Tag Archive for: critical

Router botnet tied to Volt Typhoon’s critical infrastructure breaches


Chinese threat group Volt Typhoon used a sophisticated botnet of unsecured home and small business routers to stealthily transfer data during a major campaign targeting U.S. critical infrastructure discovered earlier this year.

The group’s actions raised alarm in the intelligence community when they were first reported in May because of the breadth and potential impact of its attacks. Organizations across a range of sectors, including government, defense, communications, IT and utilities, were targeted.

One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the breach could be a precursor to an attack aimed at disrupting U.S. military capabilities in the nearby South China Sea.

KV-botnet comprised of end-of-life routers

In a Dec. 13 post, Lumen Technologies said following the discovery of the attacks, its Black Lotus Labs division discovered Volt Typhoon — and possibly other advanced persistent threat (APT) actors — had used a botnet as a data transfer network as part of its operations.

Dubbed KV-botnet, it was a network of infected, mainly end-of-life, small office/home office (SOHO) routers made by Cisco, DrayTek and Netgear.

“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”

There were several advantages of building a botnet from older SOHO routers, they said, including the large number available, the lack of security measures and patching they were subjected to, and the significant data bandwidth they could handle without raising suspicion.

“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”

In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain secret communication channels that merged with normal network traffic, avoiding security barriers and firewalls.

“This botnet was essential for their strategic intelligence collection operations,…


Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare


CyberAv3ngers, a group affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC), claimed credit for a Nov. 25 cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania. The threat group hacked a system with Israeli-owned parts at one of the water authority’s booster stations. The booster station was able to shut down the impacted system, which monitors water pressure, and switch to manual operations.

This cyberattack is one example among many of how critical infrastructure entities are being targeted by nation state and hacktivist threat actors. What was the impact of this CyberAv3ngers hack, and how will threat actors continue to pursue cyberwarfare?

The CyberAv3ngers Attack

CyberAv3ngers hacked a Unitronics system. During the attack, the following message appeared on the screen at the booster station: “You Have Been Hacked. Down With Israel, Every Equipment ‘Made In Israel’ Is CyberAv3ngers Legal Target.”

The Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory on IRGC-affiliated actors’ exploitation of programmable logic controllers (PLCs) in multiple sectors. Unitronics PLCs are commonly used in water and wastewater systems, according to the advisory. PLCs operate with a human-machine interface (HMI). “A human can walk over and touch a keypad and tell it what to do. Empty this tank or fill this tank or pump this water to this location. And those things can be controlled remotely,” Adam Meyers, senior vice president of counter adversary operations at cybersecurity technology company CrowdStrike, explains.


Meyers suspects the threat actors were scanning for a particular type of hardware. They were likely able to compromise the PLCs at the water authority booster station because the devices were exposed to the internet and using a default password, according to the CISA advisory. The station was able to switch to a manual system, and the water supply was not impacted.

CrowdStrike has been tracking CyberAv3ngers since July 2020. The group has claimed a number of breaches of critical infrastructure organizations. Some claims are unverified and…


Critical Bluetooth flaw could take over Android, Apple, Linux devices


A critical Bluetooth security bug that’s reportedly been lurking about for several years can potentially be exploited by attackers to take control of Android, Linux, macOS, and iOS machines.

The flaw, CVE-2023-45866, is an authentication bypass that lets attackers connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

In a GitHub blog post Dec. 6, SkySafe researcher Marc Newlin said the flaw works “by tricking the Bluetooth host state-machine into pairing with a fake keyboard without user confirmation.”

Newlin went on to write that the underlying unauthenticated pairing mechanism is defined in the Bluetooth specification, and implementation-specific bugs expose it to the attacker. He said full vulnerability details and proof-of-concept scripts will be released at an upcoming conference, and he will update the original document with conference details when available. Newlin’s blog also contains available patch information.

Cyware Director Emily Phelps explained that in this exploit, adversaries fool the Bluetooth system of a device into thinking it’s connecting to a fake keyboard — without user confirmation. This issue stems from a part of the Bluetooth rules that let devices connect without needing authentication.

“Exploiting this vulnerability lets malicious hackers remotely control someone’s device,” said Phelps. “They can download apps, send messages, or run various commands depending on the operating system.”

Phelps said if patches are available for this vulnerability, security teams should fix the issue immediately. For devices that are awaiting the fix, security teams should monitor for updates and patches. They should also make staff aware of the issue and offer mitigation recommendations, such as disabling Bluetooth when not in use.

When devices communicate, there is first a “handshake” in which the two systems agree to communicate with each other, explained John Gallagher, vice president of Viakoo Labs. What the attacker took advantage of, Gallagher continued, is that many IoT devices, such as Bluetooth keyboards, want to make that handshake as easy as possible, especially since the keyboard can’t be used until the…


Russian GRU Hackers Exploit Critical Patched Vulnerabilities


Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Governance & Risk Management

TA422 Is Targeting Organizations in Europe and North America, Proofpoint Says

Russian military intelligence hackers are taking advantage of patched vulnerabilities. (Image: Shutterstock)

In the race between hackers and systems administrators that begins each time a company patches a zero-day flaw, a Russian military intelligence hacking unit is often the winner, new research discloses.


Multiple studies suggest that organizations require weeks, if not months, to roll out patches, while hackers can rush out an exploit for a newly disclosed vulnerability in days or weeks.

One organization taking advantage of that disconnect is what Proofpoint dubs TA422 – also known as APT28, Fancy Bear and Forest Blizzard. The security firm in a Tuesday report said it has seen the threat actor “readily use patched vulnerabilities to target a variety of organizations in Europe and North America.” U.S. and British intelligence assess that Forest Blizzard is “almost certainly” part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.

Among the n-days exploited by TA422 is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user’s hashed…
