This posting is here to collect cyber security news in March 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
PlugX RAT masquerades as legit Windows debugger to slip past security
DLL side-loading does the trick, again
https://www.theregister.com/2023/03/01/plugx_dll_loading_malware/
Tomi Engdahl says:
Google seems to have inadvertently re-created the tech version of The Ring, except the creepy video is this clip of the movie Alien, and the thing that dies after watching it is a Google Pixel phone.
YouTube video causes Pixel phones to instantly reboot
https://arstechnica.com/gadgets/2023/02/youtube-video-causes-pixel-phones-to-instantly-reboot/?utm_social-type=owned&utm_source=facebook&utm_medium=social&utm_brand=ars
Google’s Tensor chips seem to choke on this 4K HDR clip of Alien.
Tomi Engdahl says:
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/
Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.
Tomi Engdahl says:
Bitdefender Releases Decryptor for MortalKombat Ransomware https://www.bitdefender.com/blog/labs/bitdefender-releases-decryptor-for-mortalkombat-ransomware/
A new decryptor for the MortalKombat ransomware is now available for download. Bitdefender has been monitoring the MortalKombat ransomware family since it first appeared online in January this year. Based on the Xorist ransomware, MortalKombat spreads through phishing emails and targets exposed RDP instances. The malware gets planted through the BAT Loader that also delivers the Laplas Clipper malware. An in-depth description of the ransomware is available in this Cisco Talos blogpost
Tomi Engdahl says:
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Iron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade. In 2022, we noticed that they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform
Tomi Engdahl says:
Google: Gmail client-side encryption now publicly available https://www.bleepingcomputer.com/news/security/google-gmail-client-side-encryption-now-publicly-available/
Gmail client-side encryption (CSE) is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. Once enabled, Gmail CSE ensures that any sensitive data sent as part of the email’s body and attachments (including inline images) will be unreadable and encrypted before reaching Google’s servers. It’s also important to note that the email header (including subject, timestamps, and recipient lists) will not be encrypted.
Tomi Engdahl says:
Exfiltrator-22: The Newest Post-Exploitation Toolkit Nipping at Cobalt Strike’s Heels https://www.darkreading.com/threat-intelligence/exfiltrator-22-newest-post-exploitation-toolkit-nipping-cobalt-strike-heels
The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was “likely” developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers
Tomi Engdahl says:
Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware https://thehackernews.com/2023/03/cybercriminals-targeting-law-firms-with.htm
Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains. GootLoader, active since late 2020, is a first-stage downloader that’s capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware
Tomi Engdahl says:
Cisco to Acquire Valtix for Cloud Network Security Tech
https://www.securityweek.com/cisco-valtix-acquisition/
Cisco announced plans to acquire Valtix, an early-stage Silicon Valley startup in the cloud network security business.
Tomi Engdahl says:
Dish Network Says Outage Caused by Ransomware Attack
Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.
https://www.securityweek.com/dish-network-says-outage-caused-by-ransomware-attack/
Tomi Engdahl says:
Why TikTok Is Being Banned on Gov’t Phones in US and Beyond
https://www.securityweek.com/why-tiktok-is-being-banned-on-govt-phones-in-us-and-beyond/
So how serious is the threat of using TikTok? Should TikTok users who don’t work for the government be worried about the app, too?
Tomi Engdahl says:
Two Hacking Groups Seen Targeting Materials Sector in Asia
https://www.securityweek.com/two-hacking-groups-seen-targeting-materials-sector-in-asia/
Two APTs, named Winnti and Clasiopa, have been observed targeting Asian organizations in the materials sector
Tomi Engdahl says:
David Shepardson / Reuters:
The US House Foreign Affairs Committee votes 24 to 16 to advance a bill that would enable President Biden to ban TikTok and other apps considered security risks — The U.S. House Foreign Affairs Committee voted on Wednesday to give President Joe Biden the power to ban Chinese-owned social media app TikTok and other apps.
U.S. House panel approves bill giving Biden power to ban TikTok
https://www.reuters.com/technology/us-house-panel-approves-bill-give-biden-power-ban-tiktok-2023-03-01/
WASHINGTON, March 1 (Reuters) – The U.S. House Foreign Affairs Committee voted on Wednesday along party lines to give President Joe Biden the power to ban Chinese-owned TikTok, in what would be the most far-reaching U.S. restriction on any social media app.
Lawmakers voted 24 to 16 to approve the measure to grant the administration new powers to ban the ByteDance-owned app – which is used by over 100 million Americans – as well as other apps considered security risks.
“TikTok is a national security threat … It is time to act,” said Representative Michael McCaul, the Republican chair of the committee who sponsored the bill.
Democrats opposed the bill, saying it was rushed and required due diligence through debate and consultation with experts. The bill does not precisely specify how the ban would work, but gives Biden power to ban any transactions with TikTok, which in turn could prevent anyone in the United States from accessing or downloading the app on their phones.
The bill would also require Biden to impose a ban on any entity that “may” transfer sensitive personal data to an entity subject to the influence of China.
TikTok has come under increasing fire in recent weeks over fears that user data could end up in the hands of the Chinese government, undermining Western security interests.
Tomi Engdahl says:
Martin Smolár / WeLiveSecurity:
Researchers detail UEFI bootkit BlackLotus, capable of bypassing UEFI Secure Boot even on up-to-date Windows 11 systems and selling for $5K since October 2022 — The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality
BlackLotus UEFI bootkit: Myth confirmed
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality
The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality. In this blogpost we present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022.
UEFI bootkits are very powerful threats, having full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages. This allows them to operate very stealthily and with high privileges. So far, only a few have been discovered in the wild and publicly described (e.g., multiple malicious EFI samples we discovered in 2020, or fully featured UEFI bootkits such as our discovery last year – the ESPecter bootkit – or the FinSpy bootkit discovered by researchers from Kaspersky).
UEFI bootkits may lose on stealthiness when compared to firmware implants – such as LoJax; the first in-the-wild UEFI firmware implant, discovered by our team in 2018 – as bootkits are located on an easily accessible FAT32 disk partition. However, running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard). Sure, UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism. And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing – including the one exploited by BlackLotus.
BlackLotus’s advertisement on hacking forums claims that it features integrated Secure Boot bypass. Adding vulnerable drivers to the UEFI revocation list is currently impossible, as the vulnerability affects hundreds of bootloaders that are still used today. ✅
True: It exploits CVE-2022-21894 in order to break Secure Boot and achieve persistence on UEFI-Secure-Boot-enabled systems. Vulnerable drivers it uses are still not revoked in the latest dbx, at the time of writing.
BlackLotus’s advertisement on hacking forums claims that the bootkit has built-in Ring0/Kernel protection against removal. ✅
True: Its kernel driver protects handles belonging to its files on the EFI System Partition (ESP) against closing. As an additional layer of protection, these handles are continuously monitored and a Blue Screen Of Death (BSOD) triggered if any of these handles are closed, as described in the Protecting bootkit files on the ESP from removal section.
BlackLotus’s advertisement on hacking forums claims that it comes with anti-virtual-machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. ✅
True: It contains various anti-VM, anti-debug, and obfuscation techniques to make it harder to replicate or analyze. However, we are definitely not talking about any breakthrough or advanced anti-analysis techniques here, as they can be easily overcome with little effort.
BlackLotus’s advertisement on hacking forums claims that the HTTP downloader runs under the SYSTEM account within a legitimate process. ✅
True: Its HTTP downloader runs within the winlogon.exe process context.
BlackLotus’s advertisement on hacking forums claims it is a tiny bootkit with an on-disk size of only 80 kB. ✅
True: Samples we were able to obtain really are around 80 kB.
BlackLotus’s advertisement on hacking forums claims that it can disable built-in Windows security protections such as HVCI, Bitlocker, Windows Defender, and bypass User Account Control (UAC). ✅
True: It can disable HVCI, Windows Defender, BitLocker, and bypass UAC.
Tomi Engdahl says:
Trezor warns of massive crypto wallet phishing campaign https://www.bleepingcomputer.com/news/security/trezor-warns-of-massive-crypto-wallet-phishing-campaign/
An ongoing phishing campaign is pretending to be Trezor data breach notifications attempting to steal a target’s cryptocurrency wallet and its assets. Trezor is a hardware cryptocurrency wallet where users can store their cryptocurrency offline rather than in cloud-based wallets or wallets stored on their devices. Using a hardware wallet like Trezor adds protection from malware and compromised devices, as the wallet is not meant to be connected to your PC
Tomi Engdahl says:
Finns are receiving a new kind of scam message: 8 things make it frighteningly convincing https://www.is.fi/digitoday/tietoturva/art-2000009427576.html
FINNS were sent a new kind of scam text message during Wednesday evening. The message tricks the recipient into paying rent to the wrong bank account.
Tomi Engdahl says:
Iron Tiger hackers create Linux version of their custom malware https://www.bleepingcomputer.com/news/security/iron-tiger-hackers-create-linux-version-of-their-custom-malware/
The APT27 hacking group, aka “Iron Tiger,” has prepared a new Linux version of its SysUpdate custom remote access malware, allowing the Chinese cyberespionage group to target more services used in the enterprise. The threat actor’s interest in expanding the targeting scope to systems beyond Windows became evident last summer when SEKOIA and Trend Micro reported seeing APT27 targeting Linux and macOS systems using a new backdoor named “rshell.”
Tomi Engdahl says:
Hackers Exploit Containerized Environments to Steal Proprietary Data and Software https://thehackernews.com/2023/03/hackers-exploit-containerized.html
A sophisticated attack campaign dubbed SCARLETEEL is targeting containerized environments to perpetrate theft of proprietary data and software. “The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials,” Sysdig said in a new report. The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail
Tomi Engdahl says:
Secret Service, ICE carried out illegal stingray surveillance, government watchdog says https://therecord.media/secret-service-ice-carried-out-illegal-stingray-surveillance-government-watchdog-says/
U.S. federal agencies failed to secure required court orders to conduct phone tracking surveillance, according to a recently redacted memorandum from a government watchdog
Tomi Engdahl says:
A participant started showing porn in a Zoom conference – US Federal Reserve event cancelled https://www.is.fi/ulkomaat/art-2000009429915.html
Tomi Engdahl says:
Porn Zoom bomb forces cancellation of Fed’s Waller event
https://www.cnn.com/2023/03/02/business/zoom-bomb-christopher-waller-federal-reserve/index.html
A virtual event with Federal Reserve Governor Christopher Waller was canceled on Thursday after the Zoom videoconference was “hijacked” by a participant who displayed pornographic images.
“We were a victim of a teleconference or Zoom hijacking and we are trying to understand what we need to do going forward to prevent this from ever happening again. It is an incident we deeply regret,” said Brent Tjarks, executive director of the Mid-Size Bank Coalition of America (MBCA), which hosted the event via a Zoom link. “We have had various programs and this is something that we have never had happen to us.”
He said that he suspects one of the security switches that mutes those watching an event was set incorrectly, but he was not yet sure of the details. The decision to cancel was made in consultation with the Fed after the intrusion.
A few minutes before the event was to start, one participant using the screen name “Dan” began displaying graphic, pornographic images, according to a Reuters reporter on the call.
Microphones and video were not muted by the organizer upon joining.
Tomi Engdahl says:
https://www.securityweek.com/cisco-patches-critical-vulnerability-in-ip-phones/
Tomi Engdahl says:
Information of European Hotel Chain’s Customers Found on Unprotected Server
https://www.securityweek.com/information-of-european-hotel-chains-customers-found-on-unprotected-server/
The personal information of many customers of European hotel chain Falkensteiner was discovered by a researcher on an unprotected server.
A researcher has discovered an unprotected server storing the personal information of a significant number of customers of European hotel chain Falkensteiner.
Austria-based Falkensteiner has hotels in Central and Eastern Europe, including in Austria, Italy, Croatia, Slovakia, Serbia and the Czech Republic.
The exposed Falkensteiner data was discovered by Anurag Sen, a researcher at cloud security firm CloudDefense.AI. Sen recently also discovered a US government server that was leaking internal US military emails.
An analysis conducted by Sen showed that the exposed Falkensteiner customer data was associated with Gustaffo, a company offering IT solutions for the hospitality industry.
Tomi Engdahl says:
Canadian Bookstore Chain Indigo Says Employee Data Stolen in Ransomware Attack
https://www.securityweek.com/canadian-bookstore-chain-indigo-says-employee-data-stolen-in-ransomware-attack/
Canadian bookstore chain Indigo this week confirmed that employee data was stolen in a ransomware attack last month.
Tomi Engdahl says:
Critical Vulnerabilities Allowed Booking.com Account Takeover
https://www.securityweek.com/critical-vulnerabilities-allowed-booking-com-account-takeover/
Booking.com recently patched several vulnerabilities that could have been exploited to take control of a user’s account.
Tomi Engdahl says:
BlackLotus Bootkit Can Target Fully Patched Windows 11 Systems
https://www.securityweek.com/blacklotus-bootkit-can-target-fully-patched-windows-11-systems/
ESET says the BlackLotus UEFI bootkit can bypass secure boot on fully updated Windows 11 systems.
Tomi Engdahl says:
Security Defects in TPM 2.0 Spec Raise Alarm
Security defects in the Trusted Platform Module (TPM) 2.0 reference library specification expose devices to code execution attacks.
https://www.securityweek.com/security-defects-in-tpm-2-0-spec-raise-alarm-bells/
Security researchers at Quarkslab have identified a pair of serious security defects in the Trusted Platform Module (TPM) 2.0 reference library specification, prompting a massive cross-vendor effort to identify and patch vulnerable installations.
The vulnerabilities, tracked as CVE-2023-1017 and CVE-2023-1018, provide pathways for an authenticated, local attacker to overwrite protected data in the TPM firmware and launch code execution attacks, according to an advisory from Carnegie Mellon’s CERT coordination center.
TCG TPM2.0 implementations vulnerable to memory corruption
https://kb.cert.org/vuls/id/782720
Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level 00, Revision 01.59 November 2019. An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities. This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys).
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-security-updates-for-intel-cpu-flaws/
Tomi Engdahl says:
https://www.immuniweb.com/blog/data-extortionists-responsible-for-millions-euros-damages-arrested-in-netherlands.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/aruba-networks-fixes-six-critical-vulnerabilities-in-arubaos/
Tomi Engdahl says:
https://thehackernews.com/2023/03/2023-browser-security-report-uncovers.html
Tomi Engdahl says:
New TPM 2.0 flaws could let hackers steal cryptographic keys https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/
An explanatory article on the recently published TPM 2.0 reference library specification vulnerabilities. — “TPM is a highly-secured space that should theoretically be shielded even from malware running on the device, so the practical importance of these vulnerabilities shouldn’t be ignored or downplayed.”
Tomi Engdahl says:
Organizations Warned of Royal Ransomware Attacks
https://www.securityweek.com/organizations-warned-of-royal-ransomware-attacks/
FBI and CISA have issued an alert to warn organizations of the risks associated with Royal ransomware attacks.
Tomi Engdahl says:
Thousands of Websites Hijacked Using Compromised FTP Credentials
https://www.securityweek.com/thousands-of-websites-hijacked-using-compromised-ftp-credentials/
Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials.
Cloud security startup Wiz warns of a widespread redirection campaign in which thousands of websites targeting East Asian audiences have been compromised using legitimate FTP credentials.
In many cases, the attackers managed to obtain highly secure auto-generated FTP credentials, and used them to hijack the victim websites to redirect visitors to adult-themed content.
Likely ongoing since September 2022, the campaign has resulted in the compromise of at least 10,000 websites, many owned by small companies and some operated by large corporations. Differences in hosting providers and tech stacks make it difficult to pinpoint a common entry point, Wiz says.
As part of the initially observed incidents, the attackers added to the compromised web pages “a single line of HTML code, in the form of a script tag referencing a remotely hosted JavaScript script”. The injected tags result in a JavaScript script being downloaded and executed on the website visitors’ machines.
In some cases, JavaScript code was injected directly into existing files on the compromised server, likely via FTP access, which excludes the possibility of malvertising, Wiz says.
The JavaScript redirection code checks for specific conditions before redirecting the visitor to the destination website, including a probability value, a cookie set on the victim’s machine, whether the visitor is a crawler, and whether or not they are using Android.
The goal of the campaign, Wiz says, could be ad fraud or SEO manipulation, but it is also possible that the attackers are simply looking to increase traffic to the destination websites. However, the threat actors could also decide to abuse the obtained access to perform other nefarious activities.
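One way to hunt for the injected tags Wiz describes, as an added example that is not part of the original post or of Wiz’s research: a Python scan that lists every remotely hosted script tag in an HTML document and flags any whose host is outside an allowlist, reporting the line number so the single injected line can be located. The sample page and hostnames are constructed.

```python
"""Flag <script src=...> tags that load JavaScript from hosts outside an allowlist.

Injected redirect code of the kind Wiz describes arrives as one extra script
tag pointing at a remote host, so an unexpected external host is the signal.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect (src, line) for every <script> tag that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                line, _offset = self.getpos()   # position of the tag in the document
                self.scripts.append((value.strip(), line))


def remote_script_srcs(html):
    """Return [(src, line), ...] for all script tags with a src attribute."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def suspicious_script_tags(html, allowed_hosts):
    """Return script tags whose src points at a host not in allowed_hosts.

    Relative paths (served by the site itself) are ignored. Absolute URLs and
    protocol-relative URLs (//host/path) are both treated as remote.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src, line in remote_script_srcs(html):
        host = urlparse(src).hostname      # None for relative paths and data:/javascript: URIs
        if host is None:
            continue
        if host not in allowed:            # .hostname is already lowercased
            findings.append({"src": src, "host": host, "line": line})
    return findings


# Constructed sample page: one local script, one script from the site's own CDN,
# and one injected protocol-relative tag pointing at an attacker-controlled host.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
<script src="//js.attacker-controlled.test/r.js"></script>
</head><body>Welcome</body></html>"""

ALLOWED_HOSTS = ["cdn.example-shop.test"]   # constructed allowlist for the sample site


if __name__ == "__main__":
    for hit in suspicious_script_tags(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"line {hit['line']}: script loaded from {hit['host']} ({hit['src']})")
```

Run over a site’s HTML and template files with the allowlist set to the CDNs and analytics hosts that are actually expected; any other host is worth a look, and comparing file hashes against a known-good backup finds the same injection when it was written into existing files via FTP.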
Tomi Engdahl says:
https://futurism.com/the-byte/whistleblower-facebook-messenger-battery
Tomi Engdahl says:
SCAMMERS USING VOICE CLONING AI TO TRICK GRANDMA INTO THINKING GRANDKID IS IN JAIL
https://futurism.com/the-byte/scammers-voice-cloning-grandma-jail
Tomi Engdahl says:
https://thehackernews.com/2023/03/new-flaws-in-tpm-20-library-pose-threat.html
Tomi Engdahl says:
DoppelPaymer ransomware suspects arrested in Germany and Ukraine https://nakedsecurity.sophos.com/2023/03/06/doppelpaymer-ransomware-supsects-arrested-in-germany-and-ukraine/
“A combined operation involving German, Ukrainian and US law enforcement has just resulted in the interrogation and arrest of suspects in Germany and Ukraine, and the seizure of electronic devices in Ukraine for forensic analysis.” More information:
https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets
Tomi Engdahl says:
‘Brittle’ Twitter suffers bad case of the Mondays: Links, pics, vids fail https://www.theregister.com/2023/03/06/twitter_features_outage/
“Starting around 0830 Pacific Time, according to DownDetector, clicking on links in Twitter posts resulted in an error message: “Your current API plan does not include access to this endpoint.” The company’s notional API status page showed no sign anything is amiss.
“All systems operational,” the page confidently declared on Monday morning.”
Tomi Engdahl says:
New HiatusRAT router malware covertly spies on victims https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
“Lumen Black Lotus Labs identified a never-before-seen campaign involving compromised routers. This is a complex campaign we are calling Hiatus. It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) we’re calling HiatusRAT, and a variant of tcpdump that enables packet capture on the target device. The threat actors behind the Hiatus campaign primarily operationalized end-of-life DrayTek Vigor models 2960 and 3900. Analysis indicates the latest Hiatus campaign started in July 2022, but we suspect this activity cluster predates 2022.”
Tomi Engdahl says:
Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs
https://www.securityweek.com/critical-vulnerabilities-allow-hackers-to-take-full-control-of-wago-plcs/
Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).
German industrial automation solutions provider Wago has released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities, including ones that can be exploited to take full control of the targeted device.
During the analysis of Wago PLCs, the researcher discovered several vulnerabilities in the web-based management interface designed for administering, commissioning and updating devices.
Germany’s CERT@VDE has published an advisory that describes the vulnerabilities and shares information on impacted products and versions.
Two of the flaws have been assigned a critical severity rating based on their CVSS score. One of them, a missing authentication issue tracked as CVE-2022-45138, can be exploited by an unauthenticated attacker to read and set some device parameters, which can lead to a full compromise of the controller.
The second critical vulnerability, CVE-2022-45140, allows an unauthenticated attacker to write arbitrary data with root privileges, which can result in arbitrary code execution and a full system compromise.
In a real-world attack, a threat actor could exploit these vulnerabilities to maliciously control actuators, falsify sensor measurements, and disable all safety controls, the researcher explained.
https://cert.vde.com/de/advisories/VDE-2022-060/
The web-based management of affected products is vulnerable to Reflective Cross-Site Scripting. This can be used to install malicious code and to gain access to confidential information on a System that connects to the WBM after it has been compromised.
Additionally, the web-based management of affected products is vulnerable to stealing and setting device parameters and remote code execution by an unauthenticated attacker.
Mitigation
If not needed, you can deactivate the web-based management to prevent attacks (command line).
Restrict network access to the device.
Do not directly connect the device to the internet.
Remediation
We recommend that all users of affected products install FW22 Patch 1 or FW 24 or higher.
Tomi Engdahl says:
Cybercrime Marketplace Leaks Over 2.1 Million Payment Cards
https://www.securityweek.com/cybercrime-marketplace-leaks-over-2-1-million-payment-cards/
Carding marketplace BidenCash last week released information on more than 2.1 million credit and debit cards.
Tomi Engdahl says:
BetterHelp Shared Users’ Sensitive Health Data, FTC Says
https://www.securityweek.com/betterhelp-shared-users-sensitive-health-data-ftc-says/
The online counseling service BetterHelp has agreed to return $7.8 million to customers to settle with the Federal Trade Commission for sharing health data it had promised to keep private.
Tomi Engdahl says:
Ransomware Operators Leak Data Allegedly Stolen From City of Oakland
Play ransomware operators have leaked data allegedly stolen from the City of Oakland last month.
https://www.securityweek.com/ransomware-operators-leak-data-allegedly-stolen-from-city-of-oakland/
Tomi Engdahl says:
https://www.securityweek.com/police-looking-for-russian-suspects-following-doppelpaymer-ransomware-crackdown/