https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,735 Comments
Tomi Engdahl says:
https://www.securityweek.com/new-russia-linked-cosmicenergy-ics-malware-can-disrupt-electric-grid/
Tomi Engdahl says:
Amazon’s Ring cameras were used to spy on customers https://www.malwarebytes.com/blog/news/2023/06/amazons-ring-camera-used-to-spy-on-customers
Every single Amazon Ring employee was able to access every single customer video, even when it wasn’t necessary for their jobs.
Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.
That’s what the FTC has alleged in a recent complaint, for which Amazon is facing a settlement of $5.8 million.
And, unsurprisingly, some employees abused that access right.
Tomi Engdahl says:
New GobRAT Remote Access Trojan Targeting Linux Routers in Japan
https://thehackernews.com/2023/05/new-gobrat-remote-access-trojan.html
Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT.
“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT,” the JPCERT Coordination Center (JPCERT/CC) said in a report published today.
The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection.
The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access.
Tomi Engdahl says:
Useimpien yritysten OT-järjestelmään on murtauduttu
https://etn.fi/index.php/13-news/15050-useimpien-yritysten-ot-jaerjestelmaeaen-on-murtauduttu-2
Operatiivisesta teknologiasta (OT) on tullut tärkeä osa kyberturvallisuustyötä organisaatioissa. Tietoturvayritys Fortinetin kyselyn perusteella vuonna 2022 kuusi prosenttia organisaatioista raportoi, että niiden järjestelmiin ei ollut onnistuttu tunkeutumaan, vuonna 2023 luku on noussut jo 25 prosenttiin.
Vaikka tilanne on vuodessa parantunut, parantamisen varaa on edelleen, jos kolmen neljästä yrityksestä OT-verkkoon on onnistuttu murtautumaan viimeisen vuoden aikana. Toisaalta OT-verkkoihin liitetään koko ajan lisää laitteita.
- Paikallisten yritysten kanssa käymiemme keskustelujen perusteella myös verkkoon yhdistetyt OT-laitteet ovat yleistyneet Suomessa räjähdysmäisesti. IT ja OT lähenevät toisiaan. Kaikki on yhteydessä verkkoon, ja esimerkiksi reaaliaikaisen data-analyysin mahdollistavaa dataa jaetaan enemmän kuin koskaan. Tämä tarkoittaa, että mahdollinen hyökkäysvektori kasvaa, ja sen myötä kasvavat myös riskit, sanoo Suomen Fortinetin teknologiajohtaja Jani Ekman.
OT-verkkoihin murtaudutaan samoilla menetelmillä kuin IT-verkkoihin. Tunkeutumiset johtuivat tyypillisimmin erilaisista haittaohjelmista (56 %) ja tietojen kalastelusta (49 %). Kolmannes vastaajista ilmoitti joutuneensa viime vuonna kiristysohjelmahyökkäyksen uhriksi.
Ekmanin mukaan OT-tietoturvasta huolehtiminen vaatii toisenlaista ajattelutapaa. – Monien laitteiden ennustettu käyttöikä on yli 25 vuotta, eikä niitä ole suunniteltu vastaamaan nykypäivän kyberturvallisuusympäristön haasteisiin. Monet laitteista ovat osa liiketoiminnan kannalta kriittistä tuotantoa, eikä niitä voi noin vain poistaa verkosta korjaustiedostojen asentamista varten.
2023 State of Operational Technology and Cybersecurity Report
https://www.fortinet.com/content/dam/fortinet/assets/reports/report-state-ot-cybersecurity.pdf
Tomi Engdahl says:
Air-Gapped Networks (Part 1): Air-Gapped Madness
April 11, 2023
It’s not enough to have an air-gapped network—that network must be located in a secure facility, too.
https://www.electronicdesign.com/technologies/embedded/article/21263671/digistor-airgapped-networks-part-1-airgapped-madness?oly_enc_id=7211D2691390C9R
Tomi Engdahl says:
COSMICENERGY Malware Is Not an Immediate Threat to Industrial Control Systems https://www.dragos.com/blog/cosmicenergy-malware-is-not-an-immediate-threat-to-industrial-control-systems/
Dragos recently analyzed the new industrial control systems (ICS) malware dubbed COSMICENERGY by Mandiant on May 25, 2023. This malware, designed to target IEC 104 devices, exploits existing Microsoft SQL (MS SQL) servers that are connected to remote terminal units (RTUs). Dragos Threat Intelligence independently analyzed the malware and, counter to media headlines claiming power disruption or grid crippling abilities, concluded that COSMICENERGY is not an immediate threat to operational technology.
Tomi Engdahl says:
Hakkerit iskevät terveydenhuoltoon aiempaa useammin – Osa laitteista on tietoturvaltaan niin vanhentuneita, ettei päivittäminen onnistu [TILAAJILLE]
https://www.tivi.fi/uutiset/tv/23d3d577-9dbc-418b-ab6e-094554a104a7
Meneillään oleva siirtymävaihe hyvinvointialueille on tietoturvariski.
”Tietojen kalastelulle on muutostilanteissa loistava hetki”, sanoo tietoturva-asiantuntija Jarno Ahlström Check Pointilta.
Tomi Engdahl says:
CSC’s recommendations on securing US critical infrastructure
In a new report, the Cyberspace Solarium Commission (CSC) deems the system currently used to designate critical sectors as inadequate. CSC evaluates the state of the public-private sector relationship, underlines flaws in policy implementation, and provides recommendations on how to change it to improve national security.
CSC 2.0 Reports
Revising Public-Private Collaboration to Protect U.S. Critical Infrastructure
https://cybersolarium.org/csc-2-0-reports/revising-public-private-collaboration-to-protect-u-s-critical-infrastructure/
The current systems for designating sectors as critical and for mitigating cross-sector risks are inadequate.
Few things more directly impact Americans’ security and well-being than the reliability, availability, and safety of critical infrastructure. The security of this critical infrastructure relies, in turn, on the strength of the relationship between the government and the private sector, which owns and operates the majority of the infrastructure. Thus, the federal government has endeavored for decades to build a strong relationship with the private sector.
Nevertheless, the policy underpinning this public-private sector relationship has become outdated and incapable of meeting today’s demands. Similarly, the implementation of this policy — and the organization, funding, and focus of the federal agencies that execute it — is inadequate. This report will evaluate the state of the public-private sector relationship and offer recommendations to reshape it to improve national security going forward.
Tomi Engdahl says:
New Research Shows Potential of Electromagnetic Fault Injection Attacks Against Drones
https://www.securityweek.com/new-research-shows-potential-of-electromagnetic-fault-injection-attacks-against-drones/
New research conducted by IOActive shows the potential of electromagnetic fault injection (EMFI) attacks against drones.
New research shows the potential of electromagnetic fault injection (EMFI) attacks against unmanned aerial vehicles, with experts showing how drones that don’t have any known vulnerabilities could be hacked.
The research was conducted by IOActive, a company specializing in cybersecurity research and assessments. The security firm previously found vulnerabilities affecting cars, ships, Boeing and other airplanes, industrial control systems, communication protocols, and operating systems.
The analysis was led by Gabriel Gonzalez, director of hardware security at IOActive, and it focused on electromagnetic side-channel and fault injection attacks with the goal of achieving arbitrary code execution on the targeted drone.
The research is ongoing, but initial results show that EMFI techniques can be efficient for black-box hacking, where the attacker does not have internal knowledge of the targeted system.
The experiments demonstrated that injecting a specific EM glitch at a specific time during the firmware update process could allow an attacker to execute arbitrary code on the main processor, giving them access to the Android operating system that implements core functionality.
Tomi Engdahl says:
https://www.securityweek.com/in-other-news-linux-kernel-exploits-update-on-bec-losses-cybersecurity-awareness-act/
Dragos launches Global Partner Program
Industrial cybersecurity firm Dragos has launched a Global Partner Program that comprises OT security services, technology and threat intelligence. Partners also get training that enables them to offer assessment services to customers.
Dragos Launches OT Cyber Industry’s Only Global Partner Program to Span Technology, Services, Threat Intelligence, and Training
https://www.dragos.com/resource/dragos-launches-ot-cyber-industry-global-partner-program/
HANOVER, Md., June 13, 2023 – Dragos Inc., the global leader in cybersecurity for industrial controls systems (ICS)/operational technology (OT) environments, today announced the launch of the Dragos Global Partner Program, the only channel program to comprise OT cybersecurity technology, services, and threat intelligence. The Dragos Partner Program extends even further by offering training that prepares partners as experts who can offer their customers assessment services based on Dragos’s proven assessment methodology; resell the Dragos Platform including asset discovery, threat detection, and vulnerability management; and manage deployment for customers.
The Dragos Partner Program enables channel partners to offer their customers the full range of ICS/OT cybersecurity technology and services to increase revenue opportunity and deliver positive customer outcomes. Partners gain confidence in being backed by Dragos experts, the industry’s largest, most experienced group of ICS/OT security practitioners who’ve been on the frontlines of major cyberattacks on industrial infrastructure.
“Market demand for OT cybersecurity is accelerating as evolving threats, geopolitical dynamics, and regulations shine a spotlight on the need to protect industrial infrastructure,” said Christophe Culine, Vice President of Global Sales and Chief Revenue Officer, Dragos. “With the new Dragos Global Partner Program, we will transfer our knowledge and experience as the industry’s ICS/OT cybersecurity leader to our channel partners, enabling them to fully manage their customers’ deployments with the industry’s most comprehensive and complete ICS/OT security solution.”
Tomi Engdahl says:
Flipper Zero “Smoking” A Smart Meter Is A Bad Look For Hardware Hackers
https://hackaday.com/2023/06/14/flipper-zero-smoking-a-smart-meter-is-a-bad-look-for-hardware-hackers/
Alright, we’re calling it — we need a pejorative equivalent to “script kiddie” to describe someone using a Flipper Zero for annoyingly malign purposes. If you need an example, check out the apparent smart meter snuff video below.
The video was posted by [Peter Fairlie], who we assume is the operator of the Flipper Zero pictured. The hapless target smart meter is repeatedly switched on and off with the Flipper — some smart meters have contactors built in so that service can be disconnected remotely for non-payment or in emergencies — which rapidly starts and stops a nearby AC compressor. Eventually, the meter releases a puff of Magic Smoke, filling its transparent enclosure and obscuring the display. The Flipper’s operator mutters a few expletives at the results, but continues turning the meter on and off even more rapidly before eventually running away from the scene of the crime.
Tomi Engdahl says:
OT:Icefall: Vulnerabilities Identified in Wago Controllers
https://www.securityweek.com/oticefall-vulnerabilities-identified-in-wago-controllers/
Forescout Technologies has disclosed the details of vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
Forescout Technologies has disclosed the details of three vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.
After an initial set of 56 vulnerabilities disclosed in June 2022, Forescout shared the details of three more flaws in November 2022, and is now adding two new bugs to the list, while also sharing information on a previously identified but not disclosed issue.
Tracked as CVE-2023-1619 and CVE-2023-1620, the new vulnerabilities impact Wago 750 controllers using the Codesys v2 runtime and could be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition, Forescout says.
The first issue is the result of a poor implementation of protocol parsers, while the second is an insufficient session expiration bug. The two flaws can be exploited by an authenticated attacker to crash a device, by sending a malformed packet or specific requests after being logged out, respectively.
Tomi Engdahl says:
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.
The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.
The widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored.
The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.
Tomi Engdahl says:
Checkmate: What Chess Taught Me About Cyber Resilience https://www.forbes.com/sites/forbestechcouncil/2023/06/23/checkmate-what-chess-taught-me-about-cyber-resilience/
In the game of chess, every single move contributes to the overall outcome.
All 16 pawns—the queen, knights, bishops and others—provide unique value to a player. The queen is the most powerful piece of the game and, if used strategically, can protect every other piece.
When investing in cybersecurity, CISOs must strategically place every resource in the right spot. Making the right moves at the right time will ensure the tools, people, practices and processes they invest in can protect their systems, networks and data from a cyberattack or data breach.
Making strategic moves is critical in building a successful and secure business.
A chess player must outsmart their opponent by predicting their next move and subsequently making a move to counteract their opponent. In cybersecurity, security teams must think ahead by putting themselves in the adversary’s shoes.
Tomi Engdahl says:
IoT devices and Linux-based systems targeted by OpenSSH trojan campaign https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/
Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices.Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.
Tomi Engdahl says:
Alert: New Electromagnetic Attacks on Drones Could Let Attackers Take Control https://thehackernews.com/2023/06/alert-new-electromagnetic-attacks-on.html
Drones that don’t have any known security weaknesses could be the target of electromagnetic fault injection (EMFI) attacks, potentially enabling a threat actor to achieve arbitrary code execution and compromise their functionality and safety.
The research comes from IOActive, which found that it is “feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update.”
Tomi Engdahl says:
5 Things CISOs Need to Know About Securing OT Environments https://thehackernews.com/2023/06/5-things-cisos-need-to-know-about.html
For too long the cybersecurity world focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself.
Traditionally, few industrial enterprises had dedicated cybersecurity leaders.
Any security decisions that arose fell to the plant and factory managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or knowledge.
Tomi Engdahl says:
https://hackaday.com/2023/06/27/bluetooth-battery-monitors-that-also-monitor-your-position-without-asking/
Tomi Engdahl says:
5 Things CISOs Need to Know About Securing OT Environments
https://thehackernews.com/2023/06/5-things-cisos-need-to-know-about.html
Tomi Engdahl says:
IEC 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems.
https://en.wikipedia.org/wiki/IEC_62443
IEC 62351-8:2020
Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control for power system management
https://webstore.iec.ch/publication/61822
Tomi Engdahl says:
MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?
https://thehackernews.com/2023/06/mitre-unveils-top-25-most-dangerous.html
MITRE has released its annual list of the Top 25 “most dangerous software weaknesses” for the year 2023.
“These weaknesses lead to serious vulnerabilities in software,” the U.S.
Cybersecurity and Infrastructure Security Agency (CISA) said. “An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.”
The list is based on an analysis of public vulnerability data in the National Vulnerability Data (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity.
Tomi Engdahl says:
https://github.com/shaurya-007/NSA-Linux-Hardening-docs
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/07/03/kolme-miljoonaa-euroa-iot-tietoturvan-kehittamiseen/
Tomi Engdahl says:
Smart car chargers. Plug-n-play for hackers?
https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/
Over the last 18 months, we’ve been investigating the security of smart electric vehicle chargers. These allow the owner to remotely monitor and manage the charge state, speed and timing of their car charger, among many functions. We bought 6 different brands of chargers and also reviewed security of some public charging networks.
Tomi Engdahl says:
ICS/OT
Security Firm Finds Over 130k Internet-Exposed Photovoltaic Diagnostics Systems
https://www.securityweek.com/security-firm-finds-over-130k-internet-exposed-photovoltaic-diagnostics-systems/
Cyble has discovered more than 130,000 Photovoltaic monitoring and diagnostic solutions exposed to the internet.
More than 130,000 photovoltaic monitoring and diagnostic solutions are accessible from the public internet, which could make them susceptible to cyberattacks, threat intelligence firm Cyble says.
These solutions are used in the solar industry to gather real-time data on the efficiency and operations of photovoltaic installations, and are connected to the electric grid, enabling operators to manage the integration of photovoltaic systems with the grid.
Considered critical components of the systems, these monitoring and diagnostics solutions represent a wide attack surface that threat actors could target to impact grid operations.
Photovoltaic systems use IT and networking infrastructure for monitoring, control, remote diagnostics, and power management, which makes them susceptible to the same risks and types of cyberattacks that any internet-exposed critical infrastructure is prone to.
“A cyberattack on PV diagnostic and monitoring systems might have serious consequences for distributed energy resources (DER), including reduced energy production, system instability, physical asset damage, and unique cybersecurity challenges,” Cyble notes.
Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks
https://www.securityweek.com/exploited-solar-power-product-vulnerability-could-expose-energy-organizations-to-attacks/
An actively exploited vulnerability in the Contec SolarView solar power monitoring product can expose hundreds of energy organizations to attacks.
Hundreds of energy organizations could be exposed to attacks due to an actively exploited vulnerability affecting a solar power monitoring product made by Contec, vulnerability intelligence company VulnCheck warned on Wednesday.
Contec specializes in custom embedded computing, industrial automation, and IoT communication technology. The company’s SolarView solar power monitoring and visualization product is used at more than 30,000 power stations, according to its website.
Palo Alto Networks reported on June 22 that a Mirai variant has been exploiting a vulnerability in SolarView to hack devices and ensnare them into a botnet. The flaw, CVE-2022-29303, is one of the nearly two dozen targeted by the botnet.
CVE-2022-29303 is described as a code injection issue affecting SolarView version 6.0. The vulnerability can be exploited remotely by unauthenticated attackers.
VulnCheck’s analysis indicates that the security hole was only patched with the release of version 8.0 and versions dating back to at least 4.0 are impacted.
Solar monitoring systems exposed: Secure your devices https://www.malwarebytes.com/blog/news/2023/07/solar-monitoring-systems-exposed-secure-your-devices
Researchers who go looking for devices exposed to the Internet report “tens of thousands” of solar photovoltaic (PV) monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting.
No fewer than 134,000 products from an assortment of vendors were found to be exposed, though as Bleeping Computer notes, this does not necessarily mean they’re all vulnerable right now.
Indeed, the research highlights that around 7,000 devices belonging to one particular brand are in the list. A separate report linked by Bleeping Computer found 425 examples of said device making use of a firmware version known to be vulnerable to attack. As per said report, which cleverly makes use of a copyright string on the product’s landing page to work out which versions are vulnerable:
Tomi Engdahl says:
https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/
Tomi Engdahl says:
The Biden administration is tackling smart devices with a new cybersecurity label / The US Cyber Trust Mark would require smart products to meet certain thresholds, including ongoing software security support, to qualify for the program
https://www.theverge.com/2023/7/18/23798153/fcc-cyber-trust-mark-biden-security
The Biden administration is launching a new cybersecurity label for smart devices today.
https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/
Tomi Engdahl says:
USB drive malware attacks spiking again in first half of 2023
https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/
What’s old is new again, with researchers seeing a threefold increase in malware distributed through USB drives in the first half of 2023
A new report by Mandiant outlines how two USB-delivered malware campaigns have been observed this year; one named ‘Sogu,’ attributed to a Chinese espionage threat group ‘TEMP.HEX,’ and another named ‘Snowydrive,’ attributed to UNC4698, which targets oil and gas firms in Asia.
Tomi Engdahl says:
Hackers use new malware to breach air-gapped devices in Eastern Europe https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/
Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems.
Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices.
Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.
According to the findings, the hackers used at least 15 distinct implants in attacks in Eastern Europe, each for a distinct stage of the operation, as well as their signature ‘FourteenHi’ malware family.
Kaspesky says that the attacks started in April last year and involved three separate stages.
Air-gapped systems are an attractive target for APT groups, who typically turn to USB drives to deliver malware and exfiltrate data from the isolated environment.
Tomi Engdahl says:
https://www.securityweek.com/decommissioned-medical-infusion-pumps-expose-wi-fi-configuration-data/
Tomi Engdahl says:
Dozens of RCE Vulnerabilities Impact Milesight Industrial Router
https://www.securityweek.com/dozens-of-rce-vulnerabilities-impact-milesight-industrial-router/
Cisco Talos researchers warn of dozens of critical- and high-severity vulnerabilities in the Milesight UR32L industrial router leading to code execution.
Dozens of vulnerabilities impacting the Milesight UR32L industrial router could be exploited to execute arbitrary code or commands, Cisco’s Talos security researchers warn.
A cost-effective solution, the UR32L router provides WCDMA and 4G LTE support, Ethernet ports, and remote device management, which make it suitable for a broad range of M2M/IoT applications.
During their investigation into the UR32L router and the accompanying remote access solution MilesightVPN, Talos submitted more than 20 vulnerability reports that resulted in 69 CVEs being assigned. Of these, 63 impact the industrial router.
The most severe of the identified issues is CVE-2023-23902 (CVSS score of 9.8), described as a buffer overflow vulnerability in the HTTP server login functionality of the router, which could lead to remote code execution (RCE) via network requests.
“This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution,” Talos says.
Except two bugs, the remaining vulnerabilities impacting the UR32L router are high-severity flaws, most of which could lead to arbitrary code execution or command execution.
Tomi Engdahl says:
670 ICS Vulnerabilities Disclosed by CISA in First Half of 2023: Analysis
https://www.securityweek.com/670-ics-vulnerabilities-disclosed-by-cisa-in-first-half-of-2023-analysis/
CISA disclosed 670 ICS vulnerabilities in the first half of 2023, but roughly one-third have no patches or mitigations from the vendor.
The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed 670 vulnerabilities affecting industrial control systems (ICS) and other operational technology (OT) products in the first half of 2023, according to industrial asset and network monitoring company SynSaber.
SynSaber’s analysis, conducted in collaboration with the ICS Advisory Project, shows that CISA published 185 ICS advisories in the first half of 2023, down from 205 in the first half of 2022. The number of vulnerabilities covered in these advisories dropped by 1.6% in H1 2023 compared to H1 2022.
More than 40% of the flaws impact software and 26% affect firmware. OEMs continued to report most of these vulnerabilities — more than 50% — followed by security vendors (28%) and independent researchers (9%).
Critical manufacturing and energy are the critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of 2023.
Of the CVEs disclosed in H1 2023, 88 have been rated ‘critical’ and 349 have been rated ‘high severity’. More than 100 flaws require both local/physical access to the targeted system and user interaction, and 163 require some type of user interaction, regardless of network availability.
Thirty-four percent of the reported vulnerabilities don’t have a patch or remediation available from the vendor, up from 13% in the first half of 2022, but roughly the same as in the second half of 2022.
https://14520070.fs1.hubspotusercontent-na1.net/hubfs/14520070/Collateral/SynSaber+ICS-Advisory-Project_ICS-Vulnerabilities_First-Half-2023.pdf
Tomi Engdahl says:
https://www.icsadvisoryproject.com/
Tomi Engdahl says:
Discarded medical devices found to have troves of information on healthcare facilities https://therecord.media/discarded-medical-devices-have-data
Infusion pumps being sold on secondary markets like eBay were found to still carry troves of sensitive information about the hospitals that once owned them, researchers have found.
Rapid7 principal security researcher Deral Heiland and several others examined
13 infusion pump device brands, like Alaris, Baxter and Hospira, finding access credentials and authentication data for their previous owners. The machines are crucial devices which sit next to hospital beds and transmit fluids, medication or nutrients into a patient’s circulatory system.
Tomi Engdahl says:
Tesla infotainment jailbreak unlocks paid features, extracts secrets https://www.bleepingcomputer.com/news/security/tesla-infotainment-jailbreak-unlocks-paid-features-extracts-secrets/
Researchers from the Technical University of Berlin have developed a method to jailbreak the AMD-based infotainment systems used in all recent Tesla car models and make it run any software they choose.
Additionally, the hack allows the researchers to extract the unique hardware-bound RSA key that Tesla uses for car authentication in its service network, as well as voltage glitching to activate software-locked features such as seat heating and ‘Acceleration Boost’ that Tesla car owners normally have to pay for.
The German researchers shared the full details of their hack with BleepingComputer, which will be published in an upcoming BlackHat 2023 presentation scheduled for August 9, 2023, titled ‘Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater.’
Tomi Engdahl says:
UK Warns Of Stalking Risks From Connected Devices https://www.forbes.com/sites/emmawoollacott/2023/08/07/uk-warns-of-stalking-risks-from-connected-devices/
The ‘vast majority’ of domestic abuse cases in the UK now involve the use of technology such as spyware, a UK government committee has warned.
The Culture, Media and Sport Committee launched an inquiry a year ago to investigate the benefits and potential dangers of connected technology, such as smart speakers, virtual assistants and wearable fitness trackers.
And, they say, with most domestic abusers now collecting recordings and images of their victims or monitoring their movements, the government should make it a priority to tackle the problem.
Tomi Engdahl says:
Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft
https://www.securityweek.com/threat-actors-abuse-cloudflare-tunnel-for-persistent-access-data-theft/
Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.
Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin. The tool creates an outbound connection over HTTPS, with the connection’s settings manageable via the Cloudflare Zero Trust dashboard.
Threat actors have been observed abusing the open source Cloudflare Tunnel tool Cloudflared to maintain stealthy, persistent access to compromised systems.
Through Cloudflared, services such as SSH, RDP, SMB, and others are directly accessible from outside, without having to modify firewall rules.
For threat actors, this represents a great opportunity to maintain access to a victim’s environment without exposing themselves. However, the attacker does need access to the target system to execute Cloudflared and establish the connection.
“Since the Cloudflared execution only requires the token associated with the tunnel they’ve created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection,” GuidePoint explains.
Tunnel Vision: CloudflareD AbuseD in the WilD
https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
Tomi Engdahl says:
ICS/OT
ICS Patch Tuesday: Siemens Fixes 7 Vulnerabilities in Ruggedcom Products
https://www.securityweek.com/ics-patch-tuesday-siemens-fixes-7-vulnerabilities-in-ruggedcom-products/
ICS Patch Tuesday: Siemens releases a dozen advisories covering over 30 vulnerabilities, but Schneider Electric has only published one advisory.
Siemens released a dozen advisories covering more than 30 vulnerabilities this Patch Tuesday, but Schneider Electric has only published one advisory to inform customers about one flaw.
Siemens has published three advisories describing serious vulnerabilities patched in its Ruggedcom products.
One advisory covers five vulnerabilities, including four rated ‘critical’ and ‘high severity’, in the Ruggedcom Crossbow server application. The weaknesses can be exploited to cause a DoS condition, escalate privileges, execute arbitrary SQL queries on the database, and write arbitrary files to the targeted system. The issues were discovered by the UK’s National Cyber Security Centre (NCSC).
Siemens also informed customers about a critical mirror port isolation vulnerability in Ruggedcom ROS devices.
“The affected products insufficiently block data from being forwarded over the mirror port into the mirrored network,” the vendor explained. “An attacker could use this behavior to transmit malicious packets to systems in the mirrored network, possibly influencing their configuration and runtime behavior.”
ROS devices are also impacted by a high-severity DoS vulnerability, which has been covered by Siemens in a separate advisory.
The industrial giant informed customers about several high-severity vulnerabilities that can be exploited using specially crafted files. Impacted products include Sicam Toolbox II, Parasolid, Teamcenter Visualization, JT2Go, JT Open, JT Utilities, Solid Edge, and Siemens Software Center (SSC).
Two of Siemens’ advisories describe the impact of two medium and high-severity OpenSSL vulnerabilities on its Simatic products.
Tomi Engdahl says:
Routers from the Underground: Exposing AVrecon https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/
Lumen Black Lotus Labs® identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.” Apart from a single reference to AVrecon in May 2021, the malware has been operating undetected for more than two years. Black Lotus labs performed an extensive analysis documenting the malware functionality, its size, and how it fits into the cybercrime ecosystem.
We assess the purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth. This assessment is based on observed telemetry and the analysis of functionality in the binary that allows the actor to interact with a remote shell and deploy subsequent binaries. Using Lumen’s global network visibility, Black Lotus Labs has determined the composition of a network that has infiltrated more than 70,000 machines, gaining a persistent hold in more than 40,000 IPs in more than 20 countries.
Tomi Engdahl says:
AVrecon malware infects 70,000 Linux routers to build botnet https://www.bleepingcomputer.com/news/security/avrecon-malware-infects-70-000-linux-routers-to-build-botnet/
Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service.
This allows its operators to hide a wide spectrum of malicious activities, from digital advertising fraud to password spraying.
According to Lumen’s Black Lotus Labs threat research team, while the AVrecon remote access trojan (RAT) compromised over 70,000 devices, only 40,000 were added to the botnet after gaining persistence.
Tomi Engdahl says:
Rockwell warns of new APT RCE exploit targeting critical infrastructure https://www.bleepingcomputer.com/news/security/rockwell-warns-of-new-apt-rce-exploit-targeting-critical-infrastructure/
Rockwell Automation says a new remote code execution (RCE) exploit linked to an unnamed Advanced Persistent Threat (APT) group could be used to target unpatched ControlLogix communications modules commonly used in manufacturing, electric, oil and gas, and liquified natural gas industries.
The company teamed up with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to analyze the exploit linked to APT threat actors, but they have yet to share how they obtained it.
“Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules,” the company said in a security advisory accessible only after logging in.
The targeted vulnerability (tracked as CVE-2023-3595) is caused by an out-of-bounds write weakness that can let attackers gain remote code execution or trigger denial-of-service states through maliciously crafted CIP messages.
Tomi Engdahl says:
New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html
Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
“This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent,” Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week. The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS
score: N/A). It impacts all versions of OpenSSH before 9.3p2.
Tomi Engdahl says:
ICS/OT
Weintek Weincloud Vulnerabilities Allowed Manipulation, Damaging of ICS Devices
Several vulnerabilities found in Weintek Weincloud could have allowed hackers to manipulate and damage ICS, including PLCs and field devices.
https://www.securityweek.com/weintek-weincloud-vulnerabilities-allowed-manipulation-damaging-of-ics-devices/
Tomi Engdahl says:
Identity & Access
CISA Releases Cyber Defense Plan to Reduce RMM Software Risks
https://www.securityweek.com/cisa-releases-cyber-defense-plan-to-reduce-rmm-software-risks/
CISA has published a cyber defense plan outlining strategies to help critical infrastructure organizations reduce the risks associated with RMM software.
The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday announced the release of a strategic plan to help critical infrastructure organizations reduce the risks associated with the use of remote monitoring and management (RMM) solutions.
The newly released RMM Cyber Defense Plan (PDF) was developed by the Joint Cyber Defense Collaborative (JCDC) in line with June 2023 guidance on securing remote access software against malicious attacks and aligns with the CISA Strategic Plan for 2023–2025.
“To support the CISA Strategic Plan, the JCDC RMM Cyber Defense Plan identifies a path forward to reduce risks to—and strengthen the resilience of—America’s critical infrastructure organizations that are dependent upon RMM products,” the agency notes.
The new plan, CISA says, is meant to identify ways in which RMM vendors can improve cybersecurity, as well as mechanisms to sustain cybersecurity collaborations in the area.
https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_0.pdf
https://www.securityweek.com/us-israel-provide-guidance-on-securing-remote-access-software/
Tomi Engdahl says:
https://www.extremetech.com/cars/unfixable-amd-chip-vulnerability-unlocks-paid-tesla-features-for-free
Tomi Engdahl says:
Scharon Harding / Ars Technica:
3D printer maker Bambu Lab blames a cloud outage for an issue that caused some of its customers’ devices to start printing without their consent — Bambu Lab says it will help with repairs, replacement parts. — Imagine waking in the middle of the night to the sound of your 3D printer, printing away.
3D printers printing without consent is a cautionary tale on cloud reliance
Bambu Lab says it will help with repairs, replacement parts.
https://arstechnica.com/gadgets/2023/08/3d-printers-print-break-on-their-own-due-to-cloud-outage/
Imagine waking in the middle of the night to the sound of your 3D printer, printing away. You know you didn’t request a print. In fact, you’re sure of it, because your previous project is still on the printer. It sounds like an eerie technological haunting or as if the machines have finally become self-aware. Thankfully, the problem stems from something less creepy but perhaps just as scary: a cloud outage.
As reported by The Verge, on August 15, numerous owners of Bambu Lab 3D printers reported that their device started printing without their consent. It didn’t matter if said printing resulted in bent or broken nozzles or other components or if it involved printing a project on top of another. It didn’t matter if it was an ungodly time, like 4 in the morning; the printers, which cost anywhere from $599 to $1,449, were printing.
“Started a print @ 11 PM. Time-lapse shows it finish successfully at just before 2 AM. At ~2:30 AM while I slept, the machine started itself again with the last print still on the bed. I see a timestamped time-lapse video that starts at about 2:30 AM,” a Reddit user going by u/beehphy complained on the r/BambuLab subreddit.
The user continued by saying, “filament spilled out the side and coiled up all inside the chamber, and it only stopped feeding once the temperature sensor was ripped out.”
The company announced a “cloud printing failure” on its system status page and wrote an August 16 blog post saying it would look into the problem.
Also contributing to the problem was a “large number of API access requests” performed simultaneously, preventing a timely response. This is because the printers’ Bambu Studio software uses a logic that “reinitiate[s] a print request immediately after accessing the cloud.”
Cloud conundrum
The confusion, concern, and chaos created by a 3D printer activating in the middle of the night is a reminder of the risk inherent to consumer tech products that rely on the cloud. The concerns are especially notable when considering that these 3D printers are remotely controllable devices with heating elements. Further, 3D printer owners often leave their printers either to print without overseeing the project or powered on while unattended.
“I’m glad I was home and was able to turn it off, looks like it was burning into yesterdays print job and damaging the hot end at the same time,” a user going by u/SyntheticStart on Reddit said of their experience. “This is my first issue with the machine, but I’m scared to do longer prints now when I’m not available to monitor it.”
Last week’s fiasco also brings to mind security concerns. Of course, cloud security concerns aren’t new. But it’s always worth considering if a product that doesn’t need the cloud for its most important functions should rely on it. This incident has shown that it’s possible for 3D printers to be controlled outside of owners’ desires. Did we mention that these printers have integrated cameras?
In the past, Bambu admitted that it had to educate itself on network security since “the security design of the whole Bambu Lab system was not the best from the very beginning.” This was because “the initial team has a background in robotics, but very little experience in network security,” the company said in 2022.
Bambu’s response
Bambu was quick to apologize to owners, and some users online reported that the company told them it would send replacement parts promptly.
On the technical side, Bambu said it updated its Cloud Service’s SDK service logic and “increased the database connection sizes for better throughput.” It plans to update the Cloud Printing logic so that “every time print is initiated, the printer will check the timestamp and automatically discard any outdated print which does not follow our strict configuration.”
Its printers will also get firmware updates to help prevent a new project from printing when the printer’s plate isn’t cleared, including pop-up notifications that users must dismiss, Bambu said.
Printers will also be updated to “continuously monitor the hotend and heatbed temperature. If a fault is detected, an error message will be prompted on the printer screen, Bambu Studio, and Bambu Handy,” and “the heaters will be turned off to further minimize any potential risk,” Bambu added.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/15229-linux-suojaa-iot-datan-kriittisissae-verkoissa
Sulautetuista korttitietokoneistaan tunnettu Kontron on kehittänyt uuden Linux-pohjaisen SecureOS-käyttöjärjestelmän, joka tarjoaa tietoturvan ja tietosuojan IoT-ratkaisuille kriittisissä järjestelmissä. SecureOS suojaa IoT-ratkaisuja tunkeilijoilta, hakkereilta tai kolmansien osapuolien valvonnalta.
SecureOS-ohjelmistoratkaisu suojaa IoT-ratkaisuja uusilta Internetin uhilta ja vihamielisiltä infrastruktuurihyökkäyksiltä. Se voidaan yhdistää useimpiin Kontronin tuotealustoihin ja sillä voidaan laajentaa susietec-työkaluvalikoimaa entisestään. Kontronin mukaan alusta myös alentaa IoT-operoinnin kustannuksia vähintään 15 prosenttia.
Tomi Engdahl says:
TP-Link Smart Bulb Vulnerabilities Expose Households to Hacker Attacks
https://www.securityweek.com/tp-link-smart-bulb-vulnerabilities-expose-households-to-hacker-attacks/
Vulnerabilities in the TP-Link Tapo L530E smart bulb and accompanying mobile application can be exploited to obtain the local Wi-Fi password.
Four vulnerabilities identified by academic researchers from Italy and the UK in the TP-Link Tapo L530E smart bulb and its accompanying mobile application can be exploited to obtain the local Wi-Fi network’s password.
Currently a best-seller on Amazon Italy, the TP-Link Tapo smart Wi-Fi light bulb (L530E) is cloud-enabled and can be controlled using a Tapo application (available on both Android and iOS) and a Tapo account.
The most severe of the identified issues is described as a “lack of authentication of the smart bulb with the Tapo app”, which allows an attacker to impersonate a smart bulb and authenticate to the application. The issue has a CVSS score of 8.8.
With a CVSS score of 7.6, the second bug impacts both the smart bulb and the Tapo app, which use a hardcoded, short shared secret exposed by code fragments.
Tomi Engdahl says:
Industrial networks need better security as attacks gain scale https://www.zdnet.com/article/industrial-networks-need-better-security-as-attacks-gain-scale/
Critical infrastructures and operational technology systems will face increasing threats as they move toward common standards.
Tomi Engdahl says:
Smart Cities: Utopian Dream, Security Nightmare, or Political Gimmick?
https://www.securityweek.com/smart-cities-utopian-dream-security-nightmare-or-political-gimmick/
As smart cities evolve with more and more integrated connected services, cybersecurity concerns will increase dramatically.
How much smart does a smart city need to be called smart? It’s not a trivial question. It goes to the heart of understanding the concept of connected cities: what is a smart city, what does it deliver, and is it worth the effort? And is it ultimately a utopian dream or a cybersecurity nightmare?
What is a smart city?
The term smart city implies that the whole city is smart. Excluding China and a few other rich and authoritarian regimes, this is far from accurate.
The UK’s NCSC prefers the term ‘connected places’. “The fundamental aim of a connected place,” it says, “is to enhance the quality of living for citizens through collaborative, interactive, and connected technology… a connected place can be described as a community that integrates information and communication technologies and IoT devices to collect and analyze data to deliver new services to the built environment, and enhance the quality of living for citizens.”
This also falls short. It doesn’t differentiate between smart cities and smart villages or even smart streets. It focuses on the term ‘community’, yet neither defines nor explains who should specify ‘the quality of living for citizens’. The result is misleading. A community doesn’t suddenly decide it will get smart. Smartness is something imposed upon the members of a community with no element of choice. And within this definition, everyone is likely to be part of several or many connected places, with varying degrees of connectedness between the connected places.
In describing a smart city, it is better to concentrate on ‘smart municipal services’: traffic control; energy distribution; water services; waste collection; and, of course, elections. Each of these services will be automated and ‘intelligent’ using sensors, connected devices, artificial intelligence, and communication technologies. They are likely to be overlapping and themselves interconnected, with the citizen as the lowest common denominator across most connected services.