VERT’s Cybersecurity News for the Week of April 18, 2022

All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of April 18, 2022. I’ve also included some comments on these stories.

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks

On April 13, the Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to warn that certain industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices can be targeted by advanced persistent threat (APT) actors who have the capability to gain full system access, reports Dark Reading.

DYLAN D’SILVA | Security Researcher at Tripwire

For those in the CI (Critical Infrastructure) sectors, and more specifically, for those that are responsible for the security of their respective ICS and SCADA Systems, I hope you are paying attention to the news and advisories being published, for good reason.

Mid last week, CISA and a couple of the other lettered, federal agencies (DoE, NSA, FBI) released a new advisory warning that certain ICS and SCADA systems are being targeted by APT (Advanced Persistent Threat) actors to gain full system access and control.

Vulnerable products include:

• Schneider Electric PLCs
• OMRON Sysmac NEX PLCs
• Open Platform Communications Unified Architecture Servers

Once compromised, the threat actors can then use custom-made tools to scan for additional vulnerable devices so they can take control of them too. Noted in the article is that there is a critical issue with Windows-based engineering workstations, whereby they leverage vulnerable motherboard drivers, whether they are in the OT or IT environment. From there, they could elevate their privileges and move laterally across the environment with the potential to cause greater damage.

Recommendations

1. If you have yet to identify a way to effectively implement cybersecurity controls and risk management, start with a thoughtfully devised framework, such as NIST. This will help guide you and leaders on how to create policies and procedures to protect your IT and OT Environments. ( https://www.nist.gov/cyberframework)
2. Sign up to receive the new alerts as they are issued by CISA. This will enable you to act and prioritize your work if you have hardware and software that’s identified as being vulnerable. ( https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new)
3. Practice Incident Response! If you have not sufficiently practiced, or even worse, are unfamiliar with your company’s incident response plan, make it a priority to fix that gap. If an incident/breach/attack happens you want all responsible parties to be familiar with the sequence of events and know who is responsible for what. It will add confusion and slow your response and remedy time if there are uncertainties.
4. With the convergence of IT and OT systems, it’s important to understand both perspectives. It’s critical to understand that it’s not: IT vs. OT; it’s IT & OT vs. the problem. Each side will have their non-negotiables which is fine, but it’s important both teams work together to create the best possible outcome when it comes to cybersecurity.
5. Ensure best practices are being followed, such as (but not limited to): Network architecture and segmentation, changing default passwords, disabling or deleting old/unused accounts, ensuring MFA and additional authentication tools are being leveraged, having a good backup strategy, which may include off-site storage, knowing what your DRP is and how to implement it, leveraging data from your SIEM to help analyze data and identify potential issues, and finally investigating how ‘Defense in Depth’ and ‘Zero Trust’ methodologies can aid your organization when developing your cybersecurity policies.

FBI Warns of ‘Reverse’ Instant Payments Phishing Schemes

The Federal Bureau of Investigation (FBI) has issued an alert on a new phishing scheme aimed at tricking victims into making money transfers to accounts controlled by cybercriminals, Security Week reports. The attack moonlights as a legitimate financial institution and targets users of digital payment applications, sending them a text and asking them to confirm that they initiated an instant money transfer.

DYLAN D’SILVA | Security Researcher at Tripwire

Phishing schemes and their social engineering techniques appear to be getting more and more sophisticated, which is a problem for people who are unfamiliar with these types of schemes, or for those who may be more vulnerable.

Digital banking and payment apps are beyond commonplace now (pandemic aside, I can’t remember the last time I stepped foot inside a physical bank branch), so it’s unsurprising that phishing has made its way to them. The FBI is warning of a ‘Reverse’ Instant Payment scam.

As the article notes, if a recipient of an automated text message responds, the cybercriminal will call the potential victim from a spoofed 1-800 number that appears to match that of the financial institution. Additionally, the criminals are typically speaking English with no accent.

Diving a bit deeper into how the scam is perpetrated, the attackers look to have extensive information of the victim’s background, including past addresses, Social Security numbers, etc. Armed with this, they claim to represent the bank’s fraud department and walk the victim through a process that’s meant to “reverse” a fake instant payment transaction (that the victim did not initiate in the first place).

From there, the victim is asked to remove their email address from the digital payment app and share it with the cybercriminal, who then adds it to a bank account that is controlled by the cybercriminals.

After the email address has been changed, they ask the victim to initiate a new instant payment transaction address to themselves which will “cancel or reverse” the original fraudulent payment. What is happening is that the victim is now sending the payment from their bank account to the one now controlled by cybercriminal.

Recommendations

From the FBI:

• Be cognizant and suspicious of requests (that you did not initiate) to verify account information.
  Use MFA (Multi-Factor Authentication) for all accounts.
• Be skeptical of callers that provide personal information to “prove” their identity.

Personal Suggestions

• If you receive a text message stating that an unauthorized payment was sent, use a separate/secondary method to verify; log into your bank account from your computer and investigate the transactions and e-transfers.
• You may have alerts setup on your accounts for various reasons, but they all will typically come from the same automated number (that belongs to the bank); be suspicious of ones that come from a new number. If in doubt, simply delete the text message.
• Banks will typically never call you asking you to verify information. If so, there is absolutely no harm in hanging up, looking up their 1-800 customer support number and calling them back to verify. Your priority is to protect yourself; you are not obligated to take any phone call that you don’t want to.

Apple iCloud account attack results in man losing $650,000 from his cryptocurrency wallet

Cryptocurrency wallet maker MetaMask has warned its 21 million monthly users to be wary of Apple iCloud backing up their app’s data by default, after attackers successfully stole $650,000 of funds and NFTs. In a blog on Bitdefender, Graham Cluley explains that once your Apple ID is compromised, hackers can gain access to sensitive data from any of your apps (like MetaMask) that backed up with default settings.

DYLAN D’SILVA | Security Researcher at Tripwire

This is an example of how good social engineering and phishing is getting, as well as ensuring you review the default settings on an app when you choose to install it. A cryptocurrency wallet user revealed that he had fallen victim to a social engineering scam and had $650K worth of funds and NFTs stolen.

Here is how the scam was pulled off:

• He received multiple messages asking him to reset this Apple ID password, as well as a phone call with the caller id of “Apple Inc.” (this was obviously spoofed).
• The scammer informed the victim that there had been suspicious activity on his Apple iCloud account and all he needed to do to resolve the issue was to provide the one-time verification code that his phone was about to receive.
• The victim notes that he was fooled into thinking this was legitimate because the caller had an American accent.

So now the attacker had access to the victim’s iCloud account. By default, that won’t automatically provide access to a user’s separate cryptocurrency wallet. Here is where checking the app settings to see what is being backed up to your iCloud account is critical.

The default setting of MetaMask (the cryptocurrency wallet used by the victim) is to back up data to the user’s iCloud account, including the secret 12-word recovery phrase, which would be used in an emergency (by the user) if they cannot remember their password or access their account. There is no warning provided by the app to inform users that data is being backed up to the users iCloud Account, which is critical in my opinion.

The article and victim do not go into detail as to how the attacker then got access to the victim’s MetaMask encrypted vault, but it does suggest that if they had reused a password, chose an obvious one, or one that could easily be cracked, then they could go on to access everything in the crypto wallet.

Recommendations provided by the article, which I wholeheartedly endorse:

• Keep your investments (crypto and otherwise) to yourself. There is no need to put this on social media, otherwise expect to be targeted.
• Caller ID can be spoofed, so be aware as to who is calling, why they are calling and what they are asking for. If in doubt, simply hang up and check your account/settings yourself.
• Never provide any one-time verification codes/passwords etc. to anyone that asks for them. No good company will ask for these, including your bank.
• Double-check your phone and app settings to see what is being backed up to your cloud accounts.
• Do not reuse passwords, use weak passwords, and/or use obvious passwords. Consider using a password manager program which will help securely store passwords/passphrases, but also have a utility to generate strong, secure passwords/passphrases.
• Instead of passwords, consider using passphrases.

Amazon Web Services fixes container escape in Log4Shell hotfix

Amazon Web Services (AWS) has fixed four security issues in its hot patch from December that addressed the critical Log4Shell vulnerability (CVE-2021-44228), reports Bleeping Computer. This particular vuln affects cloud or on-premise environments running Java applications with a vulnerable version of the Log4j logging library or containers.

DYLAN D’SILVA | Security Researcher at Tripwire

AWS looks to have addressed four issues from its initial hot patch release in December, which was meant to address the Log4Shell vulnerability, which affects Java applications running a vulnerable version of Log4j logging library or containers.

It is important to note that the hot patches are not exclusive to AWS Resources, which allowed escaping a container in the environment and taking control of a host.

For those unfamiliar with containers, and escaping a container, they can be broken down as follows. Containers are:

• Dedicated code that is bundled to a specific task within an application
• Logically isolated with the ability to communicate with each other through APIs
• They share a kernel with their host

Escaping a container involves exploiting vulnerabilities which allow an attacker to break free of a container’s isolation and access the hosts resources. This presents a large problem as they may be able to elevate privileges and cause additional harm.

Security Researchers discovered that the hot-fix solutions meant to address the Log4j/Log4Shell would keep searching for Java processes and patch them on the fly, without checking to see what restrictions should be enforced by the container. An additional problem that was created because of the patches was that the host processes were all provided with elevated privileges during the Log4Shell patching processes.

AWS Users that applied the initial hot patch can review the security bulletin which details the four new issues and what to do to address them.

Thoughts and Recommendations

This is a fitting example of why vulnerability management is such an important and critical piece of risk management and cybersecurity. If security practitioners and their leadership do not have a good handle on what vulnerabilities exist within their organization and what is being done to address them, then it is only a matter of time before malicious actors exploit these gaps in your digital defenses.

Vulnerability Management is a continuous and on-going exercise, which should feed into the larger cybersecurity policies. Look at the NIST Cybersecurity Framework for starters. While this is geared towards the Critical Infrastructure sectors, it has five distinct functions in its cycle, with specific sub-categories and outputs to help define an entire plan.

Cisco Patches Virtual Conference Software Vulnerability Reported by NSA

Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA). Tracked as CVE-2022-20783 (CVSS score of 7.5), the NSA-reported flaw is a denial of service (DoS) issue in TelePresence Collaboration Endpoint (CE) and RoomOS software, which could be exploited remotely, without authentication, Security Week noted on April 21.

SAMANTHA ZEIGLER | Security Researcher at Tripwire

Cisco released another round of patches of high-severity vulnerabilities. Some key patches include fixes for a denial-of-service vulnerability that the NSA reported in their TelePresence CE and RoomOS software. They also patched an elevation of privilege vulnerability in their VIM product alongside about 10 medium severity vulnerabilities.

Keep in Touch with Tripwire VERT

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.

Previous VERT Cybersecurity News Roundups

Comments are closed.