Cyberattacks are a common phenomenon today. The most we can do to minimize the chances of being targeted is to take adequate preventive measures, such as deploying cybersecurity tools and patching vulnerable systems as early as possible. Following are the major cyber headlines this week to help you better protect your information systems.


Four Agencies Report Rising Attacks on ICS and SCADA

A joint advisory was recently released by the US Department of Energy (DOE), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It warns of increasing attacks on Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) devices, following the agencies' discovery that malicious APT groups possess advanced tools that let them hijack and compromise such devices.

The joint advisory details the capabilities of these tools and says that with them the APT groups can scan, control, and compromise affected ICS/SCADA devices. Vulnerable targets include several versions of Programmable Logic Controllers (PLCs), OPC Unified Architecture (OPC UA) servers, and OMRON devices. The agencies warn that these tools are especially dangerous because they enable highly automated attacks. Further, one of the tools can exploit a vulnerability (CVE-2020-15368) in an ASRock-signed motherboard driver to deploy malicious code in the Windows kernel.

The agencies advise all organizations using ICS/SCADA devices to deploy cybersecurity tools and adopt mitigations such as monitoring access to management and engineering workstations that handle confidential files, isolating ICS and SCADA systems from other IT and OT networks, and watching for unusual or suspicious activity.

NCC Group Warns of Supply Chain Attack Risks

The latest report by UK-based information assurance firm NCC Group shows that global supply chain attacks increased by 51% between July and December 2021. The report points to the growing risk posed by third parties, as indicated by a poll of 1,400 organizational security decision-makers across 11 countries. NCC Group's report highlights that only 32% of respondents were very confident in their ability to handle a supply chain breach.

An interesting revelation in the report was the confusion surrounding the division of cybersecurity responsibility within organizations. While 53% of organizations said that they and their suppliers shared responsibility equally, 36% (roughly a third) said that the organization was more responsible than its suppliers. NCC Group reminded them that regulators usually hold the organization accountable in the event of a supply chain attack. For this reason, the EU's Digital Operational Resilience Act (DORA) recommends stating security requirements in contracts with third parties.

This is in line with the GDPR guidelines, which hold both suppliers and customers accountable in the event of a supply chain breach. The NCC Group report found that 49% of organizations were not discussing their security requirements with suppliers, and another 34% of respondents said they did not regularly monitor the security risks associated with suppliers. The report concluded that supplier risk will be one of the significant challenges facing organizations for at least the next 6-12 months.

Microsoft Warns Of New Malware – Tarrask

Cybersecurity experts at the Microsoft Detection and Response Team (DART) recently discovered a new malware strain that maintains access to compromised Windows systems by using scheduled tasks to evade detection. Known as Tarrask, the strain is believed to be backed by the China-supported hacker group Hafnium.

DART researchers reported that Hafnium usually uses unpatched zero-days as its initial attack vector. This time, the group is using the defense-evasion malware Tarrask together with Impacket for lateral movement and execution. Tarrask works by creating hidden scheduled tasks designed to evade traditional identification tools.

Hafnium primarily targets US think tanks, defense companies, and researchers. It is currently using the Tarrask tool to exploit a previously unknown Windows flaw. Tarrask hides scheduled task attributes from Task Scheduler and schtasks /query by removing the task's Security Descriptor (SD) registry value. This is done to maintain access to compromised devices long after the device has been restored. Because the malware is difficult to detect, Microsoft's researchers advise locating these hidden tasks through manual inspection of the Windows Registry, or by scanning the system for scheduled tasks that have no SD value in their Task key.
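An added example of the hunt described above, written for this page and not taken from Microsoft or the original post: it walks the Task Scheduler registry cache, reports task keys that carry an Id but no SD value, and cross-checks each one against what the scheduler itself lists. It assumes the standard TaskCache location under HKLM and that folder keys carry no Id value while real task keys do.

```powershell
# Hidden scheduled task hunt: tasks present in the registry cache but missing the
# SD (security descriptor) value are invisible to Task Scheduler and schtasks /query.
# Assumption: the standard Task Scheduler cache location below. Run elevated.
$TreeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskKeysWithoutSD {
    param([string]$Root = $TreeRoot)

    # Tasks and folders are both subkeys under Tree; folders nest, so recurse.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Assumption: folder keys have no Id value, task keys do. Skip folders.
        if ($null -eq $props -or $null -eq $props.Id) { return }

        # Relative task path in the same "\Folder\Name" form Task Scheduler uses.
        $relative = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)

        if ($null -eq $props.SD) {
            [pscustomobject]@{
                TaskPath = $relative
                Id       = $props.Id
                RegKey   = $_.Name
            }
        }
    }
}

function Find-HiddenScheduledTasks {
    # Second signal: a task stripped of its SD should also be absent from the
    # scheduler's own listing, so record whether Get-ScheduledTask can see it.
    $visible = [System.Collections.Generic.HashSet[string]]::new(
        [StringComparer]::OrdinalIgnoreCase)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        [void]$visible.Add($_.TaskPath + $_.TaskName)
    }

    Get-TaskKeysWithoutSD | ForEach-Object {
        $_ | Add-Member -NotePropertyName VisibleToScheduler `
                        -NotePropertyValue $visible.Contains($_.TaskPath) -PassThru
    }
}

# Anything reported here deserves a look at its Actions and Triggers under
# HKLM:\...\Schedule\TaskCache\Tasks\<Id> before it is removed.
Find-HiddenScheduledTasks | Format-Table TaskPath, Id, VisibleToScheduler -AutoSize
```

A task that shows up with VisibleToScheduler set to False is the exact pattern the Tarrask write-up describes; a task with no SD that the scheduler still lists may simply be a permissions quirk and is worth a second look rather than immediate removal.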

New Phishing Email Campaign Detected

Cybersecurity experts at Cluster25 recently detected a new phishing email campaign that aims to steal data from South Korean individuals. It is attributed to a DPRK-nexus threat actor group and resembles the Operation Kitty Phishing campaign. First noticed in April, it is believed to use malicious documents with various lures to compromise victim accounts. The spear-phishing emails contain malicious Word documents and impersonate internet security firms such as Menlo Security, AhnLab and SaniTOX, the Korean Internet Information Center, or even cryptocurrency firms such as Binance.

Opening the document downloads a malicious VBA script built to exploit the injection vulnerability CVE-2017-0199. This VBA code then contacts two embedded remote URLs. Experts note that all domains in this campaign are generated by a Domain Generation Algorithm (DGA) and differ for every payload. The campaign has several variants with minor differences in the kill chain. Its primary targets are users of the South Korean online platform Naver. South Korean users are advised to take additional ransomware protection measures and open attachments only from trusted sources.

Major Security Flaw Detected In NFT Marketplace – Rarible

Cybersecurity researchers recently uncovered a security flaw in the non-fungible token (NFT) marketplace Rarible. Although the flaw has since been fixed, its exploitation could have led to the theft of crypto assets and account takeovers. With over 2.1 million active users, Rarible is a popular marketplace for NFT transactions, and adversaries could take complete control of user wallets by sending malicious NFTs to victims.

According to security experts, Web2 and Web3 infrastructure differ considerably, and those differences make it easy for attackers to compromise crypto wallets on marketplaces that use Web3 protocols. In a typical attack, the adversaries send victims a link to a fake NFT. Clicking the link executes arbitrary JavaScript code, which sends a setApprovalForAll request to the wallet and so lets the adversaries gain complete control over the user's NFTs. Because users usually pay little attention to the permissions they grant when signing transactions, the adversaries use this setApprovalForAll API to move items from the seller's address to the buyer's address through the implemented smart contract. One can only fathom the repercussions of a design that lets almost anyone control our NFTs!

However, Rarible clarified that users could only fall victim to this scam if they consciously signed the suggested transactions with their wallets. Merely clicking the link to the fake NFT does not complete the hackers' scheme; users need to confirm the transactions. All NFT users are therefore advised to pay close attention to the transactions they sign and the websites they visit.

Cisco Fixes Critical Vulnerability in its WLC Software

Cisco recently disclosed a critical vulnerability in its Wireless LAN Controller (WLC) software that allows adversaries to bypass authentication. With a CVSS score of 10, the vulnerability (CVE-2022-20695) stems from a flawed implementation of the password validation algorithm. Consequently, an attacker with crafted credentials could bypass the password check and log into vulnerable devices as an administrator.

The flaw was found in WLC software releases 8.10.151.0 and 8.10.162.0 and affects the Mobility Express, 3504, 5520, and 8540 wireless controllers, as well as Virtual Wireless Controller (vWLC) devices, if the macfilter radius compatibility setting is configured as 'Other.'

Since there are no workarounds for the bug, affected customers are advised to update their WLC software to release 8.10.171.0 or later. In addition to fixing this flaw, Cisco has released patches for several other high-severity vulnerabilities affecting Cisco IOS and Cisco SD-WAN software. Exploiting these bugs would allow adversaries to escalate device privileges and launch denial of service (DoS) attacks. While Cisco has released patches for all of these vulnerabilities, it has no evidence that any of them has been exploited.
