https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
Tomi Engdahl says:
Exposing initial access broker with ties to Conti https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally.
Tomi Engdahl says:
CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable https://unit42.paloaltonetworks.com/iot-supply-chain-cve-2021-28372/
A large number of IP cameras and surveillance systems used in enterprise networks were recently discovered to be vulnerable to remote code execution and information leakage due to CVE-2021-28372, a vulnerability in the built-in ThroughTek Kalay P2P software development kit that is used by many of these devices. Many users of IP cameras and surveillance systems are unaware of the built-in software and TCP/IP stacks in their devices, and can overlook related vulnerabilities as a result.
Tomi Engdahl says:
China’s DJI And Its Billionaire Chief Put In An Awkward Spot As Both Sides In Ukraine War Use Its Drones https://www.forbes.com/sites/thomasbrewster/2022/03/17/chinas-dji-and-its-billionaire-chief-put-in-an-awkward-spot-as-both-sides-in-ukraine-war-use-its-drones/
Since Russia’s invasion of his country, Ukraine deputy prime minister Mykhailo Fedorov has written scores of letters to tech companies urging them to quit doing business with what he calls the Kremlin war machine. Among the latest targets is Chinese drone supplier DJI. Both Ukrainian and Russian militaries have been using DJI’s technology, according to various social media posts and reports, even though DJI says its drones are for hobbyists, police and first responders, not for helping wage war.
Tomi Engdahl says:
A brake on maritime robotisation? [New report highlights the millions of dollars shipowners pay hackers every year](https://splash247.us9.list-manage.com/track/click?u=d9cd6e3c7ddb7a9f609caa158&id=3d96359ac7&e=b2801f26ba)
22 Mar 2022 16:20 | Sam Chambers
New research has found that where cyber attacks in the maritime industry lead to a ransom payment, shipowners pay the perpetrators more than $3 million on average. A new 43-page report entitled The Great Disconnect, produced by maritime cyber security company CyberOwl, maritime innovation agency Thetius and law firm HFW, also reveals significant gaps …
New report highlights the millions of dollars shipowners pay hackers every year
https://splash247.com/new-report-highlights-the-millions-of-dollars-shipowners-pay-hackers-every-year/
New research has found that where cyber attacks in the maritime industry lead to a ransom payment, shipowners pay more than $3m on average to the perpetrators.
A new 43-page report entitled The Great Disconnect, produced by maritime cyber security company CyberOwl, maritime innovation agency Thetius and law firm HFW, also reveals significant gaps in cyber risk management that exist across shipping organisations and the wider supply chain. It is based on a survey of more than 200 industry professionals, including C-suite leaders, cyber security experts, seafarers, shoreside managers, and suppliers and also covers the increased risks of cyber attacks in the wake of Russia’s invasion of Ukraine.
Tomi Engdahl says:
IoT Security and the Internet of Forgotten Things https://securityintelligence.com/articles/iot-security-internet-forgotten-thing/
In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities. One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, Github and other major brands. Threat actors inserted Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack against Dyn. Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.
Tomi Engdahl says:
Seven Ways to Keep your Smart Home Devices out of the Hands of Hackers https://blog.checkpoint.com/2022/03/21/seven-ways-to-keep-your-smart-home-devices-out-of-the-hands-of-hackers/
Check Point Software Technologies has seven tips to keep your smart home devices out of the hands of hackers. In an increasingly connected world, it would be hard to find a home that doesn’t have some sort of smart device, in fact, according to the latest research there are 2.22 million smart homes in the UK alone. Whether it’s a speaker that can also curate a shopping list, a doorbell with a fully functioning camera or a smoke alarm that connects directly to your mobile phone to remind you to replace those batteries, these devices are here to stay.
However, while these gadgets provide much convenience for consumers, they are also simultaneously multiplying the number of access points that hackers can use to steal private and personal information. An investigation by Which? reported that, on average, homes with smart devices are vulnerable to 12,000 hacking or unknown scanning attacks from across the world in just a single week, which tells you the size of the problem. From there you only have to switch on the news to hear horror stories, ranging from smart devices listening to private conversations to hackers using camera-enabled gadgets to gain access to a constant stream of live video from inside our homes.
Tomi Engdahl says:
Over-the-air (OTA) update sends AEG microwaves into an identity crisis
https://www.logic.nl/ota-update-sends-aeg-microwaves-into-identitycrisis/?utm_medium=email
The importance of implementing strict processes for software development, testing and deployment was emphasized once more when, earlier in March 2022, domestic kitchen chefs in the Netherlands suddenly found that their AEG hot air / microwave kitchen appliance had transformed itself into a quite different tool. The appliance became inoperable and complained to the user with error messages.
The cause of this behavior was an over-the-air (OTA) software update released by AEG on March 2, 2022. The appliance received the update, followed its hard-coded instructions to flash the new firmware and performed a restart. Sadly, the update also affected the WiFi connection, making it impossible to remotely correct the problem and leaving AEG no other choice than to have a repairman make house calls.
According to a spokesman for Electrolux (owner of AEG), the cause stems from an operator who applied a wrong number during the update procedure. This caused the wrong software update to be deployed.
It is too simple a statement to blame an operator for applying a wrong number, allowing an erroneous update of this magnitude.
Tomi Engdahl says:
Some developers are fouling up open-source software https://www.zdnet.com/article/some-developers-are-fouling-up-open-source-software
- From ethical concerns, a desire for more money, and simple obnoxiousness, a handful of developers are ruining open-source for everyone. One of the most amazing things about open-source isn’t that it produces great software. It’s that so many developers put their egos aside to create great programs with the help of others. Now, however, a handful of programmers are putting their own concerns ahead of the good of the many and potentially wrecking open-source software for everyone.
Tomi Engdahl says:
Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector https://www.cisa.gov/uscert/ncas/alerts/aa22-083a
On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.
Tomi Engdahl says:
Over 100 Building Controllers in Russia Vulnerable to Remote Hacker Attacks
https://www.securityweek.com/over-100-building-controllers-russia-vulnerable-remote-hacker-attacks
A researcher has identified critical vulnerabilities that can allegedly be exploited to remotely hack a building controller predominantly used by organizations in Russia.
The security flaws were discovered by researcher Jose Bertin in a controller made by Russian company Tekon Avtomatika, which specializes in equipment and software for elevators and other building systems.
A Shodan search shows more than 100 internet-exposed Tekon controllers that the vendor describes as “engineering equipment controllers.” Shodan currently shows 117 devices located in Russia and three in Ukraine.
Tomi Engdahl says:
Many Critical Flaws Patched in Delta Electronics Energy Management System
https://www.securityweek.com/many-critical-flaws-patched-delta-electronics-energy-management-system
At least 30 vulnerabilities were found in the past year in the DIAEnergie industrial energy management system made by Delta Electronics. The company says it has created patches for all of them, but for now most of those patches are only available on demand.
In August 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations using the DIAEnergie product that researcher Michael Heinzl had identified eight vulnerabilities, including ones rated “critical severity.”
Heinzl told SecurityWeek at the time that exploitation of the vulnerabilities could have “dire consequences” and there had been no patches from the vendor at the time.
After the first round of vulnerabilities were disclosed, Heinzl warned, “The consequences of a malicious actor’s actions could be dire for affected customers — falsifying monitoring data, suppressing alarms, using the system as the initial foothold in the network infrastructure for further pivoting, or simply ‘ransomwaring’ the deployment as has become so prevalent over the last five years or so.”
DIAEnergie is designed to help companies visualize and improve electric and power systems, particularly high-consumption equipment. The product is used around the world in various sectors. It can be integrated with various industrial control systems (ICS) and data sinks, including power meters, programmable logic controllers (PLCs) and other Modbus devices.
Tomi Engdahl says:
Exploitation of Flaws in Delta Energy Management System Could Have ‘Dire Consequences’
https://www.securityweek.com/exploitation-flaws-delta-energy-management-system-could-have-dire-consequences
An industrial energy management system made by Delta Electronics is affected by several vulnerabilities whose exploitation could have serious consequences in a real world environment, according to the researcher who discovered the flaws.
The existence of the vulnerabilities affecting Delta’s DIAEnergie product was disclosed last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who identified them, Michael Heinzl.
The security holes were reported to the vendor, through CISA, in April, but they have yet to be patched. CISA says patches are expected to become available on September 15. In the meantime, organizations using the affected product have been advised to implement mitigations to reduce the risk of exploitation.
Heinzl told SecurityWeek that the eight DIAEnergie vulnerabilities disclosed last week are just some of the issues he reported to the vendor. The remaining flaws will be disclosed at a later date.
Tomi Engdahl says:
The Rising Importance of Research Communities for Industrial Cybersecurity
https://www.securityweek.com/rising-importance-research-communities-industrial-cybersecurity
Tomi Engdahl says:
Vulnerabilities Identified in Wyze Cam IoT Device https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/
While looking into the Wyze Cam device, we identified several vulnerabilities that let an outside attacker access the camera feed or execute malicious code to further compromise the device.
Bitdefender whitepaper:
https://www.bitdefender.com/files/News/CaseStudies/study/413/Bitdefender-PR-Whitepaper-WCam-creat5991-en-EN.pdf
Also:
https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-remotely-access-your-saved-videos/
Also:
https://www.forbes.com/sites/leemathews/2022/03/29/bitdefender-uncovers-serious-flaws-in-wyze-security-cameras/
Tomi Engdahl says:
Critical Vulnerabilities Found in Microsoft Defender for IoT
https://www.securityweek.com/critical-vulnerabilities-found-microsoft-defender-iot
Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.
Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.
Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.
Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.
Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter isn’t sanitized, SentinelLabs explains.
Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All
https://www.sentinelone.com/labs/pwning-microsoft-azure-defender-for-iot-multiple-flaws-allow-remote-code-execution-for-all/
Executive Summary
SentinelLabs has discovered a number of critical severity flaws in Microsoft Azure’s Defender for IoT affecting cloud and on-premise customers.
Unauthenticated attackers can remotely compromise devices protected by Microsoft Azure Defender for IoT by abusing vulnerabilities in Azure’s Password Recovery mechanism.
SentinelLabs’ findings were proactively reported to Microsoft in June 2021 and the vulnerabilities are tracked as CVE-2021-42310, CVE-2021-42312, CVE-2021-37222, CVE-2021-42313 and CVE-2021-42311 marked as critical, some with CVSS score 10.0.
Microsoft has released security updates to address these critical vulnerabilities. Users are encouraged to take action immediately.
At this time, SentinelLabs has not discovered evidence of in-the-wild abuse.
Introduction
Operational technology (OT) networks power many of the most critical aspects of our society; however, many of these technologies were not designed with security in mind and can’t be protected with traditional IT security controls. Meanwhile, the Internet of Things (IoT) is enabling a new wave of innovation with billions of connected devices, increasing the attack surface and risk.
The problem has not gone unnoticed by vendors, and many offer security solutions in an attempt to address it, but what if the security solution itself introduces vulnerabilities? In this report, we will discuss critical vulnerabilities found in Microsoft Azure Defender for IoT, a security product for IoT/OT networks by Microsoft Azure.
First, we show how flaws in the password reset mechanism can be abused by remote attackers to gain unauthorized access. Then, we discuss multiple SQL injection vulnerabilities in Defender for IoT that allow remote attackers to gain access without authentication. Ultimately, our research raises serious questions about the security of security products themselves and their overall effect on the security posture of vulnerable sectors.
Microsoft Azure Defender For IoT
Microsoft Defender for IoT is an agentless network-layer security for continuous IoT/OT asset discovery, vulnerability management, and threat detection that does not require changes to existing environments. It can be deployed fully on-premises or in Azure-connected environments.
This solution consists of two main components:
Microsoft Azure Defender For IoT Management – Enables SOC teams to manage and analyze alerts aggregated from multiple sensors into a single dashboard and provides an overall view of the health of the networks.
Microsoft Azure Defender For IoT Sensor – Discovers and continuously monitors network devices. Sensors collect ICS network traffic using passive (agentless) monitoring on IoT and OT devices. Sensors connect to a SPAN port or network TAP and immediately begin performing DPI (Deep packet inspection) on IoT and OT network traffic.
Both components can be either installed on a dedicated appliance or on a VM.
Deep packet inspection (DPI) is achieved via the horizon component, which is responsible for analyzing network traffic. The horizon component loads built-in dissectors and can be extended to add custom network protocol dissectors.
Defender for IoT Web Interface Attack Surface
Both the management and the sensor share roughly the same code base, with configuration changes to fit the purpose of the machine. This is the reason why both machines are affected by most of the same vulnerabilities.
The most appealing attack surface exposed on both machines is the web interface, which allows controlling the environment in an easy way. The sensor additionally exposes another attack surface which is the DPI service (horizon) that parses the network traffic.
Defender for IoT is a product formerly known as CyberX, acquired by Microsoft in 2020. Looking around in the home directory of the “cyberx” user, we found the installation script and a tar archive containing the system’s encrypted files. Reading the script we found the command that decrypts the archive file.
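The SentinelLabs excerpt above attributes CVE-2021-42313 to an unsanitized UUID parameter in token validation. The following is an added example, not code from the page or from Defender for IoT, using a constructed SQLite token table (hypothetical schema) to contrast a lookup that interpolates the parameter into SQL with one that first enforces the canonical UUID form and then binds the value as a query parameter.

```python
import re
import sqlite3
import uuid

# Constructed in-memory token store standing in for a product's session table.
# The schema and the sample token are hypothetical, chosen for this example only.
SAMPLE_TOKEN = "6f1d9a3e-0c4b-4f7a-9e2d-1b2c3d4e5f60"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (uuid TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO tokens VALUES (?, ?)", (SAMPLE_TOKEN, "admin"))
    conn.commit()
    return conn


def validate_token_vulnerable(conn, token_uuid):
    # Weak pattern: the caller-supplied value becomes part of the SQL text,
    # so any input that alters the WHERE clause changes which row matches.
    query = f"SELECT username FROM tokens WHERE uuid = '{token_uuid}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# Canonical 8-4-4-4-12 hex form, lowercase only; everything else is rejected.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def is_canonical_uuid(value):
    # Two layers: a strict shape check, then a round-trip through uuid.UUID
    # so that only values the library itself re-emits unchanged are accepted.
    if not isinstance(value, str) or not UUID_RE.match(value):
        return False
    try:
        return str(uuid.UUID(value)) == value
    except ValueError:
        return False


def validate_token_hardened(conn, token_uuid):
    # Hardened pattern: reject anything that is not a canonical UUID, and bind
    # the value as a parameter so it can never be parsed as SQL.
    if not is_canonical_uuid(token_uuid):
        return None
    row = conn.execute(
        "SELECT username FROM tokens WHERE uuid = ?", (token_uuid,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for candidate in (SAMPLE_TOKEN, "' OR '1'='1", SAMPLE_TOKEN.upper()):
        print(repr(candidate),
              "vulnerable ->", validate_token_vulnerable(db, candidate),
              "| hardened ->", validate_token_hardened(db, candidate))
```

The vulnerable lookup resolves the textbook `' OR '1'='1` input to the stored admin row, while the hardened one returns None for it and for any non-canonical spelling of an otherwise valid token.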
Tomi Engdahl says:
Smart Meters are Vulnerable to this Attack
https://www.youtube.com/watch?v=kli-hRqRAys
Voltage glitching attacks have been documented for quite some time; now I am going to apply these well-known techniques to extract the smart meter’s firmware for analysis.
Tomi Engdahl says:
Get Outta Here: Securing Computing Systems by Storing Security Elsewhere
Feb. 5, 2022
This article details the architecture of the cybersecurity conflict and offers recommendations for how to tilt the scales in favor of the good guys.
https://www.electronicdesign.com/industrial-automation/article/21215467/kameleon-security-get-outta-here-securing-computing-systems-by-storing-security-elsewhere?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS220221103&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
What you’ll learn:
Why hackers historically have had an architectural advantage against software- and firmware-based security defenses.
How this edge has translated into increased attacks on firmware levels.
What enterprises and CSPs can do to protect themselves.
Cybersecurity has long been a game of cat and mouse between organizations looking to secure their networks, devices, and data with increasingly more sophisticated security solutions. Meanwhile, hackers look to poke and exploit whatever holes may exist in those defenses. The architecture of this conflict has disproportionately benefited hackers, as through trial and error they have been able to map a target’s defenses until the point where they identify a way in.
The location of where security solutions are stored plays a pivotal role here, as hackers’ perpetual probing only serves its purpose if a target’s defenses are visible, or worse, accessible. Storing unprotected encryption keys, credentials, and sensitive data anywhere reachable is equally unadvisable.
Don’t Store Your Security Solutions in These Spots
Cybersecurity defenses have typically been stored at the software, or application, layer. This exposes defenses to visibility and manipulation by any hacker who gains access to that layer, which is what happened in the recent Huawei Cloud attack. This cloud service provider (CSP) was hit with malware that used a software script to simply disable the security agent in charge of scans and reset user credentials.
Moving security solutions down to the firmware isn’t necessarily much safer, as hackers have shown great resourcefulness and little trouble in breaching this layer, too. The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) shows that attacks on firmware have risen by 500% since 2018. Furthermore, survey data from a new Microsoft report shows that 83% of enterprise IT decision-makers have had their systems hit with a firmware attack in the last two years, but that only 29% of the average security budget is dedicated to protecting the firmware level.
Intel recently discovered the danger of under-securing this level themselves, as significant vulnerabilities were exposed in the BIOS firmware of various Intel processors. Intel advised that users apply available BIOS updates to patch the holes, but most motherboard vendors don’t release BIOS updates all that frequently, since it’s something of a legacy solution (replaced in many applications by UEFI firmware).
Become Isolated
Storing security defenses in an isolated processor creates an architectural advantage for security applications that prevents attackers from disabling or evading defenses. Unlike processor-based systems that are susceptible to trial-and-error attacks, where hackers try various techniques to glean information about a system’s defenses, isolated security chips provide very little visibility to would-be intruders.
Turn to TPMs
Trusted Platform Modules (TPMs) are a good step in this direction. TPMs sit separate from a computing system’s processor. They function as a sort of black box that attackers will struggle to access or even see into, and are assigned to hold valuable assets like keys as well as sensitive data while owning only low-level operations.
However, TPMs alone aren’t secure or flexible enough. Emerging solutions instead offload security, assets, and trust anchors to a more specialized and more dynamic security processing unit (SPU) chip. Under this approach, attackers are unable to access (and thus corrupt) security systems, data, and most importantly, the system’s root of trust (RoT). This means the integrity of its attestations from boot through runtime is preserved.
Isolated SPUs also are more convenient to manage. UEFI firmware authentication introduces logistical issues that can lock a CPU to a particular platform, which limits the ability to upgrade or change a CPU on the motherboard.
All told, what CIOs, CISOs, and IT decision-makers need to realize is that their systems are very much vulnerable, especially at the software and firmware levels. Storing security systems, let alone a RoT, at these levels is folly. Therefore, what’s needed is a hardware solution that can be used to store security beyond the hacker’s reach while also hosting a RoT that can authenticate and authorize any alteration of any stack level. In addition, it must be flexible enough to adapt to new vulnerabilities and enable security
Tomi Engdahl says:
Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds https://thehackernews.com/2022/03/bugs-in-wyze-cams-could-let-attackers.html
Three security vulnerabilities have been disclosed in the popular Wyze Cam devices that allow malicious actors to execute arbitrary code and access camera feeds as well as unauthorizedly read the SD cards, the latter of which remained unresolved for nearly three years after the initial discovery. Also:
https://www.tivi.fi/uutiset/tv/988311cf-d3fc-45a9-99ec-662e162cb992
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Wyze had been aware of several remote access vulnerabilities in its home security cameras for months and years without fixing them, despite Bitdefender warnings — A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards …
Wyze Cam flaw lets hackers remotely access your saved videos
https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-remotely-access-your-saved-videos/
Tomi Engdahl says:
New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs
https://www.securityweek.com/new-vulnerabilities-allow-stuxnet-style-attacks-against-rockwell-plcs
Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.
Claroty on Thursday published a blog post describing its findings. Separate advisories for the two vulnerabilities were also released on Thursday by the US Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell Automation (account required).
One of the security holes, tracked as CVE-2022-1161 and classified as “critical,” affects various CompactLogix, ControlLogix, GuardLogix, FlexLogix, DriveLogix and SoftLogix controllers. The second flaw, tracked as CVE-2022-1159 and rated “high severity,” affects the Studio 5000 Logix Designer programming software that runs on engineering workstations.
According to Rockwell Automation and Claroty, the vulnerabilities can allow an attacker who has access to the victim’s systems to make changes to PLC program code and modify automation processes without being detected. This could result in significant damage, depending on the type of system controlled by the PLC.
Stuxnet targeted Siemens devices, but vulnerabilities that can be exploited to achieve a similar goal have also been found in recent years in PLCs made by Schneider Electric and other vendors.
Tomi Engdahl says:
These ten hacking groups have been targeting critical infrastructure and energy
https://www.zdnet.com/article/these-ten-hacking-groups-have-been-targeting-critical-infrastructure-and-energy/#ftag=RSSbaffb68
Electricity, oil and gas and other critical infrastructure vital to our everyday lives is increasingly at risk from cyber attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services. A report from cybersecurity company Dragos details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe, and it warns that this activity is likely to grow in the next 12 months. The list includes several state-backed hacking operations, such as Electrum, also known as Sandworm, which is linked to the Russian military; Covellite, which is linked to North Korea’s Lazarus Group; and Vanadinite, which is linked to APT 41, a hacking operation working on behalf of China. Source:
https://www.dragos.com/blog/industry-news/assessing-threats-to-european-industrial-infrastructure/
Tomi Engdahl says:
Raspberry Pi Removes Default User to Improve Security
https://www.securityweek.com/raspberry-pi-removes-default-user-improve-security
In an attempt to improve security, the latest Raspberry Pi OS release no longer creates a default “pi” account, requiring users to set up custom accounts instead.
The “pi” user, which has been present in all Raspberry Pi installations since the beginning, does make it easier to conduct brute-force attacks (it is usually paired with the password “raspberry”), even if some don’t necessarily see it as a security weakness.
With the latest change – which is also prompted by new legislation in some countries forbidding the use of default accounts – users will be required to create an account when booting a newly-flashed Raspberry Pi OS image.
“This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” Raspberry Pi senior principal software engineer Simon Long explains.
An update to Raspberry Pi OS Bullseye
https://www.raspberrypi.com/news/raspberry-pi-bullseye-update-april-2022/
Tomi Engdahl says:
Ukraine Says Potent Russian Hack Against Power Grid Thwarted
https://www.securityweek.com/ukraine-says-potent-russian-hack-against-power-grid-thwarted
Russian military hackers attempted to knock out power to millions of Ukrainians last week in a long-planned attack but were foiled, Ukrainian government officials said Tuesday.
At one targeted high-voltage power station, the hackers succeeded in penetrating and disrupting part of the industrial control system, but people defending the station were able to prevent electrical outages, the Ukrainians said.
“The threat was serious, but it was prevented in a timely manner,” a top Ukrainian cybersecurity official, Victor Zhora, told reporters through an interpreter. “It looks that we were very lucky.”
Tomi Engdahl says:
Industroyer2: Industroyer reloaded
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
The blogpost presents the analysis of a cyberattack against a Ukrainian energy provider. Also: https://www.wired.com/story/sandworm-russia-ukraine-blackout-gru/
Tomi Engdahl says:
Developer and security researcher Didelot Maurice-Michel has published details of security vulnerabilities, now thankfully fixed, in an unusual target device: an experimental satellite created by the European Space Agency.
Didelot Maurice-Michel Hacked a Satellite — and Made the ESA’s Experimental Platform Safer for All
https://www.hackster.io/news/didelot-maurice-michel-hacked-a-satellite-and-made-the-esa-s-experimental-platform-safer-for-all-fbaf2c51b977
During a contest run by security firm CYSEC, the European Space Agency’s OPS-SAT satellite was tested — and found wanting.
“During January of this year I stumbled upon an ad for an hacking contest organized by an enterprise called CYSEC that is specialized in [the] space industry,” Maurice-Michel explains. “This enterprise, was calling for hacker participation, with the idea be able to demonstrate in live the possibility and risk of an attack on critical device like satellite during one of their event called the HackCYSAT.”
Tomi Engdahl says:
Advanced hackers have shown they can take control of an array of devices that help run power stations and manufacturing plants, the U.S. government said in an alert on Wednesday, warning of the potential for cyber spies to harm critical infrastructure.
U.S. says advanced hackers have shown ability to hijack critical infrastructure
https://www.reuters.com/technology/us-says-advanced-hackers-have-demonstrated-ability-hijack-multiple-industrial-2022-04-13/
The U.S. Cybersecurity and Infrastructure Security Agency and other government agencies issued a joint advisory saying the hackers’ malicious software could affect a type of device called programmable logic controllers made by Schneider Electric (SCHN.PA) and OMRON Corp (6645.T).
Alert (AA22-103A)
APT Cyber Tools Targeting ICS/SCADA Devices
https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
Schneider Electric programmable logic controllers (PLCs),
OMRON Sysmac NEX PLCs, and
Open Platform Communications Unified Architecture (OPC UA) servers.
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
Technical Details
APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:
Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
OPC Unified Architecture (OPC UA) servers.
The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
APT Tool for OPC UA
The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.
DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
Implement robust log collection and retention from ICS/SCADA systems and management subnets.
Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
Ensure all applications are only installed when necessary for operation.
Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
Monitor systems for loading of unusual drivers, especially an ASRock driver if no ASRock driver is normally used on the system.
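The advisory's recommendation above to keep known-good offline backups and run hashing and integrity checks on firmware and controller configuration files, as an added Python example that is not part of the advisory or of any vendor tool: it builds a SHA-256 manifest of a backup tree, seals the manifest with an HMAC under a key that is assumed to be kept with the offline media rather than on the backup host, and reports modified, missing and unexpected files before a restore is attempted. The directory layout, file names and key in `demo()` are constructed for the demonstration.

```python
"""Known-good backup integrity manifest for controller configuration files.

Added example (not from the CISA advisory or any vendor tool). Assumes PLC
project files and firmware images are backed up into one directory tree and
that the manifest plus HMAC key are stored separately from that host.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large firmware images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Record a digest for every regular file under backup_dir (relative POSIX paths)."""
    backup_dir = Path(backup_dir)
    files = {}
    for path in sorted(p for p in backup_dir.rglob("*") if p.is_file()):
        files[path.relative_to(backup_dir).as_posix()] = sha256_file(path)
    return {"algorithm": "sha256", "files": files}


def seal_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON form; without the key a manifest cannot be regenerated."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(backup_dir, manifest, key=None, seal=None):
    """Compare the tree on disk with the manifest; 'ok' is True only if nothing changed and the seal holds."""
    report = {"seal_ok": None}
    if key is not None:
        report["seal_ok"] = hmac.compare_digest(seal_manifest(manifest, key), seal or "")
    expected = manifest["files"]
    current = build_manifest(backup_dir)["files"]
    report["modified"] = sorted(f for f in expected if f in current and current[f] != expected[f])
    report["missing"] = sorted(f for f in expected if f not in current)
    report["unexpected"] = sorted(f for f in current if f not in expected)
    report["ok"] = report["seal_ok"] in (None, True) and not (
        report["modified"] or report["missing"] or report["unexpected"]
    )
    return report


def demo():
    """Constructed backup tree: take a manifest, then tamper with the tree and re-check."""
    key = b"constructed-demo-key-keep-with-offline-media"  # assumption: never stored on the backup host
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "plc-backups"
        (backup / "line1").mkdir(parents=True)
        # Constructed sample files named after controller models mentioned in the advisory
        (backup / "line1" / "tm251_project.bin").write_bytes(b"\x00" * 4096 + b"constructed project image")
        (backup / "line1" / "nx1p2_config.xml").write_text("<config constructed='true'/>")
        (backup / "hmi_firmware.img").write_bytes(bytes(range(256)) * 16)

        manifest = build_manifest(backup)          # taken while the state is known good
        seal = seal_manifest(manifest, key)
        clean = verify_backup(backup, manifest, key, seal)

        # Simulate corruption, deletion and an unexpected file appearing in the backup set
        (backup / "line1" / "tm251_project.bin").write_bytes(b"\x00" * 4096 + b"constructed project imagf")
        (backup / "line1" / "nx1p2_config.xml").unlink()
        (backup / "dropped_tool.exe").write_bytes(b"constructed unexpected file")
        tampered = verify_backup(backup, manifest, key, seal)

        # A manifest regenerated over the altered tree matches the files but fails the seal
        forged = build_manifest(backup)
        forged_check = verify_backup(backup, forged, key, seal)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for name, result in zip(("clean", "tampered", "forged"), demo()):
        print(name, json.dumps(result))
```

The seal is the part that makes this a known-good check rather than a change detector: a plain hash list kept next to the backups can be regenerated by whoever altered them, so the key and the sealed manifest belong with the offline media (or the manifest is signed), and the answer the check gives is "is this still the backup taken from a trusted state", not merely "has the tree changed since it was last listed".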
Tomi Engdahl says:
US agencies warn of custom-made hacking tools targeting energy sector systems
https://therecord.media/us-agencies-warn-of-custom-made-hacking-tools-targeting-energy-sector-systems/
Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies.
In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.
“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the alert explained.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-fix-several-critical-vulnerabilities
Tomi Engdahl says:
Flaws in ABB Network Interface Modules Expose Industrial Systems to DoS Attacks
https://www.securityweek.com/flaws-abb-network-interface-modules-expose-industrial-systems-dos-attacks
Industrial technology giant ABB is working on patches for three high-severity vulnerabilities discovered by researchers in some of the company’s network interface modules.
The vulnerabilities affect Symphony Plus SPIET800 and PNI800, which are network interface modules that enable communications between a control network and a host computer running an engineering tool or a human-machine interface (HMI).
Due to the way these products handle certain packets, an attacker who has local access to the control network or remote access to a system server can cause a denial-of-service (DoS) condition that can only be addressed with a manual reboot.
The vulnerabilities, discovered by researchers at OT cybersecurity firm Verve Industrial, have been assigned the CVE identifiers CVE-2021-22285, CVE-2021-22286 and CVE-2021-22288, and they have all been rated “high severity.”
ABB published an advisory for these vulnerabilities in February and the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory last week to inform organizations using the affected products about the risks.
ICS Advisory (ICSA-22-097-02)
ABB SPIET800 and PNI800
https://www.cisa.gov/uscert/ics/advisories/icsa-22-097-02
SECURITY – Denial of Service Vulnerabilities in SPIET800 INFI-Net to Ethernet Transfer module and PNI800 S+ Ethernet communication interface module
CVE ID: CVE-2021-22285, CVE-2021-22286, CVE-2021-22288
https://library.e.abb.com/public/0e2620afd4ec4cd88894d2669672f4c3/7PAA001353_en_Cyber%20Security%20Advisory%20ABB_SPIET800_PNI800_Firmware.pdf?x-sign=AKJrxPXeIG3wJPzf6MIcYtDymeynp4o9hbeyK0vUDBe6apjd57Fbi1O1VsxbhrO7
Tomi Engdahl says:
U.S. Warns New Sophisticated Malware Can Target ICS/SCADA Devices
https://www.securityweek.com/us-warns-new-sophisticated-malware-can-target-icsscada-devices
The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers.
A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.
“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory [PDF].
The government advisory said the custom malware has been seen targeting the following products:
● Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
● OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
● OPC Unified Architecture (OPC UA) servers.
The government warning comes on the heels of a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service.
APT Cyber Tools Targeting ICS/SCADA Devices
https://www.cisa.gov/uscert/sites/default/files/publications/Joint_Cybersecurity_Advisory_APT%20Cyber%20Tools%20Targeting%20ICS%20SCADA%20Devices.pdf
Tomi Engdahl says:
Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems
https://www.wired.com/story/pipedream-ics-malware/
The malware toolkit, known as Pipedream, is perhaps the most versatile tool ever made to target critical infrastructure like power grids and oil refineries.
MALWARE DESIGNED TO target industrial control systems like power grids, factories, water utilities, and oil refineries represents a rare species of digital badness. So when the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.
On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.
“This is the most expansive industrial control system attack tool that anyone has ever documented,” says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it.”
Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”
While the toolkit’s adaptability means it could be used against practically any industrial environment, from manufacturing to water treatment, Dragos points out that the apparent focus on Schneider Electric and OMRON PLCs does suggest that the hackers may have built it with power grid and oil refineries—particularly liquified natural gas facilities—in mind, given Schneider’s wide use in electric utilities and OMRON’s broad adoption in the oil and gas sector. Caltagirone suggests the ability to send commands to servo motors in those petrochemical facilities via OMRON PLCs would be particularly dangerous, with the ability to cause “destruction or even loss of life.”
The CISA advisory doesn’t point to any particular vulnerabilities in the devices or software the Pipedream malware targets, though Caltagirone says it does exploit multiple zero-day vulnerabilities—previously unpatched hackable software flaws—that are still being fixed. He notes, however, that even patching those vulnerabilities won’t prevent most of Pipedream’s capabilities, as it’s largely designed to hijack the intended functionality of target devices and send legitimate commands in the protocols they use.
The discovery of the Pipedream malware toolkit represents a rare addition to the handful of malware specimens found in the wild that target industrial control systems (ICS) software. The first and still most notorious example of that sort of malware remains Stuxnet, the US- and Israeli-created code that was uncovered in 2010 after it was used to destroy nuclear enrichment centrifuges in Iran. More recently, the Russian hackers known as Sandworm, part of the Kremlin’s GRU military intelligence agency, deployed a tool called Industroyer or Crash Override to trigger a blackout in the Ukrainian capital of Kyiv in late 2016.
The next year, Kremlin-linked hackers infected systems at the Saudi Arabian oil refinery Petro Rabigh with a piece of malware known as Triton or Trisis, which was designed to target its safety systems—with potentially catastrophic physical consequences—but instead triggered two shutdowns of the plant’s operations. Then, just last week, Russia’s Sandworm hackers were detected using a new variant of their Industroyer code to target a regional electrical utility in Ukraine, though Ukrainian officials say they managed to detect the attack and avert a blackout.
Tomi Engdahl says:
Five Security “Must Haves” and the World Economic Forum
March 28, 2022
Secure Thingz’s CEO, Haydn Povey, talks about the World Economic Forum’s Council on the Connected World announcement.
https://www.electronicdesign.com/technologies/embedded-revolution/video/21236230/electronic-design-iar-security?utm_source=EG+ED+Auto+Electronics&utm_medium=email&utm_campaign=CPS220405124&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
The World Economic Council on the Connected World recently announced a joint statement of support on consumer IoT device security. It included a list of five security “must haves” as a minimum requirement for consumer-facing IoT devices:
Must not have universal default passwords.
Must keep software updated.
Must have secure communication.
Must ensure that personal data is secure.
Must implement a vulnerability disclosure policy.
The first four are ones that most developers would take for granted, but whether it’s part of a corporate policy is another matter. Getting companies to pay attention to security concerns tends to be an ongoing struggle. Still, pronouncements like this can help elevate those efforts. The ETSI standard 303-645, announced in 2020, also is part of the discussion.
Tomi Engdahl says:
https://www.darkreading.com/vulnerabilities-threats/vulnerabilities-in-rockwell-automation-plcs-could-enable-stuxnet-like-attacks
Tomi Engdahl says:
Arduino releases secure bootloader based on MCUboot
https://www.cnx-software.com/2022/04/13/arduino-mcuboot-secure-bootloader/
Arduino has released a new bootloader based on MCUBoot to increase the range of features and firmware safety of Arduino products, with the first release targeting STM32H7 based Arduino Portenta and Nicla Vision boards from the Arduino Pro family.
Tomi Engdahl says:
https://coderoasis.com/attacks-against-ups-devices/
Tomi Engdahl says:
The default “pi” user in Raspberry Pi OS
The default “pi” user in Raspberry Pi OS has been removed, and you must establish a user account during setup.
https://www.hackster.io/kamaluddinkhan/the-default-pi-user-in-raspberry-pi-os-64c782
Tomi Engdahl says:
CISA expands cyber defense initiative with industrial control systems partnership
https://therecord.media/cisa-expands-cyber-defense-initiative-with-industrial-control-systems-partnership/
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced Wednesday the expansion of the Joint Cyber Defense Collaborative (JCDC) to incorporate industry leaders including security vendors, integrators, and distributors. As the U.S. government continues to build upon and push for public cooperation in cybersecurity and resilience initiatives, the announced partnership with industrial control systems and operational technology (ICS/OT) experts is expected to enhance public and private collaboration.
Tomi Engdahl says:
New BotenaGo Variant Infects Lilin Security Cameras With Mirai
https://www.securityweek.com/new-botenago-variant-infects-lilin-security-cameras-mirai
A newly identified variant of the BotenaGo malware is specifically targeting security cameras manufactured by Taiwan-based Lilin, warns OT and IoT security firm Nozomi Networks.
The threat is based on the source code of the Go-written BotenaGo malware, which was leaked online in October 2021, but its sole purpose appears to be the infection of compromised devices with Mirai.
The original BotenaGo contained over 30 exploits for known vulnerabilities in routers and other types of IoT devices. The malware could create two backdoor ports on infected devices, and execute remote shell commands.
With a low detection rate, the new variant of the malware – which Nozomi refers to as Lillin scanner – was stripped of most of the 30 exploits in the original source code and repurposed to target a two-year-old vulnerability in Lillin security camera DVR devices.
Tomi Engdahl says:
Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict
https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict
We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.
In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.
In early April, high-voltage electrical substations operated by an energy provider in Ukraine were targeted with Industroyer2 malware, with the intent of causing damage by manipulating industrial control systems (ICS). And on April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI warned that threat actors have developed custom-made tools to target ICS and supervisory control and data acquisition (SCADA) devices.
Since the beginning of the year, we’ve seen a steady drumbeat of alerts and new resources available for critical infrastructure organizations. A joint Cybersecurity Advisory, authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, released in January, 2022, details tactics, techniques, and procedures associated with a number of Russian state actors. Given these threat actors’ demonstrated capabilities and activities, it comes as no surprise that CISA is stepping in and speaking directly to operators of critical infrastructure networks, giving them specific indicators of compromise to look out for and any unexplained equipment behavior.
Tomi Engdahl says:
Does your car's software update at night? From summer on it must happen securely
https://etn.fi/index.php/13-news/13458-paeivittyykoe-autosi-ohjelmisto-yoellae-kesaellae-se-pitaeae-tapahtua-turvatusti
New cars are known to be "computers on wheels", and new features and fixes are regularly delivered to them through software updates. The UN body UNECE (United Nations Economic Commission for Europe) requires that from July onward, cars' OTA updates must be performed in a cyber-secure manner.
In July the UNECE WP.29 regulation comes into force. It stipulates that vehicles supporting wireless software updates must prove that security is protected by a cybersecurity management system during development, during production and after production.
To meet this regulation, the system requires mechanisms that keep vehicle software data safe and well protected. Developers of automotive systems have been working on these mechanisms for quite some time. One of the solutions is based on the collaboration between Excelfore and IIJ Global.
Tomi Engdahl says:
ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami 2022
https://www.securityweek.com/ics-exploits-earn-hackers-400000-pwn2own-miami-2022
Pwn2Own Miami 2022, a hacking contest focusing on industrial control systems (ICS), has come to an end, with contestants earning a total of $400,000 for their exploits.
The contest, organized by Trend Micro’s Zero Day Initiative (ZDI), saw 11 contestants demonstrating their exploits in the OPC UA Server, Control Server, Human Machine Interface, and Data Gateway categories.
Participants demonstrated a total of 26 unique zero-day exploits against products from Unified Automation, Iconics, Inductive Automation, Prosys, Aveva, Triangle MicroWorks, OPC Foundation, Kepware, and Softing.
A majority of the 32 hacking attempts were successful — two failed and eight involved previously known bugs. These “bug collisions” still earned participants $5,000 for each attempt.
Pwn2Own Miami 2022 Results
https://www.zerodayinitiative.com/blog/2022/4/14/pwn2own-miami-2022-results
Tomi Engdahl says:
Many Industrial Firms Say Cybersecurity Systems Cause Problems to Operations
https://www.securityweek.com/many-industrial-firms-say-cybersecurity-systems-cause-problems-operations
Despite an increase in cybersecurity incidents, many industrial organizations turn off security systems if they interrupt or otherwise impact operations, according to a global survey conducted earlier this year by Kaspersky.
Kaspersky reported recently that it only saw a small increase in the percentage of industrial control system (ICS) computers targeted in 2021, compared to the previous year.
However, of the more than 300 respondents who took part in the latest survey, half reported seeing an increase in security incidents affecting ICS or other operational technology (OT) systems since the end of 2019.
In the past year, nearly one-third of the organizations that took part in the survey experienced a high number of incidents (at least 20). These incidents are often related to staff violating IT security policies, devices getting infected with malware, or employees inappropriately using IT resources.
While many organizations have come to understand the importance of securing their OT environments, 40% of respondents admitted that the security tools they are currently using are not compatible with their automation systems, and 38% reported at least one event where cybersecurity products interrupted or in some way affected their operations.
When they experienced these disruptions, 30% of companies decided to turn off their security systems. Others made changes to production or automation systems to avoid conflicts, they changed security settings in an effort to find a balance between security and productivity, or they switched cybersecurity vendors.
Additional information, along with recommendations for improving OT security, is available in the “Kaspersky ICS Security Survey 2022” (PDF).
https://go.kaspersky.com/rs/kaspersky1/images/Kaspersky_ICS_Security_Survey_2022.pdf
Tomi Engdahl says:
Slight Increase in Attacks on ICS Computers in 2021: Report
https://www.securityweek.com/slight-increase-attacks-ics-computers-2021-report
Kaspersky said it saw only a small increase in the percentage of industrial control system (ICS) computers targeted in 2021 compared to the previous year, but there was a more significant rise for certain types of threats.
Overall, Kaspersky blocked “malicious objects” on 39.6% of the ICS computers protected by its products, up from 38.6% in 2020. On the other hand, in the second half of 2021, the company observed attacks only against 31.4% of devices, the smallest of any six-month period since the start of 2020.
However, there were certain types of threats where the number of detections has been on an upwards trend in the past two years. This includes spyware (blocked on over 8.1% of devices compared to 5.6% in H1 2020), malicious scripts and phishing pages (9.3% up from 6.5%), and cryptocurrency miners (2.1% up from 0.9%).
In North America, nearly 20% of systems were targeted, roughly the same as in Western Europe, Kaspersky’s report shows. In comparison, the percentage of targeted systems exceeded 40% in many parts of Asia and even 50% in Africa and Southeast Asia.
The cybersecurity firm’s solutions blocked roughly 5,000 malware families and 20,000 malware variants on industrial systems in both the first and the second half of 2021. In terms of variants, this is roughly the same as in the previous two years. However, in terms of malware families, while there was no significant change in 2021 compared to 2020, the numbers are roughly double compared to 2019.
Tomi Engdahl says:
Insteon Blames Abrupt Shutdown on Failed Effort to Find a Buyer
https://uk.pcmag.com/smart-home/139876/smart-home-company-insteon-shuts-down-servers-without-warning
Original Story 4/19: Home automation company Insteon appears to have quietly shut down without warning. The abrupt service termination left users with broken smart home setups and plenty of questions.
UPDATE: Why did Insteon shut down without warning? It ran out of money.
Tomi Engdahl says:
Aftonbladet: Scandal at Verisure: employees are reported to have viewed customers' nude images, the company is investigating
https://www.is.fi/digitoday/art-2000008769860.html
Verisure is at the centre of a scandal in Sweden. The country's data protection authority is launching an investigation into the alarm-system giant.
The Swedish data protection authority (IMY) says it is launching an investigation concerning the security services company Verisure.
IMY is now investigating whether the company's employees in Sweden have improperly shared surveillance camera footage among themselves and saved it on computers.
– We are now starting an inspection of the company to find out what has happened, but also to find out what technical security measures the company has in place in the form of access control and logging, and what instructions employees are given on handling image material, says Jenny Bård, who leads IMY's investigation, in a press release published on IMY's website yesterday, Friday.
https://www.imy.se/nyheter/imy-granskar-larmbolaget-verisure/
Tomi Engdahl says:
Hackers Easily Breach Power Grid OPC UA at Pwn2Own 2022
https://gizmodo.com/hackers-breach-power-grid-opc-ua-pwn2own-2022-1848825967
It’s Pretty Easy to Hack the Program That Runs Our Power Grids, It Turns Out
Getting inside a program that runs most of the world’s industrial control systems? The easiest thing you’ll do all weekend, two white hat hackers said.
Two hackers just pwned the software that runs a majority of the world’s electrical grids. And they did it without breaking a sweat.
Thankfully, the hackers in question were not cybercriminals or nation-state actors out to wreak havoc but adept white hats, who rocked the software on stage in front of an audience at 2022’s Pwn2Own, a hacker conference this week in Miami, according to MIT Technology Review. The point of such conferences is to identify bugs in software so that companies can patch them before they’re exploited by bad guys.
Dutch security researchers Daan Keuper and Thijs Alkemade said that breaking into OPC UA, an open source communications protocol used by a majority of industrial control systems around the world, was the “easiest” thing they’d hacked at the conference so far. “In industrial control systems, there is still so much low-hanging fruit,” Keuper told MIT. “The security is lagging behind badly.” Comforting news!
Keuper and Alkemade apparently went to town on droves of different kinds of industrial control software, but the hacking of OPC UA protocol won the duo $40,000 and helped them to secure the conference’s championship title, called “Master of Pwn.”
“OPC UA is used everywhere in the industrial world as a connector between systems,” Keuper told MIT. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That’s why people found it to be the most important and interesting. It took just a couple of days to find.”
As Tech Review aptly notes, it’s pretty unsettling timing for this accomplishment to occur. For the last several weeks, national security professionals and White House officials have very publicly worried that Russian nation state hackers might attempt to conduct debilitating cyberattacks on U.S. critical infrastructure as retaliation for U.S. support for Ukraine. The White House recently warned American companies to be on guard against potential cyberattacks and the FBI and other agencies have said they fear Russian attacks on electrical power grids, nuclear power plants, water systems, and more.
The question naturally springs to mind: If it’s a cinch for two contest-goers to hack a utility system, what’s the likelihood that foreign intelligence agencies have the same capabilities? In short: good job, guys! But, also, yikes!
Tomi Engdahl says:
These hackers showed just how easy it is to target critical infrastructure
Two Dutch researchers have won a major hacking championship by hitting the software that runs the world’s power grids, gas pipelines, and more. It was their easiest challenge yet.
https://www-technologyreview-com.cdn.ampproject.org/c/s/www.technologyreview.com/2022/04/21/1050815/hackers-target-critical-infrastructure-pwn2own/amp/
“I’m surprised to see so many unique bugs on the Iconics Genesis64,” says Childs. “It just shows there is a real depth of bugs to be mined. There is a lot more out there than what people are reporting right now.”
The indisputable highlight of the show belonged to Keuper and Alkemade, who targeted a communications protocol called OPC UA. Think of it as the lingua franca that different parts of a critical-operations system use to talk to each other in industrial settings. Keuper and Alkemade—competing under their company name, Computest—successfully bypassed the trusted-application check.
When it happened, the room instantly erupted into the biggest applause of the entire weeklong competition. I watched the audience buzz as Keuper and Alkemade turned their laptops around for us all to witness their success. In just a few seconds, the team won $40,000 and enough points to secure the competition’s championship title, “Master of Pwn.”
“We’re looking for exactly that kind of big thing,” says Childs.
“OPC UA is used everywhere in the industrial world as a connector between systems,” says Keuper. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That’s why people found it to be the most important and interesting. It took just a couple of days to find.”
The OPC UA hack was a side project, a distraction from Keuper and Alkemade’s day jobs. But its impact is outsized.
In critical infrastructure, some systems can last for decades. Some known security flaws can’t be fixed at all. Operators often can’t update their technology for security fixes because taking a system offline is out of the question. It’s not easy to turn a factory on and off again like a light switch—or like a laptop.
“In industrial control systems, the playing field is completely different,” Keuper says. “You have to think about security differently. You need different solutions. We need game changers.”
“Hopefully we made the world a safer place,” says Keuper.
Tomi Engdahl says:
Embedded Security Solutions with dsPIC33 DSCs and PIC24 MCUs
Microchip’s solutions deliver an application-specific feature set for low-power security, functional safety, and more
https://www.digikey.com/en/product-highlight/m/microchip-technology/embedded-security-solutions-with-dspic33-dscs-and-pic24-mcus?dclid=CPeC1NyRsfcCFQJCGQodFEgJqQ
Microchip’s high-performance dsPIC33C digital signal controllers (DSCs) and low-power PIC24F microcontrollers (MCUs) are combined with their ATECC608 CryptoAuthentication™ and TrustAnchor100 (TA100) CryptoAutomotive™ security ICs to provide robust system-level security. The dsPIC33C DSCs and PIC24F MCUs deliver high performance, low power consumption, and an application-specific feature set for low-power security, sensor interfacing, real-time control, functional safety, digital power conversion, Qi wireless charging, and motor control applications.
Protecting embedded systems with robust security is essential in IoT (Internet of Things), automotive, medical, consumer, wireless, industrial, and other connected designs. Security standards are available and constantly evolving to reinforce the requirements of IoT applications. Many automotive original equipment manufacturers (OEMs) are including security in their design specifications to protect electronic control units (ECUs) in connected vehicles from attacks. Markets and applications share similar requirements for security specifications including unique passwords for all devices without default passwords, secure storage to isolate sensitive cryptographic keys, firmware verification at boot to ensure integrity before execution and after software updates, and secure communication between devices or ECUs and the external world.
Tomi Engdahl says:
Many IoT Devices Exposed to Attacks Due to Unpatched Flaw in uClibc Library
https://www.securityweek.com/many-iot-devices-exposed-attacks-due-unpatched-flaw-uclibc-library
Nozomi Networks, a firm specialized in securing operational technology (OT) and IoT systems, has disclosed a potentially serious vulnerability affecting a C standard library used by several major companies.
The affected library is uClibc, which is designed for developing embedded Linux systems. According to the official uClibc website, the library is used by Linksys and Netgear for their wireless routers, and by Axis for its network cameras. uClibc-ng, a fork for the OpenWRT router operating system, is also impacted by the vulnerability.
The security hole, tracked as CVE-2022-05-02, can be exploited for DNS poisoning attacks against affected devices.
“In a DNS poisoning attack, an attacker is able to deceive a DNS client into accepting a forged response, thus inducing a certain program into performing network communications with an arbitrarily defined endpoint, and not the legitimate one,” Nozomi explained in a blog post detailing the vulnerability.
“A DNS poisoning attack enables a subsequent Man-in-the-Middle attacks because the attacker, by poisoning DNS records, is capable of rerouting network communications to a server under their control. The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” the company added.
There is no patch for the vulnerability, but its disclosure will hopefully lead to the development of a fix.
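Added example (not code from Nozomi, uClibc or SecurityWeek): the defensive counterpart of the forged-response acceptance described above, a minimal check a DNS client can apply before trusting a reply. The query, the legitimate reply and the mismatched reply below are all constructed inline for illustration.

```python
import struct
import secrets

def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels ending with the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid: int, name: str) -> bytes:
    """Minimal DNS query: header + one A/IN question (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid: int, name: str, addr: str) -> bytes:
    """Minimal A-record reply for name; used only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in addr.split("."))
    # Answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer

def _question_end(buf: bytes, off: int = 12) -> int:
    """Offset just past the first question (QNAME + QTYPE + QCLASS).
    Raises IndexError on truncated or pointer-compressed question names."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1 + 4

def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a reply only if it echoes the outstanding query's transaction ID
    and its question section and is flagged as a response (QR bit set).
    A client that skips any of these checks, or uses predictable IDs, can be
    steered to an attacker-chosen endpoint by a forged reply."""
    if len(query) < 12 or len(response) < 12:
        return False
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags, rqdcount = struct.unpack("!HHH", response[:6])
    if rid != qid or not (rflags & 0x8000) or rqdcount != 1:
        return False
    try:
        return query[12:_question_end(query)] == response[12:_question_end(response)]
    except IndexError:
        return False

# Transaction IDs must be unpredictable; secrets, not a counter or time seed.
TXID = secrets.randbelow(65536)
QUERY = build_query(TXID, "update.example.invalid")   # constructed hostname
GOOD = build_response(TXID, "update.example.invalid", "192.0.2.10")
WRONG_NAME = build_response(TXID, "other.example.invalid", "198.51.100.7")
```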
Tomi Engdahl says:
Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug https://therecord.media/iot-vulnerability-ics-nozomi-networks-uclibc-ng/
Cybersecurity analysts published information Monday about a potentially serious unpatched bug in code for internet of things (IoT) devices because they want the public’s help in fixing the problem, which could affect technology used in critical infrastructure. Also https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-millions-of-routers-and-iot-devices/