More stories


    The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities

    The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on severe vulnerabilities impacting Rockwell Automation controllers. Rockwell Automation provides industrial digital and automation solutions, including digital twin solutions, engineering products, and factory floor optimization hardware.

    On March 31, CISA pointed customers to two recent advisories, “ICSA-22-090-05: Rockwell Automation Logix Controllers” and “ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer,” which detail severe vulnerabilities in controller products.

    The first advisory describes CVE-2022-1161, a vulnerability assigned a CVSS severity score of 10.0, the highest possible. The bug impacts a range of CompactLogix, Compact GuardLogix, ControlLogix, FlexLogix, DriveLogix, and SoftLogix controllers. According to the advisory, the vulnerability can be triggered remotely with low attack complexity. “Successful exploitation of this vulnerability may allow an attacker to modify user programs,” the US agency says. “A user could then unknowingly download those modified elements containing malicious code.”

    The second bug, tracked as CVE-2022-1159 and issued a CVSS ‘high’ severity score of 7.7, impacts Studio 5000 Logix Designer when used with ControlLogix, GuardLogix, and Compact GuardLogix controllers. This vulnerability requires an attacker to first secure administrator access on a workstation running Studio 5000 Logix Designer, but if they achieve this, they can inject controller code that is “undetectable to a user.”

    The vulnerabilities were reported by Claroty researchers Sharon Brizinov and Tal Keren. Claroty has compared the exploitation of these security issues to Stuxnet, as stealthy code could be running on a controller without an engineer being aware of any tampering. “Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks,” the team commented. “Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered.”

    Rockwell has published its own advisories on the two vulnerabilities with steps toward mitigation.

    Earlier this week, CISA added a further 66 vulnerabilities to the Known Exploited Vulnerabilities Catalog that federal agencies are instructed to remediate. The bugs currently under active exploitation in the wild include issues in networking kits, security appliances, and browsers. In February, CISA published an online guide containing free guidance and tools on incident response, which also includes tips for organizations looking to reduce their risk exposure.


    Australia's SkyGuardian drones shot down by spicy cybers

    The Australian government has cancelled the SkyGuardian armed drone program for the Royal Australian Air Force. The funding is being redirected to the newly announced REDSPICE cybersecurity and intelligence program.

    REDSPICE, the Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers program, is a flagship component of the federal Budget announced on Tuesday. The program aims to double the staffing levels of the Australian Signals Directorate (ASD) over the next four years, creating some 1,900 new jobs. The total program budget is AU$9.9 billion over the next decade, boosting both offensive and defensive cyber capabilities. “This is the biggest ever investment in Australia’s cyber preparedness,” said Treasurer Josh Frydenberg.

    However, in Senate Estimates on Friday, defence officials confirmed that little of this is new money. Of the AU$9.9 billion total, only AU$4.2 billion is budgeted to be spent over the four-year forward estimates period through to 2025–2026. And of that amount, only around AU$588.5 million is new funding.

    A big chunk of the existing funding will come from the now-cancelled project AIR 7003, a planned AU$1.3 billion program to develop an armed remotely piloted aircraft system. In November 2019, the government had confirmed that defence’s preferred platform was the General Atomics MQ-9B SkyGuardian, a variant of the Predator B drone known in the UK as the Protector. AIR 7003 had been scheduled for government consideration in the current 2021–22 financial year.

    According to Asia Pacific Defence Reporter, General Atomics had proposed developing a multi-national service hub in Adelaide. “The company has probably spent around $30 million on the project over a decade and is unlikely to recover a single cent,” wrote editor Kym Bergmann. “The scant information available indicates that Defence Minister Peter Dutton has asked the Department to identify projects that need to be cancelled to free up funds to hire more personnel, particularly in support of the cyber security announcement.” According to defence officials, around AU$10 million had been spent on AIR 7003 before its cancellation.

    The remainder of REDSPICE funding comes from other cancelled projects. This includes about AU$3 billion of “both unapproved and approved” funding which had been allocated to the now-cancelled Attack-class submarines, the SEA 1000 Future Submarine Program, and around AU$236 million for “an ICT remediation project around modernisation and mobility”. Funds also come from previously planned ASD projects which have now become part of REDSPICE.

    Witnesses before Estimates on Friday morning were unable to shed any light on where the name REDSPICE came from.


    Apple updates macOS, iOS, and iPadOS to fix possibly exploited zero-day flaws

    Apple has released updates for several of its operating systems, fixing vulnerabilities that the company says may be under active exploitation. Affecting macOS, iOS, and iPadOS is CVE-2022-22675, a bug in the audio and video decoder which allows an application to run arbitrary code with kernel privileges. The fix is contained in iOS 15.4.1 and iPadOS 15.4.1, which are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the 7th generation iPod touch. The iOS release also fixed a battery drain issue.

    The second fix, released only for macOS Monterey, was for CVE-2022-22674, which allows an application to read kernel memory. “An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation,” Apple said in a typically terse advisory. “Apple is aware of a report that this issue may have been actively exploited.”

    Earlier this year, Apple also released iOS 15.3.1 due to the threat of an actively exploited remote flaw. In that instance, simply visiting a web page could lead to arbitrary code execution.


    'Marvel superpower': Home Affairs wants industry to rely on its cyber powers more often

    Home Affairs Secretary Mike Pezzullo has called on the private sector to work more closely with the federal government when it comes to cybersecurity, as there is certain information that only government agencies are capable of uncovering. “We’ve got a superpower over here — like a Marvel superpower — that you could really use. We want to gift this to you,” said Pezzullo, who appeared before Senate estimates on Thursday night. “Sometimes we can see things they can’t see. They might see the attack coming in across their wire. We might be able to see the attacker.”

    When explaining how government cybersecurity capabilities, such as those of the Australian Signals Directorate (ASD), differ from those of the private sector, Pezzullo said the federal government ideally wants the private sector to receive this assistance on a partnership basis rather than as a “last resort”. “It’s really about building those relationships, which are not in any way going to denigrate the professional expertise of the private sector teams. It just accepts the reality that we have access to more sensitive information,” Pezzullo said. “Once you get through some of the initial distance and you build the partnership, we want to move from a point where direct regulatory consequences are not only a last resort but almost, to an extent, a failure of the relationship.”

    During his appearance before Senate estimates, Pezzullo also shared department advice on how organisations should approach building cybersecurity on older mainframe systems, as well as what smaller businesses could do to improve their cybersecurity posture. “The ASD advice is very particular. It says to patch at least on — from memory — a 28-day cycle. If you can’t, mitigate it by putting sensors and cyber mousetraps around that older infrastructure,” Pezzullo told Senate estimates. In all instances, the Home Affairs secretary noted that the idea is to always “conform at the highest level” where possible, even if a system does not have virtualised software controls and is unable to patch quickly. Pezzullo added that this is the protocol Home Affairs follows for its own older mainframe systems.

    For small to medium-sized businesses, Pezzullo said improving cybersecurity starts with the basics of investing in digital tools that integrate cybersecurity. The government has various initiatives for encouraging cybersecurity uplifts, such as allowing small businesses to deduct an additional 20% of the cost of digital business expenses like setting up cybersecurity systems, but according to departmental analysis only around 25% of small businesses are likely to take advantage of these initiatives. “As you deploy in a way that suits your company … don’t bolt on cyber as an afterthought. It’s got to be integrated,” the Home Affairs secretary said.

    Cyber is expected to be a growing focus for the Australian government, with the Coalition allocating AU$9.9 billion for bolstering cybersecurity and intelligence capabilities in its Budget earlier this week. Support for bolstering the nation’s cybersecurity also appears to be bipartisan, as Labor Party leader Anthony Albanese pledged last week to set a goal of 1.2 million tech-related jobs by 2030 if he wins the upcoming federal election. “Whether there is a change in government, I don’t see the cybersecurity strategies changing in the future. Both parties are committed to protecting Australia against future security risks, whether they’re physical, cyber, or space-based,” RMIT cybersecurity professor Warren said.


    Linux secure networking security bug found and fixed

    Nothing is quite as vexing as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, went looking for bugs in Linux and found a whopper. This vulnerability, CVE-2022-27666, in IPSec’s esp6 (Encapsulating Security Payload) crypto module can be abused for local privilege escalation.

    The problem is your basic heap overflow hole. Xiaochen explained that “the basic logic of this vulnerability is that the receiving buffer of a user message in esp6 module is an 8-page buffer, but the sender can send a message larger than 8 pages, which clearly creates a buffer overflow.” Yes, yes it does. As buffer overflows always are, this is bad news. As Red Hat puts it in its security advisory on the bug, “This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.” This is bad enough that both Red Hat and the National Institute of Standards and Technology (NIST) give the hole a high Common Vulnerability Scoring System (CVSS) score of 7.8. Or, as I like to call vulnerabilities with such high scores, it’s a “Fix it now!” bug.

    Red Hat also noted that if a Linux system is already using IPsec and has IPsec Security Associations (SAs) configured, then no additional privileges are needed to exploit the hole. Since IPsec is widely deployed and SAs are fundamental to how it works, this means that anyone running the vulnerable code in their Linux distro is open to attack. Xiaochen found that the latest Ubuntu, Fedora, and Debian Linux distros can be hacked with it. Red Hat reports that Red Hat Enterprise Linux (RHEL) 8 is vulnerable. Specifically, if your kernel contains the 2017 esp6 crypto module changes from commits cac2661c53f3 and 03e2a30f6a27, it’s attackable.

    Usually, such an overflow would just knock a Linux system offline, but Xiaochen dug deeper and found more. On his hunt, he found a way to get around Kernel Address Space Layout Randomization (KASLR). KASLR, as the name says, makes it harder to exploit memory vulnerabilities by placing the kernel’s code and data at random, rather than fixed, memory addresses. Then, with the process hung, an attacker can use Filesystem in Userspace (FUSE) to create his own filesystem and map memory on it, so that every read and write going through that memory is handled by his own filesystem. Once that’s done, it’s relatively trivial to get root on the system. And, as we all know, once the attacker has root, it’s game over: the attacker is now in charge of the computer.

    The good news is the fix is now available in the mainline Linux kernel and on Ubuntu, Debian, and most other distros. Now get patching!
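The overflow pattern Xiaochen describes, reduced to its essentials as an added illustration. This is not the kernel’s esp6 code: the slot layout, the marker standing in for the neighbouring heap object, the 8-page-plus-64-byte message and the function names are all constructed for the demo. A receive path that trusts the sender’s length and copies into a fixed 8-page buffer clobbers whatever sits after that buffer on the heap; the same path with the bound check rejects the oversized message and leaves the neighbour intact.

```c
/* Added illustration of the CVE-2022-27666 bug class, not kernel code.
 * One allocation holds the 8-page receive buffer followed by a region that
 * stands in for the adjacent heap object, so the overrun stays observable
 * (and defined) instead of crashing the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE      4096
#define RECV_PAGES     8
#define RECV_BUF_SIZE  (RECV_PAGES * PAGE_SIZE)   /* the 8-page receive buffer */
#define SPILL_SIZE     PAGE_SIZE                  /* stand-in for the next heap object */
#define SLOT_SIZE      (RECV_BUF_SIZE + SPILL_SIZE)

/* Constructed marker written into the "neighbouring object" so corruption shows. */
static const uint8_t NEIGHBOUR_MARKER[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Vulnerable path: the sender-supplied length is trusted and copied as-is. */
static int vuln_receive(uint8_t *slot, const uint8_t *msg, size_t len)
{
    memcpy(slot, msg, len);          /* len > RECV_BUF_SIZE runs into the neighbour */
    return 0;
}

/* Hardened path: anything that does not fit the 8-page buffer is rejected. */
static int safe_receive(uint8_t *slot, const uint8_t *msg, size_t len)
{
    if (len > RECV_BUF_SIZE)
        return -1;                   /* in-kernel this would be -EMSGSIZE (assumption) */
    memcpy(slot, msg, len);
    return 0;
}

/* Returns 1 if the bytes just past the receive buffer no longer hold the marker. */
static int neighbour_corrupted(const uint8_t *slot)
{
    return memcmp(slot + RECV_BUF_SIZE, NEIGHBOUR_MARKER, sizeof(NEIGHBOUR_MARKER)) != 0;
}

/* Feeds one oversized message (8 pages + 64 bytes) through the chosen path.
 * Returns 1 if the neighbouring object was clobbered, 0 if it survived,
 * -1 if the demo could not allocate its buffers. */
int demo_oversized_receive(int use_fix)
{
    size_t msg_len = RECV_BUF_SIZE + 64;     /* larger than the 8-page buffer */
    uint8_t *slot = calloc(1, SLOT_SIZE);
    uint8_t *msg = malloc(msg_len);
    int corrupted;

    if (!slot || !msg) {
        free(slot);
        free(msg);
        return -1;
    }

    memcpy(slot + RECV_BUF_SIZE, NEIGHBOUR_MARKER, sizeof(NEIGHBOUR_MARKER));
    memset(msg, 0x41, msg_len);              /* attacker-controlled payload bytes */

    if (use_fix)
        safe_receive(slot, msg, msg_len);
    else
        vuln_receive(slot, msg, msg_len);

    corrupted = neighbour_corrupted(slot);
    free(slot);
    free(msg);
    return corrupted;
}

int main(void)
{
    printf("unchecked copy clobbered the neighbour: %d\n", demo_oversized_receive(0));
    printf("bounded copy clobbered the neighbour:   %d\n", demo_oversized_receive(1));
    return 0;
}
```

The real bug sits in kernel heap memory, where the “neighbour” is some other slab object whose contents the attacker now controls; the demo keeps both regions in one user-space allocation only so the corruption can be checked rather than crash. The check itself is the whole fix: compare the caller-supplied length against the size of the buffer it is about to fill, before copying.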


    Meet BlackGuard: a new infostealer peddled on Russian hacker forums

    Researchers have uncovered a new infostealer malware being peddled on Russian underground forums. Dubbed BlackGuard, the new strain is described by Zscaler as “sophisticated” and has been made available to criminal buyers for a monthly price of $200.

    Infostealers are forms of malware designed to harvest valuable data, potentially including operating system information, contact lists, screenshots, network traffic, and online account credentials, including those used to access financial services and banking.

    A range of malicious software and exploit kits are sold underground every day, some of which are purchased outright. Others are offered on a malware-as-a-service (MaaS) basis: subscribers pay weekly, monthly, or yearly, and the developer keeps their malicious creations updated in return. Perhaps to build a customer base for the malware, or to generate cash quickly, BlackGuard is also being sold for $700 as a lifetime subscription.

    According to the researchers, BlackGuard can steal information including saved browser credentials and history, email client data, FTP accounts, autofill content, conversations in messenger software, cryptocurrency credentials, and other account information. Messengers targeted include Telegram, Signal, Tox, Element, and Discord.

    When it comes to cryptocurrency theft, the malware targets files such as wallet.dat that may contain wallet addresses and private keys. BlackGuard may also go after Chrome and Edge cryptocurrency wallet browser extensions.

    Written in .NET, the infostealer is still in active development but is already equipped with a crypto-based packer, base64 decoding, obfuscation, and anti-debugging capabilities to make reverse-engineering more difficult. Once it lands on a machine, the malware also checks the operating system’s running processes and tries to stop anything related to antivirus software or sandboxing.

    The infostealer is also selective about its targets: it exits if the operating system appears to be located in a CIS country, such as Russia, Belarus, or Azerbaijan. Otherwise, it grabs all of the information it can, packages it into a .zip archive, and sends it to a command-and-control (C2) server through an HTTP POST request.

    “While applications of BlackGuard are not as broad as other stealers, BlackGuard is a growing threat as it continues to be improved and is developing a strong reputation in the underground community,” the researchers say.

    Infostealers can be used on their own or packaged with other forms of malware, such as Trojans or ransomware variants. In other malware news, researchers from Aqua Security have recently uncovered a new strain of ransomware designed to target Jupyter Notebook environments.


    FBI efforts to disrupt business email compromise scams leads to 65 arrests

    A major business email compromise (BEC) scheme which has cost victims millions of dollars has been disrupted in an international operation coordinated by the FBI. Over a period of three months starting in September 2021, ‘Operation Eagle Sweep’ resulted in the arrest of 65 suspects. Arrests were made in the United States, as well as 12 in Nigeria, eight in South Africa, two in Canada, and one in Cambodia. The operation targeted scammers believed to be behind business email compromise attacks on over 500 victims in the United States, which caused losses of at least $51 million.

    BEC attacks see cyber criminals use social engineering to trick an employee at a business into transferring a large sum of money to an account controlled by the scammers. Common techniques used in BEC attacks include sending emails designed to look like urgent requests for payment from your boss or a colleague. Cyber criminals have also been known to use phishing emails to hack into email accounts and monitor communications around real business deals and contracts, waiting until a deal is about to be completed before sending an email from the compromised account which asks for the real payment, but directs it into a bank account owned by the attackers.

    While many of these campaigns target businesses to make off with hundreds of thousands or millions of dollars at once, the FBI says that the same criminal groups which carry out BEC attacks also target individuals, including homebuyers and the elderly. Romance scams also follow a similar model. According to the Internet Crime Complaint Center (IC3), victims of BEC attacks reported total losses of nearly $2.4 billion in 2021.

    “The FBI works tirelessly with our domestic and international partners to disrupt and dismantle criminal enterprises, to stop the victimization of U.S. citizens and businesses, and to impose real consequences on cybercriminals using our unique authorities and enduring partnerships,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Our message to criminals involved in these BEC schemes will remain clear: We will pursue you no matter where you may be located. The public we serve deserves nothing less,” he added.

    Law enforcement agencies around the world helped conduct investigations and arrests. Those working alongside the FBI and U.S. Postal Inspection Service include the Nigerian Economic and Financial Crimes Commission, the South African Police Service, the Toronto Police Service, the Cambodian National Police, and law enforcement agencies in Australia and Japan. Microsoft Corporation’s Digital Crimes Unit also provided assistance.


    Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts

    Hostile hacking groups are exploiting Russia’s invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more from victims around the world. According to cybersecurity researchers at Google’s Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber-criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyberattacks. 

    In just the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that’s stealing information, stealing money, or something else.

    Among these is a Russia-based hacking group that Google refers to as Coldriver, also known as Calisto. Its targets have included several US-based NGOs and think tanks, the militaries of multiple Eastern European countries, the military of a Balkans country, a Ukraine-based defense contractor, and a NATO Centre of Excellence. The campaigns use newly created Gmail accounts to send phishing emails. The links are designed to steal usernames and passwords from victims, something the attackers could use to commit espionage or potentially plant malware.

    Another hacking threat that Google says is attempting to exploit the Russian invasion of Ukraine is Ghostwriter, a cyber-threat group working out of Belarus. Ghostwriter’s phishing attacks use a browser-in-the-browser technique, rendering a fake browser window inside the real one in order to spoof legitimate domains, and exploit this to host pages designed to steal login credentials. Once a user enters their username and password, the details are sent to a domain controlled by the attacker, where they are stored and can be used to conduct further attacks in future.

    Google also warns about campaigns by a hacking group referred to as Curious Gorge, which is linked to the People’s Liberation Army Strategic Support Force, the cyber and electronic warfare branch of the Chinese military. According to TAG, Curious Gorge is using lures related to Russia’s invasion of Ukraine and has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.

    But it isn’t just governments that are looking to exploit the interest and confusion around the war to commit cyberattacks. Criminals have been getting in on the action, too. Google notes that one cyber-criminal operation is impersonating military personnel and demanding payments for rescuing relatives stuck in Ukraine.

    “We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks,” said Billy Leonard, security engineer at Google’s Threat Analysis Group. Google notes that ransomware groups are still operating as normal.