by Ravie Lakshmanan | Dec 2, 2022 | Cybersecurity
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an Industrial Control Systems (ICS) advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software.
“Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs,” the agency said.
GX Works3 is an engineering workstation software used in ICS environments, acting as a mechanism for uploading and downloading programs from/to the controller, troubleshooting software and hardware issues, and performing maintenance operations.
The wide range of functions also makes the software an attractive target for threat actors looking to compromise such systems in order to commandeer the managed PLCs.
Three of the 10 shortcomings relate to cleartext storage of sensitive data, four relate to the use of a hard-coded cryptographic key, two relate to the use of a hard-coded password, and one concerns a case of insufficiently protected credentials.
The most critical of the bugs, CVE-2022-25164 and CVE-2022-29830, carry a CVSS score of 9.1 and could be abused to gain access to the CPU module and obtain information about project files without requiring any permissions.
Nozomi Networks, which discovered CVE-2022-29831 (CVSS score: 7.5), said an attacker with access to a safety PLC project file could exploit the hard-coded password to directly access the safety CPU module and potentially disrupt industrial processes.
“Engineering software represents a critical component in the security chain of industrial controllers,” the company said. “Should any vulnerabilities arise in them, adversaries may abuse them to ultimately compromise the managed devices and, consequently, the supervised industrial process.”
The disclosure comes as CISA revealed details of a denial-of-service (DoS) vulnerability in Mitsubishi Electric MELSEC iQ-R Series that stems from a lack of proper input validation (CVE-2022-40265, CVSS score: 8.6).
“Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to cause a denial-of-service condition on a target product by sending specially crafted packets,” CISA noted.
In a related development, the cybersecurity agency further outlined three issues impacting Remote Compact Controller (RCC) 972 from Horner Automation, the most critical of which (CVE-2022-2641, CVSS score: 9.8) could lead to remote code execution or cause a DoS condition.
by Ravie Lakshmanan | Dec 1, 2022 | Cybersecurity
A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.
“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device,” Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.
Variston, which has a bare-bones website, claims to “offer tailor made Information Security Solutions to our customers,” “design custom security patches for any kind of proprietary system,” and support “the discovery of digital information by [law enforcement agencies],” among other services.
The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.
Heliconia comprises a trio of components, namely Noise, Soft, and Files, each of which is responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.
Noise is designed to take advantage of a security flaw in Chrome’s V8 JavaScript engine that was patched in August 2021, as well as an unknown sandbox escape method called “chrome-sbx-gen,” to enable the final payload (aka “agent”) to be installed on targeted devices.
However, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.
Heliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.
Soft is a web framework that’s engineered to deliver a decoy PDF document featuring an exploit for CVE-2021-42298, a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entailed the user visiting a malicious URL, which then served the weaponized PDF file.
The Files package – the third framework – contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 (CVE-2022-26485). However, the bug is suspected to have been abused since at least 2019.
Google TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there’s no current evidence of exploitation, indicating either that the toolset has been put to rest or that it has evolved further.
The development arrives more than five months after the tech giant’s cybersecurity division linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit RCS Lab.
“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” the researchers said.
by Ravie Lakshmanan | Nov 30, 2022 | Cybersecurity
A malicious Android SMS application discovered on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp.
The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.
This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that’s typically sent to verify the user when setting up new accounts.
“The malware asks the phone number of the user in the first screen,” security researcher Maxime Ingrao, who discovered the malware, said, while also requesting SMS permissions.
“Then it pretends to load the application but remains all the time on this page; this is to hide the interface of the received SMS, so that the user does not see the SMS of subscriptions to the various services.”
Some of the major services illegally signed up using the phone numbers include Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp, among others.
Additionally, the data collected by the malware is exfiltrated to a domain named “goomy[.]fun,” which was previously used in another malicious application called Virtual Number (com.programmatics.virtualnumber) that has since been taken down from the Play Store.
The app’s developer, Walven, has also been linked to another Android app known as ActivationPW – Virtual numbers (com.programmatics.activation) that claims to offer “virtual numbers to receive SMS verification” from more than 200 countries for less than 50 cents.
According to Ingrao, Symoo and ActivationPW represent the two ends of the fraudulent scheme, wherein the phone numbers of the hacked devices that have the former installed are employed to help users buy accounts through the latter.
Google told The Hacker News that the two apps have been removed from the Play Store and that the developer has been banned.
by Ravie Lakshmanan | Nov 30, 2022 | Cybersecurity
A previously undocumented backdoor called Dolphin has been attributed to the North Korea-linked ScarCruft group, which has used it against targets located in South Korea.
“The backdoor […] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers,” ESET researcher Filip Jurčacko said in a new report published today.
Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.
The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.
The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.
ScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geopolitically motivated APT group that has a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It’s been known to be active since at least 2012.
Earlier this April, cybersecurity firm Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying malware dubbed GOLDBACKDOOR, which shares overlaps with another ScarCruft backdoor named BLUELIGHT.
The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.
This, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the backdoor.
“While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,” Jurčacko explained.
What makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and exfiltrate files of interest, such as media, documents, emails, and certificates.
The backdoor, since its original discovery in April 2021, is said to have undergone three successive iterations, each with its own set of feature improvements that grant it more detection evasion capabilities.
“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” Jurčacko said. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”
by Ravie Lakshmanan | Nov 25, 2022 | Cybersecurity
An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.
EFI Development Kit, aka EDK, is an open source implementation of the Unified Extensible Firmware Interface (UEFI), which functions as an interface between the operating system and the firmware embedded in the device’s hardware.
The firmware development environment, which is in its second iteration (EDK II), comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.
Per firmware security company Binarly, the firmware image associated with Lenovo Thinkpad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018.
What’s more, one of the firmware modules, named InfineonTpmUpdateDxe, relied on OpenSSL version 0.9.8zb, which shipped on August 4, 2014.
“The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip,” Binarly explained in a technical write-up last week.
“This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”
The diversity of OpenSSL versions aside, some of the firmware packages from Lenovo and Dell utilized an even older version (0.9.8l), which came out on November 5, 2009. HP’s firmware code, likewise, used a 10-year-old version of the library (0.9.8w).
The fact that the device firmware uses multiple versions of OpenSSL in the same binary package highlights how third-party code dependencies can introduce more complexities in the supply chain ecosystem.
Binarly further pointed out the weaknesses in what’s called a Software Bill of Materials (SBOM) that arise as a result of integrating compiled binary modules (aka closed source) in the firmware.
“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” the company said.
“A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
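The binary-level check Binarly calls for can be approximated by scanning a firmware image for the version banner OpenSSL compiles into every build and comparing what is embedded against the floor the vendor’s SBOM declares. The script below is an added example, not Binarly’s tooling or any vendor’s code; the image bytes are a constructed stand-in with three statically linked copies of OpenSSL, and the dates on the constructed banners are omitted except for the 0.9.8zb one quoted above.

```python
import re
from typing import Dict, List, Tuple

# Banner OpenSSL compiles into every build (OPENSSL_VERSION_TEXT),
# e.g. "OpenSSL 0.9.8zb 4 Aug 2014". The legacy 0.9.x/1.0.x naming with a
# letter suffix is what the firmware findings above quote.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?: +(\d{1,2} [A-Z][a-z]{2} \d{4}))?")

def version_key(ver: str) -> Tuple[int, int, int, int, str]:
    """Sortable key for legacy versions: 0.9.8l < 0.9.8zb < 1.0.0a < 1.0.2j."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver}")
    major, minor, patch, suffix = m.groups()
    # Letter suffixes run a..z then za, zb, ... so a longer suffix sorts later.
    return (int(major), int(minor), int(patch), len(suffix), suffix)

def scan_blob(blob: bytes) -> Dict[str, List[int]]:
    """Map each distinct OpenSSL version banner to the offsets it occurs at."""
    found: Dict[str, List[int]] = {}
    for m in BANNER_RE.finditer(blob):
        ver = m.group(1).decode()
        found.setdefault(ver, []).append(m.start())
    return found

def older_than(found: Dict[str, List[int]], floor: str) -> List[str]:
    """Embedded versions that predate the floor the vendor's SBOM declares."""
    return sorted((v for v in found if version_key(v) < version_key(floor)),
                  key=version_key)

# Constructed stand-in for a firmware image (not a real dump): three modules,
# each carrying a different OpenSSL, with one library linked twice.
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"InfineonTpmUpdateDxe\x00OpenSSL 0.9.8zb 4 Aug 2014\x00"
    + b"\xff" * 8 + b"OpenSSL 1.0.0a\x00"
    + b"\x00" * 4 + b"OpenSSL 1.0.2j\x00"
    + b"\x00" * 4 + b"OpenSSL 0.9.8zb 4 Aug 2014\x00"
)

if __name__ == "__main__":
    hits = scan_blob(SAMPLE_IMAGE)
    for ver, offs in sorted(hits.items(), key=lambda kv: version_key(kv[0])):
        print(f"{ver:8} x{len(offs)} at offsets {offs}")
    print("below declared floor 1.0.2j:", older_than(hits, "1.0.2j"))
```

On a real image, run `scan_blob` over the extracted module bodies rather than the packed container, since compressed sections hide the banner strings.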