The benefits of using a cloud-based management platform to monitor and configure industrial control system (ICS) devices are obvious — efficiency, cost savings and better diagnostics, just for starters. But new research found critical vulnerabilities in these platforms that could be used to paralyze operations if left unmitigated. An analysis by Claroty’s newly branded Team82 research team found striking vulnerabilities in the CODESYS and WAGO industrial systems, which make use of cloud-based automation for operational technology (OT) — a segment often referred to as “Industry 4.0.” CODESYS has developed a cloud-based platform called Automation Server to remotely manage programmable logic controllers (PLCs), the computers that control physical industrial equipment. OT engineers using Automation Server can download logic to their PLCs and configure them through the cloud-based Automation Server management console. WAGO PFC100/200, meanwhile, is a series of PLCs that make heavy use of the CODESYS runtime, and most of the communication, configuration and programming of these PLCs is done through the CODESYS platform. These devices can also be managed by the CODESYS Automation Server platform, and engineers can remotely download logic to them. The vulnerabilities, if exploited, can lead to serious consequences, including gaining control of industrial equipment and operations. “A vulnerability in a Level 0/1 device such as a PLC can be leveraged to launch attacks…

Source

iPhone users, drop what you’re doing and update now: Apple has issued a warning about a ream of code-execution vulnerabilities – some of which are remotely exploitable – and experts are emphatically recommending an ASAP update to version 14.7 of iOS and iPadOS. Unfortunately, you aren’t getting a fix for the flaw that makes your iPhone easy prey for Pegasus spyware. As headlines have noted all week, a zero-click zero-day in Apple’s iMessage feature is being exploited by NSO Group’s notorious Pegasus mobile spyware: a spyware blitz enabled by a bug that has given the security community pause about the security of Apple’s closed ecosystem. The patches address a total of 40 vulnerabilities, 37 of which are in iPhones. The most severe of the flaws could allow for arbitrary code execution with kernel or root privileges. See below for a full list of the vulnerabilities and their details. Besides fixing other, non-Pegasus-associated vulnerabilities in iOS and iPadOS, Wednesday’s security updates also squashed bugs in macOS Big Sur 11.5 and in macOS Catalina. Fortunately, as of now, there are no reports of these vulnerabilities being exploited in the wild. But as noted by MS-ISAC, the Multi-State Information Sharing and Analysis Center, the risk to large and medium-sized government and business entities is rated high. The flaws are rated medium-risk for small business or government entities, while the risk to home users is considered low. WebKit: The Little Engine That…

Source

A privilege-escalation bug affecting Windows 10 received a workaround fix from Microsoft on Wednesday to prevent attackers from accessing data and creating new accounts on compromised systems. The bug, dubbed SeriousSAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information – a juicy target for attackers. A prerequisite for abuse of the bug is that an adversary already has either remote or local access to the vulnerable Windows 10 system. Tracked as CVE-2021-36934, the vulnerability exists, Microsoft said, because of overly permissive Access Control Lists on multiple system files, including the SAM database. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft bulletin explains. Simply stated, an attacker could leverage the bug to gain access to the SAM database of hashed credentials, which could then be cracked offline and used to bypass Windows 10 user access controls.

Proof-of-Concept Available

The bug is rated important in severity by Microsoft. The flaw was revealed to Microsoft by researcher Jonas Lyk over the weekend and made public Monday. Proof-of-concept code was published by researcher Kevin Beaumont to help network admins identify exposure to the bug. In a…

Source

An 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today. 60-year-old Mark Herring died of a heart attack after police surrounded his home in response to a swatting attack. Shane Sonderman, of Lauderdale County, Tenn., admitted to conspiring with a group of criminals that had been “swatting” and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames. At Sonderman’s sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, post their personal information online and send them pizzas and other food deliveries as a harassment technique. Other victims of the group told prosecutors their tormentors further harassed them by making false reports of child abuse to social services local to the target’s area, and false reports in the target’s name to local suicide prevention hotlines. Eventually, when subjects of their harassment refused to sell or give up their Twitter and Instagram usernames, Sonderman and others would swat their targets — make a false report to authorities in the target’s name with the intention of sending a heavily armed police response to that person’s address. For weeks throughout March and April 2020, 60-year-old Mark Herring of Bethpage, Tenn. was inundated with text messages…

Source

A credential-stealing code bomb that uses legitimate password-recovery tools for Google’s Chrome web browser was found lurking in the npm open-source code repository, waiting to be planted within the sprawling galaxy of apps that pull code from that source. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands. npm (originally short for Node Package Manager, or NPM) is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine. It’s similar to other code repositories such as GitHub, RubyGems and PyPI in that it’s part of a (very long) software supply chain. “Vast” would be an understatement to describe the ecosystem: npm hosts more than 1.5 million unique packages and serves up more than 1 billion requests for JavaScript packages per day to around 11 million developers worldwide.

Abusing Google ChromePass Utility

Besides textual JavaScript files, npm also holds various types of executables, such as PE, ELF and Mach-O. ReversingLabs researchers, who published their findings in a Wednesday post, said that during an analysis of the code repository they found an interesting embedded Windows executable file: a credential-stealing threat. Labeled…

Source

The federal government is fighting back against what it says are China-based cyberattacks against U.S. universities and companies with indictments and a “naming-and-shaming” approach — but researchers aren’t convinced the efforts will come to much in terms of deterring future activity. On Monday, the White House released an official statement announcing its attempt to push back against “irresponsible and destabilizing behavior in cyberspace.” The European Union, the United Kingdom and NATO countries also announced they will join the U.S. in “exposing and criticizing [China’s] malicious cyber-activities,” the White House statement added. The statement also formally attributed the widespread Microsoft Exchange zero-day exploitation to China’s Ministry of State Security. The U.S. Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Administration (NSA) released multiple advisories providing details about cybersecurity threats from the Chinese government, and announced the indictments of four Chinese nationals alleged to have been operating on behalf of the Chinese Hainan State Security Department. The indictments allege the four Hainan State Security Department (HSSD) officers were behind the advanced persistent threat group APT40, including Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin, as well as Wu Shurong, who allegedly wrote malware and targeted it against universities, governments and companies across…

Source

Kubernetes clusters are being attacked via misconfigured Argo Workflows instances, security researchers are warning. Argo Workflows is an open-source, container-native workflow engine for orchestrating parallel jobs on Kubernetes, used to speed up processing time for compute-intensive jobs like machine learning and big-data processing. It’s also used to simplify container deployments in general. Kubernetes, meanwhile, is a popular container-orchestration engine for managing cloud deployments. Malware operators are dropping cryptominers into the cloud via Argo thanks to some instances being publicly reachable through dashboards that don’t require authentication for outside users, according to an analysis from Intezer. These misconfigured permissions can allow threat actors to run unauthorized code in the victim’s environment. “In many instances, permissions are configured which allow any visiting user to deploy workflows,” according to the Intezer analysis, published Tuesday. “In instances when permissions are misconfigured, it is possible for an attacker to access an open Argo dashboard and submit their own workflow.” Researchers said the misconfigurations can also expose sensitive information such as code, credentials and private container-image names (which can be used to assist in other kinds of attacks). Intezer’s scan of the web found scads of unprotected instances, operated by companies in several industries, including technology, finance and logistics. “We have…

Source

French lawmakers have launched an investigation into Israeli offensive cybersecurity company NSO Group after they learned French President Emmanuel Macron topped a list of 14 heads of state potentially targeted by the company’s spyware. Amnesty International said Tuesday the French leader was a potential spyware target, along with presidents Imran Khan of Pakistan, Cyril Ramaphosa of South Africa and Barham Salih of Iraq. Other heads of state, including prime ministers and the king of Morocco, Mohammed VI, were also high-profile potential targets of NSO’s software, known as Pegasus. “The unprecedented revelation … should send a chill down the spine of world leaders,” wrote Agnes Callamard, Amnesty International’s secretary general, in a statement. The world leaders were potential targets according to a list of 50,000 phone numbers believed linked to the NSO Group and leaked to Amnesty International and the Paris-based journalism nonprofit Forbidden Stories. The extensive list is believed to date back to 2016 and includes people of interest to clients of NSO. On Sunday, a consortium of 17 media partners published a bombshell report shedding light on what they believe is a systemic and widespread use of the Pegasus spyware by sometimes repressive regimes against human rights activists, political dissidents, journalists and religious and world leaders.

French Outraged

French daily Le Monde said that after it launched its own investigation into the leaked NSO data, it determined…

Source

In 2021, the threat of ransomware has loomed large. In many ways, it’s exactly what cybersecurity experts expected (and predicted) after the major cyber attacks of 2020—including hospital ransomware attacks on a healthcare industry hard-hit by both ransomware and Covid-19. But in other ways, this surge is unprecedented. Because of our DNS filtering technology at DNSFilter, we are able to identify trends in malware and phishing domains on our network. Over the last year, we’ve seen traffic to domains categorized as malware rise and fall. Stepping back and looking at traffic to malware domains so far in 2021, we noticed a few spikes, including a brief spike between January and February that coincided with the Silver Sparrow ransomware attack. Here, we’ll examine a few periods of time that had high traffic to malware domains on the DNSFilter network.

Starting the year with a surge in malware traffic: Silver Sparrow and more

In mid-February, the Silver Sparrow malware was detected on 30,000 Mac computers. This malware used installer packages leveraging the macOS Installer JavaScript API, unlike other malicious macOS installers, which use pre-install or post-install scripts. The network component of this malware executed a shell script that downloaded a JSON file to disk from its C2, checking in every hour. Silver Sparrow made liberal use of AWS S3 bucket infrastructure for distribution. On our network, malicious queries to related Silver…

Source

There’s a new version of the old FormBook form-stealer and keylogger that has added Mac users to its hit list, and it’s selling like hotcakes on the darknet for as little as $49. It’s not only cheap; it’s easy. The data stealer is distributed as malware-as-a-service (MaaS) and stands out from competing malware by being drop-dead simple to use, outfitting even code dummies with a multipurpose malware tool. In a report posted on Wednesday, analysts at Check Point Research (CPR) said that the new strain of FormBook – which mainly targeted Windows users when it first popped up on hacking forums in 2016 – is named XLoader. According to the report, FormBook disappeared from malware markets in 2018, then rebranded as XLoader in 2020. Over the past six months, XLoader has been a busy beaver, prolifically targeting Windows users but also gnawing on its newfound love: namely, “to CPR’s surprise,” Mac users. XLoader licenses start at $49: a price that will get even the most inexperienced and poorly funded cyberattackers a tool they can use to harvest log-in credentials, collect screenshots, log keystrokes and execute malicious files. CPR has tracked XLoader requests flooding in from eager attackers in 69 countries. Most of the targets – 53 percent – are in the U.S., including both Mac and Windows users. The breakdown of victims by country is presented in the bar graph below: Victims are tricked into downloading XLoader via spoofed emails that contain malicious Microsoft…

Source