Search This Blog

Showing posts with label IoT devices. Show all posts

Several Security Breaches Exploited by Zerobot Botnet


FortiGuard Labs discovered a special botnet named Zerobot that was seen in the field spreading by exploiting nearly twenty security flaws in IoT devices or other programs.

Prior to downloading a script for further propagation, Zerobot targets multiple vulnerabilities to obtain access to a device. Zerobot targets several different architectures, such as i386, amd64, arm, mips, mips64, mipsle, ppc64, ppc64le, riscv64, and s390x. Zero is the filename used to save the bot.

On November 18, 2022, the malware made its first public appearance, mostly affecting Windows and Linux-powered computers.

Prior to November 24, the first one was simply equipped with the most fundamental features. The newest version now has a 'selfRepo' module that allows it to replicate itself or infect more endpoints using various protocols or security holes.

The bot connects the remote command-and-control (C2) server after infecting the machine and waits for further instructions. There are 21 exploits in Zerobot.This includes flaws affecting,  Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, FLIR AX8 thermal imaging cameras, Zyxel firewalls, TOTOLINK routers, and F5 BIG-IP.

"The botnet includes a variety of modules, including assaults for various protocols, self-replication, and self-propagation. This also uses the WebSocket protocol to connect with its command-and-control server." Researcher Cara Lin from Fortinet FortiGuard Labs remarked.

The Go programming language was used to create the new botnet  Zerobot. The WebSocket protocol is used for communication. Users should be alert to this new danger, update any compromised systems connected to their network, and aggressively deploy updates as soon as they become available.

Evolution of Malware and Its Ever-Expanding Landscape


Whether you are a large corporation or just a regular user, the internet can be deadly. And although digital technologies offer new opportunities, fraudsters are becoming increasingly skilled at exploiting them.

CrowdStrike's 2022 Global Threat Report indicates that there were 82% more ransomware-related data breaches in 2017 than there were in 2016. Iranian hackers who are supported by the government were recently uncovered to have spied on people using phoney VPN apps. Phishing operations are frequently the easier method to strike, like the current one that targeted shoppers over Black Friday. 

All of these assaults have one thing in common: malicious software that is able to get past one or more devices' security measures and harm the users of those devices. That is what is referred to as malware in technical lingo. 

You might be tempted to believe that all you need to do to protect your data is download one of the top antivirus programmes. However, the reality is more complicated when it comes to really safeguard your device from infection. 

Because malware can take many different forms, your security strategy must also be varied. A simple mix of protection software is not the best defence against malware, either. Before you can defeat an adversary, you must understand it. Knowledge and safety measures are the first lines of defence! 

Most Typical Forms of Malware 

Ransomware: When it infects a device, it encrypts the data and systems of the users, making it impossible to access them until a ransom is paid. It frequently spreads through malicious files, and it typically targets companies rather than individuals. 

Spyware: As its name implies, this category of software tries to gather information for secretly monitoring users. Keyloggers are a type of spyware that, for instance, tracks user activity. Spyware frequently accesses devices using both fraudulent and real apps. 

Trojans: These are programmes that appear to be trustworthy while secretly carrying out malicious attacks on users' systems. They can be discovered in a variety of software programmes, such as games or other well-known apps, as well as an attachment to a malicious email. 

Mitigation Tips 

Because there are many various types of malware on the internet that behave differently, an effective defence against it needs to be varied to protect your device from all potential threats. Here are some recommendations you might want to adopt on a regular basis. 

Use a reliable antivirus 

It goes without saying that every user should have a trustworthy antivirus programme installed on their devices, including antivirus for Mac. This is because, before installation, it will ensure that all files and programmes are clean of malware. You may schedule routine scans and adjust monitor settings simultaneously based on your requirements. Just be aware that some malware may manage to evade its control. 

Maintain software updates 

Attacks are frequently launched by cybercriminals using OS and app vulnerabilities. In order to reduce hazards, it is crucial to maintain your system and software updated. To ensure that you don't miss any changes, enable automatic updates. 

Frequently backup your data 

We talked about the risk that cyberattacks like ransomware or file-wiper software pose to your data. While the latter instantly delete all the content on your device, the former frequently prevents you from regaining control of your data even after you agree to pay. Therefore, the best line of defence in case you become targeted is to periodically back up your contents on an external hard drive or encrypted cloud storage. 

Pay attention to warning signs 

Malware may infiltrate your device even if you take precautions and download the proper protection software. In these situations, your chances of reducing the hazards increase with the speed of your response. To find a cure for any sickness, you must pay close attention to the symptoms. These include emails that are sent without your knowledge, your device stalling or crashing, programmes running on their own, an unexpectedly full hard disc, and more.

IoT Security: A Major Concern for Businesses Worldwide


As technology continues to evolve and more industries across the globe become connected, understanding the security challenges linked with the industrial internet of things (IoT) deployments is increasingly important. 

Businesses planning to roll out a manufacturing or industrial IoT initiative, or link existing technology for automated and remote monitoring or access, will need to consider all of the potential threats and attack vectors linked with those decisions. The most common security challenges with industrial IoT security are as follows: 

Security Breach Via Old Systems 

The surge in the volume of IoT apps has made it easier for malicious hackers to identify vulnerabilities to infiltrate organizational data. The operation of multiple IoT devices through the same internet connection makes it easier for attackers to exploit them as a point of illegal access to other resources. This lack of network segmentation can be devastating, as one successful assault on an IoT device can open the door to attackers to siphon sensitive data. 

To safeguard IoT-powered enterprises from data breaches, it’s important to boost the security of the devices with a hardware-based VPN technology and execute a real-time monitoring solution that will continuously scan and report the behavior of the linked devices. 

DDoS Attack 

The hackers can target businesses' endpoint devices by flooding them with overwhelming traffic so that they cannot complete the work they were intended to do. 

For example, when an industrial thermostat is linked to unprotected internet, a coordinated DDoS attack on the entire system could lead to system downtime. One of the best ways to mitigate this type of IIoT threat is to safeguard internet connection with a firewall. 

Device Spoofing  

In IIoT, a device spoofing assault is launched when the hackers pose themselves as a legitimate device to send information between businesses' centralized network and the IIoT endpoint device. For example, the hacker can pose a trusted IoT sensor to send back false information that could alter an organization’s manufacturing process. However, this risk can be mitigated by employing a hardware-based security solution.

Device Theft 

Another common issue, particularly with devices out in the field, is the theft of the physical devices themselves. This threat increases when endpoint devices are storing critical data that may cause concern if that information is stolen by the attackers. 

To minimize the threat, it’s necessary to avoid storing sensitive information on endpoint devices and use cloud-based infrastructure to store critical data. 

Data Siphoning 

The smooth deployment of data by endpoint devices can be blocked via an eavesdropping attack. What the hacker does here is eavesdrop on the network traffic from the endpoint device to secure access to collected data. 

The industries most impacted by this type of IoT attack are the health, security, and aerospace industries. To mitigate the threat, organizations must have a security policy ensuring that all transmitted data is adequately encrypted using the best encryption software. 

“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing,” Robert M. Lee, CEO at Dragos Incorporation raised a concern regarding organizations' security. 

“There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture, they thought they did in order to make sure their manufacturing environment is reliable.”

Boost Your Internet-Linked Cameras Security Before It’s Too Late


The smart security camera is a great device for keeping an eye on our homes, whether for package deliveries, critters searching our garbage cans, or intruders snooping around our homes. But an Internet-linked camera without robust security might be an easy target for hackers, potentially allowing a stranger to spy on your home. 
According to the 2021 Statista Global Consumer Survey, 28 percent of U.S. consumers are worried that hackers could spy on them via their smart home devices. 

Last year in March, a hacking group claimed they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., securing access to live feeds of 150,000 surveillance cameras inside Tesla factories and warehouses, Equinox gyms, Cloudflare offices, hospitals, jails, schools, police departments, and Verkada’s own offices. 

Methodology to Hack Security Cameras 

The common way to hack security cameras is through a technique called “credential stuffing.” Malicious actors employ usernames and passwords from other data breaches to secure access to accounts. The combination of large data breaches, such as those at Equifax and Target, and individuals reemploying the same password across multiple online services make the job easy for intruders. 

Earlier this year in January, New York Attorney General Letitia James reported that the credential stuffing scheme compromised more than 1.1 million accounts in cyberattacks at 17 well-known firms. These included online retailers, restaurant chains, and food delivery services. 

This type of hack doesn’t need to infiltrate a firm’s security camera system, so every brand is at risk. “These companies aren’t technically at fault,” stated Fred Garcia, who manages CR’s privacy and security testing for home security cameras. “Most companies offer a two-factor authentication system that acts as an extra deterrent against attacks like this. But there is more that these companies could do, like encouraging people to use that added security feature by default.” 

The other sophisticated technique employed by hackers is the modification of security camera settings. Sneaky hackers won’t want you to know they’re in your network, hence, they’ll quietly change your password. Some overconfident hackers might even alter your camera name to “Change your password” or “Upgrade your firmware” as a sign of mockery and disrespect. 

How to Safeguard Your Privacy 

While no system is impervious to cyber attacks, some safety measures can mitigate the risks of being hacked and safeguard your privacy in the case of a hack. 

• Employ cameras from reputable manufacturers, whether they are part of a professionally monitored security system or a DIY device. 
• Keep your camera’s firmware up to date. 
• Use security cameras with high-level, end-to-end encryption. 
• Use complex passwords that cannot easily be guessed (in particular, avoid using passwords you already use for other online accounts). 
• Employ two-factor authentication.

Security Challenges for your Internet Linked Devices


The security of IoT devices has been a major cause for concern over the past few years. Due to easy access from any part of the globe IoT devices are vulnerable to multiple cyberattacks. Malicious hackers can use this access to siphon private data or disrupt or damage the device. 

In this article, we will take a look at some best techniques to enhance the securing of your IoT devices. 

Why is IoT security so important? 

There is no doubt that IoT devices have helped users in making their life comfortable. By using smart devices, you can make your coffee ready for when you get up and get your oven to heat your dinner up for when you get home, and even keep an eye on the house while you're away all from your smartphone. 

Additionally, organizations are using IoT devices for data gathering, edge computing, real-time insights, and measurement abilities. However, with this level of growth comes the inevitable security concerns. Hackers mainly employ the following attacks to secure access to IoT devices: 

• Malware assault: Threat actors employ malware attacks to insert malicious code into an IoT device and take advantage of its vulnerabilities. This type of attack can infect the device and allow unauthorized access to it.
• Cyber Attack: In these types of assaults, an intruder secures access to a user’s IoT device by abusing security bugs in the system.
• Data Leak: Data breach occurs when a threat actor siphons data from an IoT device or system. This mainly occurs when the data stored on an IoT device is not properly secured or when it is mistakenly made available online. 

IoT security concerns 

IoT devices face multiple security challenges that pose a threat to individuals and organizations using them. This includes improper management of device-related security threats, which primarily emerge because these devices don’t get regular updates. 

Moreover, weak credentials and default passwords make devices susceptible to brute force attacks or password hacking. The use of IoT botnets for mining cryptocurrency also risks the confidentiality, integrity, and availability of data in IoT devices. 

Mitigation Tips 

First and foremost, there is no one-size-fits-all solution when it comes to guarding IoT systems, as the nature of these devices and their connections makes them susceptible to a variety of assaults. However, there are a number of best practices that can assist in limiting the risk of malicious actors exploiting the IoT system. 

1. Control access: Execute a secure network architecture and only allow authorized IoT devices you know to join the network and limit those devices’ access. 

2. Monitor your network: Have a real understanding of what "normal" activity looks like. Make sure you deploy device security measures such as firewalls and intrusion detection/prevention systems (IDPs) to protect against unauthorized activity on your devices. 

3. Automate your response time: Limit the time you are exposed to by employing an automated response. If through monitoring, you unearth that a connected device is vulnerable, an automatic follow-up to contain and repair the issue will greatly reduce the risk of exposure. 

4. Stop using public Wi-Fi: When you're accessing your IoT network via your laptop or smartphone, avoid using Wi-Fi networks offered in coffee shops and hotels, or any other public place. 

5. Enable Encryption: One of the most important steps you can take to ensure the security of your IoT devices is to enable encryption. Encryption protects your devices from unauthorized access, and it also helps to protect the data that is stored on them.

Critical Bug Identified in Kingspan TMS300 CS Water Tank Management System


Malicious hackers can remotely exploit a critical vulnerability in a water tank management system utilized by organizations in over 40 countries worldwide, and the manufacturer has not shown any inclination towards fixing the bug. 

The compromised product is designed by the water and energy wing of Kingspan building materials firm headquartered in Ireland. The Kingspan TMS300 CS water tank management system employs multiple mediums including screen, web server, application, online portal, or email to offer information on its products. It features wired and wireless multi-tank level measurements, alarms, and internet or local network connectivity. 

 Kingspan security bug

Earlier this week, Maxim Rupp, a researcher at CISA published an advisory regarding the product impacted by a critical vulnerability due to the lack of adequately implemented access-control guidelines, which allows an unauthenticated hacker to view or alter the product’s settings. 

The vulnerability paves a path for a hacker to access the product’s settings without verifying, and by merely searching for specific URLs. These URLs can be identified by browsing the web interface or via a brute force attack, the researcher explained. The flaw tracked as CVE-2022-2757 has received a CVSS score of 9.8. 

The malicious hacker attacker can exploit the security bug to alter various settings, including ones related to sensors, tank details, and alarm thresholds virtually from any part of the world, as long as they have access to the device’s web interface, Rupp explained. 

According to CISA, the impacted product is used worldwide in the water and wastewater systems sector, and it seems that the exploited settings could allow a hacker to cause some disruption in the targeted organization. 

“Kingspan has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Kingspan customer support for additional information,” the researcher added. 

Mitigation Tips 

CISA has provided the following recommendations for minimizing the threat posed by these types of vulnerabilities. 

• Limit network exposure for all control system devices and/or systems, and ensure they are not reachable from the Internet. 
• Locate control system networks and remote devices behind firewalls and isolate them from enterprise networks. 
• If necessary, employ secure methods, such as Virtual Private Networks (VPNs), to access the devices.

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users


A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is identical to the shrimp and is less than 10cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.

Due to New Router Flaws, Beastmode Botnet Has a Greater DDoS Potential


Beastmode (or B3astmode), a Mirai-based decentralized denial-of-service (DDoS) botnet, has extended its list of exploits to include three new ones, all of which target various models of Totolink devices.

Totolink is a well-known electronics sub-brand of Zioncom which recently published firmware patches to address three critical-severity flaws. DDoS botnet programmers wasted little time in adding these holes to their arsenal to take advantage of the window of opportunity before Totolink router customers installed the security patches. Beastmode has gained control of vulnerable routers, giving it access to hardware resources it can use to execute DDoS attacks.

The following is a list of vulnerabilities in TOTOLINK routers: 

  • CVE-2022-26210 (CVSS 9.8) - A command injection vulnerability that could be used to execute arbitrary code. 
  • CVE-2022-26186 is a vulnerability that affects computers (CVSS score: 9.8) TOTOLINK N600R and A7100RU routers are vulnerable to a command injection vulnerability. 
  • CVE-2022-25075 to CVE-2022-25084 (CVE-2022-25075 to CVE-2022-25084) (CVSS scores: 9.8) - A buffer overflow vulnerability has been discovered in certain TOTOLINK routers, resulting in code execution.  

CVE-2021-4045 is used to target the TP-Link Tapo C200 IP camera, which the researchers haven't seen in any other Mirai-based campaign. For the time being, the exploit has been implemented incorrectly and does not operate. "Device users must still update its camera software to correct this issue," the researchers suggest, citing indications of continued development. 

Although the flaws affect different devices, they all have the same effect: they allow the attacker to insert commands to download shell scripts via the wget command and infect the device with Beastmode. The shell scripts differ depending on which devices have been infected and which exploit has been used.

The vulnerabilities were not the only ones introduced to the Beastmode botnet; its creators also added the following previous bugs:

D-Link is affected by CVE-2021-45382, a remote code execution bug. DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L are the DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L. 
  • CVE-2021-4045 — Unauthenticated remote code execution bug in the TP-Link Tapo C200 IP camera. 
  • CVE-2017-17215 —  Unauthenticated remote code execution problem in Huawei HG532
  • CVE-2016-5674 — Remote execution of arbitrary PHP code through the log argument in the Netgear ReadyNAS product line.
Ensure to deploy the available security updates which correct the vulnerabilities mentioned above to prevent Mirai versions from seizing control of any router or IoT devices. Totolink users should go to the vendor's download center, choose the device model, and download and install the most recent firmware version available. 

A slow internet connection is one of the symptoms if your router has been exploited. Additional indicators include the device heating up more than usual, inability to get into the administration panel, changing settings, or an unresponsive device, which a typical user is likely to overlook.

Researcher Release Report on Internet of Things and Malware Security

With the fast usage of IoT devices, also becoming a lucrative target for threat actors, the reason being these devices are equipped with higher processing power and capability of running a fully functional OS, recent studies aim to better malware research to decrease potential security risks. These results were brought out by a group of researchers from IRISA (Research Institute of Computer Science and Random Systems) at the Annual Computer Security Applications Conference (ACSAC). 

"Electromagnetic emanation that is measured from the device is practically undetectable by the malware," academicians Duy-Phuc Pham, Damien Marion, Matthieu Mastio, and Annelie Heuser said in their research paper. "Therefore, malware evasion techniques cannot be straightforwardly applied unlike for dynamic software monitoring. Also, since a malware does not have control on outside hardware-level, a protection system relying on hard]ware features cannot be taken down, even if the malware owns the maximum privilege on the machine," they further mentioned. 

The aim is to get benefits from the side channel information to find out flaws in emissions when they deviate from earlier observed paths and raise an alarm if a malicious pattern emulating the virus is observed in contrast to the device's normal behavior. The process doesn't require any modifications on selected systems, the framework given in the paper allows finding and classifying stealthy malware like kernel-level rootkits, DDoS (distributed denial of service) attacks, ransomware and, other variants. 

The process takes place in three stages, side-channel stage involves measuring electromagnetic emanations while performing thirty different malware and executing video, music, camera, and picture-related tasks for training convolutional neural network (CNN) model for categorizing real-world malware samples. "By using simple neural network models, it is possible to gain considerable information about the state of a monitored device, by observing solely its electromagnetic emanations," the report says.

Honeypots Experiment Discloses What Attackers Seek From IoT Devices


To understand why threat actor targets specific devices, researchers at the National Institute of Standards and Technology (NIST) and the University of Florida conducted a three-year-long honeypot experiment involving simulated low-interaction IoT devices of diverse sorts and locations. The honeypot was intended to create a fairly diverse ecosystem and gather the data to determine the aim of the opponent. 

According to researchers, IoT (Internet of Things) devices, which include tiny internet-linked gadgets like cameras, lights, doorbells, smart TVs, motion sensors, speakers, thermostats, and more, constitute an expanding business. Over 40-billion of these devices are expected to be linked to the Internet by 2025, providing network access points or computing resources that can be used in unauthorized encryption or as part of DDoS assaults. 

Server farms, a vetting system, and data collection and processing infrastructure were among the three components of the honeypot ecosystem designed by researchers. The researchers installed Cowrie, Dionaea, KFSensor, and HoneyCamera, which are off-the-shelf IoT honeypot emulators to create a diverse ecosystem.

The researchers designed their appearances to look like actual devices on censys and Shodan, two specialized search engines that find the internet-linked services. The following were the three primary types of honeypots: 

• HoneyShell – Emulating Busybox 
• HoneyWindowsBox – Emulating IoT devices running Windows 
• HoneyCamera – Emulating various IP cameras from Hikvision, D-Link, and other devices. 

The trial yielded data from 22.6 million hits, with the vast majority targeting the HoneyShell honeypot. The various actors used comparable attack patterns because their objectives and means of achieving them were identical. 

For example, the majority of attackers implement commands such as “masscan” to scan for open doors and“/etc/init.d/iptables stop” to deactivate the firewalls. In addition, many attackers execute "free -m", "lspci grep VGA", and "cat /proc/cpuinfo", all three aiming to gather hardware information about the target device.

Interestingly, nearly a million hits were discovered when the “admin / 1234” username-password combination was tested, suggesting that the credentials are overused in IoT devices. In terms of end goals, the researchers unearthed that the HoneyShell and the HoneyCamera honeypots were targeted mainly for DDoS recruitment and were frequently infected with a Mirai version or a coin miner.

“Only 314 112 (13 %) unique sessions were detected with at least one successful command execution inside the honeypots,” reads the research paper. “This result indicates that only a small portion of the attacks executed their next step, and the rest (87 %) solely tried to find the correct username/password combination.”

Laptops, Vehicles and Medical Gadgets Could all be Vulnerable to an Intel Chip Flaw


Intel Processors have a vulnerability that could compromise laptops, vehicles, and embedded systems, according to researchers. The vulnerability (CVE-2021-0146) allows unauthorized users with physical access to gain elevated privileges on the system by enabling testing or debugging modes on multiple Intel processor lines.

In terms of scope, the vulnerability affects the Pentium, Celeron, and Atom processors of the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms. Laptops, mobile devices, embedded systems, medical equipment, and a range of internet of things (IoT) offerings are all powered by these chips. 

“According to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla’s Model 3,” Positive Technologies noted in a writeup. 

Mark Ermolov, Dmitry Sklyarov (both from Positive Technologies), and Maxim Goryachy (an independent researcher) discovered the bug, which received a score of 7.1 out of 10 on the CVSS vulnerability-severity scale.

“One example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,” says Mark Ermolov. “Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect." 

This vulnerability is especially problematic since it makes it easier to recover the root encryption key used in Intel PTT (Platform Trust Technology) and Intel EPID (Enhanced Privacy ID) technologies in systems designed to prevent unlawful copying of digital information. For digital rights management, a number of Amazon e-book models, for example, use Intel EPID-based protection. An intruder might use this flaw to steal the root EPID key from a device (e-book), then use Intel EPID technology to download electronic contents in file form, copy, and distribute them, according to Ermolov.

Manufacturers should be more cautious in their approach for providing security for debug mechanisms in the future to minimize difficulties and probable bypassing of built-in protection, according to researchers.

Microsoft Finds Critical Code Execution Bugs In IoT, OT Devices


Recently, world-leading giant Microsoft security unit has reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) appliances. The research unit said that this security flaw in the system is collectively known as BadAlloc and because of the memory allocation Integer Overflow or Wraparound bugs, the attack occurred. 

The unit reported that the cybercriminal could utilize this access into the system to crash and execute malicious code remotely into the system. The vulnerabilities have been discovered by Microsoft's researchers into standard memory allocation systems that come into use in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. 

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations…”, the research team noted. 

"…Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device, the Microsoft security research team has reported”, they further added.

There is a long list of appliance that get affected by the BadAlloc vulnerabilities: 

• Amazon FreeRTOS, Version 10.4.1 
• ARM Mbed OS, Version 6.3.0 
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 
• ARM mbed-uallaoc, Version 1.3.0 
• Cesanta Software Mongoose OS, v2.17.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3 
• Apache Nuttx OS, Version 9.1.0 
• Media Tek LinkIt SDK, versions prior to 4.6.1 
• Google Cloud IoT Device SDK, Version 1.0.2 
• Micrium OS, Versions 5.10.1 and prior 
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior 
• Linux Zephyr RTOS, versions prior to 2.4.0 
• NXP MCUXpresso SDK, versions prior to 2.8.2 
• NXP MQX, Versions 5.1 and prior 
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB 
• Redhat newlib, versions prior to 4.0.0 
• Texas Instruments SimpleLink MSP432E4XX 
• Texas Instruments CC32XX, versions prior to 
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 
• Windriver VxWorks, prior to 7.0 
• Uclibc-NG, versions prior to 1.0.36 
• TencentOS-tiny, Version 3.1.0 

Reportedly, as soon as the security flaw was found out into the system the research unit reported it to the CISA and the vendors.

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack

Sierra Wireless, a Canadian IoT solutions provider said that it has reopened its manufacturing site's production after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. When the company came to know about the attack, it called one of the world's best cybersecurity firms "KPMG," to help Sierra Wireless in the investigation and inquiry of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

Currently, the staff at Sierra Wireless is working on re-installing the company's internal infrastructure, after the corporate website was brought back online. Besides this, the Canadian MNC said that ransomware attacks couldn't breach services and customer-oriented products as the internal systems that were attacked were separated. The company believes that the scope of the attack was limited to Sierra Wireless' corporate website and internal systems, it is confident that the connectivity services and products weren't affected, and the breach couldn't penetrate the systems during the incident. 

As of now, the company isn't expected to issue any firmware or software security updates or product security patches, which are generally required after the ransomware attack. The company hasn't disclosed the ransomware operator behind the attack, it has also not specified what data was stolen from the incident before the encryption could happen. 

The attack happened in March, after that the company took back its Q1 guidance. A company spokesperson said that Sierra wireless won't reveal any further information regarding the attack as per the company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Siera Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries." Stay updated for more news.

Interview with Waylay: Power of Automation to Everyone?


On 8th January, E-Hacking News conducted an interesting interview with Waylay. The guest speaker for the interview was Mr. Veselin Pizurica, CTO & Co-Founder, Waylay. The company helps to connect IoT solutions to IT systems, empowering them to build new applications faster and better than ever before.

Q1. Can you please tell us about “Waylay” as a company? 
Waylay is a technology company that builds automation software for the Internet of Things. Our platform is used by enterprises to develop new digital solutions with IoT, IT, and OT data in the most flexible way. We have about fifty enterprise customers from Australia, Japan, Europe to the US. We are expanding to the US with a physical presence because we’ll like to get better support for our US customers. Today we are more focused on OEM technology meaning we work as an invisible layer, where other companies can buy our software that integrates our automation technology with their solutions. 

Q2. In what industries Waylay is useful for? What type of customers may be interested? 
In the context of IoT, one has two approaches – either go for a vertical approach or being a platform-neutral player where other customers create their own solutions based on automation technology. In this regard, we are the latter case. Our customers are either in the smart buildings or HVAC connected appliances or even B2C. Our technology is used mostly in manufacturing spaces, smart buildings as well as HVAC. The reason for customers being interested in Waylay is because we are a cloud-capable platform as well. We have built a unique set of interfaces that work on top of all other cloud technology in a way that the bigger automation players can replicate the same use case in different clouds. 

Q3. Do you integrate with the existing HVAC system? What if an end customer wants to integrate into your dashboard, how do they do it? Do they need to put a specific IoT controller for this? 
What we have done is to create a kind of convergence layer that integrates to other IoT clouds or IoT systems in such a way that we put in just data for a variety of different systems. In other words, we are just saying we’ll create a bridge layer that can integrate with our system. Secondly, many of these HVACs are not connected and they will never be connected. Our technology offers the opportunity to integrate with other IoT systems. We are not enforcing our connectivity on our customers; we are rather saying whatever we have already we’ll create a layer that will enable us to get data in our systems 

Q4. Do you directly work with OEM (Original Equipment Manufacturer)? If so, do you have a development kit for OEM? What are the types of OEM you work with? 
We do actually. If you have the HVAC suppliers/manufacturers they, face a couple of different problems and none of them are actually trivial. So, basically what we offer is a sort of total automation that enables experts from both sides of the story (machine learning builders and machine learning experts) to bring them on one platform to be able to do total automation. The next thing you could do is offer new services; people are actually renting machines as a service rather than actually selling them. For instance, if you like to rent a machine as a service then your absolute interest is that the machine operates with optimum settings. 

Q5. IoT awareness is so low in many countries, will Waylay contribute positively to increase awareness in the IoT space? 
There are various angles to answer this question. First, IoT is something that people have been talking about for a long time. In a B2C context, if you buy any device, one or the other way, it is connected, it’s just that people are not aware of that. In smart home automation, it is already happening. In industries, things are much more complicated as there is a lot of different technology. Now, awareness also depends on the countries, some people are more eager to try things than others. In industries, the very first problem is connectivity, it not only depends on the use case vertical but also on the country. The thing with IoT is, it’s already happening but not at the same pace (compared to other technologies). What makes our company very confident is eventually, everything will be connected, it’s just that the pace of adoption in some countries is slower than others. 

Q.6 Your blog talked about “Waylay’s Digital Twin Revolutionizes Provisioning in Industrial IoT.” Please tell us more about it. 
When we talk about Digital Twins, we are talking about the digital representations of the objects. It can mean different things to different people. “In an ideal world, all equipment would be connected. In reality, millions of legacy machines are locked out of Industry 4.0 solutions because of the prohibitive cost of retro-fitting them.” 

Q.7 How has Waylay helped to bring a change in Digital Industry? 
Our goal is to bring the power of automation to everyone. Waylay believes that automation liberates human intelligence, cuts down costs, and increases value creation.

Active Cypher: Great Deal of Orchestration of Our Intelligence in AI into Existing Systems

Active Cypher: The company is built upon a socially responsible fabric, that provides information security for individuals and corporations in an increasingly complex digital age. The guest speaker for the interview was Mr. Michael Quinn, CEO, and Mr. Caspian Tavallali, COO Active Cypher. Active Cypher’s Ransom Data Guard utilizes a combination of Active Cypher’s proprietary encryption orchestration, smart AI, and advanced endpoint protection. 
Please tell us about your company Active Cypher? 

I am Michael Quinn, CEO of Active Cypher. We are a data protection company; we have an ethos within a company that the data needs to be able to protect itself wherever it is created. We have built a product line that offers those capabilities of protection against ransomware attacks through protecting data at the file level in the server environment and in the cloud. What our product allows us to do is be crypto agile. We can work with numerous encryption schemes. Once we are installed we basically back out of the situation and allow the client to run and trust their own data. 

Your company talked about game-changing software “Ransom Data Guard” that will protect organizations against ransomware threats. Please describe more about it. 
What we developed is a capability where understanding what ransomware has to do in order to take control of the device in a user environment. We built a product just before the Covid-19 and work from home culture started and we realized that people are using shared environments on the same device at home. So we basically allow the organization to encrypt the data down to the device level and protect it. The ransomware protection that we provide basically allows us to manage the files in such a way that they are not accessible to external sources like ransomware. We put this product along with our cloud fortress product to make sure that we were meeting compliance regulations. What we found after working with the law firms is we allow the companies to meet compliance through this capability if the product was ransomed or even if it was exfiltrated because we encrypt the data so the actual data itself is useless. On the ransomware side, the beauty of it is we allow a lot of flexibility in how the data can be stored and used. 
Besides ransomware protection, what are the other solutions Active Cypher provides? 
We do a great deal of orchestration of our intelligence in AI into existing systems, we integrate into Microsoft tools as well as we have APIs that can write to any of the tools that are out there. We don’t bring in to replace anything or add to anybody’s burden, we integrate into it with our information.  
Let’s say somebody opens a doc. file or they load up a doc. file which has an exploit. How do you handle that? 

If somebody uploads an exploit or malware and when it’s opened, because of the process we use to interrogate the document for its integrity, we will stop any process that is trying to intervene with the environment and we’ll put a warning out. What will happen is you’ll get an alert from us, let’s say you open up a “wannacry” as an example, you will get a screenshot saying “your device has been ransomed.” The reality is you can still open all your files. What we do is, with our cloud fortress product, we do a real-time backup. 
At a time when hospitals and medical institutions are struggling with Covid-19, how has Active Cypher protected them from ransomware threats? 

In most of the hospitals and medical environments, their IT staff lacked the sophistication to understand what was happening. Earlier, the attackers were not really trying to damage the data, they were trying to ransom it and return it. Now what the attackers are doing is, that they are actually getting into the environment and not going after the data because most of the hospitals have upgraded their capabilities along with using our products. Now, the hackers are attacking the IoT (internet of things) at the device level, which is more life-threatening. What we have done to help healthcare institutions is basically putting a “Data Guard” which is the stand-alone ransomware product on devices. 
How do you handle the GDPR (General Data Protection Regulation) and Privacy requirements when it’s the home environment? 

With “Data Guard,” the way the product is designed, it can be installed on a consumer device. In that environment it allows people to protect what they have like personal data or business data that they have on their device is protected. And that’s the simplicity of Data Guard, is the fact that it protects your device and the files on it and ensures that ransomware can’t launch successfully.  
With cyberattacks rising, is there any advice you can give to our readers on cybersecurity? 

Everybody has to be aware, you don’t have to be afraid. With the stress of work, particularly with this remote work environment, the user has to be more diligent. So, ease of use and awareness are probably the keys to maintaining good data hygiene.

Internet of Things (IoT): Greater Threat for Businesses Reopening Amid COVID-19 Pandemic


Businesses have increasingly adopted IoT devices, especially amid the COVID-19 pandemic to keep their operations safe. Over the past year, the number of IoT devices employed by various organizations in their network has risen by a remarkable margin, as per research conducted by Palo Alto Networks' threat intelligence arm, Unit 42. 
While looking into the current IoT supply ecosystem, Unit 42 explained the multi exploits and vulnerabilities affecting IoT supply chains. The research also examined potential kinds of motivation for exploiting the IoT supply chain, illustrating how no layer is completely immune to the threat.  

The analysis of the same has been reported during this year's National Cybersecurity Awareness Month (NCSAM), which is encouraging the individual's role in protecting their part of cyberspace and stressing personal accountability and the significance of taking proactive measures to strengthen cybersecurity. 
The analysis also noted that supply chain attacks in IoT are of two types – through a piece of hardware modified to bring alterations in a device's performance or from software downloaded in a particular device that has been affected to hide malware. 
While highlighting a common breach of ethics, the research mentioned the incorporation of third-party and hardware components without making a list of the components added to the device. The practice makes it hard to find how many products from the same manufacturer are infected when a vulnerability is found on any of the components. Additionally, it also becomes difficult to determine how many devices across various vendors have been affected in general, by the vulnerability.

"The main goals for cyberespionage campaigns are maintaining long-term access to confidential information and to affected systems without being detected. The wide range of IoT devices, the access they have, the size of the user base, and the presence of trusted certificates make supply chain vendors attractive targets to advanced persistent threat (APT) groups..." the report stated. 
"In 2018, Operation ShadowHammer revealed that legitimate ASUS security certificates (such as “ASUSTeK Computer Inc.”) were abused by attackers and signed trojanized softwares, which misled targeted victims to install backdoors in their system and download additional malicious payloads onto their machines." 
While putting things in a cybercrime perspective, the report noted - "The potential access and impact of compromising a large number of IoT devices also make IoT vendors and unprotected devices popular choices for financially motivated cybercriminals. A NICTER report in 2019 shows close to 48% of dark web threats detected are IoT related. Also in 2019, Trend Micro researchers looked into cybercriminals in Russian-, Portuguese-, English-, Arabic-, and Spanish-speaking marketplaces and discovered various illicit services and products that are actively exploiting IoT devices." 
The report stressed the need to "enlist" all the devices connected to a certain network as it will help in identifying devices and their manufacturers, enabling administrators to patch, monitor, or even disconnect the devices when needed. There are instances when all the vulnerable devices are unknown in the absence of a complete list, therefore it is imperative to have complete visibility of the list of all the connected devices in order to defend your infrastructure. 

Vulnerabilities with AvertX IP security cameras

Palo Alto Networks Unit 42, this February found three vulnerabilities present in AvertX IP cameras in their latest version.

These three vulnerabilities were found in models HD838 and 438IR of AvertX used as outdoor surveillance cameras with object-detection and infrared and technology built-in. The users can store the recordings both in the cloud on a Network Video Recorder (NVR) or in a memory card.

The three vulnerabilities that were found and confirmed by AvertX were:

CVE-2020-11625: User enumeration 

Faulty web user interface (UI) login attempts lead to varied results when the account doesn't exist that could enable attackers to use brute force attacks.

 CVE-2020-11624: Weak password requirements 

The software does not require users to change from the default password. When the user tries to login with the default password the pop shows 'password has been changed' but lets the user login.

 CVE-2020-11623: Exposed dangerous method or function 

An exposed UART interface exists that could be exploited by an attacker with physical access to the UART and change diagnostic and configuration functionalities.

 The Impact of these Vulnerabilities

The attackers can use a brute force attack by gaining legitimate accounts as the vulnerability allows to collect valid usernames and once the username is accessed it is easy to gain the password via brute force attack.

Since the camera can be accessed by using the default password- can easily make your camera and machine compromised. And the default password can be as easily accessed by reading a user manual, as a result, can connect to Iot devices.

Physical access to UATR ( universal asynchronous receiver-transmitter) can allow the attacker to change configurations, modify them, or even shut the camera down.

 The company AvertX, analyzed the faults and vulnerabilities and have released a patch with proper modifications and removed the UATR connector as well as changed the interface in the later produced batches.
2020 Unit 42 IoT Threat Report showed that security cameras make 5% of Interest Of Things (IoT) devices all over but they cover 33% of security issues related to IoT devices.

Bot List Containing Telnet Credentials for More than 500,000 Servers, Routers and IoT Devices Leaked Online

This week, a hacker published a list on a popular hacking forum containing Telnet credentials for over 515,000 servers, home routers and IoT (Internet of Things) "smart" devices. The massive list which reportedly was concluded by browsing the whole internet in search of devices that left their Telnet port exposed, included IP addresses of all the devices, username and password for the Telnet service and a remote access protocol that can be employed to control devices over the internet.

After scanning the Internet in search of devices exposing their Telnet port, the hacker attempts to use either factory-set default usernames and passwords or custom but guessable combinations, as per the statements by the leaker himself.

These lists, generally kept private – are known as 'bot lists' that are built after hackers scan the Internet and then employed them to connect to the devices and install malware. Sources say that although there have been some leaks in the past, this one is recorded as the biggest leak of Telnet passwords till date.

As per the reports of ZDNet, the list was made available online by one of a DDoS-for-hire (DDoS booter) service's maintainer. There's a probability that some of these devices might now run on a different IP address or use other login credentials as all the leaked lists are dated around October-November 2019. Given that using any of the listed username and password to access any of the devices would be illegal, ZDNet did not use it. Therefore, they were not able to comment on the validity of these credentials.

A security expert in the field of IoT, requesting for anonymity, tells that even if some of the listed credentials are invalid by the time for devices now have a new IP address or password. However, the listings still hold a lot of value for a skillful and talented attacker who can possibly use the present information in the list to identify the service provider and hence update the list with the current IP addresses.

Certain authentic and verified security researchers are given access to the list of credentials as they volunteered for it.

IoT Devices Fall Prey to Attacks up to 10 Crore by Hackers

With more than 40 lakh attacks on IoT (Internet of Things) devices, India is among one of the Top 10 Victims Countries lists in the world. This can be a disappointment for Tech Freaks and companies that have just begun using IoT devices but don't consider protecting their IoT devices such as smart cameras. Hackers didn't even flinch while penetrating the systems. That's how simple the breakthrough was.

Simple methods like password guessing are used for getting the entry in IoT devices. Some sufferers of these attacks set passwords as naive as 'Admin.' And now, India has made it to the index of the top 10 countries that fell prey to IoT attacks in 2019. As shocking as the disturbance was, all of these hacks have happened in just the first half of the year. Nevertheless, it's ironical that India wasn't on this list at the same time last year. That is how distressing the circumstance has become.

In a study titled, 'IoT: A Malware Story,' Kaspersky, a cybersecurity company, says "There is an immense explosion in smart technologies like routers and smart cameras but people hardly care to guard them against cyber invasions, cyber safety solutions." This is due to a massive number of attacks happening in the first half of the year 2019. “Kasperky's honey pots (used as baits by the company to lure hackers) caught 10.5 crore invasions on IoT gadgets from 276,000 different IPs in contrast to 12 million invasions arising from 69,000 IPs in the very time previous year,” said its report.

The increase of IoT gadgets and lack of knowledge on cyber safety make this a sweet harvest for hackers. Invasions on IoT gadgets traversed 10-crore line in the first half of 2019, 9 times the number of attacks happened in the year 2018 at the same time. The Honey pots used as baits to catch the hackers have obtained fascinating knowledge about the manner of working of the hackers. Fortunately, the invasions on IoT gadgets are not complicated. However, lack of knowledge leads to attacks on IoT gadgets. Clicking on vulnerable links in IoT systems, hackers have sharpened their drives to ship into IoT devices and make a profit.

Around 25 million Home Voice Assistants vulnerable to hacking globally


According to a cybersecurity report of McAfee, over 25 million voice assistants which are connected  IoT(internet of things ) devices at home globally are at huge risk of hacking.

Raj Samani, McAfee Fellow and Chief Scientist at McAfee said “ Most IoT devices are being compromised by exploiting rudimentary vulnerabilities, such as easily guessable passwords and insecure default settings”

He further added that “From building botnets, to stealing banking credentials, perpetrating click fraud, or threatening reputation damage unless a ransom is paid, money is the ultimate goal for criminals,”

The hackers around the world are exploiting basic vulnerabilities of IoT devices like easily guessable passwords, weak security settings, exploitation through voice commands.

According to the “Mobile threat report” from McAfee, there has been a 550 percent increase in security vulnerabilities related to fake apps in the second half of 2018.

According to the report “"Most notably, the number of fake app detections by McAfee's Global Threat Intelligence increased from around 10,000 in June 2018 to nearly 65,000 in December 2018,"

 Gary Davis, Chief Consumer Security Evangelist at McAfee said "The rapid growth and broad access to connected IoT devices push us to deliver innovations with our partners that go beyond traditional anti-virus. We are creating solutions that address real-world digital security challenges,"

McAfee and Samsung are now in partnership to secure Samsung Galaxy S10 devices from a malicious hacking attempt