More stories

  • CISA warns of equipment vulnerabilities from multiple vendors

    CISA has released a notice urging administrators to apply updates to a variety of industrial control systems after discovering vulnerabilities in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. In the advisory, CISA said the issues were found in equipment from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing.

    The equipment containing the vulnerabilities includes CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS. “Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure,” CISA explained. CISA provided links to each company’s patches or fixes for the issue, but noted that GurumNetworks did not respond to its messages; organizations using GurumNetworks’ tools should contact the vendor directly. Dr. Dennis Hackney, head of industrial cybersecurity services development at ABS Group, told ZDNet that many industrial control system owners don’t realize that their systems are full of open-source software such as OpenDDS. “The reasons for this are multifaceted but often stem from the proprietary and tailored nature of each control system. OEMs and engineers develop solutions that are as functional as possible without adding unnecessary costs. Be warned, by their very nature, ICS are open,” Hackney explained.

    “They use connectivity called OPC which stands for Object Linking and Embedding (OLE) for Process Control, otherwise known as open process control specifications. Open refers to non-authenticated communication between computers and equipment. There are increasingly new authenticated models but that does not cover the majority of what are in operation today. The concern being, when there is a vulnerability in components like OpenDDS, there are limited options to control access and ensure quality of service due to the nature of ICS designs.” OpenDDS vulnerabilities are a concern, he added, because these applications are based on a subscription model. They are also concerning because they can be exploited remotely and have a low attack complexity, he said. Echoing CISA’s notice, Hackney recommended that affected organizations install the latest updates, isolate systems from business IT networks, utilize firewalls, and secure remote access through VPNs. Other experts, like Netenrich principal threat hunter John Bambenek, said this advisory stood out because it impacts a wide variety of vendors and open-source solutions that address the data distribution layer of real-time systems; typically, a vulnerability only impacts specific products. The fact that all involved released updates in a coordinated fashion shows that CISA is taking its role of protecting critical infrastructure and coordinating response between many organizations seriously, Bambenek said. “While CISA has said there are no known public exploits for these vulnerabilities, this announcement will certainly drive those attackers interested in attacking these systems to develop them quickly. Affected organizations should patch quickly while there is still time,” Bambenek added.

  • Ransomware experts question massive Pysa/Mespinoza victim dump

    The Pysa ransomware group dumped dozens of victims onto its leak site this week, right after US law enforcement officials announced a range of actions taken against ransomware groups.

    More than 50 companies, universities, and organizations had their names added to the ransomware group’s leak site. The group, which also goes by the name Mespinoza, was called out by the FBI in March for specifically targeting “higher education, K-12 schools, and seminaries.” The FBI said at least 12 educational institutions across the US and UK had been hit with the ransomware. The French National Agency for the Security of Information Systems issued a similar alert one year earlier. Multiple ransomware experts questioned the timing of the leak, noting that Pysa has a penchant for waiting to add victims to its leak site. Recorded Future ransomware expert Allan Liska told ZDNet he did not think all of the victims published to the site were new. “We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published,” Liska said. “This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them the rest of the year. It is a lot of different organizations, from around the world, with no theme.” Emsisoft threat analyst Brett Callow told ZDNet that Pysa names and shames its victims weeks, or sometimes months, after the attacks take place, differentiating it from other ransomware groups.

    The reason they waited this long to leak victim information is still unclear, he said, adding that it was curious they dumped this many names all at once.

    A sample from the leak site. (Image: Brett Callow)

    The dump came as law enforcement in the US, Europe, and other regions took forceful measures against a number of ransomware groups. US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the members of the REvil ransomware group, as well as sanctions against organizations helping ransomware groups launder illicit funds. US agencies have been working with Europol, Eurojust, Interpol, and other law enforcement organizations on “Operation GoldDust” to disrupt multiple ransomware groups over the past six months. Seventeen countries have been involved in the effort, and dozens of people have been arrested across Europe in connection with ransomware groups. This all followed an operation to take down REvil’s infrastructure that led to the group closing shop for the second time. Both Callow and Liska said the timing of Pysa’s dump was curious considering the actions being taken by law enforcement. “You can’t help but wonder whether their doing so now is in response to the news in relation to REvil — either a middle finger to law enforcement or, perhaps, an expression of confidence in case any of their affiliates are starting to get cold feet,” Callow told ZDNet. Liska echoed that it felt like Pysa was “giving the finger” to law enforcement after a bad day for ransomware groups. The FBI said in its March notice that Pysa, which was first seen in 2019, is known for exfiltrating data from victims before encrypting their systems “to use as leverage in eliciting ransom payments.” It noted that in addition to attacks on educational institutions, Pysa has also gone after foreign government entities, private companies, and the healthcare sector. “In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom,” the FBI said in the notice.
    “The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. However, in the past, actors have used other methods of exfiltrating data that leaves less evidence of what was stolen.” Emsisoft released a profile of the ransomware group in July, noting that it operates with the ransomware-as-a-service business model and routinely dumps stolen data “even after the victim company has paid the ransom.” Emsisoft warned victims about cooperating with the group, explaining that its decryption tool “can safely decrypt data encrypted by Mespinoza, provided the victim has obtained the decryption keys.” “Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files,” Emsisoft researchers wrote in July. “We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations.”

  • Costco customers complain of fraudulent charges before company confirms card skimming attack

    Costco has sent out breach notification letters to an unknown number of victims after multiple people took to social media to complain about fraudulent charges connected to the company.


    First reported by Bleeping Computer, the letter says payment card information was compromised through a card skimming device at certain Costco locations. “We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating,” Costco said in the letter. “If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date and CVV. We recommend that you check your most recent bank and or credit card statement related to the card above for charges unauthorized by you.” The company said it discovered the card skimmer after an inspection of its PIN pads and said law enforcement has been contacted. The letter added that even if victims have not seen any suspicious charges, they should still call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services, which include 12 months of credit monitoring, a $1 million insurance reimbursement policy, and ID theft recovery services.

    The letters come after people wrote on Twitter and Reddit that they had discovered fraudulent charges on their Costco cards and accounts. Some said they began noticing the charges after using their card at Costco gas stations. “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!” Card skimmers are a persistent problem on both physical terminals and online e-commerce portals. The problem is so common that Cloudflare created a web security tool in March to prevent Magecart-style attacks. CRITICALSTART CTO Randy Watkins said this type of physical data theft is typically very isolated: card skimming devices are used on everything from gas pumps to ATMs, but each one only poses a threat to patrons of the breached device. “The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code is universal, other cards can contain additional information like billing address or rewards account numbers. Consumers should make a habit of checking card slots for any foreign devices (internal or external) before swiping their card,” Watkins told ZDNet. Armen Najarian, chief identity officer at Outseer, said the Costco breach underscores the urgency for better payment security anywhere a transaction happens.
    “As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes,” Najarian said. “All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.” Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

  • Google warns hackers used macOS zero-day flaw, could capture keystrokes, screengrabs


    Google’s Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people. Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used. “A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild,” Apple said, crediting Google TAG researchers with reporting the flaw. Now Google has provided more information, noting that this was a so-called “watering hole” attack, where attackers select websites to compromise because of the profile of their typical visitors. The attacks targeted Mac and iPhone users. “The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server — one for iOS and the other for macOS,” said Erye Hernandez of Google TAG. The watering hole served an XNU privilege escalation vulnerability, at that point unpatched in macOS Catalina, which led to the installation of a backdoor.

    “We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” he added. The attackers chained the previously disclosed flaw in XNU, tracked as CVE-2020-27932, with a related exploit to create an elevation of privilege bug that gave them root access on a targeted Mac. Once root access was gained, the attackers downloaded a payload that ran silently in the background on infected Macs. The design of the malware suggests a well-resourced attacker, according to Google TAG. “The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules,” notes Hernandez. The backdoor included the usual-suspect traits of malware built for spying on a target: device fingerprinting, screen captures, the ability to upload and download files, and the ability to execute terminal commands. The malware could also record audio and log keystrokes. Google didn’t disclose the websites targeted, but noted that they included a “media outlet and a prominent pro-democracy labor and political group” related to Hong Kong news.

  • This sneaky trick lets attackers smuggle malware onto your network

    Microsoft has flagged a relatively new style of attack, dubbed “HTML smuggling”, which is being used in email campaigns that deploy banking malware and remote access Trojans (RATs), and as part of targeted hacking attacks. HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. It’s a “highly evasive” malware delivery technique that uses legitimate HTML5 and JavaScript features, warns the Microsoft 365 Defender Threat Intelligence Team.


    It’s a nasty trick that bypasses standard network perimeter security, such as web proxies and email gateways, because the malware is built inside the network after an employee opens a web page or attachment containing the malicious HTML script. So a company’s network can be hit even if gateway devices check for suspicious EXE, ZIP, or Office documents. “When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” Microsoft warns. It’s a practical attack technique because most businesses rely on HTML and JavaScript to run their business apps. The problem is that there has been a recent surge in HTML smuggling attacks, because the cybercriminal groups behind banking malware like Trickbot, RATs and other malware are learning from state-sponsored attackers. The style of attack is notable because it was first used by Kremlin-backed hackers tracked by Microsoft as Nobelium; since then, it has been adopted by cybercriminals.

    HTML smuggling is an effective technique because the web is vital to business operations. Organizations can, for example, disable JavaScript in the browser, but that is widely known to be impractical because the language is ubiquitous on the web. Microsoft has tried to tighten up Edge security with its Super Duper Secure Mode, which turns off the JavaScript JIT compiler, and Google regularly fixes potent bugs in Chrome’s V8 JavaScript engine. “Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages,” Microsoft explains. “In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection.” Microsoft has found that between July and August there was an uptick in HTML smuggling in campaigns that deliver RATs such as AsyncRAT/NJRAT. “In September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft attributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as DEV-0193,” says Microsoft.
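    The traits Microsoft describes above (data decoded in the browser, wrapped in a JavaScript Blob and written to disk as a file) are exactly what an email gateway can score an HTML attachment on before it reaches a user. The scanner below is an added example, not code from Microsoft or ZDNet; its indicator names, weights and threshold are my own assumptions, and the two attachments it triages are constructed samples.

```python
"""Heuristic triage of HTML attachments for HTML-smuggling traits.

Added example (not Microsoft's or ZDNet's code). It scores an HTML document on
the traits the article describes: the page decodes data in the browser, wraps
it in a JavaScript Blob, and pushes it to disk as a file. Indicator names,
weights and the threshold below are assumptions chosen for this demo.
"""
import re
from dataclasses import dataclass, field

# indicator name -> (pattern, weight); higher weight = more specific to smuggling
INDICATORS = {
    "base64_decode":   (re.compile(r"\batob\s*\(", re.I), 2),
    "blob_construct":  (re.compile(r"new\s+Blob\s*\(", re.I), 2),
    "object_url":      (re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    "download_attr":   (re.compile(r"\.download\s*=|\bdownload\s*=", re.I), 3),
    "ie_save_blob":    (re.compile(r"msSaveOrOpenBlob", re.I), 3),
    "synthetic_click": (re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    "long_base64":     (re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 2),
    "string_builder":  (re.compile(r"String\.fromCharCode|\.join\s*\(", re.I), 1),
}
THRESHOLD = 6  # assumption: a lone download link or a join() must not trip it


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_html(html: str) -> Verdict:
    """Return the weighted indicator score for one HTML document."""
    verdict = Verdict()
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            verdict.score += weight
            verdict.hits.append(name)
    return verdict


def triage(attachments: dict) -> dict:
    """Map attachment name -> Verdict; a caller would quarantine the suspicious ones."""
    return {name: scan_html(body) for name, body in attachments.items()}


# Constructed sample 1: the decode-in-browser, save-to-disk pattern with a
# harmless payload (the base64 string decodes to the text "constructed sample").
SMUGGLING_HTML = """<html><body><script>
  var data = atob("Y29uc3RydWN0ZWQgc2FtcGxl");
  var blob = new Blob([data], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "sample.txt";
  a.click();
</script></body></html>"""

# Constructed sample 2: an ordinary page with a plain download link and a
# script that joins strings; it shares two low-weight traits and nothing else.
BENIGN_HTML = """<html><body>
<a href="/reports/q3.pdf" download="q3.pdf">Quarterly report</a>
<script>
  var names = ["alice", "bob"].join(", ");
  document.body.appendChild(document.createTextNode(names));
</script></body></html>"""


if __name__ == "__main__":
    results = triage({"invoice.html": SMUGGLING_HTML,
                      "newsletter.html": BENIGN_HTML})
    for name, verdict in results.items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{name}: score={verdict.score} {flag} hits={verdict.hits}")
```

    The weights are deliberately split so that no single trait is enough: a legitimate download link scores 3, while the combination of browser-side decoding, Blob construction and a synthetic click pushes the sample over the threshold.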

  • Basslink goes into voluntary administration

    Basslink announced on Friday that it has entered into voluntary administration and appointed EY to oversee it. The company said the move was a result of ongoing disputes with Hydro Tasmania and an unsuccessful sale. CEO Malcolm Eccles said administration was the “best way to effect change while protecting all stakeholders”. “Regrettably, against the backdrop of many issues and having exhausted options, Basslink needed to take proactive action to put Basslink in the best possible position to navigate forward through these challenges,” he said. “We know this is a challenging time for our small team and their wellbeing will continue to be at the front of our minds throughout the voluntary administration process.” Last month, the Tasmanian government kicked off legal action to have Basslink pay the AU$70 million it was owed for outages of the Bass Strait cable in 2015 and 2016. In December 2020, the arbitrator between the government and Basslink said the December 2015 outage was not a force majeure event, and hit Basslink with AU$38.5 million in damages.

    In March 2018, the Tasmanian government sought AU$122 million in compensation after the Basslink cable to the mainland, which carries electricity and data, was down for six months. The outage began in December 2015, with Basslink finally completing its cable jointing repairs in June 2016 following months-long delays due to excess water damage and inclement weather. The outage lasted so long that the Tasmanian government got involved, with then-Minister for Information Technology and Innovation Michael Ferguson also reprimanding TPG for not buying additional capacity on Telstra’s alternate cables during the outage. Basslink and the government then engaged in a war of duelling reports, with the government-owned Hydro Tasmania saying the outage was caused by the operating limits of the cable being exceeded, while a report put forward by Basslink dismissed that claim and maintained the outage was the result of a force majeure event. “The Basslink Interconnector continues to operate efficiently and reliably, connecting Tasmania to the national electricity market. We continue to serve the communities of Tasmania and Victoria, providing a reliable and sustainable source of energy,” Eccles added on Friday. KPMG has been appointed as receivers and managers by Basslink’s lenders.

  • US President Biden signs law to ban Huawei and ZTE from receiving FCC licences

    US President Joe Biden on Thursday signed into law bipartisan legislation that will ban companies like Huawei and ZTE from getting approval for network equipment licences in the US. The legislation, the Secure Equipment Act of 2021, will require the Federal Communications Commission (FCC) to adopt new rules clarifying that it will no longer review or approve any authorisation applications for networking equipment that poses a national security threat. Last year, the FCC formally designated Huawei and ZTE as national security threats, having found that both companies had close ties to the Chinese Communist Party and China’s military apparatus. Since March, FCC commissioner Brendan Carr has made repeated calls for the legislation to be passed, saying at the time that the FCC had authorised 3,000 applications for Huawei networking equipment. “Once we have determined that Huawei or other gear poses an unacceptable national security risk, it makes no sense to allow that exact same equipment to be purchased and inserted into our communications networks as long as federal dollars are not involved. The presence of these insecure devices in our networks is the threat, not the source of funding used to purchase them,” Carr said at the time. Besides Huawei and ZTE, other Chinese companies flagged as national security threats are Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. At the end of last month, the FCC also removed the authority for China Telecom to operate in the US, with the telco required to pack its bags and stop providing domestic and international services by Christmas.

    Citing a recommendation from the Trump-era Justice Department, the Commission said China Telecom Americas “failed to rebut” a series of concerns raised. “China Telecom Americas, a US subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said. With the US clampdown especially focused on Huawei, and other countries following suit, the Chinese tech giant reported a steep decline in its first-half revenue, with its business to the end of June reporting 320 billion yuan in sales, compared to 454 billion yuan at this time last year. In providing the financial results, Huawei rotating chair Eric Xu said the aim of the company moving forward would be to survive sustainably.

  • Missouri apologizes to 600k teachers who had SSNs and private info exposed

    Missouri’s Department of Elementary and Secondary Education (DESE) has apologized to the 620,000 past and present educators who had their sensitive information — including their social security numbers — exposed on the DESE certification database.


    Missouri’s Office of Administration Information Technology Services Division (OA-ITSD) and the DESE will send out letters to those affected notifying them that their personally identifiable information “may have been compromised during a recent data vulnerability incident.” The situation made national headlines last month because the governor of the state used the incident to attack The St. Louis Post-Dispatch. Josh Renaud, a reporter from the newspaper, discovered a vulnerability in the certification database that exposed teacher data, notified the DESE, and gave them time to fix it before publishing his story. But Missouri Governor Mike Parson claimed Renaud had “hacked” the database himself and threatened legal charges against the reporter. Since being ridiculed by cybersecurity professionals — and even members of his own party — Parson has used the incident to fundraise for himself, bringing in about $85,000 thanks to an ominous video doubling down on the hacking accusations, according to the Post-Dispatch. DESE officials, alongside members of OA-ITSD, apologized this week to the teachers who had their data exposed and offered 12 months of credit and identity theft monitoring resources through IDX. “Educators have enough on their plates right now, and I want to apologize to them for this incident and the additional inconvenience it may cause them,” said Commissioner of Education Margie Vandeven. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”

    The state claims it is “unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident.” But officials said that “out of an abundance of caution,” they wanted to provide teachers with some protection. Those who may have been affected by the issue can contact the IDX Call Center at 833-325-1777. DESE explained that Renaud said he was able to view the social security numbers of certain teachers “through a multi-step process” that involved accessing the certification records of at least three educators, then taking the encoded source data from that webpage and “decoding that data.” “Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once. Upon verification of the threat, DESE immediately notified OA-ITSD who immediately disabled the educator certification search tool,” the state said. “The services offered through IDX will cost the state approximately $800,000. The state was able to take advantage of an existing multi-state contract with this vendor, which significantly lowered the cost for the credit and identity theft monitoring services.” Parson originally claimed during a press conference that the incident would cost the state $50 million, as opposed to the $800,000 now being spent. Despite the ridicule Parson received from cybersecurity experts, the Missouri Highway Patrol-led investigation into the incident is still ongoing.