Security Affairs


CISA urges to fix actively exploited Firefox zero-days by March 21

Tue, 03/08/2022 - 11:07
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added recently disclosed Firefox zero-days to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla Firefox, tracked as CVE-2022-26485 and CVE-2022-26486, to its Known Exploited Vulnerabilities Catalog. The US agency has ordered federal civilian agencies to address both issues by March 21, 2022.

On March 7, Mozilla released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address the two zero-day vulnerabilities, which are being actively exploited in attacks.

The two vulnerabilities are use-after-free issues in XSLT parameter processing and in the WebGPU IPC framework, respectively.

Successful exploitation of the flaws can crash the browser process or lead to arbitrary code execution on the machine.

Below is the description of both flaws included in the advisory published by Mozilla:

  • CVE-2022-26485: Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
  • CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Known Exploited Vulnerabilities Catalog and address the listed vulnerabilities in their own infrastructure.

CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog that are reported in the following table along with the associated due date.

CVE ID           Vulnerability Name                                                                      Due Date
CVE-2022-26486   Mozilla Firefox Use-After-Free Vulnerability                                            03/21/22
CVE-2022-26485   Mozilla Firefox Use-After-Free Vulnerability                                            03/21/22
CVE-2021-21973   VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)              03/21/22
CVE-2020-8218    Pulse Connect Secure Code Injection Vulnerability                                       09/07/22
CVE-2019-11581   Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability      09/07/22
CVE-2017-6077    NETGEAR DGN2200 Remote Code Execution Vulnerability                                     09/07/22
CVE-2016-6277    NETGEAR Multiple Routers Remote Code Execution Vulnerability                            09/07/22
CVE-2013-0631    Adobe ColdFusion Information Disclosure Vulnerability                                   09/07/22
CVE-2013-0629    Adobe ColdFusion Directory Traversal Vulnerability                                      09/07/22
CVE-2013-0625    Adobe ColdFusion Authentication Bypass Vulnerability                                    09/07/22
CVE-2009-3960    Adobe BlazeDS Information Disclosure Vulnerability                                      09/07/22
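The practical question for any organization, federal or not, is which catalog entries are due within a given window and which of them touch products actually deployed. The script below is an added example, not code from the article or from CISA: it parses a constructed sample in the layout of CISA's known_exploited_vulnerabilities.json feed (the real feed carries more fields; the cveID, vulnerabilityName and dueDate values are taken from the table above, while the vendorProject/product strings are assumed abbreviations) and answers both questions.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's known_exploited_vulnerabilities.json
# feed, reduced to the fields this example reads. The CVE IDs, names and due
# dates are the ones in the table above; vendorProject/product strings are
# assumed abbreviations, not copied from the live feed.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-26486", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
     "dueDate": "2022-03-21"},
    {"cveID": "CVE-2022-26485", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
     "dueDate": "2022-03-21"},
    {"cveID": "CVE-2021-21973", "vendorProject": "VMware", "product": "vCenter Server",
     "vulnerabilityName": "VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)",
     "dueDate": "2022-03-21"},
    {"cveID": "CVE-2020-8218", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
     "vulnerabilityName": "Pulse Connect Secure Code Injection Vulnerability",
     "dueDate": "2022-09-07"},
    {"cveID": "CVE-2019-11581", "vendorProject": "Atlassian", "product": "Jira Server and Data Center",
     "vulnerabilityName": "Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability",
     "dueDate": "2022-09-07"},
    {"cveID": "CVE-2013-0631", "vendorProject": "Adobe", "product": "ColdFusion",
     "vulnerabilityName": "Adobe ColdFusion Information Disclosure Vulnerability",
     "dueDate": "2022-09-07"},
]})


def load_kev(raw_json: str) -> list:
    """Parse a KEV feed document and return its 'vulnerabilities' entries."""
    return json.loads(raw_json)["vulnerabilities"]


def due_on_or_before(entries: list, cutoff: str) -> list:
    """CVE IDs whose BOD 22-01 remediation deadline is on or before `cutoff` (ISO date)."""
    limit = date.fromisoformat(cutoff)
    return sorted(e["cveID"] for e in entries
                  if date.fromisoformat(e["dueDate"]) <= limit)


def match_inventory(entries: list, inventory: dict) -> dict:
    """Map each inventory asset to the KEV CVEs whose product name appears in it.

    `inventory` is {asset_name: product_string}. The match is a case-insensitive
    substring test, deliberately loose: it over-reports (an already patched
    Firefox still matches) rather than silently missing an asset; version
    checking is left to the patch-management system.
    """
    report = {}
    for asset, product in inventory.items():
        cves = sorted(e["cveID"] for e in entries
                      if e["product"].lower() in product.lower())
        if cves:
            report[asset] = cves
    return report


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("Due by 2022-03-21:", ", ".join(due_on_or_before(kev, "2022-03-21")))
    # Constructed inventory for the demonstration.
    inventory = {"vpn-gw-01": "Pulse Connect Secure 9.1",
                 "laptop-fleet": "Mozilla Firefox 97.0.1",
                 "web-01": "nginx 1.20"}
    for asset, cves in match_inventory(kev, inventory).items():
        print(f"{asset}: {', '.join(cves)}")
```

Against the live feed the same functions work unchanged once `SAMPLE_KEV_JSON` is replaced by the downloaded document; the substring match is the weak point and should be replaced by CPE matching where an asset inventory provides it.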

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Firefox)

The post CISA urges to fix actively exploited Firefox zero-days by March 21 appeared first on Security Affairs.

Categories: Cyber Security News

Ragnar Locker ransomware group breached at least 52 organizations across 10 critical infrastructure sectors

Tue, 03/08/2022 - 10:01
The US FBI warns that the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors.

The US Federal Bureau of Investigation (FBI) and CISA published a flash alert to warn that the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations across 10 critical infrastructure sectors. The ransomware operation has been active since late December 2019; the FBI first became aware of the threat in April 2020, and this is the second time it has shared indicators of compromise (IoCs) related to the RagnarLocker operation.

“As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,” reads the FBI’s flash alert. “RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.”

The flash alert provides details on attack infrastructure, Bitcoin addresses used by the gang to receive the payments of the ransom from the victims, and email addresses used by the gang’s operators.

The flash alert includes a series of mitigations to neutralize such attacks:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

Organizations that identify suspicious activity within their enterprise, or that have related information, are urged to contact their local FBI Cyber Squad immediately, following the procedures outlined in the Reporting Notice section of the flash alert.


Pierluigi Paganini

(SecurityAffairs – hacking, Ragnar Locker ransomware)


Ukraine’s CERT-UA warns of phishing attacks against Ukrainian citizens

Tue, 03/08/2022 - 07:16
Ukraine’s CERT-UA warned citizens of new phishing attacks launched through compromised email accounts belonging to Indian entities.

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of new phishing attacks targeting Ukrainian citizens through compromised email accounts belonging to three different Indian entities.

The attacks were aimed at stealing the credentials of the targeted accounts. The malicious emails were sent from “[email protected][.]com”, used the subject line “Увага” (“Attention”), and claimed to come from the domestic email service Ukr.net.

TVS Rubber is an India-based automotive company that was previously compromised by the threat actors behind this campaign.

The messages are crafted to trick the recipients into clicking on a link (hxxp://consumerspanel.frge[.]io/) to change their passwords due to an alleged unauthorized attempt to log in to their accounts from an IP address based out of the eastern Ukrainian city of Donetsk.

“Once you have clicked the link and entered your password, it gets to the attackers. In this way the attackers have access to the email accounts of Ukrainian citizens,” reads the CERT-UA alert.

CERT-UA later added that it detected an additional 20 email addresses that were used in the campaign.

“A list of e-mail addresses has been formed from which the malicious messages are sent to compromise the accounts of Ukrainian citizens.” reads the second alert published by CERT-UA. “All these mailboxes are compromised and are used by the special services of the Russian Federation to conduct cyber attacks against Ukrainian citizens.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Dirty Pipe Linux flaw allows gaining root privileges on major distros

Tue, 03/08/2022 - 02:53
Dirty Pipe is a Linux vulnerability, tracked as CVE-2022-0847, that can allow local users to gain root privileges on all major distros.

Security expert Max Kellermann discovered a Linux flaw, dubbed Dirty Pipe and tracked as CVE-2022-0847, that can allow local users to gain root privileges on all major distros.

The vulnerability affects Linux kernel 5.8 and later versions; the fix was released upstream in the stable kernels 5.16.11, 5.15.25, and 5.10.102.
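Deciding whether a given host is in the affected range is a version-range question with a trap: the bug was introduced in 5.8 and fixed only in three stable series, so a kernel from a series with no upstream fix release is safe only if the distribution backported the patch. The script below is an added example, not code from the article or from Kellermann's write-up; it encodes the upstream version facts stated above and classifies a `uname -r` string. The status strings are its own, and release candidates (which parse as x.y.0) are not distinguished.

```python
import platform
import re

# Upstream facts: the bug entered mainline in 5.8 and, per Kellermann's
# disclosure, was fixed in stable releases 5.16.11, 5.15.25 and 5.10.102,
# and in mainline before 5.17 shipped. Series >= 5.8 absent from
# FIXED_STABLE (5.8, 5.9, 5.11-5.14) never got an upstream fix release, so a
# distribution kernel on them is only safe if the distro backported the patch.
INTRODUCED = (5, 8, 0)
FIXED_STABLE = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
FIRST_FIXED_MAINLINE = (5, 17, 0)

NOT_AFFECTED = "not affected (pre-5.8 upstream code)"
FIXED = "fixed"
VULNERABLE = "vulnerable"
CHECK_DISTRO = "no upstream fix release for this series; verify distro backport"


def parse_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.10.102-1-amd64' into (5, 10, 102).

    Only the leading major.minor[.patch] is used; the distro suffix after it
    says nothing about upstream patch level. '-rcN' suffixes are ignored, so
    a release candidate is treated like the final x.y.0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release against the CVE-2022-0847 affected range."""
    v = parse_release(release)
    if v < INTRODUCED:
        return NOT_AFFECTED
    if v >= FIRST_FIXED_MAINLINE:
        return FIXED
    fixed = FIXED_STABLE.get(v[:2])
    if fixed is None:
        return CHECK_DISTRO
    return FIXED if v >= fixed else VULNERABLE


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {dirty_pipe_status(running)}")
```

The version number is only a first filter. Enterprise kernels that backport upstream code under an old version string (Red Hat's 4.18-based RHEL 8 kernel is the well-known case for this CVE) can be affected despite reporting a pre-5.8 version, so for those the vendor advisory, not this check, is authoritative.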

The CVE-2022-0847 vulnerability allows overwriting data in arbitrary read-only files, which could lead to privilege escalation because unprivileged processes can inject code into root processes.

Kellermann explained that the flaw is similar to CVE-2016-5195, aka Dirty Cow, but is more dangerous because it is easier to exploit.

In a blog post, the researcher explained that he discovered the flaw while investigating corrupted access log files for one of his customers.

Kellermann published technical details about the Dirty Pipe flaw along with a proof-of-concept (PoC) exploit that allows local users to overwrite the contents of any file in the page cache, even if the file is not writable by them, is marked immutable, or sits on a read-only mount.

BleepingComputer reported a tweet published by the security researcher Phith0n, who explained that it is possible to use the exploit to modify the /etc/passwd file and remove the root user’s password. Using this trick a non-privileged user could execute the command ‘su root’ to gain access to the root account.

Why did I overwrite the /etc/passwd?
Because this file saves all the user information on Linux.
I remove the "x" flag behind the "root" user, which means that I set an empty password for this user. So I can use "su root" to escalate privilege without credentials.

— Phith0n (@phithon_xg) March 7, 2022

Phith0n also published an updated version of the exploit that gains root by overwriting a SUID binary (for example, running ./exp /usr/bin/su) so that it drops a root shell at /tmp/sh, and then executing that shell.

Timeline (figure from Kellermann’s write-up, not reproduced here).

Servers running outdated kernel versions are exposed to attacks exploiting this flaw.


Pierluigi Paganini

(SecurityAffairs – hacking, Linux)


Coinbase blocked 25,000 crypto addresses linked to Russian individuals and entities

Mon, 03/07/2022 - 16:16
Coinbase announced that it’s blocking access to more than 25,000 blockchain addresses linked to Russian individuals and entities.

The popular cryptocurrency exchange Coinbase announced today that it’s blocking access to more than 25,000 blockchain addresses linked to Russian people and entities.

Coinbase chief legal officer Paul Grewal explained that its company is complying with sanctions imposed by governments around the world on individuals and territories in response to Russia’s invasion of Ukraine. The exchange is also using “sophisticated blockchain analytics” to identify accounts held by sanctioned individuals outside of Coinbase.

The company is committed to blocking access by sanctioned actors, detecting attempts at evasion, and identifying high-risk behavior. Sanctioned individuals and entities will not be able to open new accounts.

Coinbase also shared all the blocked addresses with the US government.

“Today, Coinbase blocks over 25,000 addresses related to Russian individuals or entities we believe to be engaging in illicit activity, many of which we have identified through our own proactive investigations,” reads the announcement published by the exchange. “Once we identified these addresses, we shared them with the government to further support sanctions enforcement.”

Grewal explained that Coinbase checks account applications against lists of sanctioned individuals or entities, including those maintained by other countries such as the United States, United Kingdom, European Union, United Nations, Singapore, Canada, and Japan.

“Sanctions play a vital role in promoting national security and deterring unlawful aggression, and Coinbase fully supports these efforts by government authorities,” Grewal added. “They are best placed to decide when, where, and how to apply them.”

Other crypto companies have refused to block crypto addresses linked to Russian entities; Binance founder Changpeng Zhao argued that cryptocurrencies won’t help Russia evade sanctions.

“Currently, the media and politicians are spending a lot of effort and focus on crypto and sanctions,” Binance founder Changpeng Zhao said. “The truth is, crypto is too small for Russia. If we look at the crypto adoption today, there is probably about 3% of the global population with some kind of crypto exposure (ie, owning some crypto). Of those, most only have a small percentage of their net worth in crypto. Less than 10% on average. So, there is probably only less than 0.3% of the global net worth in crypto today. This percentage applies equally to Russia.”


Pierluigi Paganini

(SecurityAffairs – hacking, Coinbase)


SharkBot, the new generation banking Trojan distributed via Play Store

Mon, 03/07/2022 - 10:46
The SharkBot banking malware evaded Google Play Store security checks by masquerading as an antivirus app.

SharkBot is a banking trojan that has been active since October 2021; it allows attackers to steal banking account credentials and bypass multi-factor authentication mechanisms.

The malware was spotted at the end of October by researchers from the cyber security firms Cleafy and ThreatFabric; the name comes from one of the domains used for its command and control servers.

The malware was observed targeting the mobile users of banks in Italy, the UK, and the US. The trojan allows attackers to hijack users’ mobile devices and steal funds from online banking and cryptocurrency accounts.

SharkBot is able to perform unauthorized transactions via Automatic Transfer Systems (ATS), an advanced attack technique that is uncommon within Android malware.

ATS enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers without a live operator intervention to authorize the transactions. Researchers pointed out that this technique allows the malware to receive a list of events to be simulated, allowing attackers to automate and scale up their operations.

“The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers,” reads the report published by NCC Group. “Since these features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components.”

Experts discovered a reduced version of the SharkBot trojan in the official Google Play Store: it includes only the minimum required features, such as ATS, which it uses to install the full version of the trojan.

The malware was distributed via Google Play Store as a fake antivirus; it abuses the ‘Direct Reply’ Android feature to automatically reply to incoming notifications with a message containing a link to download the fake antivirus app.

This spread strategy abusing the Direct Reply feature has been seen recently in another banking malware called Flubot, discovered by ThreatFabric.

SharkBot steals banking credentials on Android with one of the following techniques, most of which require the victim to grant Accessibility permissions and services:

  • Injections (overlay attack): SharkBot can steal credentials by showing a WebView with a fake log in website (phishing) as soon as it detects the official banking app has been opened.
  • Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text fields changes and buttons clicked) and sending these logs to the command and control server (C2).
  • SMS intercept: Sharkbot has the ability to intercept/hide SMS messages.
  • Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device (via Accessibility Services).

NCC Group experts have shared indicators of compromise for this threat, including the list of tainted apps uploaded to the Google Play Store, which have been downloaded tens of thousands of times.

“One of the distinctive parts of SharkBot is that it uses a technique known as Automatic Transfer System (ATS). ATS is a relatively new technique used by banking malware for Android,” concludes the report. “To summarize, ATS can be compared with webinject, only serving a different purpose. Rather than gathering credentials for use/scale it uses the credentials for automatically initiating wire transfers on the endpoint itself (so without needing to log in and bypassing 2FA or other anti-fraud measures).”


Pierluigi Paganini

(SecurityAffairs – hacking, Sharkbot)



Mozilla addresses two actively exploited zero-day flaws in Firefox

Mon, 03/07/2022 - 02:35
Mozilla fixed two critical actively exploited zero-day bugs in Firefox with the release of 97.0.2, ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.

Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address two critical zero-day vulnerabilities, tracked as CVE-2022-26485 and CVE-2022-26486, that are actively exploited in attacks.

The two vulnerabilities are use-after-free issues in XSLT parameter processing and in the WebGPU IPC framework, respectively.

Successful exploitation of the flaws can crash the browser process or lead to arbitrary code execution on the machine.

Below is the description of both flaws included in the advisory published by Mozilla:

  • CVE-2022-26485: Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
  • CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

“We have had reports of attacks in the wild abusing this flaw.” reads the advisory for both issues.

Mozilla hasn’t shared details about the attacks.

These vulnerabilities were reported by security researchers from the Chinese cybersecurity firm Qihoo 360 ATA.

Users are recommended to install the security updates immediately.


Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla)


Anonymous offers $52,000 worth of Bitcoin to Russian troops for surrendered tank. Is it fake news?

Sun, 03/06/2022 - 18:26
The popular hacker collective Anonymous is offering to Russian troops $52,000 in BTC for each surrendered tank.

The popular hacker collective Anonymous will reportedly pay $52,000 in BTC for a tank surrendered by Russian troops.

Ukrainian media reported that the hacker group claims to have collected over RUB 1 billion (worth £7.8 million at the time of writing) and is offering to Russian soldiers RUB 5 million ($52,000) for each surrendered tank.

The news was reported by other websites [1,2], I was not able to find the original alleged message from Anonymous.

Soldiers that want to exchange such vehicles for cryptocurrency need to wave a white flag and use the password “million” to accept the offer.

“Russian soldiers, everyone who wants to live with their families, children, and not die, the Anonymous global community has collected RUB 1,225,043 in bitcoin to help you,” reads the alleged message from Anonymous.

The sanctions imposed by the international community on Russia and its biggest financial institutions aim at creating financial instability in the country.

Many Russians attempted to protect their savings from ruble devaluation and sanctions by investing in cryptocurrencies, for this reason, the offer of cryptocurrencies to Russian troops could appear as tempting.

The news is very strange, and at this moment is difficult to track its source and determine its authenticity.

At this time Anonymous has yet to confirm or deny the news; if you have any information, please contact me.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


CVE-2022-0492 flaw in Linux Kernel cgroups feature allows container escape

Sun, 03/06/2022 - 13:46
A Linux kernel flaw, tracked as CVE-2022-0492, can allow an attacker to escape a container to execute arbitrary commands on the container host.

A now-patched high-severity Linux kernel vulnerability, tracked as CVE-2022-0492 (CVSS score: 7.0), can be exploited by an attacker to escape a container to execute arbitrary commands on the container host.

The issue is a privilege escalation flaw in the Linux kernel feature called control groups (cgroups), which limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.

“A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.” reads the advisory published for this flaw.

Major Linux distros, including Suse, Ubuntu, and Redhat, also published their own advisories.

The flaw resides in the cgroups v1 release_agent functionality: release_agent names a program that the kernel runs, with full privileges, when the last process in a cgroup terminates (if the group’s notify_on_release flag is set).

The root cause of the problem is the cgroups implementation in the Linux kernel that did not properly restrict access to the feature. A local attacker could exploit this vulnerability to gain administrative privileges.

The vulnerability was discovered by the security researchers Yiqi Sun and Kevin Wang.

“On Feb. 4, Linux announced CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers.” reads the analysis published by Palo Alto Networks Unit 42 researcher Yuval Avrahami. “The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.”

According to Palo Alto Networks, CVE-2022-0492 is caused by the lack of a check that the process setting the release_agent file has administrative privileges (i.e. the CAP_SYS_ADMIN capability).

Attackers that can write to the release_agent file, can force the kernel into invoking a binary of their choosing with elevated privileges and take over the machine. Only processes with “root” privileges can write to the file.

“Because Linux sets the owner of the release_agent file to root, only root can write to it (or processes that can bypass file permission checks via the CAP_DAC_OVERRIDE capability). As such, the vulnerability only allows root processes to escalate privileges.” continues the analysis. “At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre. Running as root doesn’t necessarily mean full control over the machine: There’s a gray area between the root user and full privileges that includes capabilities, namespaces, and containers. In these scenarios where a root process doesn’t have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.”

Users are recommended to apply the security fixes as soon as possible; the upstream patch makes the kernel require CAP_SYS_ADMIN before accepting a write to release_agent. Containers running under the default AppArmor or SELinux profiles are protected even on unpatched kernels, because those profiles block the cgroup filesystem mount the exploit depends on.
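The analysis quoted above reduces to two questions about a process: can it pass the file permission check on release_agent (euid 0 or CAP_DAC_OVERRIDE), and does it lack CAP_SYS_ADMIN (in which case only the bug, not a design property, lets the write through)? The script below is an added example, not code from the article or from Unit 42; it reads those answers out of /proc/<pid>/status. The three status excerpts are constructed samples (the CapEff mask 00000000a80425fb is the capability set a default, unprivileged Docker container receives), and the verdict strings are the example's own. Whether an LSM profile confines the container is passed in by the caller, since that is not visible in the status file.

```python
# Capability bit numbers from include/uapi/linux/capability.h.
CAP_DAC_OVERRIDE = 1
CAP_SYS_ADMIN = 21

# Constructed /proc/<pid>/status excerpts (only the fields read below).
# CapEff 00000000a80425fb is the mask a default, unprivileged Docker
# container gets: root uid, CAP_DAC_OVERRIDE present, CAP_SYS_ADMIN absent.
STATUS_CONTAINER_ROOT = (
    "Name:\tsh\nPid:\t1\n"
    "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n"
)
STATUS_HOST_ROOT = (
    "Name:\tbash\nPid:\t4242\n"
    "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nSeccomp:\t0\n"
)
STATUS_UNPRIVILEGED = (
    "Name:\tbash\nPid:\t4243\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\nSeccomp:\t0\n"
)

VERDICT_NO_WRITE = "cannot write release_agent (not root, no CAP_DAC_OVERRIDE)"
VERDICT_BY_DESIGN = "has CAP_SYS_ADMIN: release_agent writable by design, not a CVE-2022-0492 case"
VERDICT_LSM_BLOCKED = "root without CAP_SYS_ADMIN, but the LSM profile blocks the cgroupfs mount"
VERDICT_EXPOSED = "root without CAP_SYS_ADMIN: the exact CVE-2022-0492 case; patch the kernel"


def parse_proc_status(text: str) -> dict:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(cap_mask_hex: str, bit: int) -> bool:
    """True if capability `bit` is set in a CapEff/CapPrm/CapBnd hex mask."""
    return (int(cap_mask_hex, 16) >> bit) & 1 == 1


def cve_2022_0492_exposure(status_text: str, lsm_confined: bool) -> dict:
    """Apply the two conditions from the Unit 42 analysis to one process.

    - release_agent is a root-owned file, so the write needs euid 0 or
      CAP_DAC_OVERRIDE to pass the permission check.
    - Before the fix nothing checked CAP_SYS_ADMIN; a root process that lacks
      it (a typical container) is the case the CVE covers. A process that has
      CAP_SYS_ADMIN can set release_agent anyway, which is a design property.
    - lsm_confined is the caller's assertion that the container runs under the
      default AppArmor/SELinux profile, which denies the cgroupfs mount.
    """
    f = parse_proc_status(status_text)
    euid = int(f["Uid"].split()[1])          # Uid: real effective saved fs
    can_write = euid == 0 or has_cap(f["CapEff"], CAP_DAC_OVERRIDE)
    has_sys_admin = has_cap(f["CapEff"], CAP_SYS_ADMIN)
    if not can_write:
        verdict = VERDICT_NO_WRITE
    elif has_sys_admin:
        verdict = VERDICT_BY_DESIGN
    elif lsm_confined:
        verdict = VERDICT_LSM_BLOCKED
    else:
        verdict = VERDICT_EXPOSED
    return {"euid": euid, "can_write_release_agent": can_write,
            "has_cap_sys_admin": has_sys_admin, "verdict": verdict}


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            live = fh.read()
    except OSError:
        live = STATUS_CONTAINER_ROOT      # non-Linux host: fall back to the sample
    print(cve_2022_0492_exposure(live, lsm_confined=False)["verdict"])
```

Run inside a container, the live branch tells you which of the three cases you are in; note that a process with CAP_SYS_ADMIN inside a container (a "privileged" container) is reported as writable by design, which is the long-known cgroup release_agent escape and is not what the kernel patch fixes.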


Pierluigi Paganini

(SecurityAffairs – hacking, Linux)


Security Affairs newsletter Round 356

Sun, 03/06/2022 - 08:20
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

  • Charities and NGOs providing support in Ukraine hit by malware
  • Lapsus$ gang leaks data allegedly stolen from Samsung Electronics
  • Anonymous #OpRussia Thousands of sites hacked, data leaks and more
  • Thousands of satellite users offline in Europe following a cyberattack, is it a conflict spillover?
  • Russian watchdog Roskomnadzor also blocked Facebook in Russia
  • CISA adds 95 flaws to the Known Exploited Vulnerabilities Catalog
  • These are the sources of DDoS attacks against Russia, local NCCC warns
  • Russia-Ukraine, who are the soldiers that crowd cyberspace?
  • Avast released a free decryptor for the HermeticRansom that hit Ukraine
  • 75% of medical infusion pumps affected by known vulnerabilities
  • Cisco fixed two critical flaws in Expressway, TelePresence VCS solutions
  • The Difference Between Human and Machine Identities
  • Ukrainian WordPress sites under massive complex attacks
  • A cyberattack on Russian satellites is an act of war, the invasion of Ukraine no
  • Popular open-source PJSIP library is affected by critical flaws
  • Asylum Ambuscade spear-phishing campaign targets EU countries aiding Ukrainian refugees
  • NVIDIA discloses data breach after the recent cyber attack
  • Anonymous and its affiliates continue to cause damage to Russia
  • Ukrainian researcher leaked the source code of Conti Ransomware
  • IsaacWiper, the third wiper spotted since the beginning of the Russian invasion
  • Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list
  • Chipmaker giant Nvidia hit by a ransomware attack seen
  • CISA and FBI warn of potential data wiping attacks spillover
  • FoxBlade malware targeted Ukrainian networks hours before Russia’s invasion
  • Anonymous hit Russian Nuclear Institute and leak stolen data
  • Toyota Motors halted production due to a cyber attack on a supplier
  • Researcher leaked Conti’s internal chat messages in response to its support to Russia
  • Security Affairs newsletter Round 355
  • Iran-linked UNC3313 APT employed two custom backdoors against a Middle East gov entity
  • Anonymous breached the internal network of Belarusian railways
  • Feb 7- Feb 27 Ukraine – Russia the silent cyber conflict


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


Feb 27- Mar 05 Ukraine – Russia the silent cyber conflict

Sun, 03/06/2022 - 06:40
This post provides a timeline of the events related to the Russia invasion of Ukraine from the cyber security perspective.

March 5 – Anonymous #OpRussia Thousands of sites hacked, data leaks and more

Anonymous and its affiliates continue to target Russia and Belarus, it is also targeting the Russian disinformation machine.

March 5 – Thousands of satellite users offline in Europe following a cyberattack, is it a conflict spillover?

Thousands of satellite internet users across Europe were disconnected from the internet by a cyber-event, experts suspect a cyber attack.

March 4 – Russian watchdog Roskomnadzor also blocked Facebook in Russia

State communications watchdog Roskomnadzor has ordered to block access to Facebook in Russia amid the ongoing invasion of Ukraine.

March 4 – These are the sources of DDoS attacks against Russia, local NCCC warns

Russian government released a list containing IP addresses and domains behind DDoS attacks that hit Russian infrastructure after the invasion.

March 4 – Russia-Ukraine, who are the soldiers that crowd cyberspace?

While Russia is invading Ukraine, multiple forces are joining the conflict, especially in cyberspace; let’s analyze them.

March 3 – Avast released a free decryptor for the HermeticRansom that hit Ukraine

Avast released a decryptor for the HermeticRansom ransomware used in recent targeted attacks against Ukrainian entities.

March 3 – Ukrainian WordPress sites under massive complex attacks

Researchers observed a spike in the attacks against Ukrainian WordPress sites since the beginning of the military invasion of the country.

March 2 – A cyberattack on Russian satellites is an act of war, the invasion of Ukraine no

Russia considers it legitimate to invade another country but warns it will consider cyberattacks on its satellites an act of war.

March 2 – Asylum Ambuscade spear-phishing campaign targets EU countries aiding Ukrainian refugees

A spear-phishing campaign, tracked as Asylum Ambuscade, targets European government personnel aiding Ukrainian refugees.

March 2 – Anonymous and its affiliates continue to cause damage to Russia

The massive operation launched by the Anonymous collective against Russia for its illegitimate invasion continues.

March 2 – Ukrainian researcher leaked the source code of Conti Ransomware

A Ukrainian researcher leaked the source for the Conti ransomware and components for the control panels.

March 1 – IsaacWiper, the third wiper spotted since the beginning of the Russian invasion

IsaacWiper, a new data wiper, was used against an unnamed Ukrainian government network after Russia's invasion of Ukraine.

March 1 – CISA and FBI warn of potential data wiping attacks spillover

US CISA and the FBI warned US organizations that data wiping attacks targeting Ukraine entities could spill over to targets worldwide.

March 1 – FoxBlade malware targeted Ukrainian networks hours before Russia’s invasion

Microsoft revealed that Ukrainian entities were targeted with previously undetected malware, dubbed FoxBlade, several hours before the invasion.

February 28 – Anonymous hits Russian Nuclear Institute and leaks stolen data

Anonymous and other hacker groups that responded to the call to war against Russia continue to launch cyberattacks on government organizations and businesses.

February 28 – Researcher leaked Conti's internal chat messages in response to its support for Russia

A Ukrainian researcher leaked tens of thousands of internal chat messages belonging to the Conti ransomware operation.

February 27 – Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list

Ukraine is recruiting a volunteer IT army composed of white hat hackers to launch attacks on a list of Russian entities.

February 27 – Anonymous breached the internal network of Belarusian railways

The Anonymous hacker collective claims to have breached the Belarusian Railway’s data-processing network.

Below is the timeline of the events related to the previous weeks:

https://securityaffairs.co/wordpress/128478/cyber-warfare-2/russian-invasion-of-ukraine-timeline.html

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Categories: Cyber Security News

Charities and NGOs providing support in Ukraine hit by malware

Sun, 03/06/2022 - 05:48
Malware-based attacks are targeting charities and non-governmental organizations (NGOs) providing support in Ukraine.

Charities and non-governmental organizations (NGOs) that are providing support in Ukraine in these weeks are being targeted by malware attacks that aim to disrupt their operations.

The news was reported by Amazon, which attributes the attacks to state-sponsored hackers and confirmed that it is helping customers impacted by the attacks adopt security best practices.

“For several weeks, we have been partnering closely with Ukrainian IT organizations to fend off attacks and working with organizations in Ukraine, and around the world, to share real-time, relevant intelligence. As a result, our teams have seen new malware signatures and activity from a number of state actors we monitor. As this activity has ramped up, our teams and technologies detected the threats, learned the patterns, and placed remediation tools directly into the hands of customers.” reads the post published by Amazon. “While we are seeing an increase in activity of malicious state actors, we are also seeing a higher operational tempo by other malicious actors. We have seen several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption.”

Some of the most impacted operations are related to medical supplies, food, and clothing relief.

Amazon did not name the impacted organizations. It is working with multiple organizations and donated $5 million to organizations that are providing critical support on the ground, including UNICEF, UNHCR, World Food Program, Red Cross, Polska Akcja Humanitarna, and Save the Children.

A few days ago, researchers from cybersecurity firm Proofpoint uncovered a spear-phishing campaign, likely conducted by a nation-state actor, that compromised a Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.

The phishing messages included a weaponized attachment designed to download a Lua-based malware dubbed SunSeed. Experts found similarities between the infection chain associated with this campaign, tracked as Asylum Ambuscade, and other attacks Proofpoint observed in July 2021, a circumstance that suggests they were conducted by the same threat actor.

The campaign observed in July 2021 was linked to the Belarus-linked APT group Ghostwriter (aka TA445 or UNC1151).

Update: Made it clearer that Amazon did not name any of the targeted organizations.


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Categories: Cyber Security News

Lapsus$ gang leaks data allegedly stolen from Samsung Electronics

Sat, 03/05/2022 - 17:11
The Lapsus$ ransomware group claimed to have hacked Samsung Electronics and leaked allegedly stolen confidential data.

The Lapsus$ ransomware gang claims to have stolen a huge trove of sensitive data from Samsung Electronics and leaked 190GB of alleged Samsung data as proof of the hack.

The gang announced the availability of the sample data on its Telegram channel and shared a Torrent file to download it. They also shared an image of the source code included in the stolen data.

Stolen data contains confidential Samsung source code, including:

  • DEVICES/HARDWARE -Source code for every Trusted Applet (TA) installed on all samsung device’s TrustZone (TEE) with specific code for every type of TEE OS (QSEE, TEEGris etc). THIS INCLUDES DRM MODULES AND KEYMASTER/GATEKEEPER!
  • Algorithms for all biometric unlock operations, including source code that communicates directly with sensor (down to the lowest level, we’re talking individual RX/TX bitstreams here).
  • Bootloader source code for all recent Samsung devices, including Knox data and code for authentication.
  • Various other data, confidential source code from Qualcomm.
Source: Lapsus$ gang’s Telegram Channel

If the data leak is authentic, this security breach could have a severe impact on the company.

Last week, the Lapsus$ ransomware gang claimed responsibility for the cyber attack against chipmaker giant NVIDIA. The group claimed to have stolen 1 TB of data from the company's network. The ransomware gang leaked online around 20GB of data, including credentials for all Nvidia employees.


Pierluigi Paganini

(SecurityAffairs – hacking, Samsung Electronics)


Categories: Cyber Security News

Thousands of satellite users offline in Europe following a cyberattack, is it a conflict spillover?

Sat, 03/05/2022 - 04:51
Thousands of satellite internet users across Europe were disconnected from the internet by a cyber event; experts suspect a cyber attack.

Orange confirmed that "nearly 9,000 subscribers" of a satellite internet service provided by its subsidiary Nordnet in France were offline following a "cyber event" that took place on February 24 at Viasat, the US satellite operator that provides services to European carriers.

Around one-third of the 40,000 subscribers of the bigblu satellite internet service in Europe (Germany, France, Hungary, Greece, Italy and Poland) were impacted by the same cyber event.

Viasat announced on Wednesday that the “cyber event” had caused a “partial network outage” for customers “in Ukraine and elsewhere” in Europe who rely on its KA-SAT satellite.

At this time, Viasat has yet to provide technical details about the malicious event, which is under an ongoing investigation by law enforcement.

General Michel Friedling, head of France's Space Command, confirmed that the root cause of the outage is a cyberattack.

“For several days, shortly after the start of operations, we have had a satellite network that covers Europe and Ukraine in particular, which was the victim of a cyberattack, with tens of thousands of terminals that were rendered inoperative immediately after the attack,” said General Michel Friedling.

Cybersecurity and intelligence experts fear a possible spillover from the Ukraine-Russia conflict: cyber attacks and cyber weapons used by threat actors involved in the cyber dispute could hit infrastructure all over the world.

While Russia is targeting Ukraine with wipers, DDoS attacks, and disinformation campaigns, hacktivists like Anonymous are providing their support to Ukraine by targeting government organizations and private businesses in Russia and Belarus.


Pierluigi Paganini

(SecurityAffairs – hacking, satellite service)


Categories: Cyber Security News

Russian watchdog Roskomnadzor also blocked Facebook in Russia

Fri, 03/04/2022 - 17:12
State communications watchdog Roskomnadzor has ordered that access to Facebook be blocked in Russia amid the ongoing invasion of Ukraine.

State communications watchdog Roskomnadzor ordered that access to Facebook be blocked over the platform's decision to ban Russian media and state information resources. The block comes after Facebook recently deactivated or restricted access to accounts belonging to media outlets and news agencies spreading Russian propaganda, including RIA Novosti, Sputnik, and Russia Today. Roskomnadzor said the ban discriminated against Russian-owned media, in violation of Russian law.

Below is the comment provided by Nick Clegg, Meta’s President for Global Affairs.

On the Russian government's decision to block access to Facebook in the Russian Federation: pic.twitter.com/JlJwIu1t9K

— Nick Clegg (@nickclegg) March 4, 2022

On Friday, Roskomnadzor also ordered the blocking of the BBC, the U.S. Voice of America, Radio Free Europe/Radio Liberty, Deutsche Welle, and Meduza.

Roskomnadzor recently also blocked access to Twitter following an order by the Prosecutor General’s Office on February 24.

"The social network Twitter has been blocked in Russian territory, Roskomnadzor (RKN) said. In line with RKN's service for checking blocks of webpages and websites, access to the online resource twitter.com is restricted across Russia based on the Prosecutor General's Office demand dated February 24." reported Interfax. "RKN has earlier reported that Facebook was fully blocked across Russia."

We’re aware that Twitter is being restricted for some people in Russia and are working to keep our service safe and accessible.

— Twitter Support (@TwitterSupport) February 26, 2022


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)


Categories: Cyber Security News

CISA adds 95 flaws to the Known Exploited Vulnerabilities Catalog

Fri, 03/04/2022 - 15:34
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 95 vulnerabilities to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

95 is the largest number of flaws added to the catalog since the binding operational directive was issued in 2021.

The flaws added to the catalog impact several products, including Windows, Office, Cisco, Oracle, Adobe, Mozilla, Siemens, Apache, Exim, Linux, and Treck TCP/IP stack.

The following two issues added by CISA to the catalog are very old, dating back to 2002 and 2004 respectively:

  • CVE-2002-0367 – Microsoft Windows Privilege Escalation Vulnerability: smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges.
  • CVE-2004-0210 – Microsoft Windows Privilege Escalation Vulnerability: A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system.

The due date for both vulnerabilities is March 24, 2022.

27 of the 95 vulnerabilities added by the US agency to the catalog have a due date of March 17, 2022; 8 of them have been rated with a CVSS score of 9.8.

The catalog of actively exploited bugs for federal agencies has reached a total of 478 entries with the latest added issues.


Pierluigi Paganini

(SecurityAffairs – hacking, catalog of actively exploited)


Categories: Cyber Security News

These are the sources of DDoS attacks against Russia, local NCCC warns

Fri, 03/04/2022 - 10:23
The Russian government released a list containing the IP addresses and domains behind the DDoS attacks that hit Russian infrastructure after the invasion.

While the conflict on the battlefield continues, hacktivists continue to target Russian infrastructure exposed online. The Russian National Coordinating Center for Computer Incidents (NCCC) released a massive list containing 17,576 IP addresses and 166 domains that were involved in a series of DDoS attacks against Russian infrastructure.

The list of domains includes the US CIA and FBI, USA Today, and Ukraine’s Korrespondent magazine, along with domains and apps specifically set up to target Russia amid the invasion.

The advisory provides a list of recommendations for Russian organizations, including conducting an inventory of all network devices and services operating in the organization, restricting outside access to them, setting up logging systems, using complex and unique passwords, using Russian DNS servers, watching out for phishing attacks, and enforcing data backups.

The Russian government fears the consequences of data breaches suffered by its organizations, or possible interference by third-party nation-state actors that could exploit the ongoing attacks to carry out covert cyber attacks.

The Kremlin also fears the spread of news about the conflict on its soil; for this reason Twitter and Facebook have been restricted in Russia amid the conflict with Ukraine.

If you are interested in understanding the numerous threat actors that are providing support to both Russia and Ukraine, take a look at the following analysis:

Russia-Ukraine, who are the soldiers that crowd cyberspace?


Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)


Categories: Cyber Security News

Russia-Ukraine, who are the soldiers that crowd cyberspace?

Fri, 03/04/2022 - 05:09
While Russia is invading Ukraine, multiple forces are joining the conflict, especially in cyberspace; let's analyze them.

The analysis of the current scenario in cyberspace is not easy due to the presence of multiple threat actors and the difficulty of attributing the attacks.

Security group CyberKnow shared an interesting analysis of the groups, their operations and the channels they are using to disclose their operations.

As reported in the following table published by CyberKnow, Russian and Belarusian APT groups (Gamaredon, SandWorm, Ghostwriter), ransomware gangs like Conti and Stormous, and groups of alleged activists like are supporting Russia.

Update 3–2 March cyber group tracker: Ukraine-Russia war 2022. – Source CyberKnow

"Here we are, the third update of the Cyber group tracker for the Ukraine-Russia war and I continue to add more groups each day. I am still amazed about the number of groups. It seems with every attack new groups are entering the battle." reads the post of CyberKnow.

“It continues to be congested and contested — this is an insight into what the global community can expect in any future conflict big or small.”

The level of entropy is at its maximum, and this could favor information warfare operations and false flag activities.

Recent data leaks from the Conti gang and the Trickbot operation revealed support for and a relationship with Russian intelligence; this is a frightening scenario because it could rapidly extend the battlefield to international organizations operating on a global scale.

The activity of Anonymous and its affiliates could be exploited by nation-state actors to carry out parallel, independent and stealthy operations that benefit from the pressure that popular activists put on Russian targets.

Attributing these attacks is nearly impossible; for this reason it is essential to share information on threat actors, which is the only way to dissolve this thick fog.

For real-time updates: https://twitter.com/Cyberknow20


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


Categories: Cyber Security News

Avast released a free decryptor for the HermeticRansom that hit Ukraine

Thu, 03/03/2022 - 17:51
Avast released a decryptor for the HermeticRansom ransomware used in recent targeted attacks against Ukrainian entities.

Avast has released a free decryptor for the HermeticRansom ransomware employed in targeted attacks against Ukrainian systems since February 23.

The security firm aims to help Ukrainian victims recover their files for free.

HermeticRansom was one of the three components involved in the disruptive attacks detailed by ESET researchers:

  • HermeticWiper: makes a system inoperable by corrupting its data
  • HermeticWizard: spreads HermeticWiper across a local network via WMI and SMB
  • HermeticRansom: ransomware written in Go

Researchers from Crowdstrike discovered a logic flaw in the encryption process that allows the encryption to be broken. The experts speculate that the developers invested limited effort in testing the ransomware, likely because encryption was not the end goal of the threat.

“According to analysis done by Crowdstrike’s Intelligence Team, the ransomware contains a weakness in the crypto schema and can be decrypted for free.” reported Avast. “If your device has been infected with HermeticRansom and you’d like to decrypt your files, click here to skip to the How to use the Avast decryptor to recover files.”

Crowdstrike also released a script to recover encrypted files, which Avast used as the basis of a more user-friendly tool with an easy-to-use GUI.

The post published by Avast includes detailed instructions to recover the encrypted data.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)


Categories: Cyber Security News

75% of medical infusion pumps affected by known vulnerabilities

Thu, 03/03/2022 - 14:45
Researchers analyzed more than 200,000 network-connected medical infusion pumps and discovered that over 100,000 of them are vulnerable.

Researchers from Palo Alto Networks have analyzed more than 200,000 medical infusion pumps on the networks of hospitals and other healthcare organizations and discovered that 75% are affected by known vulnerabilities that could be exploited by attackers.

“We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks.” reads the report published by Palo Alto Networks. “An alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”

Image source: Ateq USA website

One of the most interesting findings that emerged from the report is that 52% of all infusion pumps analyzed by the experts were susceptible to two vulnerabilities publicly disclosed in 2019. These data are disconcerting considering that the average infusion pump has a life of eight to 10 years.

The following table reports the 10 most prevalent issues that emerged from the scan of network-connected medical devices.

Rank  CVE             Severity (Score)  % of analyzed pumps with CVE
1     CVE-2019-12255  9.8 (Critical)    52.11%
2     CVE-2019-12264  7.1 (High)        52.11%
3     CVE-2016-9355   5.3 (Medium)      50.39%
4     CVE-2016-8375   4.9 (Medium)      50.39%
5     CVE-2020-25165  7.5 (High)        39.54%
6     CVE-2020-12040  9.8 (Critical)    17.83%
7     CVE-2020-12047  9.8 (Critical)    15.23%
8     CVE-2020-12045  9.8 (Critical)    15.23%
9     CVE-2020-12043  9.8 (Critical)    15.23%
10    CVE-2020-12041  9.8 (Critical)    15.23%

Table 1. The top 10 most prevalent vulnerabilities found in the more than 200,000 inf

Experts grouped the issues into several categories, including leakage of sensitive information, unauthorized access and buffer overflow. Palo Alto Networks reported that some issues are related to third-party cross-platform libraries used by the devices, such as network stacks: CVE-2019-12255 and CVE-2019-12264, for example, are vulnerabilities in the IPNet TCP/IP stack.

Both flaws affect 52% of the analyzed infusion pumps, that is, more than 104,000 devices.

Palo Alto Networks recommends that healthcare providers adopt a proactive security strategy to prevent attacks. Below are some key capabilities to consider when evaluating IoMT security strategies and technologies for healthcare:

  • Accurate discovery and inventory
  • Holistic risk assessment
  • Apply risk reduction policies
  • Prevent Threats

"Among the 200,000 infusion pumps we studied, 75% were vulnerable to at least one vulnerability or threw up at least one security alert. While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations in which threat actors may be motivated to put extra resources into attacking a target." concludes the report.

"With attack surfaces widening and attack vectors becoming more refined than ever before, now's the time for healthcare organizations to define medical device security with a new level of sophistication."


Pierluigi Paganini

(SecurityAffairs – hacking, IoT)


Categories: Cyber Security News
