More stories

  • CISA warns over software flaws in industrial control systems

    The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices that should be, but aren’t always, isolated from the internet. CISA has released five advisories covering multiple vulnerabilities affecting industrial control systems discovered by researchers at Forescout. Forescout this week released its report “OT:ICEFALL”, which covers a set of common security issues in software for OT devices. The bugs it disclosed affect devices from Honeywell, Motorola, Siemens and others. OT is a subset of the Internet of Things (IoT): OT covers industrial control systems (ICS) that may be connected to the internet, while the broader IoT category includes consumer items like TVs, doorbells, and routers. Forescout detailed the 56 vulnerabilities in a single report to highlight these common problems.

    CISA has released five corresponding Industrial Control Systems Advisories (ICSAs), which it said provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. The advisories include details of critical flaws affecting software from Japan’s JTEKT, three flaws affecting devices from US vendor Phoenix Contact, and one affecting products from German firm Siemens. The ICSA-22-172-02 advisory for JTEKT TOYOPUC details missing authentication and privilege escalation flaws; these have a severity rating of 7.2 out of 10. Flaws affecting Phoenix Contact devices are detailed in the advisories ICSA-22-172-03 (Phoenix Contact Classic Line Controllers), ICSA-22-172-04 (Phoenix Contact ProConOS and MULTIPROG) and ICSA-22-172-05 (Phoenix Contact Classic Line Industrial Controllers). The Siemens software with critical vulnerabilities is detailed in advisory ICSA-22-172-06 for Siemens WinCC OA. It’s a remotely exploitable bug with a severity score of 9.8 out of 10.

    “Successful exploitation of this vulnerability could allow an attacker to impersonate other users or exploit the client-server protocol without being authenticated,” CISA notes.

    OT devices should be air-gapped on a network, but often they’re not, giving sophisticated cyber attackers a broader canvas to penetrate. The 56 vulnerabilities identified by Forescout fell into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality. The firm published the vulnerabilities (CVEs) as a collection to illustrate that flaws in the supply of critical infrastructure hardware are a common problem.

    “With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault,” Forescout said. “The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts,” it said.

    As the firm details in a blog post, there are some common faults that developers should be aware of:

    • Insecure-by-design vulnerabilities abound: more than a third of the vulnerabilities it found (38%) allow for compromise of credentials, with firmware manipulation coming second (21%) and remote code execution third (14%).
    • Vulnerable products are often certified: 74% of the product families affected have some form of security certification, and most issues it warns of should be discovered relatively quickly during in-depth vulnerability discovery. Factors contributing to this problem include limited scope for evaluations, opaque security definitions and a focus on functional testing.
    • Risk management is complicated by the lack of CVEs: it is not enough to know that a device or protocol is insecure. To make informed risk management decisions, asset owners need to know how these components are insecure. Issues considered the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they ought to be.
    • There are insecure-by-design supply chain components: vulnerabilities in OT supply chain components tend not to be reported by every affected manufacturer, which contributes to the difficulties of risk management.
    • Not all insecure designs are created equal: none of the systems analyzed support logic signing, and most (52%) compile their logic to native machine code. 62% of those systems accept firmware downloads via Ethernet, while only 51% have authentication for this functionality.
    • Offensive capabilities are more feasible to develop than often imagined: reverse engineering a single proprietary protocol took between 1 day and 2 weeks, while achieving the same for complex, multi-protocol systems took 5 to 6 months.

  • These hackers are spreading ransomware as a distraction – to hide their cyber spying

    A group of likely state-backed cyber attackers has adopted a new loader to spread five different kinds of ransomware in a bid to hide their true espionage activities. On Thursday, cybersecurity researchers from Secureworks published new research on HUI Loader, a malicious tool that criminals have used widely since 2015. Loaders […]

  • NSA, CISA say: Don't block PowerShell, here's what to do instead

    Cybersecurity authorities from the US, the UK, and New Zealand have advised businesses and government agencies to properly configure Microsoft’s built-in Windows command-line tool, PowerShell – but not to remove it. Defenders shouldn’t disable PowerShell, a scripting language, because it is a useful command-line interface for Windows that can help with […]

  • Your email is a major source of security risks and it's getting worse

    Malware delivered to email accounts rose 196% in 2021 year on year, according to cybersecurity firm Trend Micro, which warns that email remains a major avenue for criminals looking to deliver malware and phish account credentials. Some 74.1% of all threats blocked by Trend Micro in 2021 were email threats versus […]

  • Blind trust in open source security is hurting us: Report

    At the 2022 Open Source Summit in Austin, TX, The Linux Foundation, the leading open source non-profit group, with its partners and Snyk, a leading developer security company, released their first joint research report, The State of Open Source Security, which uncovered worrying news: 41% of organizations are not confident in their open source software security. […]

  • Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

    Ukrainian organizations have been subjected to new hacking attempts tailored to drop malware and malicious Cobalt Strike beacons onto their networks. On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) published two advisories on the hacking incidents, suspected of being the work of threat groups APT28 — also known as Fancy Bear — and UAC-0098.

    The phishing campaign conducted by the Russian advanced persistent threat (APT) APT28 attempts to spread a malicious document titled “Nuclear Terrorism A Very Real Threat”. Distribution is suspected of having been carried out on June 10. UAC-0098’s hacking attempts also begin with a malicious email. The phishing messages have a malicious document attached, “Imposition of penalties.docx,” and its distribution has been described as “persistent,” with an original compilation date of June 16. This document is also spread through a password-protected archive, fraudulently passed off as communication from Ukraine’s tax office, with the subject line “Notice of non-payment of tax.”

    When opened, both documents automatically download an HTML file that initiates malicious JavaScript code containing an exploit for CVE-2022-30190. Issued a CVSS severity score of 7.8, CVE-2022-30190 is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, now patched but exploited in the wild, first emerged as a zero-day flaw in May. If the target system has not been protected, victims of Fancy Bear’s attacks will find their systems infected with the CredoMap malware. According to Malwarebytes, CredoMap is an information stealer able to exfiltrate browser data, cookies, and account credentials. Older variants of the malware have previously been used by APT28 against Ukrainian targets. The tax-related document, however, deploys Cobalt Strike beacons.

    Cobalt Strike is a legitimate, commercial penetration testing tool that has, unfortunately, been abused for malicious purposes by cyberattackers for many years. The tool’s beacon functionality can facilitate remote connections and can be used for the deployment of shellcode and malware.

    Since Russia’s invasion of Ukraine began, CERT-UA has pivoted its focus to warning against cyberthreats impacting both Ukrainian businesses and residents. Many campaigns are trying to take advantage of the situation, whether on behalf of the Russian state or just as run-of-the-mill attackers trying to make a profit. The agency has previously warned organizations of Ghostwriter phishing campaigns, Invisimole activities tied to the Russian APT Gamaredon, and frequent misinformation schemes targeting Ukraine’s residents. CERT-UA has also alerted Ukrainian media agencies to phishing campaigns, potentially conducted by the Russian Sandworm hacking group, intended to spread the CrescentImp malware.

  • How Microsoft's AI spots ransomware attacks before they even get started

    Microsoft has revealed how artificial intelligence (AI) technologies are used in the fight against ransomware. Ransomware is one of today’s most prolific and vicious digital threats. Ransomware families including Locky, WannaCry, NotPetya, and Cerber plague consumers and businesses alike, locking up infected systems and demanding payment in return for decryption keys, which may […]