Thursday, January 12, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
A widespread logic controller flaw raises the specter of Stuxnet
FROM THE MEDIA: In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them. The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013.
READ THE STORY: arsTechnica
A Global Recession Will Ramp Up Chinese Economic Cyber Espionage
FROM THE MEDIA: Per several financial-related sources, the global economy’s outlook for 2023 does not look favorable due to a variety of factors including but not limited to the ongoing conflict in Ukraine and post-COVID recovery, with some even predicting a global recession in the future. The same sentiment has been expressed by the International Monetary Fund that predicts global growth could fall to 2.7% in 2023. According to JP Morgan, the United States Gross Domestic Product growth is projected to hover around 1%, while it anticipates China’s GDP to be at 4%, outpacing the global average. If valid, this puts China in an advantageous position, as Beijing looks to stabilize the world’s second largest economy and make the necessary policy adjustments to ensure “key targets” are met. What appears evident is that there may be a small window of opportunity for China to capitalize and make global economic gains.
READ THE STORY: OODALOOP
Chinese ‘government-controlled company’ accused of stealthily buying UK semiconductor start-up
FROM THE MEDIA: The British government has been accused of dropping the ball by allowing a company with alleged ties to the Chinese government to acquire a semiconductor start-up against the United Kingdom’s national interests. Flusso, a company which was spun out of the University of Cambridge’s Electrical Engineering department, designs tiny flow sensors that can be used to regulate liquid and air flows in advanced technologies with industrial and consumer applications. It announced last August that it had been acquired by a “company and global private equity fund” without naming the ultimate acquirer. But a recent report by the tech news publication UKTN revealed that the start-up had been bought by an investment vehicle based in China called Shanghai Sierchi Enterprise Management Partnership.
READ THE STORY: The Record
Guardian says cyber attack exposed identity and financial details of staff
FROM THE MEDIA: The Guardian has warned its staff that sensitive personal information, including their salaries, bank details and passport numbers, was exposed when the media group was hit by a “highly sophisticated” ransomware attack last month. The company said that its internal systems were breached through a successful phishing attack, in which an employee is tricked into giving away access details to a third party. “It’s now clear that we experienced a highly sophisticated cyber attack involving unauthorised third-party access to parts of our network, which appears to have been triggered by a phishing attack,” staff were told in an email on Wednesday by Katharine Viner, the Guardian’s editor-in-chief, and Anna Bateson, chief executive of Guardian Media Group.
READ THE STORY: FT
Electronic Warfare Will Dominate ‘the Battlefield of Tomorrow,’ Experts Say
FROM THE MEDIA: Electronic warfare is a central aspect of the conflict between Russia and Ukraine. Both nations are utilizing cyberattacks, jamming and various other digital aggression tactics to sow disorder on the battlefield and create an advantage. According to top U.S. Army officials, the U.S. sees this demonstration as an indication that it must ramp up and strengthen its EW capabilities. “Everything that we are seeing in Ukraine has implications for a unified network, and almost certainly represents the type of threats we will see,” stated Lt. Gen. Maria Gervais, deputy commanding general and chief of staff for the U.S. Army Training and Doctrine Command, at the Aug. 2022 AFCEA TechNet Augusta conference.
READ THE STORY: GovConWire
Russia's cyberattacks aim to 'terrorize' Ukrainians
FROM THE MEDIA: After widespread failures on Ukraine’s battlefield, Russians are increasing cyberattacks on civilian services such as electricity and internet — a new offensive designed to break the will of everyday citizens and turn the tide of the war. While Russia has relied more on missile strikes than cyber weapons to accomplish its goals in Ukraine, the attacks against energy, government and transportation infrastructure groups show that cyberattacks are still a key part of Moscow’s overall strategy to break the will of Ukrainians. “The longer Russia wages this war, the harder it is going to be on those Ukrainian people and the more vulnerable they’ll be to destructive cyberattacks against the critical infrastructure,” Rob Joyce, the director of cybersecurity at the NSA, said in an interview. “I’m concerned that the Russian actors will increasingly look to amplify the things they’re doing with kinetic effects in that space.”
READ THE STORY: Politico
House Reps introduce bill to fund research into cybersecurity and energy infrastructure
FROM THE MEDIA: A bill to fund research into the cybersecurity needs of the country’s energy infrastructure was introduced by two members of Congress on Wednesday. Congresswoman Deborah Ross (D-NC) and Congressman Mike Carey (R-OH) said the Energy Cybersecurity University Leadership Act will offer grants and other forms of funding to graduate students and postdoctoral researchers focusing on cybersecurity and energy infrastructure. The bill is designed to fund scholarships, fellowships, and R&D projects at colleges and universities so that students can focus on the intersection of cybersecurity and energy infrastructure. Students will also be given chances to get research experience at the Department of Energy’s National Laboratories and utilities. Efforts will also be made to reach students at Historically Black Colleges and Universities, Minority Serving Institutions, and Tribal Colleges and Universities.
READ THE STORY: The Record
New York state adds $35 million to 2023 cybersecurity budget as attacks soar
FROM THE MEDIA: New York Governor Kathy Hochul is adding an additional $35 million in funding to the state’s $61.9 million cybersecurity budget for this year, while also creating a new team focusing on protecting critical infrastructure. This week, Hochul said she decided to add the additional funding to the budget because the “frequency, magnitude, and impact of cyberattacks have increased.” “The Industrial Control Systems assessment team, coupled with record investments, will support physical security and cybersecurity assessment programs to help facilities improve their cybersecurity posture, creating a safer and more secure Empire State,” she said. The Office of Counterterrorism within New York’s Division of Homeland Security and Emergency Services will create the team, which will focus on the energy, transportation and manufacturing sectors.
READ THE STORY: The Record
Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability
FROM THE MEDIA: Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control Web Panel, formerly known as CentOS Web Panel, is a popular server administration tool for enterprise-based Linux systems. "login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter," according to NIST. Gais Security researcher Numan Turle has been credited with discovering and reporting the flaw to the Control Web Panel developers.
READ THE STORY: THN
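The NIST description above names the bug class exactly: a value from the `login` parameter reaches an OS command with shell metacharacters intact. The following is an added example, not code from CWP or from the article, showing why an allowlist on the parameter plus an argv-style command (no shell string) closes that class, and how a defender can scan web-server access logs for requests whose `login` value carries such characters. The log lines, the IP addresses and the `getent passwd` lookup used to illustrate the unsafe-versus-safe command construction are all constructed for the example; the page does not say what command CWP itself ran.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Characters that let a value terminate or extend a shell command when it is
# concatenated into a command string (constructed set for this example).
SHELL_METACHARACTERS = set(";|&$`\n<>(){}")

# Hypothetical allowlist policy: a login name needs nothing beyond these characters.
LOGIN_ALLOWLIST = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def contains_shell_metacharacters(value: str) -> bool:
    """Denylist view of the same problem, useful for log triage."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def validate_login(value: str) -> bool:
    """Allowlist check: the hardened side rejects anything outside the pattern."""
    return LOGIN_ALLOWLIST.fullmatch(value) is not None


def build_shell_command_unsafe(login: str) -> str:
    """Vulnerable pattern: the untrusted value is spliced into a shell string.
    Nothing is executed here; the returned string shows what a shell would parse."""
    return f"getent passwd {login}"


def build_argv_safe(login: str) -> List[str]:
    """Hardened pattern: validate first, then pass the value as one argv element
    so no shell ever parses it (run with subprocess.run(argv), never shell=True)."""
    if not validate_login(login):
        raise ValueError("login rejected by allowlist")
    return ["getent", "passwd", "--", login]


def login_param_from_request_line(request_line: str) -> Optional[str]:
    """Pull the decoded 'login' query value out of 'METHOD /path?query HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    values = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True).get("login")
    return values[0] if values else None  # parse_qs already percent-decodes


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, decoded login value) for requests failing the allowlist."""
    flagged = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"([^"]*)"', line)  # the quoted request in Common Log Format
        if not m:
            continue
        login = login_param_from_request_line(m.group(1))
        if login is not None and not validate_login(login):
            flagged.append((n, login))
    return flagged


# Constructed access-log sample; the login value is placed in the query string
# so that it is visible in a standard access log.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2023:10:00:00 +0000] "POST /login/index.php?login=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2023:10:00:01 +0000] "POST /login/index.php?login=alice%3Btrue HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2023:10:00:02 +0000] "POST /login/index.php?login=alice%0Atrue HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2023:10:00:03 +0000] "GET /login/index.php?login=bob.smith-2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2023:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for n, value in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: login parameter rejected: {value!r}")
    print(build_shell_command_unsafe("alice;true"))  # one string, two commands to a shell
    print(build_argv_safe("bob.smith-2"))            # one argv element, no shell involved
```

The allowlist is the control that matters; the metacharacter denylist is kept only for triage because encodings and shells differ and a denylist is easy to get wrong.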
Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk
FROM THE MEDIA: Details have emerged about a now-patched vulnerability in Google Chrome and Chromium-based browsers that, if successfully exploited, could have made it possible to siphon files containing confidential data. "The issue arose from the way the browser interacted with symlinks when processing files and directories," Imperva researcher Ron Masas said. "Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files." Google characterized the medium-severity issue (CVE-2022-3656) as a case of insufficient data validation in File System, releasing fixes for it in versions 107 and 108 released in October and November 2022.
READ THE STORY: THN
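The Chromium issue described above is a containment check that was applied to a path before symlinks were followed, so a link inside the permitted directory could point anywhere. The following is an added example, not Chromium code and not from the article, showing the defensive check in Python: resolve every symlink first, then require the real path to lie under the real root. The temporary directory layout (an allowed `upload` folder, a file outside it, and symlinks pointing out) is constructed inside the example, and the naive string-prefix check is included only to show that it passes where it should not.

```python
import os
import tempfile
from pathlib import Path


def is_within_root(root: Path, candidate: Path) -> bool:
    """True only if candidate, with every symlink resolved, still lies under root."""
    real_root = root.resolve(strict=True)
    real_candidate = candidate.resolve(strict=False)
    try:
        real_candidate.relative_to(real_root)
    except ValueError:
        return False
    return True


def safe_read(root: Path, relative: str) -> bytes:
    """Read a file under root, refusing symlink escapes and ../ traversal alike."""
    candidate = root / relative
    if not is_within_root(root, candidate):
        raise PermissionError(f"refusing to read outside {root}: {relative}")
    return candidate.read_bytes()


def naive_check(root: Path, relative: str) -> bool:
    """The flawed pattern: a prefix test on the unresolved path (shown for contrast)."""
    joined = os.path.normpath(os.path.join(str(root), relative))
    return joined.startswith(str(root) + os.sep)


def demo() -> dict:
    """Build a constructed layout and exercise both checks; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        allowed = base / "upload"
        allowed.mkdir()
        secret = base / "secret.txt"                  # outside the allowed directory
        secret.write_bytes(b"constructed secret")
        (allowed / "notes.txt").write_bytes(b"ok")   # legitimate file inside
        (allowed / "escape").symlink_to(secret)      # file symlink pointing outside
        (allowed / "dirlink").symlink_to(base)       # directory symlink pointing outside

        results["regular"] = safe_read(allowed, "notes.txt")
        for name, rel in (("symlink", "escape"),
                          ("dirlink", "dirlink/secret.txt"),
                          ("traversal", "../secret.txt")):
            try:
                safe_read(allowed, rel)
                results[name] = "read"
            except PermissionError:
                results[name] = "blocked"
        # The unresolved prefix check accepts both symlink paths: that is the bug class.
        results["naive_symlink"] = naive_check(allowed, "escape")
        results["naive_dirlink"] = naive_check(allowed, "dirlink/secret.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Resolving with `strict=False` keeps the check usable for paths that do not exist yet (writes and creates), while `strict=True` on the root makes a misconfigured or missing root fail loudly rather than silently widening the allowed set.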
Scattered Spider hackers use old Intel driver to bypass security
FROM THE MEDIA: A financially motivated threat actor tracked as Scattered Spider was observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection from EDR (Endpoint Detection and Response) security products. The BYOVD technique involves threat actors using a kernel-mode driver known to be vulnerable to exploits as part of their attacks to gain higher privileges in Windows. Because device drivers have kernel access to the operating system, exploiting a flaw in them allows threat actors to execute code with the highest privileges in Windows. Crowdstrike saw this new tactic right after the publication of the cyberintelligence firm's previous report on Scattered Spider at the start of last month. According to the latest Crowdstrike report, the hackers attempted to use the BYOVD method to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
READ THE STORY: BleepingComputer
Multiple Danish Banks Disrupted By DDoS Cyber-Attack
FROM THE MEDIA: Denmark's central bank and seven private banks, including Jyske Bank and Sydbank, have been hit by distributed denial of service (DDoS) attacks that disrupted their operations this week. According to Reuters, a spokesperson for the central bank said its website was working normally on Tuesday afternoon. The attack, which also affected IT financial industry solutions developer Bankdata, did not reportedly impact the bank's other systems or day-to-day operations. However, it impacted access to the websites of the aforementioned private banks, which was briefly restricted on Tuesday after the DDoS attack on Bankdata. "The recent DDoS attack on Denmark's central bank and an IT partner once again proves that the financial services industry is a prime target for cyber-criminals," said Rick McElroy, principal cybersecurity strategist at VMware.
READ THE STORY: InfoSecurity
Ransomware Group Behind Victoria Fire Department Outage
FROM THE MEDIA: The Vice Society ransomware group today claimed responsibility for a December 2022 attack on an Australian state fire department that led to a widespread IT outage. Fire Rescue Victoria warned current and former employees and job applicants of a data leak. Although the threat group did not share many details about the leak or its negotiations with the fire department, it released a data set as proof of its claims. The leaked data includes budget documents, job applications and other sensitive information. Fire Rescue Victoria, which operates 85 fire stations in Melbourne and surrounding areas, also informed the Office of the Australian Information Commissioner of a possible data breach and is currently analyzing the data set shared by the threat actors on the dark web.
READ THE STORY: BankInfoSec
New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors
FROM THE MEDIA: A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware. Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2).
READ THE STORY: THN
Cybersecurity analysts warn of malware disguised as a Pokémon game
FROM THE MEDIA: The internet can be a wonderful place for gamers, as it can bring you tons of information, online friends to game with, and a great sense of community. Unfortunately, it can also be a breeding ground for those with evil intent, and that’s exactly what’s going on with Pokémon fans right now. It appears there are a number of fake Pokémon games floating around the internet, and they can certainly do harm should you download or play them. South Korea’s AhnLab Security Emergency Center (ASEC) has discovered a fake Pokémon Card Game that includes malware, which could end up stealing your personal info and handing over access to your mobile/PC hardware. This fake Pokémon game has its own website that attempts to get fans to sign up to access content.
READ THE STORY: Go Nintendo
Iran’s citizens targeted by EyeSpy spyware hidden in VPNs
FROM THE MEDIA: The monitoring software SecondEye is the latest tool to be used against citizens of Iran to track their behavior, new research has revealed. SecondEye, which was developed in Iran, is marketed as a parenting or employee surveillance tool but has been converted into a spyware called EyeSpy. The malware is deployed hidden in free VPN packages, which have increased in popularity since the Iranian government’s digital blackout, which has left citizens without access to the internet during the recent civil unrest. Once the spyware has been downloaded, the victim has effectively enabled round-the-clock digital surveillance on their device. “The malware steals sensitive information from an infected system,” says the report published today by security vendor Bitdefender. “Stored passwords, crypto-wallet data, documents and images, contents from clipboard and logs of key presses” can all be monitored. This sort of access can lead to complete account takeovers, identity theft and financial loss.
READ THE STORY: TechMonitor
Hundreds of SugarCRM servers infected with critical in-the-wild exploit
FROM THE MEDIA: For the past two weeks, hackers have been exploiting a critical vulnerability in the SugarCRM (customer relationship management) system to infect users with malware that gives them full control of their servers. The vulnerability began as a zero-day when the exploit code was posted online in late December. The person posting the exploit described it as an authentication bypass with remote code execution, meaning an attacker could use it to run malicious code on vulnerable servers with no credentials required. SugarCRM has since published an advisory that confirms that description. The exploit post also included various “dorks,” which are simple web searches people can do to locate vulnerable servers on the Internet. Mark Ellzey, senior security researcher at network monitoring service Censys, said in an email that as of January 11, the company had detected 354 SugarCRM servers infected using the zero-day.
READ THE STORY: arsTechnica
Computer scientist says AI 'artist' deserves its own copyrights
FROM THE MEDIA: Computer scientist Stephen Thaler on Tuesday asked a Washington, D.C., federal court to rule that his artificial intelligence system is entitled to copyrights for art it created. Seeking a pre-trial win in a lawsuit he filed last June, Thaler asked the U.S. District Court for the District of Columbia to overturn a U.S. Copyright Office decision that said creative works must be made by humans to receive copyright protection. Thaler's case is one of the first over copyrights in AI-created works and coincides with the fast rise of AI-based generation software like ChatGPT, Dall-E and Lensa. His attorney Ryan Abbott of Brown Neri Smith & Khan told Reuters on Wednesday that there is a "real financial importance to this case" that "might not have been so readily apparent a year and a half ago."
READ THE STORY: Reuters
Cisco warns of auth bypass bug with public exploit in EoL routers
FROM THE MEDIA: Cisco warned customers today of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life (EoL) VPN routers. The security flaw (CVE-2023-20025) was found in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers by Hou Liuyang of Qihoo 360 Netlab. It is caused by improper validation of user input within incoming HTTP packets. Unauthenticated attackers can exploit it remotely by sending a specially crafted HTTP request to vulnerable routers' web-based management interface to bypass authentication. Successful exploitation allows them to gain root access. By chaining it with another vulnerability tracked as CVE-2023-2002 (also disclosed today by Cisco), they can execute arbitrary commands on the underlying operating system.
READ THE STORY: BleepingComputer
Snapdragon Satellite And The State Of Satellite Mobile Communications
FROM THE MEDIA: There is no question that satellite-enabled smartphones have become a major trend recently. Just in the past year, the likes of Apple, Amazon, AST-SpaceMobile, AT&T, Bullitt Group, GlobalStar, Huawei, Lynk Global, SpaceX, T-Mobile and Verizon have talked about or launched satellite-based smartphone services. My colleague Will Townsend and I have been covering all the latest developments on our 5G podcast, the G2 on 5G. Even with all the announcements and product launches of 2022, some companies were curiously missing from the conversation, namely Qualcomm, Iridium and Garmin. These three firms have some of the longest pedigrees in the satellite space—easily longer than most of the companies mentioned above. That all changed this month at CES 2023, when the three companies announced a two-way messaging service called Snapdragon Satellite.
READ THE STORY: Forbes
Items of interest
Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike
FROM THE MEDIA: The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. The campaign goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks. From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware. Gootkit loader, more commonly known as Gootloader, began delivering Cobalt Strike on systems last summer in a similar search engine result poisoning campaign. Gootloader has been associated with ransomware infections several times, with the malware coming back in 2020 through a high-profile collaboration with the REvil gang.
READ THE STORY: BleepingComputer
Breaking the IIoT: Hacking industrial Control Gateways (Video)
FROM THE MEDIA: This presentation reviews the security of industrial control gateways, going from attacking the communication protocols up to reverse engineering and fuzzing proprietary firmware and protocols, and concluding with a live demonstration of the vulnerabilities on real devices. It shows that the industrial control gateways from most vendors have significant security shortcomings and are not secure enough to be used in critical infrastructure.
SCADA Hacking | Operational Technology (OT) Attacks (Video)
FROM THE MEDIA: An overview of attacks on Operational Technology, illustrated by attacking ICS such as SCADA systems over the MODBUS TCP protocol.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com