations. The following LenelS2 HID Mercury access or unauthorized access panels are affected: 
  • LNL-X2210 
  • LNL-X2220 
  • LNL-X3300 
  • LNL-X4420
  • LNL-4420 
  • S2-LP-1501 
  • S2-LP-1502 
  • S2-LP-2500, as well as 
  • S2-LP-4502 

According to a study conducted by IBM in 2021, the average cost of a physical data breach is 3.54 million dollars, with a detection time of 223 days. 

For companies that rely on access control systems to protect the security and safety of its facilities, the stakes are high. "ICS security presents unique issues," according to the US Cybersecurity and Infrastructure Security Agency (CISA). 

The increasing convergence of information technology (IT) and operational technology (OT) presents chances for exploitation that could result in catastrophic repercussions, including loss of life, economic damage, and disruption of society's National Critical Functions (NCFs)."

Consumers should be aware that while the vulnerabilities revealed recently may appear to have minimal impact created by hackers, critical infrastructure assaults have a significant impact on our everyday lives.

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has upgraded the Conti ransomware advisory to include indications of compromise (IoCs) that comprise almost 100 domain names utilized in criminal operations. 

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware assaults that attacked organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared their support for Russia in the Ukraine invasion. 

The leak came from a Ukrainian researcher, who originally issued private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors. 

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others of them may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware assaults does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher. 

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.

CISA: High-Severity Flaws in Schneider & GE Digital's SCADA Software

 

Schneider Electric's Easergy medium voltage protection relays are vulnerable to several vulnerabilities, according to the advisory by US Cybersecurity and Infrastructure Security Agency (CISA). 

The agency said in a bulletin on February 24, 2022, "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay. This could result in loss of protection to your electrical network."

Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101 are affected by the two high-severity flaws. The following are the weaknesses in detail: 
  • CVE-2022-22722 (CVSS score: 7.5) - Use of hardcoded credentials that could be used to monitor and alter device traffic with the device.
  • CVE-2022-22723 and CVE-2022-22725 (CVSS score: 8.8) – A buffer overflow vulnerability that could lead to programme crashes and execution of arbitrary code by sending specially crafted packets to the relay over the network. 

Schneider Electric patched the weaknesses detected and reported by Red Balloon Security researchers Timothée Chauvin, Paul Noalhyt, and Yuanshe Wu as part of updates released on January 11, 2022. The alert comes less than ten days after CISA released another alert warning of several key vulnerabilities in Schneider Electric's Interactive Graphical SCADA System (IGSS) that, if exploited, could lead to data disclosure and loss of control of the SCADA system with IGSS running in production mode. 
 
In similar news, the US Federal Bureau of Investigation has issued a security alert for General Electric's Proficy CIMPLICITY SCADA software, alerting of two security flaws that might be exploited to expose sensitive information, gain code execution, and escalate local privileges. 

The advisories follow a report from industrial cybersecurity firm Dragos that discovered that 24 per cent of the total 1,703 ICS/OT vulnerabilities reported in 2021 had no fixes available, with 19 per cent having no mitigation, restricting operators from taking any steps to protect their systems from potential threats. 

Dragos also discovered malicious activity from three new groups that were discovered attacking ICS systems last year, including Kostovite, Erythrite, and Petrovite. Each of which targeted the OT environments of renewable energy, electrical utility, and mining and energy firms in Canada, Kazakhstan, and the United States.

CISA Warns of Critical Vulnerabilities in Airspan Networks Mimosa

 

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published Industrial Controls Systems Advisory (ICSA) warning report informing the Airspan Networks Mimosa of multiple vulnerabilities in their network. The group of cybercriminals abused the system to gain remote code execution, obtain private data, and also create a denial-of-service (DoS) condition. 

According to the technical data, the Airspan Networks Mimosa product line facilitates hybrid fiber-wireless (HFW) network solutions to the industrial service providers, and government agencies for both short and long-range broadband deployments. 

"Successful exploitation of these vulnerabilities could allow an attacker to gain user data (including organization details) and other sensitive data, compromise Mimosa's AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices," CISA said in the alert report. 

In the warning report, the CISA has detected seven flaws in the vulnerabilities, that affect the following products. 

• Mimosa Management Platform (MMP) running versions prior to v1.0.3 

• Point-to-Point (PTP) C5c and C5x running versions prior to v2.8.6.1

• Point-to-Multipoint (PTMP) A5x and C-series (C5c, C5x, and C6x) running versions prior to v2.5.4.1 

The agencies have recommended mitigating steps to the organizations and the users to update MMP version 1.0.4 or higher, PTP C5c and C5x version 2.90 or higher, and PTMP A5x and C-series version 2.9.0 or higher. CISA has also notified affected organizations to isolate control system networks from the business network, minimize network exposure, and use virtual private networks (VPNs) for remote access.

Do Not Use Single-Factor Authentication on Internet-Exposed Systems, CISA Warns

 

The US Cybersecurity and Infrastructure Security Agency (CISA) this week added single-factor authentication (SFA) to a very short list of "exceptionally risky" cybersecurity practices that could lead threat actors to target government organizations and the private sector entities. 

As per CISA, SFA (a low-security authentication method that only requires users to provide a username and a password) is “dangerous and significantly elevates risk to national security" when used for remote or administrative access to systems supporting the operation of critical infrastructure. 

“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety," CISA explained.

Cybercriminals can easily secure access to the systems that are shielded by single-factor authentication, as it is a well-known fact that passwords can be easily stolen or guessed via multiple techniques like phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, or credential dumping.

CISA advised to switch to multi-factor authentication (MFA) as this method makes it a lot harder or even impossible for threat actors to pull off a successful attack. Alongside single-factor authentication as a bad practice is the use of end-of-life (or out-of-support) software and default (or known) credentials, which CISA describes as “dangerous”. 

According to the joint research conducted by Google, New York University, and University of California San Diego, MFA can prevent 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks. 

"Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” Alex Weinert, Microsoft Director of Identity Security said. 

CISA has also opened a GitHub Bad Practices discussions page in an attempt to allow IT, professionals and admins, to provide feedback and share their expertise on mitigating the risks of cyber-attacks.

Furthermore, CISA is considering adding a number of other practices to the catalog, including — 

• using weak cryptographic functions or key sizes 
• flat network topologies
• mingling of IT and OT networks 
• everyone's an administrator (lack of least privilege) 
• utilization of previously compromised systems without sanitization 
• transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks 
• poor physical controls 

"Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions. CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices,” CISA added.

Microsoft Issues an Advisory on ProxyShell Vulnerabilities

 

Microsoft this week published guidance about three vulnerabilities referred to collectively as ProxyShell days after security researchers at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were actively trying to exploit them. 

The ProxyShell vulnerabilities, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, could allow hackers to run arbitrary code on a vulnerable machine without authentication. The first two flaws were fixed in April, while the third received a patch in May.

Orange Tsai, a security researcher at consulting firm DEVCORE exploited the ProxyShell vulnerabilities to target a Microsoft Exchange server during the Pwn2Own 2021 hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON cybersecurity conferences. Earlier, Orange Tsai had identified the ProxyLogon and ProxyOracle vulnerabilities in Exchange servers.

Last week, cybersecurity experts unearthed more than 1,900 unpatched systems that were exploited, and CISA issued a warning on attacks targeting Exchange servers impacted by the ProxyShell vulnerabilities.

In a blog post on Wednesday, Microsoft urged the customers to install patches as soon as possible, noting that only systems without the already issued patches are vulnerable to the attack. The company also advised users to install the latest set of updates on their Exchange servers, which would ensure they are shielded from any compromise attempts. 

“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities,” Microsoft stated.

According to the advisory, systems without either security updates are vulnerable to attacks. Furthermore, the company pointed out, Exchange servers should always be kept updated with the latest available Cumulative Update (CU) and Security Update (SU). Furthermore, Exchange servers are vulnerable if the server is running an older, unsupported CU; or those running older, unsupported CUs that have the March 2021 mitigations applied.

 “In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” the company added.

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative

 

As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives due to the establishment of the JCDC. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States. 

 Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners. 

 Rep. Jim Langevin, D-RI, is a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is “exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation.” In a statement, Langevin said the JCDC “brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way.” 

 According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has authorised, as well as the Joint Collaborative Environment, if passed this year as politicians like Langevin hope.