APT Cyber Tools Targeting ICS/SCADA Devices

This Joint Cybersecurity Advisory, coauthored by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), is being released to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs)
  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit for an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

This Joint Cybersecurity Advisory contains technical details, recommended mitigation measures, and additional references, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals. DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this Joint Cybersecurity Advisory to detect potential malicious APT activity and harden their ICS/SCADA devices.

Free Azure Cosmos DB Conf

Next week, please join us for the second Azure Cosmos DB Conf (April 19-20, 2022).

Azure Cosmos DB Conf is an online, virtual conference dedicated entirely to our customers and community sharing their knowledge and experience building apps and services using Cosmos DB.

The event is run as three 3-hour live streams in the Americas, APAC and EMEA, each with its own unique content, with a slate of on-demand sessions as well.

Visit Azure Cosmos DB Conf to see our agenda and download an .ics save-the-date for your calendar.

Verizon Cell Phone Users Beware: New SMiShing Campaign

Image Source: CNET

A recent SMS text message phishing (SMiShing) campaign is targeting Verizon Wireless customers and customers of other providers that piggyback off the Verizon network, such as Spectrum. These messages are spoofed to appear as though the message was sent from the recipient’s own phone number. The messages vary but typically thank the recipient for paying their bill and offer a gift. The messages include a link to accept the gift. These links may lead to malicious websites intending to steal account credentials or personal information, or to install malware. A similar campaign targeted AT&T customers in August 2021.
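The tells described above (a message that appears to come from the recipient's own number, a thanks-for-paying-your-bill lure, and a link to "accept a gift") can be turned into a simple triage rule for a messaging gateway or a help-desk intake script. The following is an added example written for this digest, not code from Verizon, CNET or any carrier; the message texts and 555 numbers are constructed, and the scoring weights and threshold are assumptions rather than a published rule.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Crude link detector: scheme-prefixed URLs or bare domain/path shorteners.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}/\S*", re.I)
# Lure wording from the campaign described above: thanks for paying, plus a gift.
LURE_RE = re.compile(r"thank(s| you) for paying|your (bill|payment)|\bgift\b", re.I)


@dataclass
class Sms:
    sender: str     # number the handset shows as the origin (spoofable)
    recipient: str  # the subscriber's own number
    body: str


def national_digits(number: str) -> str:
    """Drop formatting and a leading country code so +1 (555) 010-0001 == 5550100001."""
    digits = re.sub(r"\D", "", number)
    return digits[-10:]


def score_sms(msg: Sms) -> Tuple[int, List[str]]:
    """Return a risk score and the reasons behind it; higher is more suspicious."""
    score, reasons = 0, []
    # Strongest signal: the origin is the recipient's own number, which a
    # legitimate carrier notification does not use.
    if national_digits(msg.sender) == national_digits(msg.recipient):
        score += 2
        reasons.append("origin spoofed as recipient's own number")
    if LURE_RE.search(msg.body):
        score += 1
        reasons.append("bill-thanks / gift lure wording")
    if URL_RE.search(msg.body):
        score += 1
        reasons.append("contains a link")
    return score, reasons


def is_suspicious(msg: Sms, threshold: int = 3) -> bool:
    """Self-number spoofing alone does not flag; require lure wording or a link too."""
    return score_sms(msg)[0] >= threshold


# Constructed sample traffic (not real campaign texts); 555-01xx numbers are reserved.
SAMPLES = [
    Sms("+1 555-010-0001", "5550100001",
        "Free Msg: Your bill is paid for March. Thanks, here's a little gift for you: "
        "http://example.invalid/gift"),
    Sms("555-010-0042", "5550100001", "Dinner at 7? Let me know."),
    Sms("+15550100001", "5550100001", "Reminder: your appointment is tomorrow at 9."),
]


def triage(messages: List[Sms]) -> List[Tuple[bool, int, List[str]]]:
    """Batch helper: (suspicious?, score, reasons) per message."""
    return [(is_suspicious(m),) + score_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, (flag, score, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print("SUSPICIOUS" if flag else "ok        ", score, reasons, "|", msg.body[:50])
```

The threshold of 3 means a message must combine the spoofed origin with either lure wording or a link before it is flagged, which keeps benign reminders that happen to arrive from an odd origin out of the alert queue; tune the weights against your own traffic before relying on them.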

New Botnet Linked to Russian Group Sandworm Attacking ASUS and WatchGuard Devices

Researchers discovered that Cyclops Blink, a botnet linked to the Russian advanced persistent threat group Sandworm, is actively targeting ASUS routers and WatchGuard firewall appliances. The malware is modular – meaning it can easily be updated to target new devices – and features a specialized module that may allow the malware to read flash memory in order to gather information about critical files, executables, data, and libraries. The malware then receives a command to nest in the flash memory and establish persistence, as this storage space can survive factory resets. Due to the number of indiscriminate targets, analysts assess that the group’s intent behind this iteration of distribution is to build and maintain a botnet infrastructure for future attacks on high-value targets.

A Tale of Caution

A few days ago, I found an interesting and dangerous situation that I would like to warn you about.

A company I know well was under attack from a weakness on their website. It was a major intrusion that needed immediate attention.

My issues started when I tried to contact anyone at the company to warn them about the problem.

I had to go through a “phone tree” for support. When I finally got a human to answer, and I explained the nature of the problem, and how it was time sensitive, the response I got was, “Thanks for the information. Someone will get back to you in a WEEK!” (The people who answered the phone were not IT support!)

What are your support staff trained to do when an issue is called in? Do you train them and test the process? Think about the issues if this was ransomware!! How long would support have waited to call level 2 support? How much data would your company lose while waiting for a ticket to even get to the proper person?
TRAIN YOUR STAFF NOW so that they can handle and respond to risks quickly in an appropriate manner. Don’t become a victim!

High-Severity Vulnerability in the Kubernetes Container Engine CRI-O

CrowdStrike security researchers discovered a high-severity vulnerability, dubbed “cr8escape,” in the Kubernetes container engine CRI-O, an open source, community-driven container engine. Each Kubernetes node includes a container runtime such as CRI-O. Among other tasks, the container runtime allows containerized apps to safely share each node’s underlying Linux kernel and other resources. The flaw, tracked as CVE-2022-0811 (CVSS v3 8.8), exists due to the addition of sysctl support in version 1.19, used to configure kernel parameters at runtime. Researchers determined that CRI-O will now “blindly set any kernel parameters it is passed without validation, meaning that anyone who can deploy a pod on a cluster using the CRI-O runtime can abuse the kernel.core_pattern parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.” Malicious threat actors may be able to exploit the vulnerability in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications, to exfiltrate data and move laterally across pods. The potential impact of this flaw is widespread due to the number of platforms that use CRI-O, such as OpenShift and Oracle Container Engine for Kubernetes. The vulnerability has been resolved and researchers urge users to patch immediately.
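Patching is the fix, but the write-up also makes clear what to look for in the meantime: pods that request sysctls outside the small set the kubelet treats as safe, and kernel.core_pattern in particular. The script below is an added example for this digest, not code from CrowdStrike, the CRI-O project or Kubernetes; it assumes the standard Pod schema (sysctls declared under spec.securityContext.sysctls) and the kubelet safe-sysctl list as published in the Kubernetes documentation. The sample pods are constructed.

```python
"""Audit pod manifests for unsafe sysctl requests such as kernel.core_pattern."""
import json
import sys
from typing import Any, Dict, Iterable, List, Optional

# Sysctls the kubelet classifies as "safe" (namespaced and isolated per pod) in the
# Kubernetes documentation. Anything else is "unsafe" and should only reach a node if
# an administrator deliberately allow-listed it via the kubelet's --allowed-unsafe-sysctls.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}


def classify(name: str) -> Optional[str]:
    """Severity for a requested sysctl, or None when it is in the safe set."""
    if name in SAFE_SYSCTLS:
        return None
    if name == "kernel.core_pattern":  # the parameter named in the cr8escape write-up
        return "critical"
    if name.startswith("kernel."):     # other kernel-wide knobs are never pod-local
        return "high"
    return "medium"


def pod_sysctls(pod: Dict[str, Any]) -> List[Dict[str, str]]:
    """Sysctls are declared under spec.securityContext.sysctls as [{name, value}, ...]."""
    spec = pod.get("spec") or {}
    return (spec.get("securityContext") or {}).get("sysctls") or []


def find_unsafe_sysctls(pod: Dict[str, Any]) -> List[Dict[str, str]]:
    meta = pod.get("metadata") or {}
    findings = []
    for entry in pod_sysctls(pod):
        severity = classify(entry.get("name", ""))
        if severity:  # flag regardless of value: the parameter itself is the problem
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "pod": meta.get("name", "<unnamed>"),
                "sysctl": entry.get("name", ""),
                "value": str(entry.get("value", "")),
                "severity": severity,
            })
    return findings


def scan(documents: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Accept bare Pod objects or a List (the shape `kubectl get pods -A -o json` returns)."""
    findings: List[Dict[str, str]] = []
    for doc in documents:
        pods = doc.get("items", []) if doc.get("kind") == "List" else [doc]
        for pod in pods:
            findings.extend(find_unsafe_sysctls(pod))
    order = ("critical", "high", "medium")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


# Constructed manifests (hypothetical pods, not from any real cluster).
SAMPLE_DOCUMENTS = [{
    "kind": "List",
    "items": [
        {"kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
         "spec": {"securityContext": {"sysctls": [
             {"name": "net.ipv4.ip_unprivileged_port_start", "value": "80"}]}}},
        {"kind": "Pod", "metadata": {"name": "builder", "namespace": "ci"},
         "spec": {"securityContext": {"sysctls": [
             {"name": "kernel.core_pattern", "value": "/tmp/core.%e"}]}}},
        {"kind": "Pod", "metadata": {"name": "cache", "namespace": "prod"},
         "spec": {"securityContext": {"sysctls": [
             {"name": "net.core.somaxconn", "value": "4096"}]}}},
        {"kind": "Pod", "metadata": {"name": "plain", "namespace": "prod"},
         "spec": {"containers": [{"name": "c", "image": "example/plain:1"}]}},
    ],
}]


if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` into this script, or run it bare for the samples.
    docs = [json.load(sys.stdin)] if not sys.stdin.isatty() else SAMPLE_DOCUMENTS
    for f in scan(docs):
        print(f"{f['severity']:8} {f['namespace']}/{f['pod']}: {f['sysctl']}={f['value']}")
```

Two points worth keeping in mind when reading the output: the Pod Security Admission "baseline" profile already rejects sysctls outside the safe list, so a cluster that enforces at least baseline on every namespace should produce no findings, and any finding that does appear is worth treating as a misconfiguration even after the CRI-O patch is applied, since unsafe sysctls are node-wide by design.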

 

QNAP Network Attached Storage (NAS) Devices Affected by High-Severity Linux Vulnerability

QNAP is notifying users that its Network Attached Storage (NAS) devices are impacted by the high-severity Linux vulnerability dubbed “Dirty Pipe,” which allows attackers with local access to gain root privileges.

Dirty Pipe is a vulnerability in the Linux kernel’s handling of pipe buffer flags, affecting Linux kernel versions 5.8 and later as well as some Android kernel versions. The flaw, CVE-2022-0847 (CVSS v3 7.8), may allow a non-privileged user to overwrite data in arbitrary read-only files and SUID binaries. Successful exploitation may allow root privilege escalation through the editing of administrative files such as /etc/passwd and SUID programs.

Proof of Concept (PoC) exploits have been made publicly available. Although a patch was released for the flaw, QNAP states that there is no mitigation available at this time and recommends that users install the security updates as soon as possible. Impacted NAS devices comprise those running QTS 5.0.x and QuTS hero h5.0.x, including: QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS; and QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS.
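With no mitigation short of the update, the practical defender's move on an unpatched NAS is to detect the outcome the write-up describes: an edited /etc/passwd or a modified SUID program. The script below is an added example of that check, my own code rather than QNAP's or the kernel community's: it hashes a watched set of administrative files plus every set-uid binary under a directory tree, stores the result as a baseline, and reports anything that changed. The file names and contents used by demo() are constructed throwaway files, never the real /etc/passwd.

```python
"""Baseline-and-compare check for the files a Dirty Pipe-style overwrite targets."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List

# Administrative files to watch; /etc/passwd is the one named above. Extend per platform.
SENSITIVE_FILES = ["/etc/passwd"]


def sha256_of(path: str) -> str:
    """Hash the file as the kernel serves it (through the page cache), in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suid_binaries(root: str) -> List[str]:
    """Regular files under root with the set-uid bit; these are the second target class."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Map each readable file to its digest; unreadable or missing files are left out."""
    baseline = {}
    for path in paths:
        try:
            baseline[path] = sha256_of(path)
        except OSError:
            continue
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose content changed, disappeared, or appeared since the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Dict[str, object]:
    """Self-contained run on throwaway files (never touches the real /etc/passwd)."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    passwd = os.path.join(root, "passwd")
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    helper = os.path.join(root, "helper")
    with open(helper, "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder")
    os.chmod(helper, 0o4755)  # set-uid; some filesystems silently drop the bit
    watched = [passwd] + find_suid_binaries(root)
    baseline = build_baseline(watched)
    clean = compare(baseline, build_baseline(watched))
    with open(passwd, "a") as fh:
        fh.write("# constructed tampering\n")  # simulate an unexpected edit
    tampered = compare(baseline, build_baseline(watched))
    return {"passwd": passwd, "watched": watched, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean run   :", result["clean"])
    print("after tamper:", result["tampered"])
```

On a real host, seed build_baseline() with SENSITIVE_FILES plus find_suid_binaries() over the system binary directories while the device is known-good, keep the saved baseline somewhere the NAS cannot rewrite, and re-run compare() on a schedule. Because a read of the file goes through the same page cache that a Dirty Pipe write corrupts, the digest reflects what processes on the box actually see, which is exactly the view an attacker needs to have altered.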

Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat.

CISA encourages users and administrators to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. For general information on Russian state-sponsored malicious cyber activity, see cisa.gov/Russia. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and cisa.gov/shields-up.