
About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

When bad things happen to good people: ICS & security concerns

Hard-coded key vulnerability in Rockwell Logix PLCs rated 10 out of 10 severity, per Ars Technica

PLCs are programmable logic controllers, the workhorses of industrial control systems (ICS) in manufacturing, industrial plants and power plants. Be concerned. Be very concerned. While the engineering workstations that program them look like the desktops and keyboards we used to use at the office, the controllers themselves are specialized equipment that helps run our daily lives, keeps our lights on, keeps us safe. Referred to as critical infrastructure, it is the ideal target for nation-state attacks, where revenge and control collide.

When malware and tactics are weaponized for destruction, bad things happen like:

  • power grid sabotage in Ukraine in December 2015, where BlackEnergy malware gave the attackers their foothold
  • cyber attacks on water treatment facilities in Israel attributed to Iran
  • an industrial safety instrumented system tripped by Triton malware, shutting down a petrochemical plant
  • centrifuges driven out of their safe operating range at a nuclear facility by Stuxnet.

This week US CISA issued a warning here for CVE-2021-22681: a secret cryptographic key, hard-coded into Rockwell Automation’s Studio 5000 Logix Designer engineering software and used to authenticate to its Logix controllers, can be extracted from that software. Anyone holding the key can impersonate an engineering workstation to any Logix controller. Key point here (sorry, had to): don’t hard-code or embed passwords and security keys; that is fundamental good security practice. This makes the PLCs vulnerable to a remote attacker with low skill levels, who could then alter their configuration or their application code. Do you want bad things? Because this is how you get bad things. How bad?

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable”

Sharon Brizinov, principal vulnerability researcher at Claroty
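The first “key” point above is the one a practitioner can act on in their own code, so here is an added example of mine, not Claroty’s tooling and not anything from Rockwell: a small pre-commit style scanner that flags string literals assigned to credential-looking names, raw hex of key length, or high-entropy values, and lets the hardened pattern (key supplied at deploy time) pass. The source it runs over is constructed for this post; the names AUTH_KEY and PLC_API_TOKEN and the address in it are assumptions, not real vendor identifiers.

```python
import math
import re
from collections import Counter

# Variable names that usually hold credentials or key material.
SECRET_NAME = re.compile(
    r"(?i)(secret|passw(?:or)?d|api_?key|auth_?key|priv(?:ate)?_?key|token|shared_?key)"
)

# name = "literal"  |  name := "literal"  |  name: "literal"   (Python, Go, C/C++, YAML-ish).
# Optional leading tokens absorb declarations such as `const char *` or `static`.
ASSIGNMENT = re.compile(
    r"""^\s*(?:[\w:<>\[\]*]+\s+)*\*?\s*(?P<name>[A-Za-z_]\w*)\s*(?::=|=|:)\s*"""
    r"""(?P<q>["'])(?P<val>[^"']*)(?P=q)"""
)

HEX_KEY = re.compile(r"[0-9a-fA-F]{32,}")  # 128-bit or longer raw hex key
ENTROPY_MIN_LEN = 20                       # short literals give meaningless entropy
ENTROPY_THRESHOLD = 3.5                    # bits/char: hex tops out at 4.0, prose sits around 2-3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str):
    """Scan source text line by line; return findings with line number, name, value and reasons."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue  # not a string-literal assignment, e.g. a value read from the environment
        name, val = m.group("name"), m.group("val")
        reasons = []
        if SECRET_NAME.search(name):
            reasons.append("name")
        if HEX_KEY.fullmatch(val):
            reasons.append("hex-key")
        if len(val) >= ENTROPY_MIN_LEN and shannon_entropy(val) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy")
        if reasons:
            findings.append({"line": lineno, "name": name, "value": val, "reasons": reasons})
    return findings


# Constructed sample of an engineering-station client. Not Rockwell's code; every name is made up.
SAMPLE_SOURCE = """\
# constructed sample, not vendor code
LOG_LEVEL = "INFO"
CONTROLLER_HOST = "192.168.10.5"
AUTH_KEY = "3f9a1c7e2b8d4056a9e3c1f7b2d8e4a6"   # one key baked into every installed copy
password = "changeme"
api_token = os.environ["PLC_API_TOKEN"]           # hardened: supplied at deploy time, per site
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} = {f['value']!r}  [{', '.join(f['reasons'])}]")
```

Run it over a checkout with `find_hardcoded_secrets(open(path).read())` per file; the two flagged lines in the sample are the vendor-wide key and the default password, while the line that reads its token from the environment is exactly the shape you want to see instead. The entropy rule catches keys hiding behind innocent names, and the name rule catches low-entropy defaults like “changeme” that entropy alone would miss.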

Which brings me to my second “key” point: don’t expose sh@t you value online. Because people know how to go hunting with Shodan, and omg, the things they find!

Shodan search result shared on Twitter in 2018

There’s another thing that troubles me. Maybe I’m being petty, but apparently Claroty told Rockwell “Hi! You may have a security problem” back in 2019. I know we lost a whole year with 2020, but still, it took till last Thursday for anything to be said.

Pretty much any Rockwell Logix PLC is at risk. It’s a long list. How about a patch for that? Well, not just yet. But there is an advisory now available from Rockwell with mitigations and instructions. You can read the write-up by Claroty here, and you probably should.

Want to know more? In addition to this excellent article by Dan Goodin for Ars Technica, I can recommend reading “Sandworm” by Andy Greenberg and “Countdown to Zero Day” by Kim Zetter. Here is where I get to cheer on the work being done by the team of dedicated security researchers who specialize in the field of ICS and SCADA at Dragos Inc., Bryson Bort and the awareness he’s bringing, and my friend Chris Sistrunk at Mandiant, who helps keep the power grid safe and our lights on, among many other things.

Daily Perk 2/26/2021

It’s DNS. It’s always DNS

2000% Increase in New Malware Written in Go per ZDNet

Noting a trend where malware writers have shifted away from C and C++. Cybercriminals and APTs both find Go easy to work with: one code base cross-compiles for Windows, Linux and macOS, and the large, statically linked binaries with their unfamiliar runtime are harder for analysts and signature-based tools to pick apart, which helps with evasion. Moreover, with the massive migration to all things cloud, many cloud-native applications are written in Go, so a Go binary no longer looks out of place. This is the way.

Malicious Firefox Extensions Used to Hijack Gmail Accounts per Bleeping Computer

China-based APT group TA413 targeted Tibetan organizations in a cyber espionage campaign that hijacked Gmail accounts and infected victims with ScanBox malware to harvest data and log keystrokes. TA413 used phishing emails to redirect victims to a fake Adobe Flash Player update site (wait, isn’t that always a bad thing?), where victims were tricked into installing the FriarFox browser extension, which gave the attackers control of the Gmail account.

Malicious browser extensions are more prevalent than we realize, and are being leveraged by state-sponsored attackers to gain control over dissidents. Think beyond that to how it can be leveraged against us. Good report by Proofpoint here.

Daily Perk 2/25/2021

Missed y’all yesterday

Patch It Now! Vulnerable VMware vCenter servers are being hunted online and exploited, per ZDNet. More than 6,700 are exposed online and vulnerable to attacks that can take over entire company networks. A Chinese researcher published a PoC for CVE-2021-21972 here.

Got Cisco? Get Patching! Per Threatpost, Cisco has fixed a critical flaw that could allow a remote attacker to bypass authentication. This affects Cisco’s ACI Multi-Site Orchestrator, the software that manages ACI fabrics across data center sites. But wait, there’s more! A critical flaw in their Application Services Engine could allow unauthenticated remote attackers to gain privileged access to host-level operations. And they have patched another critical flaw in NX-OS on their Nexus 3000 and 9000 series switches, which could grant root-level privilege. I worry about these things …

The Data Behemoth: Concerns over Amazon and security lapses per Politico

After years of massive breaches – governments, Equifax, Yahoo and so many more – our data is out there, including usernames and passwords, social insurance numbers, payment data. Unfortunately, the ocean of data keeps rising, cloud is where everything is moving to, and security misconfigurations have been keeping pace, with data spillage in the millions of records.

The pandemic has been a boon for online ordering, which means payment card data is more at risk than ever. The article raises concerns about Amazon’s history of somewhat lax security practices, but anyone handling our data merits our concern; Amazon just has a lot more data to worry about. The onus rests with us to be vigilant and monitor where our data is, because if we have to trust someone else with it, we need to verify what happened to it.

Daily Perk 2/23/2021

New Advances in Payment Card Skimmers per Krebs on Security

Security researcher Brian Krebs has become an expert on card skimming devices and methods. It’s enough to make you seriously question ever swiping your card again. His column today shows how retail self-checkout point-of-sale (POS) terminals can be fitted with a “flexible, paper-thin device that fits inside the terminal’s chip reader slot”. Unless you knew to look, and what to check for, you’d have no idea. Ironically, these rogue readers draw power from the chip on the very chip-and-PIN cards we use, so they can operate indefinitely. But good news: his next post is about detecting these skimmers.

Phishing Alert, per Threatpost: be wary of emails purporting to come from FedEx and DHL couriers, among others. The campaign has targeted more than 10,000 Microsoft email users.

Shadow Attacks Can Compromise Integrity of Digitally-signed PDFs per The Hacker News

Whoa! We know attackers have been steadily abusing trust via digital certificates, but this is a disturbing new wrinkle. Security researchers from Ruhr University Bochum demonstrated their new attack, “Hiding and Replacing Content in Signed PDFs”, which abuses the “enormous flexibility provided by the PDF specification so that shadow documents remain standard compliant.” The attacker prepares a document with hidden content, has the victim sign it, then appends changes after the signature that viewers accept as harmless, so the visible content changes while the signature still validates. Consider how much we rely on signed PDFs because they are supposed to be tamper-evident, supporting the security principle of integrity. Of note: these researchers have previously shown how to extract the contents of password-protected PDF files.
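As an added example (mine, not the Bochum team’s proof of concept): the one structural fact every shadow attack relies on is that the viewer accepts an incremental update appended after the signature, so a defender’s first check is whether each signature’s /ByteRange actually reaches the end of the file. The minimal PDF below is constructed by hand with a placeholder signature value so the byte offsets line up; the object numbers and the appended update are assumptions, not a real document.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d).
# The gap between them holds the /Contents signature value itself.
BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes):
    """For every signature in the file, report how far its ByteRange reaches and what lies beyond it."""
    reports = []
    for m in BYTERANGE.finditer(pdf):
        a, b, c, d = (int(x) for x in m.groups())
        signed_end = c + d
        tail = pdf[signed_end:]
        reports.append({
            "byterange": (a, b, c, d),
            "starts_at_zero": a == 0,          # a signature that skips the header is suspicious in itself
            "signed_end": signed_end,
            "trailing_bytes": len(tail),
            "updates_after_signature": tail.count(b"%%EOF"),  # each incremental update ends with %%EOF
        })
    return reports


def has_post_signature_update(pdf: bytes) -> bool:
    """True if any signature's ByteRange stops short of end-of-file: something was appended after signing."""
    return any(r["trailing_bytes"] > 0 for r in signature_coverage(pdf))


def build_sample_pdf(appended_update: bytes = b"") -> bytes:
    """Constructed minimal 'signed' PDF whose byte layout makes /ByteRange [0 150 200 60] exact.
    The signature value is a placeholder; only the structure matters for the check."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 150 200 60] /Contents "
    prefix = prefix.ljust(149) + b"<"            # bytes [0, 150): signed
    contents = b"ab" * 24 + b">" + b" "          # bytes [150, 200): the unsigned gap holding the signature
    tail = b">>\nendobj\ntrailer\n<< /Root 1 0 R >>\nstartxref\n9\n%%EOF\n"
    tail = tail.ljust(60)                        # bytes [200, 260): signed
    pdf = prefix + contents + tail
    assert len(pdf) == 260                       # the ByteRange above must describe this file exactly
    return pdf + appended_update


if __name__ == "__main__":
    clean = build_sample_pdf()
    # A shadow-style follow-up: an incremental update appended after the signed range (constructed).
    shadow = build_sample_pdf(b"\n3 0 obj\n<< /Type /Annot /Subtype /Widget /F 2 >>\nendobj\n%%EOF\n")
    for label, doc in (("clean", clean), ("shadow", shadow)):
        print(label, signature_coverage(doc)[0], "post-signature update:", has_post_signature_update(doc))
```

Trailing bytes after the signed range are not proof of an attack (form filling and a second signature also append incremental updates), so the right response is to treat the document as “changed after signing” and review the update, not to trust the green check mark.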

Daily Perk 2/22/2021

It’s still Monday. I checked.

Equation Group Tool Cloned by Chinese Hackers per ZDNet

Remember that treasure trove of NSA cyber exploit goodies made public by the Shadow Brokers in 2017? The home of EternalBlue and friends? Like Pandora’s box, once the lid lifted, everything escaped. These were exploits for 0-days, many of them in Windows, acquired and withheld from the vendors rather than reported for patching, to build a cyber weapons arsenal. It’s what all the cool nation states do.

Turns out that the hacking tool “Jian”, an exploit for privilege escalation and full system compromise on Windows systems from XP to 8, was not developed by APT31 aka Zirconium but cloned from Equation Group’s EpMe. EpMe was one of four privilege escalation exploits bundled in the leaked DanderSpritz framework. Note: APT3 was another Chinese group that availed itself of NSA tools before they got loose. Good time to revisit that “Lost in Translation” leak by the Shadow Brokers.

Update: Possible Ties to FIN11, Clop Ransomware in the Accellion File Transfer Attack Per Threatpost

This was a major security issue for organizations that rely on secure file transfer: think legal, financial, government. At least 100 entities are victims, of which 25 have suffered “significant data theft”, followed by extortion demands and name-and-shame leak sites.

Researchers have identified threat actors UNC2546 and UNC2582, connected to established cybercrime group FIN11 who work with the Clop ransomware operation. We’re seeing the waters get muddier and murkier when it comes to attribution, as cybercriminals work with state-backed adversaries, and offshoots develop to act one-step removed.

Diana Initiative CFP Now Open! It’s YOUR year!

Bring it! Show us what you’ve learned, what you’re made of, what you think. Last year’s virtual event was outstanding, and opened the doors for so many more attendees to submit. The Diana Initiative features a diverse speaker line-up covering a wide range of topics – why not yours! There will be multiple speaking tracks. Speakers have a choice of a 20 minute slot or a 50 minute slot. Please review the details and process below and submit your talk! For any CFP questions, email [cfp@dianainitiative.org]

Important Dates

  • Feb 15th, 2021: Call For Papers Opens
  • March 21st, 2021: First Round closes
  • April 7th, 2021: First Round notifications sent
  • May 7th, 2021: Second Round closes
  • May 22nd, 2021: Second Round notifications sent

Submission Guidelines: Papers that don’t meet these may be rejected

  1. Submission Title
  2. Speaker Name(s)
  3. Speaker Email (this is how we will contact you) Hidden from reviewers
  4. Speaker biography (150 words or less per speaker) Hidden from reviewers
  5. Abstract for your talk (200 words or less) Please refrain from including identifying information
  6. Detailed talk outline Please refrain from including identifying information
    Break your talk idea down into subheading with bullet points to provide detail on what it is, why it matters, what attendees will take away as learning or something they can apply. Show approximate speaking times for each section. Less is not more when it comes to the outline and selling your concept.
  7. Whether this would be your first speaking engagement at a conference
  8. Whether this talk has been previously given at another conference

Daily Perk 2/19/2021

Attackers can Bypass Mastercard PIN by Using it as VISA Card per The Hacker News

Oops! Security researchers found a PIN bypass attack on chip-and-PIN Mastercard cards: the terminal is tricked into treating the card as a Visa card, so their earlier Visa PIN bypass applies and no PIN is required. It exploits known “serious” vulnerabilities in the EMV contactless protocol, using an Android app in a man-in-the-middle attack that intercepts and manipulates the NFC communication between card and terminal and relays it over WiFi. The good news: Mastercard was notified in advance, and attackers need the planets to align to pull this off. But it’s valid.

Decade-old Iranian APT Malware Still Running C&C from Dutch Data Center per Bitdefender

Gone but not forgotten. Actually, still very much active and beaconing home. Iranian APT malware “Foudre” and “Tonnerre” were found operating from a server in a Dutch data center. They install a backdoor on compromised Windows x86 and x64 machines for cyber espionage. Tonnerre is equipped for persistence, data exfiltration and all the spy-game fun that Iranian APTs are notoriously good at.

Details of Exploit for Unpatched Internet Explorer 0-Day per Threatpost

Yes, this is that IE bug that a certain North Korean APT was using to lure security researchers in a very deceptive social engineering attack. The bug is still unpatched, but security researchers with 0patch have details on where the bug exists and what triggers it. It’s described as a “double-free bug”, triggered by JavaScript code, that corrupts memory in the Internet Explorer process. No PoC till there’s a patch, as this could be weaponized.

Daily Perk 2/18/2021

Update to CRA email removal: 100k online accounts were suspended as a precaution when login credentials were found being sold on dark web forums. No breach.

SolarWinds Update: per Bleeping Computer’s article today, the SolarWinds attackers could get access to source code for some components used by Azure, Intune and Exchange. It could lead to gaining API keys, credentials and security tokens embedded in the source code. I’ll just leave that with you 😲

US Charges Three North Korean Hackers over $1.3 Billion Cryptocurrency Heist per The Hacker News

This is significant because North Korea has shifted its targets to cryptocurrency and exchanges to make some coin – bitcoin. Assistant Attorney General John C. Demers summed it up best:

“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers”

But remember – this is a nation equipped with and prepared to use destructive malware and are motivated by revenge as well as finances.

Daily Perk 2/17/2021

Missed you all! Sending wishes for warmth and safety to all those in the south without power

CRA Locks Online Accounts Amid Investigation, Leaving Users Worried per CBC News

Since yesterday a growing number of Canadians have been reporting being locked out of their accounts on the Canada Revenue Agency’s online platform, with the message that their email address has been removed. That is disturbing, because it can be a preliminary safety measure in response to an information leak or attempted hack. More disturbing if it is issued with no further explanation, and tax season is upon us. The CRA has said this is not a breach but a security precaution “in the context of ongoing investigative work” and that those users locked out will receive a letter by regular mail to help them unlock their account. And unfortunately it seems there is no getting through on the phone lines 😞

Now, the CRA had a breach involving CERB payments fraud last August and did the same thing, shutting down online services, before announcing it. Precedent?

Tracker Pixels in Emails Now an Endemic Privacy Concern per ZDNet

Spy pixels are tracking pixels or web beacons hidden in the content of an email: tiny image files, typically 1x1 and transparent, that blend right in. When the recipient opens the email, the mail client fetches the image from the sender’s server, and that request, carrying a unique identifier in the image URL, tells the sender who opened the message, when, and from which IP address. Great for marketers and businesses to measure customer engagement but awful for privacy. Users can stop them from triggering by configuring their mail client or webmail not to load remote images automatically.

I am not a marketer and I have a decidedly different view on privacy because I do security for a living. That said, I have had concerns about the use of trackers in emails for some time, and it’s only getting worse. When I see “automatically downloads” I think of how attackers get macros enabled and malware running, and of steganography tactics. Call me paranoid.
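Added example, not from the ZDNet piece: how a client could spot beacons in a message body, and what “don’t load remote images” amounts to under the hood. The HTML message, hostnames and tokens are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value: str):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_tiny_or_hidden(img) -> bool:
    """1x1 (or 0x0) dimensions, or inline CSS that keeps the image invisible."""
    w, h = _pixels(img.get("width")), _pixels(img.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = img.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return re.search(r"(?:^|;)(?:width|height):0*[01](?:px)?(?:;|$)", style) is not None


def _has_tracking_token(src: str) -> bool:
    """A long opaque identifier in the query string or file name is how the sender ties the hit to you."""
    u = urlparse(src)
    for values in parse_qs(u.query).values():
        if any(len(v) >= 16 and re.fullmatch(r"[A-Za-z0-9_\-=.%]+", v) for v in values):
            return True
    stem = u.path.rsplit("/", 1)[-1].split(".")[0]
    return len(stem) >= 20 and re.fullmatch(r"[A-Za-z0-9_\-]+", stem) is not None


def find_tracking_pixels(html: str):
    """Return the remote images that look like beacons, with the reasons each was flagged."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid: and data: images are embedded in the message; they cannot phone home
        reasons = []
        if _is_tiny_or_hidden(img):
            reasons.append("tiny-or-hidden")
        if _has_tracking_token(src):
            reasons.append("tracking-token")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def block_remote_images(html: str) -> str:
    """The 'do not load remote images' setting, spelled out: every http(s) src becomes an empty data URL,
    and the original moves to data-blocked-src so a client can offer 'load images' on demand."""
    def _swap(m):
        quote = m.group(1)[-1]
        return m.group(1) + "data:," + quote + " data-blocked-src=" + quote + m.group(2)
    return re.sub(r"""(?i)(<img\b[^>]*?\bsrc\s*=\s*["'])(https?://[^"']*)""", _swap, html)


# Constructed sample message, not a real mailing; the hostnames and tokens are made up.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Hi Cheryl, your order has shipped.</p>
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/open?u=8f2c1a9e7b3d4c6f5a0e1b2c3d4e5f60" width="1" height="1" alt="">
<img src="cid:inline-photo" width="1" height="1">
<img src="https://track.example.net/px/9f8e7d6c5b4a39281716f5e4d3c2b1a0.gif" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(hit["src"], hit["reasons"])
    print(find_tracking_pixels(block_remote_images(SAMPLE_EMAIL_HTML)))  # nothing left to phone home
```

The logo is a remote image too, but it is neither hidden nor carrying a per-recipient token, which is why a blanket “block remote images” setting is the only reliable defence: the heuristics catch the obvious beacons, while blocking the fetch stops all of them, visible logos included.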

Happy Valentine’s Day to me!

https://www.amazon.com/This-They-Tell-World-Ends/dp/1635576059/ref=sr_1_1?dchild=1&keywords=nicole+perlroth&qid=1613358035&sr=8-1

Nicole Perlroth is currently a cybersecurity reporter with the New York Times. This book has been years in the making, a history of dark secrets that are rarely divulged, let alone recorded, about cyber arms deals. A history of and cautionary tale on the development of the cyber weapons industry, with America at the center of things.

Now, I have strange tastes in bedtime stories. For years, “Countdown to Zero Day”, the fabulous history of Stuxnet by Kim Zetter, has been my favourite. Seriously, I did read it to my kids. They’ve sadly outgrown bedtime stories, but I haven’t, and this book by Nicole Perlroth has everything I could ask for: dark topics, disturbing truths, and echoes of thoughts I’ve expressed to the disbelief or disinterest of others (I wasn’t paranoid enough, lol). I’ll be sharing tasty morsels as I make my way through.

“Russian hackers made a blood sport of hacking anyone and anything in Ukraine with a digital pulse”

Nicole Perlroth