
Fixing Insecure Operational Technology That Threatens the Global Economy

 


As technology spreads and cyberattacks grow with it, the demand for work that safeguards systems and networks grows as well. Many techniques have been developed to protect the bits and bytes of computer networks, yet no comparable method exists for hardening the physical infrastructure on which the world's economy runs.

In many countries, operational technology (OT) platforms have permeated traditional physical infrastructure, computerizing nearly all of it: buildings, bridges, trains and cars, as well as the industrial equipment and assembly lines that generate an economy's wealth. Even with all the advances in the tech world, a cyberattack on things like planes or beds would be no small matter. There is a clear need for proper precautions to prevent the destructive damage such attacks can cause.

Consider, for instance, a scenario in which our country's northeast regions are left without heat in the middle of a brutal cold snap as the result of an attack on an energy plant. Imagine the enormous hardship, and even deaths, that would follow: homes would go dark, businesses would lose customers, hospitals would struggle to operate, and airports would shut down.

The first sign that physical infrastructure could be a prime target for this kind of cyber threat came when the Stuxnet virus emerged over a decade ago. At least 14 industrial sites, including a uranium enrichment plant in Iran, were infected by Stuxnet, which inserted malicious code into the control software.

Built-in vulnerabilities 

Operational technology manufacturers have long failed to design their products with security in mind. As a result, trillions of dollars' worth of OT assets are incredibly vulnerable today, which has already led to tremendous financial losses. Almost all products in this category are built around microcontrollers that communicate over controller area networks (CANs), which are insecure.

Besides passenger vehicles and agricultural equipment, the CAN protocol is used in an extensive range of other products, such as medical instruments and building automation systems. However, it includes no mechanism for secure communication, and it lacks both authentication and authorization. A CAN frame carries no information about the sender's address, so a recipient cannot determine from the frame where it came from.

As a consequence, CAN bus networks have become considerably more vulnerable to malicious attacks, especially as the cyberattack landscape expands. We therefore need more advanced approaches and solutions to secure CAN buses and protect the vital infrastructure that depends on them.

Before examining what can happen if a CAN bus network is compromised, consider what the bus does. Several microprocessors are interconnected by a CAN bus, which acts as a communication channel shared by all of them. The CAN bus makes it possible for several systems within an automobile, for example, to communicate seamlessly over a common channel: the engine system, combustion system, braking system, and lighting system all exchange messages over it.

However, hackers can still send random messages in compliance with the protocol and interfere with CAN bus communication because it is inherently insecure. Consider the havoc that would ensue if even a small-scale hack of an automated vehicle occurred, transforming these cars into a swarm of potentially lethal objects, causing an unimaginable amount of disaster and mayhem. 

The automotive industry faces the challenge of designing a well-built, embedded security mechanism to protect CAN, and that mechanism must achieve high fault tolerance while keeping costs low. Ultimately, startups tackling this problem will be able to defend all our physical assets, including planes, trains, and manufacturing systems, from cyberattacks.

How OT Security Would Work 

How would such a company look if it existed? By intercepting data from the CAN and deconstructing the protocol, this kind of application could enrich and alert on anomalous communication traffic traversing the OT data bus, CAN included. An operator of high-value physical equipment with such a solution installed would gain real-time, actionable insight into anomalies and intrusions within their systems, and would therefore be better equipped to thwart any cyberattacks that occur.
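To make the "intercept, deconstruct, alert" idea concrete, here is an added example (not code from the original post or any vendor) that parses candump-style CAN frames, learns a per-ID baseline from clean traffic, and flags three classic anomalies: an arbitration ID never seen before, a frame arriving far faster than its learned period (injection alongside the legitimate sender), and a payload length that changed. The log lines, IDs, and periods are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean

# One candump-style line looks like "(1.234) can0 0C4#0A1B2C3D": timestamp, interface,
# arbitration ID in hex, then '#' and the payload bytes in hex.
FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line):
    """Deconstruct one candump-style line into its fields; None if malformed."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m.group("data")) if m.group("data") else b""
    return {"ts": float(m.group("ts")), "iface": m.group("iface"),
            "can_id": int(m.group("id"), 16), "data": data}


def parse_log(text):
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f]


def learn_baseline(frames):
    """Per arbitration ID: mean inter-arrival time and the set of payload lengths seen."""
    last, gaps, dlcs = {}, defaultdict(list), defaultdict(set)
    for f in frames:
        cid = f["can_id"]
        dlcs[cid].add(len(f["data"]))
        if cid in last:
            gaps[cid].append(f["ts"] - last[cid])
        last[cid] = f["ts"]
    return {cid: {"period": mean(gaps[cid]) if gaps[cid] else None,
                  "dlcs": dlcs[cid]} for cid in dlcs}


def detect(frames, baseline, tolerance=0.5):
    """Return (timestamp, can_id, reason) for frames deviating from the baseline."""
    alerts, last = [], {}
    for f in frames:
        cid = f["can_id"]
        prof = baseline.get(cid)
        if prof is None:                       # ID never transmitted during learning
            alerts.append((f["ts"], cid, "unknown-id"))
            continue
        if len(f["data"]) not in prof["dlcs"]:  # payload length changed for this ID
            alerts.append((f["ts"], cid, "dlc-change"))
        if cid in last and prof["period"] is not None:
            # A frame much earlier than its period means a second sender is using the ID.
            if f["ts"] - last[cid] < prof["period"] * (1 - tolerance):
                alerts.append((f["ts"], cid, "rate-anomaly"))
        last[cid] = f["ts"]
    return alerts


def synthetic_traffic(start, count):
    """Constructed clean traffic: three periodic IDs, as ECUs would emit them."""
    lines = []
    for i in range(count):
        t = start + i * 0.010
        lines.append(f"({t:.3f}) can0 0C4#0A1B2C3D")            # every 10 ms, 4 bytes
        if i % 5 == 0:
            lines.append(f"({t:.3f}) can0 1A0#00FF")            # every 50 ms, 2 bytes
        if i % 10 == 0:
            lines.append(f"({t:.3f}) can0 3E8#0102030405060708")  # every 100 ms, 8 bytes
    return "\n".join(lines)


# Constructed capture containing three anomalies among legitimate frames.
ATTACK_LOG = """\
(2.000) can0 0C4#0A1B2C3D
(2.002) can0 0C4#FFFFFFFF
(2.005) can0 7DF#0201050000000000
(2.010) can0 0C4#0A1B2C3D
(2.010) can0 1A0#00FF0000
(2.020) can0 0C4#0A1B2C3D
"""


def run_demo():
    baseline = learn_baseline(parse_log(synthetic_traffic(0.0, 100)))
    return detect(parse_log(ATTACK_LOG), baseline)


if __name__ == "__main__":
    for ts, cid, reason in run_demo():
        print(f"t={ts:.3f} id=0x{cid:03X} {reason}")
```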

Usually, this type of company comes from the defense industry, but it can also come from other sectors. Besides being able to examine various machine protocols, it will have an embedded data plane built on deep foundational technology.

A $10 billion-plus opportunity can easily be created with the right team and support. Protecting the physical infrastructure of our country is one of the most imperative obligations that we have. Hence, there is a clear need for new solutions, concentrated on hardening critical assets against cyberattacks, which can provide a practical solution to the problem.

Recovery From Ransomware Attack Continues At CHI Health

 


On Tuesday, CommonSpirit Health, one of the country's biggest health systems, reported an unspecified "IT Security Incident" that affected multiple regions and has disrupted hospital operations across the nation. As a security measure, some systems were taken offline in the wake of the attack, which also forced patient procedures to be rescheduled.

In a ransomware attack, the malware typically reaches the computer when someone loads infected software, either manually or by clicking a malicious link in an email or on a website. The goal of the attack is to take control of computer systems or files and render them unusable.

Once the attackers have access to the network, they demand a ransom, which the organization pays in exchange for the encryption key.

A statement issued by CHI Health on Wednesday night noted that CommonSpirit "took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care upon learning about the ransomware attack. In addition to providing our patients, employees, and caregivers with relevant updates regarding the ongoing situation, we continue to provide the highest level of care for patients. Despite this, we remain committed to maintaining the highest level of patient care and apologize for any inconveniences this matter may have caused."

CHI Health has said that some appointments and procedures have had to be rescheduled or delayed since the attack was reported at the beginning of October; this is due to the unexpected nature of the attack.

Hospitals reportedly have protocols in place for system outages, which include taking certain records offline, including national health records, and taking steps to mitigate disruptions and maintain continuity of care.

"To support and assist our team with further investigation and response work, we have engaged leading cybersecurity experts as well as notified law enforcement, and we are conducting a comprehensive forensic investigation to ensure full functionality and to reconnect all of our systems," the hospital said.

Some patients have expressed frustration with the CommonSpirit Health attack, which they say has led to doctors using paper charts instead of computers. Making appointments and getting prescriptions from the doctor have become challenges as well.

According to the Omaha World-Herald, Edward Porter, a diabetic from Omaha, was unable to reorder sensors for his continuous glucose monitor, which feeds his insulin pump, because CHI Health's systems are currently offline.

Under the employer-provided medical insurance that he uses, the devices are considered durable medical equipment under the policy. As a rule, he gets them at a CHI Health pharmacy that specializes in handling these kinds of devices. Buying them out-of-pocket would cost at least $75 per person, an expense he has not budgeted for and cannot afford.

Neither CommonSpirit nor any of its affiliate companies have announced publicly whether the attack has affected all 1,000 care facilities in 21 states, which include 140 hospitals. The hospital has also not commented on whether any personal or medical data of patients was compromised.

Evidently, the attack has affected the healthcare sector in a significant way; according to Brett Callow, a threat analyst with cybersecurity service provider Emsisoft, it might be the biggest attack ever experienced by a hospital.

Malware Campaign Targets Job Seekers With Cobalt Strike Beacons

 



A social engineering campaign is exploiting a years-old remote code execution vulnerability in Microsoft Office to deploy Cobalt Strike beacons and target job seekers. 

According to a report published on Wednesday by Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer, the payload discovered appears to be a leaked version of a Cobalt Strike beacon.

The beacon configuration contains commands that can be used to inject arbitrary binaries directly into processes. The beacon is configured with a high-reputation domain, a redirection technique used to disguise the beacon's traffic.

The malicious activity, discovered a year ago in August 2022, attempts to exploit CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that allows an attacker to take control of an affected system remotely.

Phishing emails, which come from New Zealand's Public Service Association, a trade union based in the country, are one of the entry vectors for the attack. They carry a Microsoft Word attachment containing job-related lures for positions in the U.S. government and the Public Service Association, an American union. Cisco Talos also notes that Cobalt Strike beacons are far from the only payloads: the company has observed Redline Stealer and Amadey botnet executables delivered at the other end of the attack chain as well.

A cybersecurity expert noted that the attack was highly modularized, adding that Bitbucket repositories were used to host the malicious content. From those repositories, the attack downloaded the malware executable responsible for installing the Cobalt Strike DLL beacon, a harmful piece of code that attackers could use later to exploit the computer.

Several attack sequences are executed through Bitbucket. They use obfuscated VB and PowerShell scripts stored in a repository to deliver a script leading to the beacon, which is hosted from a different Bitbucket account.

"This campaign is a well-known example of how a threat actor employs a technique of generating and executing a malicious script in the system memory of the victim as a means of attacking the system," the researchers said.

"Organizations should be constantly vigilant on the Cobalt Strike beacons and should implement layered defense capabilities to thwart the attacker's attempts at the earliest stage in the infection chain so as to thwart the attack's progress."

New vulnerabilities in Dataprobe are Invading The Devices Remotely

 

Researchers from Team82 uncovered critical flaws in Dataprobe's iBoot power distribution unit. The flaws could allow threat actors to control and cut off electric power to the systems or other devices connected to it, potentially impacting the targeted firms.
 
Team82, the research division of the industrial cybersecurity firm Claroty, found seven vulnerabilities. One of them allows malicious actors who reach the system to execute malicious code on it.
 
The iBoot power distribution unit is offered with a cloud service that gives users real-time control of the outlets from any location through web interfaces, Telnet, and SNMP.
 
According to Census Report 2021, over 2000 power distribution units were connected to the internet, with Dataprobe devices accounting for 31% of the total.
 
The Team82 report notes that the iBoot power distribution unit can be managed remotely through its web interface if the device is connected directly to the internet, or through a cloud-based infrastructure that exposes the device's management page if it is not.
 
Attackers who exploit this feature gain access via the web connection and the cloud to remotely exploit the vulnerabilities. Doing so also lets them bypass Network Address Translation (NAT) and firewalls and reach into businesses through these smart connectivity channels.
 
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, circulated an advisory covering the seven vulnerabilities, noting that the affected devices are deployed all across the world, including in the manufacturing sector.
 
The seven vulnerabilities have been assigned CVE-2022-3183 through CVE-2022-3189. The issues involve OS command injection, path traversal, sensitive information exposure, improper access control, incorrect authorization, and server-side request forgery (SSRF).
 
The vendor has released a new firmware version, 1.42.06162022, to address the problem. Dataprobe recommends that all users update to the latest firmware and also disable the Simple Network Management Protocol (SNMP), which is used to monitor the network.

Secure Boot Vulnerabilities Impact Bootloaders, Systems Compromised


About Secure Boot Bugs

Bootloaders found in the majority of systems made in the last 10 years are affected by Secure Boot bypass vulnerabilities.

Secure Boot is a mechanism designed to protect a device's boot process from threats; bypassing it allows an attacker to execute arbitrary code before the operating system loads.

This enables the installation of stealthy and persistent malware. The Secure Boot vulnerabilities were found in the Eurosoft (CVE-2022-34301), New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders.

According to the company Eclypsium, the bootloaders are found in almost every device made in the past 10 years, including ARM and x86-64 devices.

How do the bugs work?

The CryptoPro Secure Disk and Eurosoft bootloaders contain signed UEFI shells, so attackers can bypass Secure Boot by abusing their built-in capabilities; these loopholes can easily be exploited through automated startup scripts.

According to Eclypsium, the bootloader contains a built-in bypass that leaves Secure Boot on but disables its checks. This bypass can further enable more complex evasions, such as disabling security handlers.

In this case, an attacker would not need scripting commands and could directly run arbitrary unsigned code. To exploit any of these bugs, an attacker must already have admin or root privileges on the targeted Windows or Linux system.

But the company said that there are many ways to get these permissions on a device. The flawed bootloaders are signed by Microsoft. As per an advisory issued by the CERT/CC at Carnegie Mellon University, the tech giant has been working with vendors to address the flaws and it has restricted the certificates linked with the affected bootloaders. 

"In 2020, Eclypsium disclosed the existence of a vulnerability named BootHole, which affected all operating systems that used the GRUB2 bootloader with Secure Boot. Some vendors rushed to release patches in response to BootHole, but they caused many systems," says Security Week. 


CISA Adds One Known Exploited Vulnerability to Catalog


On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that it has identified a high-severity vulnerability in Zimbra email software. Based on evidence of active exploitation, the vulnerability has been added to its Known Exploited Vulnerabilities Catalog.

Researchers are currently investigating CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could allow the execution of arbitrary Memcached commands and the theft of sensitive data.

Vulnerabilities of this kind are frequent and commonly seen; according to the data, they pose a significant risk to the federal enterprise.

“Zimbra Collaboration (ZCS) allows an attacker to inject Memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries”, CISA added. 

The issue was first reported by SonarSource in June, with patches released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.

Before Installing Patch 9.0.0 Patch 24.1, users are recommended to consider the following: 

• Patches are cumulative. 
• Zimlet patches remove existing Zimlets and redeploy the patched Zimlet. 
• Before applying the patch, a full backup should be performed. 
• There is no automated roll-back. 
• Before using ZCS CLI commands, switch to the Zimbra user. 
• Must note that you will not be able to revert to the previous ZCS release after you upgrade to the patch.  
• Understand that the installation process has been upgraded. Additional steps to install Zimbra-common-core-libs, Zimbra-common-core-jar and Zimbra-mbox-store-libs packages have been included for this patch release. 

“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria”, CISA further said.

SolarWinds Alerted About Attacks Targeting Web Help Desk Instances

 

SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances that were exposed to the Internet and recommended they remove those from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is a helpdesk ticketing and IT inventory management software for businesses that aim to automate ticketing and IT asset management operations. 

SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more." 

Customers who are unable to remove WHD instances from Internet-accessible servers should install EDR software and monitor them for attack attempts. SolarWinds has not been able to replicate the scenario and is working with the customer to analyse the report.

A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted." 

Although SolarWinds did not specify what tools or tactics were used in the attack, there are at least four security flaws that an attacker may use to target an unpatched WHD instance: 
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6 
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1 
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1 
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8 

According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.

SquirrelWaffle Adds a Spin of Fraud to Exchange Server Malspamming

 

Squirrelwaffle, ProxyLogon, and ProxyShell are being used against Microsoft Exchange Servers to conduct financial fraud via email hijacking. Sophos researchers revealed that a Microsoft Exchange Server that had not been patched against a set of serious vulnerabilities identified last year was used to hijack email threads and disseminate malspam.

On March 2, 2021, Microsoft released emergency updates to address zero-day vulnerabilities that could be exploited to take over servers. At the time, Hafnium, an advanced persistent threat (APT) group, was constantly exploiting the bugs, and other APTs swiftly followed suit. Despite the fact that the ProxyLogon/ProxyShell flaws are now widely known, some servers remain unpatched and vulnerable to assaults. 

Sophos has described an instance that combined Microsoft Exchange Server vulnerabilities with Squirrelwaffle, a malware loader first discovered in malicious spam operations last year. Malicious Microsoft Office documents or DocuSign content attached to phishing emails are frequently used to spread the loader. Squirrelwaffle is often used to fetch and execute Cobalt Strike beacons via a VBS script once the intended victim has enabled macros in the malicious documents.

According to Sophos, the loader was used in the recent campaign once the Microsoft Exchange Server had been compromised. By hijacking existing email threads between employees, the server of an undisclosed organisation was utilised to "mass distribute" Squirrelwaffle to internal and external email addresses. 

Email hijacking can take a variety of forms. Social engineering and impersonation, such as an attacker posing as an executive to dupe an accounting department into signing off on a fraudulent transaction, or sending email blasts with links to malware payloads, can disrupt communication channels. In this case the spam campaign was used to disseminate Squirrelwaffle, but the attackers also extracted an email thread and used the internal knowledge it contained to execute financial fraud. Customer information was obtained and a victim organization was chosen. To reply to the thread from outside the server, the attackers registered a typo-squatted domain, one whose name closely resembles the victim's, and created email accounts under it.

Sophos explained, "To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department. In fact, the additional addresses were also created by the attacker under the typo-squatted domain." 

The attackers attempted for six days to divert a legitimate financial transaction to a bank account they owned. The money was about to be processed, and the victim escaped the attack only because a bank involved in the transaction realized the transfer was most likely fake. 

Matthew Everts, Sophos researcher commented, "This is a good reminder that patching alone isn't always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven't left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection."
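The thread-hijacking trick above depends on the reader not noticing that the sender and the "copied" colleagues all sit under a lookalike domain. Below is an added example (not Sophos's code or part of the original post) of a small inbound-mail check that extracts every address from the From, Reply-To, To and Cc headers and flags any whose domain is a near miss of a trusted domain, by normalising common character-shape substitutions (rn/m, vv/w, 0/o, 1/l) and by edit distance. The trusted domain and the sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed: the legitimate domain(s) of the partner whose thread was hijacked.
TRUSTED_DOMAINS = {"example-corp.com"}


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold lookalike character pairs so 'exarnple' compares equal to 'example'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def is_lookalike(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """True if the domain resembles a trusted domain without being one."""
    d = domain.lower()
    if d in trusted:
        return False
    for t in trusted:
        if normalise(d) == normalise(t) or levenshtein(d, t) <= max_distance:
            return True
    return False


def extract_addresses(raw_message):
    """All (header, address) pairs from the headers an attacker controls or forges."""
    msg = message_from_string(raw_message)
    found = []
    for header in ("From", "Reply-To", "To", "Cc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                found.append((header, addr.lower()))
    return found


def audit_message(raw_message, trusted=TRUSTED_DOMAINS):
    """Return (header, address, domain) for every address under a lookalike domain."""
    findings = []
    for header, addr in extract_addresses(raw_message):
        domain = addr.rsplit("@", 1)[1]
        if is_lookalike(domain, trusted):
            findings.append((header, addr, domain))
    return findings


# Constructed reply in the style of the hijacked thread: sender plus two "internal"
# colleagues all under exarnple-corp.com ('rn' standing in for 'm').
SUSPECT_MAIL = """\
From: Alice Finance <alice@exarnple-corp.com>
Reply-To: alice@exarnple-corp.com
To: bob@customer.example
Cc: accounts@exarnple-corp.com, Legal Team <legal@exarnple-corp.com>
Subject: RE: Invoice 4471 - updated bank details

Hi Bob, please use the new account details below for this payment.
"""

# Constructed legitimate reply from the real domain.
CLEAN_MAIL = """\
From: Alice Finance <alice@example-corp.com>
To: bob@customer.example
Subject: RE: Invoice 4471

Hi Bob, confirming the original invoice details are unchanged.
"""

if __name__ == "__main__":
    for header, addr, domain in audit_message(SUSPECT_MAIL):
        print(f"{header}: {addr} (lookalike of trusted domain, via {domain})")
    print("clean message findings:", audit_message(CLEAN_MAIL))
```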

Kafdrop Flaw Exposes Data from Kafka Clusters to the Whole Internet

 

Spectral researchers uncovered a security flaw in Kafdrop, a popular open-source UI and administrative interface for Apache Kafka clusters that has been downloaded over 20 million times. Companies affected include significant worldwide companies as well as smaller organisations in healthcare, insurance, media, and IoT — in short, everyone who uses Kafdrop with Apache Kafka. 

Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications, including eight of the world's ten largest banks, the 10 largest global insurance companies, and eight of the world's ten key telecom providers. Kafka is commonly used to process and store logs, financial transactions, and private user data. It also powers consumer-centric data pipelines that process real-time actions, events, and behaviour. Kafka is cloud-native, with the ability to scale from small to massive cloud-based clusters. It is also highly scalable and tolerant. 

“We can’t name any of the companies whose clusters we discovered, as we don’t want to give threat actors the edge, but these flaws are exceptionally widespread,” said Dotan Nahum, CEO at Spectral. “Furthermore, since Kafka serves as a central data hub, threat actors with assistance from a flawed Kafdrop, can infiltrate and exfiltrate data and manage the cluster as they see fit. They can connect as a Kafka subscriber to cause further havoc across the entire network.” 

The Kafdrop security flaw not only exposes secrets in real-time traffic, but also discloses authentication tokens and other access details that allow hackers to reach the cloud providers, such as AWS, IBM, Oracle, and others, where Kafka clusters are frequently hosted. Kafdrop also provides insight into the layout and topology of a cluster, disclosing hosts, topics, partitions, and consumers, and allows the sampling and downloading of live data as well as the creation and removal of topics.

“Misusing Kafdrop allows threat actors to access the nervous system of an entire company, revealing customer data, transactions, medical records, internal system traffic, etc. Immediate mitigation is critical,” said Nahum. 

When the flaw was discovered, Spectral promptly contributed an authentication addition back to Kafdrop. Spectral proposes that enterprises scan not only code, but also configuration, infrastructure, and data across the whole SDLC to defend themselves from security blunders of this kind that lead to breaches.

Magecart Attacks Surge in the Wild

 

According to a Cyberpion study, several of the world's top corporations in retail, finance, healthcare, power, and many other industries, including Fortune 500, Global 500, and governments, are struggling to avoid Magecart assaults. Magecart is a term used to describe a type of cyber attack wherein cybercriminals compromise third-party code (typically Javascript that runs in browsers) to grab, or scrape, details such as credit card information from web applications (e.g., online checkout software) or webpages that incorporate the code. 

Over the previous two years, the researchers examined over 30,000 flaws and discovered huge shortcomings in existing security platforms and mechanisms for detecting and mitigating Magecart assaults. 

There are also significant gaps in firms disclosing to their customers the security vulnerabilities or exploits occurring throughout their digital supply chains, which puts all linked organizations at risk of a breach.

“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. 

“Victims are often the last to know as it’s only later that organizations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises, in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.” 

Web skimming has also been on the rise. It is a real danger to online businesses and customers, with attacks significantly affecting firms such as British Airways and Ticketmaster in 2018, Forbes in 2019, and local US government portals and the messaging app Telegram in 2020.

At least one of the top five firms in a variety of industries – retail, insurance, financial services, pharma, media, security, and others – were discovered to be susceptible or exploited. And over 1000 online stores are exposed, putting their consumers at risk of being skimmed. Many of the most widely circulated worldwide newspapers were discovered to be susceptible, frequently via their main page. 

Some vulnerable or exploited businesses deploy anti-Magecart solutions, but these may be circumvented. Vendor architecture exposes numerous other linked businesses to Magecart, yet suppliers frequently fail to notify customers early enough for preventative action to be taken. In one example, a major internet advertising network impacted 15 worldwide insurance firms as well as hundreds of smaller businesses.

Critical vulnerability found in Intel processors used in many laptops, IoTs

Positive Technologies specialists discovered a new vulnerability in Intel Pentium, Celeron and Atom processors on the 2016, 2017 and 2019 platforms Apollo Lake, Gemini Lake and Gemini Lake Refresh, designated CVE-2021-0146. It can be used to access encrypted files, for espionage, and to circumvent copyright protection.

According to experts, “CVE-2021-0146 vulnerability allows testing or debugging modes in several lines of Intel processors. This may allow an unauthenticated user with physical access to gain elevated privileges in the system.”

The vulnerable processors are used in many netbooks and in Internet of Things (IoT) devices based on Intel processors, from household appliances and smart home systems to cars and medical equipment.

“One example of a real threat is lost or stolen laptops containing confidential information in encrypted form. Using this vulnerability, an attacker can extract the encryption key and gain access to information inside the laptop,” said the company's specialist Mark Ermolov.

According to the expert, the vulnerability is due to the presence of over-privileged debugging functionality that is not properly protected. To avoid such problems and prevent the possibility of bypassing the built-in protection, manufacturers should take a more careful approach to ensure the security of debugging mechanisms.

In addition, the availability of information about end-users, for example about entities within the critical infrastructure of the Russian Federation, can be very dangerous.

According to Pavel Korostelev, head of the product promotion department of the Security Code company, the discovered problem in Russia is potentially dangerous only for super-important systems that are of interest to Western intelligence services. Ordinary users, according to him, should not worry.

Positive Technologies also notes that in order to eliminate the detected vulnerability, it is necessary to install UEFI BIOS updates published by the end manufacturers of laptops or other devices.

Magniber Ransomware Group Now Shifts to Exploiting Internet Explorer Flaws

The Magniber ransomware group is now infecting users and encrypting their devices via two Internet Explorer vulnerabilities and fraudulent advertising. The two Internet Explorer vulnerabilities are CVE-2021-26411 and CVE-2021-40444, both with a CVSS v3 severity score of 8.8.

The first, CVE-2021-26411, is a memory corruption bug that can be triggered by visiting a specially crafted website; it was patched in March 2021. The second, CVE-2021-40444, is a remote code execution flaw in Internet Explorer's rendering engine; it also carries an 8.8 rating.

Magniber was caught breaching Windows servers in August by exploiting the 'PrintNightmare' vulnerabilities, which took Microsoft a considerable time to fix because of their impact on printing. According to the Tencent security experts who discovered the "new" payloads, the most recent Magniber activity has focused on Internet Explorer vulnerabilities, using malvertising that distributes exploit kits.

One probable reason for this shift is that Microsoft has substantially resolved the 'PrintNightmare' vulnerabilities over the last four months, and the news has been widely broadcast, compelling administrators to apply the security updates. Another reason Magniber may have chosen Internet Explorer vulnerabilities is that they are remarkably easy to exploit, relying merely on the recipient's willingness to open a file or webpage to trigger them.

Targeting an old, unpopular browser like Internet Explorer may seem odd. However, according to StatCounter, IE still accounts for 1.15 per cent of worldwide page views. Although this is a small fraction, StatCounter monitors approximately 10 billion page views every month, equating to 115,000,000 page views by Internet Explorer users.

Furthermore, because Firefox and Chromium-based browsers, such as Google Chrome and Microsoft Edge, use an auto-update system that immediately protects users from known vulnerabilities, it is much more difficult to target them. 

About the Magniber group 

The Magniber group is notorious for exploiting security flaws in order to get access to computers and spread ransomware. They started their operations in 2017, and they are considered the successors of the Cerber ransomware.

Initially, they primarily targeted victims in South Korea. The gang then expanded its activities to other Asian nations such as China, Singapore, and Malaysia. Magniber's reach has grown to the point that it now affects exclusively Asian businesses and organizations. 

The Magniber ransomware has been under active development since its release, and its payload has been completely rebuilt three times. Because it has not yet been cracked, no decryptor is available to help users recover data encrypted by this strain.

Lastly, because Magniber does not follow the trend of file-stealing and double-extortion, their assaults are confined to file encryption.

Google Releases New Android Fixes, Warns Users of Dangerous Zero-Day Vulnerabilities

Google recently released its monthly security patches for Android, fixing 39 flaws, among them a zero-day vulnerability that it said is being exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day is a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation. Such bugs are dangerous because they let an attacker access or reference memory after it has been freed, which can lead to a write-what-where condition and ultimately to the execution of arbitrary code on the target device.

There are indications that CVE-2021-1048 may be under limited, targeted exploitation, the company said in its November bulletin, without disclosing technical details of the flaw, the nature of the exploit, or the identity of the attackers who may have used it. The patches also fix two other critical remote code execution (RCE) flaws, CVE-2021-0918 and CVE-2021-0930, in the device component, which could allow a remote attacker to execute malicious code within the context of a privileged process by sending a specially crafted transmission to the target device.

"Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required," reports The Hacker News. With this bulletin, Google has addressed a total of six zero-day vulnerabilities in Android devices since January 2021.

Google says security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung. To know in detail about Google's security patches released recently, readers can visit Google's source website. Stay updated with Cy Security to know more.

InHand Networks Routers Could Expose Many Organizations to Remote Attacks

Researchers uncovered several major vulnerabilities in InHand Networks industrial routers that could expose numerous enterprises to remote attacks, and no patches appear to be available. Researchers from industrial cybersecurity firm OTORIO identified the issues in IR615 LTE routers, made by industrial IoT solutions supplier InHand Networks, over a year ago. The company has offices in China, the United States and Germany, and its products are sold worldwide. According to the company, Siemens, GE Healthcare, Coca-Cola, Philips Healthcare and other large corporations are among InHand's customers.

OTORIO researchers detected 13 vulnerabilities in the IR615 router, according to a report issued last week by the US Cybersecurity and Infrastructure Security Agency (CISA). The list contains high-severity improper authorization and cross-site scripting (XSS) vulnerabilities, as well as critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues. 

Cisco also addressed dozens of vulnerabilities in its IOS software in 2020, including a dozen security vulnerabilities affecting its industrial routers and switches. Cisco released its semi-annual security advisory bundle for IOS and IOS XE software. The warnings included 25 vulnerabilities that were classified as critical or high severity. Hundreds of other advisories for high- and medium-severity problems affecting IOS and other software were also published by the firm. 

Coming back to InHand Networks, CISA warned that threat actors might use the flaws to gain complete control of the devices and intercept communications in order to acquire sensitive data. 

Thousands of internet-exposed InHand routers have been found to be vulnerable to attack, according to OTORIO; however, exploitation over the internet requires authentication to the router's web management portal. An attacker could log into the device using default credentials or obtain login credentials through brute-force attacks. Brute-force attacks are made easier by the router's weak password policy and by a vulnerability that can be used to enumerate all valid user accounts.

“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, a penetration tester at OTORIO.

“The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”

Data of 200,000 Shareholders Exposed due to a Vulnerability in the BrewDog App

BrewDog allegedly leaked the personal identifying information (PII) of around 200,000 shareholders for the better part of 18 months, according to experts. BrewDog "declined to inform their shareholders and asked not to be named" in the investigation that revealed the system vulnerabilities, according to PenTestPartners.

The Scottish brewery embedded a hard-coded Bearer authentication token for the API endpoints serving BrewDog's mobile applications, according to the cybersecurity company.

Such a token is normally issued only after a user has entered their credentials; because this one was hard-coded into the app, that verification step was effectively skipped, and presenting the token was enough to gain access to an endpoint.

Members of PenTestPartners, who also happened to be BrewDog shareholders, substituted one another's customer IDs into the API endpoint URLs. During testing, they discovered that, without any proper identity check, they could access the PII of Equity for Punks shareholders.

Identities, birth dates, email addresses, gender identities, contact information, prior delivery addresses, shareholder numbers, shares owned, referrals, and other information were all available in the leak. The customer IDs, however, were not regarded as "sequential."

"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes!" Since some of the exposed PII falls under GDPR, hard-coding authentication tokens, according to PenTestPartners, fails to meet the regulation's security requirements.

The bug has been there since March 2020, since BrewDog's app version 2.5.5 introduced hard-coded tokens. However, BrewDog's team was unaware of the vulnerability for a long time and failed to protect their token system in later releases.

The problem was eventually resolved in version 2.5.13, released on September 27, 2021. BrewDog, however, elected not to mention anything significant in the release's changelog.

"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure." 

BrewDog also stated: "BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO."

However, the corporation will also have to notify the UK's data protection officer due to the type of personal information exposed, as PII falls under GDPR, which is still in effect in the country.
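The two designs described in this post, side by side, as an added example (this is not BrewDog's code or PenTestPartners' test harness; the records, passwords, endpoint path and token values are all constructed for illustration): the vulnerable handler checks only an app-wide static token and then trusts the customer ID in the URL, while the hardened handler issues a session token after a credential check and refuses any record that does not belong to the session's owner.

```python
"""Model of the BrewDog-style flaw described above: a single hard-coded Bearer
token shipped in the app, plus a customer ID read straight from the URL, versus
a per-user session token with an object-level authorization check.
All records, credentials and token values are constructed for this example."""
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample shareholder records (not real data).
SHAREHOLDERS: Dict[int, dict] = {
    1001: {"name": "Alice Example", "shares": 120, "email": "alice@example.invalid"},
    1002: {"name": "Bob Example", "shares": 40, "email": "bob@example.invalid"},
    1003: {"name": "Carol Example", "shares": 900, "email": "carol@example.invalid"},
}

def _bearer(headers: Dict[str, str]) -> str:
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""

def _customer_id(path: str) -> int:
    """Parse the trailing /<id> of a path such as /api/customers/1001."""
    return int(path.rstrip("/").rsplit("/", 1)[-1])

# --- Vulnerable design -----------------------------------------------------
# One token baked into every copy of the app. Whoever extracts it from the
# binary holds the only credential the API ever checks. (Placeholder value.)
HARDCODED_APP_TOKEN = "static-app-token-PLACEHOLDER"

def vulnerable_get_shareholder(path: str, headers: Dict[str, str]) -> Optional[dict]:
    """GET /api/customers/<id>: verifies only the app-wide token, then trusts
    whatever customer ID is in the URL (an insecure direct object reference)."""
    if not hmac.compare_digest(_bearer(headers), HARDCODED_APP_TOKEN):
        return None
    return SHAREHOLDERS.get(_customer_id(path))

# --- Hardened design -------------------------------------------------------
# Tokens are minted only after a credential check and are bound to one user.
_SESSIONS: Dict[str, int] = {}  # session token -> customer_id
_PASSWORDS = {1001: "alice-pw", 1002: "bob-pw", 1003: "carol-pw"}  # constructed

def login(customer_id: int, password: str) -> Optional[str]:
    """Issue a random session token only if the credentials check out."""
    expected = _PASSWORDS.get(customer_id)
    if expected is None or not hmac.compare_digest(password, expected):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = customer_id
    return token

def hardened_get_shareholder(path: str, headers: Dict[str, str]) -> Optional[dict]:
    """Same endpoint, but the record returned must belong to the session's
    owner; a foreign ID in the URL is refused (object-level authorization)."""
    owner = _SESSIONS.get(_bearer(headers))
    if owner is None:
        return None
    requested = _customer_id(path)
    if requested != owner:
        return None
    return SHAREHOLDERS.get(requested)

def enumerate_records(handler: Callable[[str, Dict[str, str]], Optional[dict]],
                      headers: Dict[str, str], id_range=range(1000, 1010)) -> int:
    """Count how many records one caller can retrieve by walking customer IDs,
    which is the exposure the researchers measured."""
    return sum(1 for cid in id_range
               if handler(f"/api/customers/{cid}", headers) is not None)

if __name__ == "__main__":
    app_headers = {"Authorization": f"Bearer {HARDCODED_APP_TOKEN}"}
    print("vulnerable, app token:", enumerate_records(vulnerable_get_shareholder, app_headers))
    bob_headers = {"Authorization": f"Bearer {login(1002, 'bob-pw')}"}
    print("hardened, Bob's session:", enumerate_records(hardened_get_shareholder, bob_headers))
```

The point of the hardened version is not the random token by itself but the binding of that token to one principal and the ownership check on every object it is used for; a per-user token without the ownership comparison would still leave the enumeration open.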

Research Shows That 91.5% of Malware in Q2 2021 Arrived Over Encrypted Connections

According to recent WatchGuard data, 91.5 percent of malware arrived over encrypted connections during Q2 2021. This is a significant increase over the previous quarter and implies that any organization that does not inspect encrypted HTTPS traffic at the perimeter is missing nine out of ten malware samples.

The study also showed worrisome increases in file-less malware threats, a substantial increase in ransomware, and a massive increase in network cyber attacks. “With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation,” said Corey Nachreiner, CSO at WatchGuard. 

AMSI.Disable.A appeared in the top-malware list for the first time in Q1 and quickly rose to the forefront this quarter, ranking second overall by volume and first among attacks delivered over encrypted connections. This malware family uses PowerShell to exploit various Windows security flaws, but what makes it particularly interesting is its evasion technique.

AMSI.Disable.A carries code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to bypass script security scanning while executing its payload undetected. In the first six months of 2021, malware detections attributed to scripting engines such as PowerShell had already reached 80% of the previous year's total script-initiated attack volume, a significant increase year over year.

In the following quarter, the said number increased by another million, indicating an aggressive course that emphasizes the evolving importance of keeping perimeter security along with user-focused safeguards. Whereas overall ransomware detections on endpoints fell from 2018 to 2020, the trend reversed in the first half of 2021, with the six-month total finishing just short of the full-year total for 2020. 

The Colonial Pipeline attack on May 7, 2021, demonstrated unequivocally that ransomware will be here to stay. The breach, which was the top security incident of the quarter, demonstrates how cybercriminals are not only targeting the most essential services – such as hospitals, industrial control, and infrastructure – but also seem to be intensifying attacks against such elevated targets. 

One of the most notable examples is a 2020 vulnerability in the popular web scripting language PHP; the other three, however, are not recent: a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the medical records application OpenEMR, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. Although all of them are old, each still poses a danger if left unpatched.

Although this is an old attack vector that has hopefully been fixed on most systems, those who have yet to patch will be in for a huge shock if an attacker reaches them first. A relatively similar RCE flaw, CVE-2021-40444, hit the headlines earlier this month when it was actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.

Malware designed to target Microsoft Exchange servers and generic email clients to install remote access trojans (RATs) in highly sensitive locations has recently increased. It's most probably because Q2 was the second consecutive quarter in which remote employees and learners reverted to either hybrid offices and educational environments or normally functioning on-site behavior. 

In any event, and in any location, strong security awareness and monitoring of outbound communications on devices that do not sit directly behind the network perimeter are advised.

Unpatched Dahua Cameras are Prone to Authentication Bypass Vulnerabilities

Two authentication bypass vulnerabilities exist in unpatched Dahua cameras, and a proof-of-concept exploit released on 7 October makes the case for updating urgent. Both CVE-2021-33044 and CVE-2021-33045 are authentication bypass weaknesses that can be exploited remotely during the login process by sending specially crafted data packets to the target device.

This comes a month after Dahua issued a security advisory urging owners of vulnerable models to update their firmware, but given how often these devices are forgotten after initial setup and installation, it's possible that many of them are still running an old and vulnerable version. The list of impacted models is long and includes several Dahua cameras, including some thermal cameras. 

IPVM confirmed in 2019 that numerous Dahua cameras had a wiretapping vulnerability, based on tests and information from Dahua. Even if the camera's audio was turned off, an unauthenticated attacker could still listen in. 

An emergency investigation was conducted by the Dahua Security Team and the R&D Team, with the following preliminary findings: 

 • Unauthorized download vulnerability in video chat: this vulnerability no longer exists after code rework, because the relevant functional modules were refactored; some EOL products, however, would have posed a security threat.

 • Replay attack vulnerability: This was a newly discovered vulnerability that had affected several Dahua products. 

Dahua spokesperson Tim Shen said, "Dahua uses the secure login authentication method “Digest” by default, but in order to be compatible with early devices, we also retain support for the login authentication method with insufficient security. This vulnerability just exploits these insecure login authentication methods." 

The flaw was initially reported to Dahua in May 2019. Tenable Research Engineer Jacob Baines discovered a vulnerability in the firmware of an Amcrest (Dahua OEM) camera (CVE-2019-3948, with a published PoC) that allowed unauthenticated access to the audio stream.

The Chinese surveillance camera provider Dahua Technology has been barred from doing business and selling products in the United States since October 2019, when it was added to the US Department of Commerce's 'Entity List.' However, tens of thousands of Dahua cameras are still in use around the country, and some of them may not be readily apparent. Many cameras marketed in the United States under American or Canadian brands use Dahua hardware and even software, according to a new revelation from The Intercept.

Every tenth significant IT system in Russia is infected with malware

According to Rostelecom-Solar research, every tenth critical information infrastructure (CII) system in the Russian Federation is compromised by malware. Even hackers with low qualifications are able to attack most of these IT networks: a significant share of the detected vulnerabilities have existed for more than 10 years, yet organizations have not remediated them.

Vladimir Drukov, director of the Cyber Attack Monitoring and Response Center at Rostelecom-Solar, associates the presence of vulnerabilities in CII with the fact that the process of regular software updates has not yet been established in more than 90% of companies.

Kaspersky Lab experts agreed with the findings of the study. According to Anton Shipulin, Lead Business Development Manager at Kaspersky Industrial CyberSecurity, cybersecurity is still at a low level in most CII facilities.

"In terms of data protection, a large number of CII objects are currently in a 'depressing situation', and there are no serious hacker attacks on them 'by happy accident', but it is only a matter of time," added Fedor Dbar, Commercial Director of Security Code.

In addition, the number of hosts with the vulnerable SMB protocol has almost doubled. It is a network protocol for sharing files, printers, and other network resources that is used in almost every organization. Such vulnerabilities are particularly dangerous, as they allow hackers to remotely run arbitrary code without passing authentication, infecting all computers connected to the local network with malware.

The main problem in internal networks is poor password management. Weak and dictionary passwords that allow an attacker to break into an organization's internal network are extremely common. Password guessing is used by both amateur hackers and professional attackers.

Moreover, the pandemic has also significantly weakened IT perimeters. Over the past year, the number of automated process control systems (APCS) reachable from the Internet has grown by more than 60%. This increases the risks of industrial espionage and cyber-terrorism.

Northeastern University Team Finds New Ways to Detect Bugs in its Research

A research team at Northeastern University finds vulnerabilities and code defects by detecting when a programmer uses different code snippets to carry out the same task. Consistent, repeatable coding is regarded as one of the best practices in software development, and it has become more important as development teams grow. The Northeastern team now shows that finding inconsistent code, snippets that perform the same task but in different ways, can also help uncover bugs and potential vulnerabilities.

In a paper presented at the USENIX Security conference last year, the researchers used machine learning to detect bugs: the tool first identified code snippets that carried out the same function, then compared them to find inconsistencies. Known as "Functionally Similar yet Inconsistent Code Snippets" (FICS), the tool detected 22 new bugs after analysing the QEMU and OpenSSL open-source projects. "From basic bugs such as absent bounds checking to complex bugs such as use-after-free, as long as the codebase contains non-buggy code snippets that are functionally similar to a buggy code snippet, the buggy one can be detected as an inconsistent implementation of the functionality or logic," said the researchers.

Mansour Ahmadi, a research associate at Northeastern University, says the team does not intend to replace other static analysis methods with this research; rather, they want to give developers an additional tool in their arsenal for analysing code and finding bugs. Mr. Ahmadi currently works at Amazon as a security engineer. Earlier approaches based on static analysis require a known issue, or a rule describing the pattern, in order to find a bug.

For instance, such approaches are likely to miss a variant of a bug that has not been seen before. With correct implementations of functionally similar code snippets available for comparison, the FICS method can find the bug. According to Mr. Ahmadi, "While we were acknowledged by the developers for our findings, the developers did not proceed to assign CVEs to them as they believe the bugs are not exploitable."
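A toy version of the idea, as an added example that is not the Northeastern team's tool: snippets are grouped by the functions they call (a crude stand-in for "functionally similar"), identifiers and literals are abstracted away, and any snippet whose abstract shape disagrees with a strict majority of its group is flagged, with the tokens it lacks listed so a reviewer can see that the outlier dropped a bounds check. The C-like snippets are constructed; the grouping rule, the token classes and the majority threshold are simplifications chosen for this illustration.

```python
"""Toy illustration of the FICS idea described above: group code snippets that
call the same functions in the same order, abstract away names and literals,
and flag any snippet whose implementation disagrees with the majority of its
group. The snippets are constructed C-like fragments; this is a simplified
sketch of the approach, not the Northeastern tool itself."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|&&|\|\||[^\s\w]")
KEYWORDS = {"if", "else", "return", "while", "for", "goto", "sizeof", "break"}

def normalize(snippet: str) -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """Return (calls, abstract): the ordered callee names, which serve as the
    'functionally similar' grouping key, and the token stream with identifiers
    replaced by ID and numbers by NUM, used to compare implementations."""
    tokens = TOKEN_RE.findall(snippet)
    calls: List[str] = []
    abstract: List[str] = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if re.fullmatch(r"[A-Za-z_]\w*", tok):
            if tok in KEYWORDS:
                abstract.append(tok)
            elif nxt == "(":          # identifier followed by '(' is a call
                calls.append(tok)
                abstract.append(tok)
            else:
                abstract.append("ID")
        elif tok.isdigit():
            abstract.append("NUM")
        else:
            abstract.append(tok)
    return tuple(calls), tuple(abstract)

def find_inconsistencies(snippets: Dict[str, str], min_group: int = 3) -> List[dict]:
    """Flag snippets that differ from a strict majority of their group.
    Each finding lists the abstract tokens the outlier lacks, which for a
    missing bounds check is the 'if ( ID > ID ) return ...' guard."""
    groups: Dict[Tuple[str, ...], List[Tuple[str, Tuple[str, ...]]]] = defaultdict(list)
    for name, code in snippets.items():
        calls, abstract = normalize(code)
        groups[calls].append((name, abstract))
    findings = []
    for calls, members in groups.items():
        if len(members) < min_group:
            continue                      # too few peers to establish a norm
        majority, votes = Counter(a for _, a in members).most_common(1)[0]
        if votes * 2 <= len(members):
            continue                      # no clear consensus, nothing to flag
        for name, abstract in members:
            if abstract != majority:
                missing = list((Counter(majority) - Counter(abstract)).elements())
                findings.append({"snippet": name, "group": calls, "missing": missing})
    return findings

# Constructed sample: three length-checked copies and one that forgot the check.
SNIPPETS = {
    "copy_a": "len = read_len(pkt); if (len > MAX_LEN) return -1; memcpy(dst, pkt, len);",
    "copy_b": "size = read_len(msg); if (size > LIMIT) return -1; memcpy(out, msg, size);",
    "copy_c": "n = read_len(frame); if (n > FRAME_MAX) return -1; memcpy(buf, frame, n);",
    "copy_d": "n = read_len(frame); memcpy(buf, frame, n);",
    "close_x": "fd = open_file(path); if (fd < 0) return -1; close_file(fd);",
}

if __name__ == "__main__":
    for finding in find_inconsistencies(SNIPPETS):
        print(finding["snippet"], "lacks:", " ".join(finding["missing"]))
```

The majority rule is what keeps this from flooding a reviewer: a group with no consensus (two shapes, two members each) produces no finding, and a lone snippet has no peers to be compared against, which is also the method's blind spot, since a bug that every copy shares is invisible to it.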

Microsoft Finds Critical Code Execution Bugs in IoT, OT Devices

Microsoft's security research unit recently reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) devices. The flaws, collectively known as BadAlloc, stem from integer overflow or wraparound bugs in memory allocation functions.

The unit reported that an attacker could exploit these bugs to crash a device or execute malicious code on it remotely. Microsoft's researchers found the vulnerabilities in standard memory allocation functions used in multiple real-time operating systems (RTOS), embedded software development kits (SDKs) and C standard library (libc) implementations.

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations," the research team noted.

"Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device," the Microsoft security research team added.

The list of products affected by the BadAlloc vulnerabilities is long:

• Amazon FreeRTOS, Version 10.4.1
• ARM Mbed OS, Version 6.3.0
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
• ARM mbed-ualloc, Version 1.3.0
• Cesanta Software Mongoose OS, v2.17.0
• ARM CMSIS-RTOS2, versions prior to 2.1.3
• Apache Nuttx OS, Version 9.1.0
• MediaTek LinkIt SDK, versions prior to 4.6.1
• Google Cloud IoT Device SDK, Version 1.0.2
• Micrium OS, Versions 5.10.1 and prior
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior
• Linux Zephyr RTOS, versions prior to 2.4.0
• NXP MCUXpresso SDK, versions prior to 2.8.2
• NXP MQX, Versions 5.1 and prior
• RIOT OS, Version 2020.01.1
• Samsung Tizen RT RTOS, versions prior to 3.0.GBB
• Red Hat newlib, versions prior to 4.0.0
• Texas Instruments SimpleLink MSP432E4XX
• Texas Instruments CC32XX, versions prior to 4.40.00.07
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
• Wind River VxWorks, prior to 7.0
• Uclibc-NG, versions prior to 1.0.36
• TencentOS-tiny, Version 3.1.0

Reportedly, as soon as the flaws were found, the research unit reported them to CISA and the affected vendors.
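The allocation arithmetic behind BadAlloc, as an added example that is not Microsoft's or any listed vendor's code: an allocator that computes `count * elem_size` without validation wraps on a 32-bit `size_t` and hands back a block far smaller than the caller believes it has, which is the heap overflow the quotes above describe, while the validated version rejects the request before multiplying. Python integers do not wrap, so the example applies the 32-bit wrap explicitly; the target width, the toy heap and the sample request sizes are assumptions made for this illustration.

```python
"""Model of the BadAlloc pattern described above: an allocation size computed
as count * elem_size with no overflow check, in the 32-bit unsigned arithmetic
typical of the embedded targets in the list. Python integers do not wrap, so
the wrap is applied explicitly. Constructed example, not Microsoft's or any
vendor's code."""
from typing import Optional

SIZE_T_BITS = 32                      # assumption: 32-bit size_t target
SIZE_MAX = (1 << SIZE_T_BITS) - 1

def unchecked_alloc_size(count: int, elem_size: int) -> int:
    """The vulnerable computation: the product silently wraps modulo 2^32,
    so a very large request can turn into a tiny allocation."""
    return (count * elem_size) & SIZE_MAX

def checked_alloc_size(count: int, elem_size: int) -> Optional[int]:
    """The hardened computation: refuse the request before multiplying if the
    product cannot fit, i.e. if count > SIZE_MAX / elem_size."""
    if count == 0 or elem_size == 0:
        return 0
    if count > SIZE_MAX // elem_size:
        return None                  # would wrap; reject instead of allocating
    return count * elem_size

class ToyHeap:
    """Bump allocator that only records how many bytes it handed out, so the
    gap between what was allocated and what a caller will write is visible."""
    def __init__(self, capacity: int = 64 * 1024) -> None:
        self.capacity = capacity
        self.used = 0

    def alloc(self, nbytes: Optional[int]) -> Optional[int]:
        if nbytes is None or self.used + nbytes > self.capacity:
            return None
        base = self.used
        self.used += nbytes
        return base

def model_array_request(heap: ToyHeap, count: int, elem_size: int, checked: bool) -> dict:
    """Allocate room for `count` elements and report how far a loop writing
    all of them would run past the block the allocator actually returned."""
    size = checked_alloc_size(count, elem_size) if checked \
        else unchecked_alloc_size(count, elem_size)
    base = heap.alloc(size)
    if base is None:
        return {"allocated": None, "overrun": 0}     # request refused
    return {"allocated": size, "overrun": count * elem_size - size}

if __name__ == "__main__":
    # 0x40000001 four-byte elements: the true size is 0x100000004 bytes,
    # which wraps to 4 on a 32-bit target.
    print("unchecked:", model_array_request(ToyHeap(), 0x40000001, 4, checked=False))
    print("checked:  ", model_array_request(ToyHeap(), 0x40000001, 4, checked=True))
```

The check `count > SIZE_MAX // elem_size` is the division form of the test that a correct `calloc` performs; on a real target the same guard is usually written with a compiler builtin such as `__builtin_mul_overflow`, but the decision it encodes is identical: never let the multiplication run before the bound has been verified.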