Vulnerabilities & Exploits

CISA Alert: Unveiling Cyber Onslaughts on Critical Infrastructure

As the cyber landscape faces ever-growing cyber threats, critical infrastructure entities continue to be prime targets. This Security Advisory explores significant cyber incidents from breaches in U.S. water facilities to ransomware attacks on power generation and municipal water authorities. As these incidents unfold, the imperative for proactive cybersecurity measures becomes even more pronounced.

CISA Alert: Breach at U.S. Water Facility by Exploiting Unitronics PLCs

CISA’s alert revealed a concerning breach at a U.S. water facility, exposing vulnerabilities in Unitronics programmable logic controllers (PLCs). Despite quick action preventing harm to drinking water, the incident emphasizes the need for heightened security measures. Some of the highlights of the CISA Alert for system administrators are:

Change all default passwords on PLCs and HMIs and use a strong password.
Ensure the Unitronics PLC default password “1111” is not in use.
Require multifactor authentication for all remote access to the Operational Technology (OT) network, including from the IT network and external networks.
- Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC.
- Use an allowlist of IPs for access.
If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC.
Update PLC/HMI to the latest version provided by Unitronics.

nGuard’s services, such as a comprehensive device configuration audit, play a crucial role in securing critical devices within your infrastructure. By meticulously evaluating your assets against established benchmarks and industry-leading security practices, we ensure the elimination of insecure default settings. This meticulous process ensures that your baseline configuration aligns seamlessly with the highest security standards, enhancing the overall resilience of your system.

Iranian Cyber Av3ngers: Municipal Water Authority Breach

Iranian threat actors, identified as Cyber Av3ngers, breached the Municipal Water Authority of Aliquippa in Pennsylvania on November 25th. They gained control of a booster station, though the Authority emphasized that this did not impact the facility’s operations, water supply, or drinking water. Matthew Mottes, the chairman of the board, attributed the attack to Cyber Av3ngers, noting its immediate detection. The Pro-Palestine group targeted a system by Unitronics, the devices discussed in the CISA Alert mentioned earlier, with the attackers claiming to have accessed several SCADA systems at Israeli water facilities as well. Despite these claims, no serious damage has been reported from the attacks on the targeted facilities.

The ability to detect and alert on attacks like these depends on having well-managed endpoint detection and a SIEM to collect logs and correlate the activity within your network so you can react when the time is right.

Cyberattack on North Texas Municipal Water District: Daixin Team at Play

The North Texas Municipal Water District faced a cyberattack that disrupted its operations, including its phone system. The Daixin Team claimed responsibility for the attack and reportedly stole over 33,000 files containing customer information from the water utility, which serves two million people across 13 cities in North Texas. While the business network has mostly been restored, the phone system remains affected. The core water, wastewater, and solid waste services to member cities and customers have not been impacted.

If your organization finds itself in a situation where incident response services are needed like the North Texas Municipal Water District, nGuard’s Cyber Security Incident Response service can jump in and help you triage.

Ransomware Strikes Slovenian Power Generation: HSE Under Attack

Slovenian power generation company Holding Slovenske Elektrarne (HSE) experienced a ransomware attack on November 22, compromising its systems without affecting power production. Control was regained, and the attack contained by November 24. The National Office for Cyber Incidents and the Ljubljana Police Administration were notified, and HSE collaborated with third-party experts to mitigate the attack’s effects and prevent the spread of malware to other critical infrastructure systems in Slovenia. The Rhysida ransomware gang is suspected, although no ransom demand has been made. The disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, with HSE officials asserting control over the situation.

In the face of escalating cyber threats against critical infrastructure, the recent incidents in the U.S. and Slovenia underscore the critical need for robust cybersecurity measures. CISA does offer free vulnerability scanning for water utilities, but if your organization is seeking a deeper evaluation, nGuard’s comprehensive services, including vulnerability management, incident response, and strategic assessments, offer a proactive defense against emerging threats. The uphill battle for strong, defense-in-depth cybersecurity requires constant vigilance, and nGuard stands ready to assist organizations in safeguarding your infrastructure and digital assets.

Microsoft’s Patch Tuesday Addresses Actively Exploited Zero-Days

In the latest Patch Tuesday release from Microsoft, the tech giant has rolled out vital updates, fortifying a total of 67 vulnerabilities. This comprehensive security overhaul addresses actively exploited zero-days, critical flaws, and publicly disclosed vulnerabilities, urging swift action from administrators to bolster system defenses. This month’s update takes a focused approach to three actively exploited Windows zero-days, underscoring the necessity for immediate deployment. Let’s delve into the specifics of these vulnerabilities.

Actively Exploited Windows Zero-Days

CVE-2023-36033 (CVSS 7.8): Desktop Window Manager Core Library Elevation of Privilege
- Impact: Allows attackers to gain SYSTEM privileges without user interaction.
- Affected Systems: Windows 10, Windows 11, Windows Server 2016, and newer.
CVE-2023-36036 (CVSS 7.8): Cloud Files Mini Filter Driver Elevation of Privilege
- Impact: Enables attackers to gain SYSTEM privileges without user interaction.
- Affected Systems: Windows Server 2008 and later, including the latest Windows desktop and server versions.
CVE-2023-36025 (CVSS 8.8): SmartScreen Security Feature Bypass
- Impact: Allows attackers to bypass Windows Defender SmartScreen checks by convincing users to click on a crafted URL.
- Affected Systems: All Windows OS versions dating back to Server 2008.

Publicly Disclosed Vulnerabilities

CVE-2023-36038 (CVSS 8.2): ASP.NET Core Denial of Service
- Impact: Could lead to a service disruption.
- Affected Systems: .NET 8.0, Microsoft Visual Studio 2022, and ASP.NET Core 8.0.
CVE-2023-36413 (CVSS 6.5): Microsoft Office Security Feature Bypass
- Impact: Exploitation more likely; requires user interaction for successful exploitation.

Exchange Server Fixes and Additional Updates

Microsoft has addressed four vulnerabilities in Exchange Server, including three spoofing issues and a critical remote-code execution flaw (CVE-2023-36439). Administrators are advised to update Exchange instances promptly due to the platform’s susceptibility to sophisticated attacks.

Curl Vulnerabilities Resolved

Addressing vulnerabilities in the open-source Curl tool, Microsoft distributed Curl version 8.4.0 to fix issues related to SOCKS5 heap buffer overflow (CVE-2023-38545) and HTTP headers consuming excessive memory (CVE-2023-38039).

Immediate Action Required

The severity of these vulnerabilities demand quick actions from administrators and organizations. Several steps can be taken to mitigate the risks associated with these vulnerabilities:

Patch Systems: The most effective way to safeguard these vulnerabilities is to apply the Microsoft patches promptly.
Conduct Vulnerability Scanning: Proactively identify and assess security weaknesses, like these vulnerabilities and more, in your systems, networks, and applications, allowing you to address these vulnerabilities before cybercriminals can exploit them.
Routine Security Assessments: Routine security assessments, such as external and internal penetration testing, are crucial to identify vulnerabilities and weaknesses in an organization’s network and systems.
Inventory Assessment: Organizations should conduct a detailed inventory of all their enterprise assets. This can help identify vulnerable systems that require immediate attention.
Log Collection and Correlation: By analyzing logs from various sources and identifying patterns or anomalies, you can respond to threats, mitigate risks, and improve overall security posture.
Validate Incident Response Capabilities: Conduct tabletop exercises to simulate real-world scenarios, evaluate their preparedness, and refine response plans. Updating or creating an incident response policy and having an incident response team on retainer ensures a structured and efficient response to security incidents, reducing potential damage and minimizing downtime in the event of a breach.

Microsoft’s November Patch Tuesday is a critical update, emphasizing the ongoing threats faced by Windows systems. Administrators are strongly encouraged to prioritize these patches to protect their systems against potential exploits and enhance overall cybersecurity.

Boeing Grapples with LockBit Gang

In a world where cyber threats loom large, even giants like Boeing are not immune to the relentless onslaught of ransomware attacks. Last week, Boeing confirmed that it had fallen victim to a ransomware attack orchestrated by the notorious LockBit gang. The repercussions of this attack are extensive and should serve as a wake-up call for corporations globally. In this advisory, we delve into the specifics of the Boeing incident and explore the broader implications of such attacks.

The Encounter

The aerospace behemoth Boeing, which plays a pivotal role in global aviation, made headlines on November 1^st, when it officially disclosed that it was grappling with a “cyber incident.” Boeing spokesperson Jim Proulx confirmed that this breach had targeted specific aspects of the company’s parts and distribution business. Notably, Boeing stressed that the attack did not compromise flight safety, which is undoubtedly a relief to the aviation industry and passengers worldwide.

LockBit, a ransomware group with alleged ties to Russia, wasted no time in claiming responsibility for this audacious cyberattack on Boeing. This attack serves as another example of the growing boldness and sophistication of ransomware operators. The Cybersecurity & Infrastructure Security Agency has also voiced its concerns, with recent advisories revealing that LockBit has targeted nearly 1,800 victim systems across the United States and around the globe since late 2019.

The gang’s method was not limited to encrypting Boeing’s systems and demanding a ransom. In a since-deleted post, LockBit issued a chilling ultimatum: either meet their ransom demands by November 2, or face the publication of a substantial trove of sensitive data allegedly stolen from Boeing. The removal of this listing from LockBit’s website suggests ongoing negotiations, which is a common tactic employed by ransomware gangs to exert pressure on victims.

The Ethical Quandary and Immediate Fallout

The situation is further complicated by the fact that the U.S. government has previously sanctioned Evil Corp, believed to be an affiliate of the LockBit group. These sanctions make it illegal for any business or individual to pay the attackers, raising complex legal and ethical questions surrounding ransom payments.

Moreover, the implications of paying ransoms to these hacking groups and ransomware gangs go beyond just legality. It can potentially incentivize and finance their criminal activities, leading to a vicious cycle of attacks. In the wake of the recent ransomware attack against MGM Resorts International, Boeing made the swift decision to take down their Parts and Distribution site to ensure no further systems could be reached by malicious actors. This compromise to IT infrastructure caused an immediate halt in production and operations, sending shockwaves despite not fully disclosing the precise details of the breach, including the method of compromise or whether data exfiltration has occurred.

A Ticking Time Bomb

One of the most concerning aspects of this incident is the potential exfiltration of sensitive data. Boeing has not confirmed whether data was stolen or whether a ransom demand was received. Additionally, unverified claims of a zero-day exploit in one of Boeing’s networks may be the source of this breach. This leaves many unanswered questions about the extent of the incident and what sensitive information may be at risk. Boeing’s ordeal is clearly not an isolated incident but part of a broader trend of escalating ransomware attacks.

Given the rise of cyber threats, ensure your organization is implementing the following best practices:

Vulnerability Management: From production delays to the cost of restoring systems and potential fines, financial impacts can be crippling. Routine scanning of networks and systems through nGuard’s Vulnerability Management gives your organization the ability to remediate vulnerabilities before attackers discover and exploit them.
Patch Management: Performing regular patching and system backups ensures stability and boosts productivity across all endpoints, lowering risk and cost over time.
SIEM Solutions: With the constant threat of incoming cyberattacks, employing centralized SIEM services for correlating data and monitoring in real-time ensures your organization is maintaining appropriate logging and continuous event analysis.
Incident Response: The disruption of operations and supply chains can have ubiquitous impacts, including public safety. Partnering with nGuard will assist in implementing a robust and comprehensive incident response plan tailored to your environment to minimize damage and downtime.
Penetration Testing: Regularly assessing infrastructure and security controls promotes optimal performance. Identifying vulnerabilities and enacting the appropriate remediations hardens infrastructure and reduces the likelihood of future breaches.
Strategic Assessments: Threats and breaches underscore the pressing need for companies of all sizes to prioritize their cybersecurity measures. Through certified GRC services, nGuard identifies gaps in protecting assets and maintaining strong security controls across your entire organization.

Boeing’s recent encounter with LockBit serves as a striking reminder that no entity is too large or too fortified to be targeted by cybercriminals. Beyond the immediate operational disruptions, the attack has led to a loss of trust, increased costs, and ongoing legal and regulatory challenges. Boeing’s response to the attack will likely shape its long-term resilience against future cyber threats.

The implications of this attack reach far beyond the industry, highlighting the urgent call for all institutions to fortify their cyber defenses and take proactive measures to safeguard their digital assets. As the battle against ransomware rages on, this incident emphasizes the gravity of the cybersecurity challenges facing even the most prominent organizations.

A Critical Alert: Organizations Must Respond to This Cisco Threat

In recent weeks, the cybersecurity community has been abuzz with discussions surrounding a critical vulnerability identified as CVE-2023-20198. This vulnerability, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI), has raised alarms due to its potential to compromise a vast number of devices. Here’s a comprehensive look at what we know so far and how organizations can safeguard themselves.

The Vulnerability Unpacked
CVE-2023-20198 is classified as a zero-day vulnerability, which means it was actively exploited in the wild before vendors became aware of it or had a chance to address it. This vulnerability specifically targets the web-based User Interface (UI) of Cisco’s IOS XE software, a highly versatile and widely used operating system for Cisco routers and switches.

The flaw lies in the authentication mechanisms of the web UI. Under normal circumstances, the web UI requires proper credentials for access. However, this vulnerability allows attackers to bypass these authentication measures. Once exploited, attackers can create accounts with the highest privileges, essentially giving them administrative rights over the device.

With such elevated privileges, attackers have the capability to make any changes they desire. This includes, but is not limited to, altering device configurations, rerouting traffic, or even shutting down the device entirely. More alarmingly, they can install backdoors or implants. These malicious tools can provide attackers with persistent access to the device, even after the original vulnerability has been patched. This poses a significant threat as these compromised devices can be used in larger coordinated attacks, data exfiltration, or as stepping stones to penetrate deeper into an organization’s network.

In a curious turn of events, just a day before Cisco made public the patches for this vulnerability, there was a notable drop in the number of compromised internet-facing Cisco devices. This sudden decline was observed by multiple cybersecurity entities and researchers. The cause behind this drop is not definitively known. Some speculate that the attackers, realizing that their activities might soon be detected or thwarted, decided to clean up their tracks. This could involve removing the implants or backdoors they had previously installed.

Another theory suggests that white-hat hackers or ethical cybersecurity professionals might have intervened. These individuals, upon discovering the vulnerability, could have taken measures to neutralize the threat on vulnerable devices. There’s also the possibility that law enforcement agencies, having gained intelligence about the exploitation, took covert actions to mitigate the threat.

The Importance of Penetration Testing and Vulnerability Management
Given the nature of this vulnerability, devices with administrative interfaces exposed to the internet are at a heightened risk. While it’s best practice to limit external access to these admin interfaces, the reality is that many organizations still have them openly accessible. This highlights the importance of regular penetration testing and vulnerability management to ensure that potential security gaps are identified and addressed promptly.

While external threats are a concern, internal threats can be just as damaging. Internal penetration testing can help identify vulnerabilities within your organization’s internal network. Additionally, both external and internal vulnerability management are crucial in ensuring that potential security loopholes are identified and addressed promptly.

Configuration Audits for Cisco Devices
Given that the vulnerability in question affects Cisco devices, it’s imperative for organizations to ensure that their Cisco equipment is up-to-date and receiving patches from the vendor. Conducting a configuration audit can help in this regard, ensuring that devices are configured correctly and are receiving timely updates.

Guidance from CISA & Cisco
The Cybersecurity & Infrastructure Security Agency (CISA) has also weighed in on the issue, releasing guidance addressing both CVE-2023-20198 and another vulnerability, CVE-2023-20273. CISA has emphasized the importance of reviewing their guidance and implementing the recommended mitigations, which include disabling the HTTP Server feature on internet-facing systems and monitoring for malicious activity. The latest guidance from Cisco can be found here:

Detailed Guide for Addressing Cisco IOS XE Web UI Vulnerabilities

Wrap Up
CVE-2023-20198 serves as a stark reminder of the ever-evolving threats in the cybersecurity landscape. Organizations must remain vigilant and proactive in their security measures, ensuring that both external and internal systems are regularly tested and updated. The vulnerability underscores the importance of timely patching, configuration audits, and adherence to guidance from authoritative bodies like CISA. In an era where cyber threats are becoming increasingly sophisticated, a robust and multi-faceted approach to security is not just recommended but essential. Organizations that prioritize and invest in their cybersecurity infrastructure will be better positioned to defend against and mitigate the impacts of such vulnerabilities in the future.

PATCH NOW! Linux “Looney Tunables” Vulnerability

The world of cybersecurity has been shaken by the discovery of a significant vulnerability in Linux systems, known as “Looney Tunables” (CVE-2023-4911). This vulnerability, categorized with a Common Vulnerability Scoring System (CVSS) score of 7.8, poses a substantial risk to Linux-based operating systems. It allows attackers to gain root privileges, potentially leading to unauthorized access, system manipulation, data theft, and even complete system takeover.

The “Looney Tunables” Vulnerability

Looney Tunables is a buffer overflow vulnerability located in the GNU C Library’s (glibc) dynamic loader, specifically in how it processes the GLIBC_TUNABLES environment variable. Glibc, a critical component of Linux systems, defines system calls and essential functions required for typical program execution.

The dynamic loader’s role is to prepare and execute programs, including loading shared libraries into memory and linking them at runtime. Importantly, this loader operates with elevated privileges, making it a high-value target for attackers.

When malicious actors manipulate the GLIBC_TUNABLES environment variable, they can trigger a buffer overflow, a well-known and dangerous type of vulnerability. Successful exploitation of this vulnerability grants the attacker root privileges, essentially giving them full control over the compromised system.

Widespread Impact

Looney Tunables affects a broad range of Linux distributions, making it a serious concern for the Linux community. There has already been a proof-of-concept exploit released to the public. It has been successfully exploited on default installations of various major distributions, including Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. Other distributions are also likely to be vulnerable, with a few exceptions like Alpine Linux, which uses musl libc instead of glibc.

Given the extensive use of glibc across Linux distributions, the risk is significant. Attackers can exploit this vulnerability to target a wide range of systems, from personal computers to servers and even Internet of Things (IoT) devices. IoT devices are highly vulnerable due to their use of Linux kernels within custom operating systems.

Immediate Action Required

The severity of this vulnerability demands swift action from Linux users, administrators, and organizations. Several steps can be taken to mitigate the risks associated with Looney Tunables:

Patch Systems: The most effective way to safeguard against this vulnerability is to apply patches promptly. Various Linux distribution vendors, including Red Hat, Ubuntu, Debian, Fedora, and Gentoo, have released updates to address this issue. Ensure that your system is running a non-vulnerable version of the glibc library.
Implement Temporary Mitigations: If patching is not immediately possible, implement temporary mitigations. Red Hat offers scripts that can help protect systems by terminating any setuid program invoked with GLIBC_TUNABLES in the environment.
Conduct Vulnerability Scanning: Proactively identify and assess security weaknesses, such as the Looney Tunables, in your systems, networks, and applications, allowing you to address these vulnerabilities before cybercriminals can exploit them.
Routine Security Assessments: Routine security assessments such as external and internal penetration testing are crucial to identify vulnerabilities and weaknesses in an organization’s network and systems, helping to proactively address them before exploitation by malicious actors.
Inventory Assessment: Organizations should conduct a detailed inventory of all their assets, including IT infrastructure, IoT devices, and applications. This can help identify vulnerable systems that require immediate attention.
Log Collection and Correlation: By analyzing logs from various sources and identifying patterns or anomalies, you can swiftly respond to threats, mitigate risks, and improve overall security posture.
Validate Incident Response Capabilities: Conduct tabletop exercises to simulate real-world scenarios, evaluate their preparedness, and refine response plans. Updating or creating an incident response policy and having an incident response team on retainer ensures a structured and efficient response to security incidents, reducing potential damage and minimizing downtime in the event of a breach.

The “Looney Tunables” Linux vulnerability serves as a reminder of the ever-present cybersecurity threats facing the Linux community. Prompt action, including patching systems and implementing mitigations, is essential to protect against potential exploitation. As vulnerabilities continues to evolve, proactive measures remain crucial to ensure the integrity and security of not just Linux-based systems, but all enterprise assets.

MGM’s Cyber Gamble: How One Phone Call Broke the Bank!

In today’s digital age, cyber threats loom large, and even industry stalwarts like MGM Resorts can find themselves under siege. The recent cyberattacks on MGM Resorts serve as a stark reminder of the vulnerabilities that exist and the importance of robust cybersecurity measures.

The Initial Attack
The cyber onslaught on MGM Resorts began subtly but had far-reaching consequences. As detailed by Gizmodo, the notorious ransomware group ALPHV, also known as BlackCat, employed a tactic that many would consider benign: a phone call. Leveraging information from LinkedIn, they identified an MGM employee and initiated a 10-minute conversation with the company’s Help Desk. This was not a routine call. The hackers used sophisticated social engineering techniques, manipulating the employee into providing critical access information.

This breach was not just a technical failure; it was a human one. It underscores the importance of training employees to recognize and resist manipulative tactics. At nGuard, we understand this all too well. Our social engineering simulations are designed to help businesses train their staff to identify and counteract these tactics, ensuring that they don’t become the weak link in the security chain.

The Aftermath and Resolution
The ramifications of the breach were immediate and severe. As reported by Fox Business, MGM Resorts faced daily losses of approximately $8.4 million. For ten agonizing days, a wide array of MGM’s systems, from hotel reservations to credit card processing, were in disarray. The total estimated financial impact reached a staggering $80 million.

But the financial losses were just the tip of the iceberg. The breach affected MGM’s reputation, customer trust, and operational integrity. Systems across its Aria, Bellagio, and MGM Grand locations were compromised, impacting corporate emails, restaurant reservations, hotel bookings, and even digital key card access. Even after the company announced a return to normalcy, several users reported issues with MGM’s mobile app, indicating lingering challenges.

Furthermore, as highlighted by Business Insider, MGM wasn’t the sole target. Rival casino Caesars Entertainment also disclosed a cyberattack, emphasizing the industry-wide risk.

In such dire situations, having a robust incident response strategy is paramount. nGuard’s incident response services ensure that businesses are equipped to handle such crises, minimizing damage and expediting recovery. Additionally, nGuard emphasizes the importance of security awareness training, empowering employees with the knowledge and skills to prevent potential threats and breaches.

To further bolster defenses, continuous monitoring is essential. nGuard’s managed event collection provides businesses with real-time surveillance, ensuring threats are identified and neutralized promptly.

Conclusion
The MGM Resorts cyberattack is a testament to the multifaceted nature of cyber threats. While technology plays a pivotal role, human factors are equally consequential. Comprehensive training, proactive monitoring, and partnering with cybersecurity experts like nGuard can help businesses fortify their defenses and navigate the challenging cyber landscape with confidence.