Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats 

Vulnerabilities

Overview 

The recent Weekly Industrial Control System Vulnerability Intelligence Report from Cyble Research & Intelligence Labs (CRIL) covers the vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) from November 26, 2024, to December 02, 2024.  

The report sheds light on online threats, especially vulnerabilities affecting critical systems such as those from Schneider Electric and Hitachi Energy, two of the most prominent vendors in the ICS sector. During the report’s timeframe, CISA issued five major security advisories, focusing on 12 vulnerabilities that impact a wide range of ICS products.  

These vulnerabilities have been identified in devices and systems from key vendors, including Schneider Electric and Hitachi Energy. The vulnerabilities identified in these systems are critical to address due to their potential to expose vital infrastructures to cyberattacks.  

Schneider Electric: A Major Focus for ICS Vulnerabilities  

Schneider Electric, a leading vendor of control systems, was prominently featured in the advisories due to the numerous vulnerabilities impacting their devices. These vulnerabilities range from issues with weak password recovery mechanisms to the use of hard-coded credentials, both of which pose a risk to the integrity of ICS devices.  

Among the affected products is the PM5560 series, which includes multiple versions susceptible to vulnerabilities like weak password recovery mechanisms for forgotten passwords (CVE-2021-22763). This flaw, coupled with improper authentication (CVE-2021-22764), increases the potential for unauthorized access. Such vulnerabilities undermine the effectiveness of ICS security, allowing attackers to potentially take control over critical systems like actuators, sensors, and power supplies.  

One particularly concerning vulnerability (CVE-2023-6408) affects the Modicon M340 CPU and other related Schneider Electric products. This vulnerability arises from improper message integrity enforcement during transmission across communication channels, which could allow attackers to manipulate the integrity of communications between devices, creating openings for man-in-the-middle attacks. The high-severity nature of this vulnerability highlights the ongoing need for organizations to implement stronger security practices, including effective patch management and encryption protocols.  

Additionally, Schneider Electric’s use of hard-coded credentials (CVE-2023-6409) in its devices presents a high-risk issue, making it easier for attackers to gain access to systems. This particular vulnerability is found in several product lines, including the Modicon M580 and Modicon M340 CPUs, which are integral to many ICS operations. These devices are widely used in critical sectors such as energy and manufacturing. 

Hitachi Energy: Security Flaws in SCADA and Control Systems  

Another major player in the ICS sector, Hitachi Energy, also faced critical security challenges during the same reporting period. The vulnerabilities affecting Hitachi’s MicroSCADA Pro/X SYS600 system are especially concerning because they affect key operational components within control systems and supervisory control and data acquisition (SCADA) environments.   

These vulnerabilities could allow attackers to bypass authentication (CVE-2024-3982), potentially gaining unauthorized access to control systems that are vital for managing electricity grids and other industrial processes. Additionally, path traversal vulnerabilities (CVE-2024-3980) were identified, which could allow an attacker to manipulate file paths within the system, gaining unauthorized access to sensitive files.  

These vulnerabilities are classified as high and critical risks, as they could be exploited by attackers to infiltrate ICS environments and disrupt operations. A notable vulnerability in Hitachi Energy’s systems is an authentication bypass by capture-replay flaw (CVE-2024-3982), which allows attackers to bypass authentication mechanisms by replaying captured credentials.  

Given the high-security requirements of control systems like SCADA, the existence of this vulnerability calls for immediate attention from organizations to ensure these critical systems remain secure. The MicroSCADA Pro/X SYS600 system is also affected by a missing authentication for critical functions (CVE-2024-7940) vulnerability. This flaw could enable attackers to exploit critical functions within the system without proper authentication, allowing them to manipulate system settings or gain unauthorized access to sensitive data.  

The Severity of ICS Vulnerabilities  

The vulnerabilities analyzed in the CRIL report show that the majority of the vulnerabilities in ICS systems fall under high severity. This highlights the critical need for organizations operating ICS devices to adopt proactive cybersecurity measures. Weak passwords, improper authentication, and hard-coded credentials are among the most common issues found across various ICS products. Addressing these vulnerabilities requires rigorous patch management practices, including regular updates and configuration checks.  

The vulnerabilities disclosed by CISA and highlighted in the report are particularly important as they impact critical infrastructure sectors such as energy, critical manufacturing, and communications. Schneider Electric and Hitachi Energy alone account for a notable portion of the vulnerabilities in the ICS space, underlining the need for greater focus on security within the industrial sector.  

Impact on Critical Infrastructure Sectors  

A sector-wise analysis of the vulnerabilities reveals that Critical Manufacturing accounts for the largest portion of vulnerabilities, with an overwhelming 83.3% of the cases. This is due to the expansive operations and critical nature of manufacturing processes that rely heavily on ICS.  

In contrast, the Energy sector, which includes power grids and electrical infrastructure, accounts for 8.3% of the reported vulnerabilities, while the Wastewater Systems sector is also impacted with a similar share. The Commercial Facilities sector reports the smallest share, with only 0.8% of the vulnerabilities.  

This distribution denotes the varied risk levels across critical infrastructure sectors and emphasizes the importance of prioritizing cybersecurity efforts, particularly in manufacturing and energy, where ICS vulnerabilities could lead to more severe consequences.  

Mitigation Strategies and Recommendations  

Here are some of the best practices recommended to mitigate potential risks:  

  1. It is essential to regularly update systems and apply patches as soon as they are released. Many vulnerabilities in ICS are a result of outdated software or firmware, which can be addressed by keeping systems up to date.  

  2. Implementing a zero-trust security model is crucial in preventing unauthorized access. This involves treating every request for access as if it originates from an untrusted source, requiring strict verification before granting access.  

  3. By segmenting networks, organizations can limit the ability of attackers to move laterally across systems, thus reducing the risk of widespread damage.  

  4. Strengthening authentication protocols, such as using multi-factor authentication (MFA), is critical to reducing the likelihood of unauthorized access to ICS devices.  

  5. Continuous security assessments through vulnerability scans, penetration testing, and audits help identify potential security gaps in ICS before they can be exploited by attackers.  

  6. Organizations should invest in cybersecurity training programs for employees to ensure they are aware of the risks posed by phishing, social engineering, and other attack methods.  

Conclusion  

The ICS vulnerabilities disclosed in the latest CISA advisories and analyzed by Cyble Research & Intelligence Labs underline the increasing risks faced by critical infrastructure sectors. With high-severity vulnerabilities in products from vendors like Schneider Electric and Hitachi Energy, it is important that organizations address these threats before they can be used to compromise sensitive information.  

By implementing security measures, including effective patch management, strong authentication protocols, and comprehensive training programs, organizations can better protect their ICS systems from cybersecurity risks. 

The post Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats  appeared first on Cyble.

Source: Blog – Cyble

A New Phone Scanner That Detects Spyware Has Already Found 7 Pegasus Infections

The mobile device security firm iVerify has been offering a tool since May that makes spyware scanning accessible to anyone—and it’s already turning up victims.

Source: Security Latest

Business leaders among Pegasus spyware victims, says security firm

The mobile security company said it detected Pegasus spyware attacks on seven iPhone owners, including government officials and a business leader.

© 2024 TechCrunch. All rights reserved. For personal use only.

Source: Security News | TechCrunch

Digital Certificates With Shorter Lifespans Reduce Security Vulnerabilities

Proposals from Google and Apple drastically reduce the life cycle of certificates, which should mean more oversight — and hopefully better control.

Source: darkreading

Tuskira unifies and optimizes disparate cybersecurity tools

Cyberattacks are on the rise, and the victims are high-profile. According to a KPMG survey, close to half of companies with $1 billion or more in annual revenue recently suffered a security breach. Surprisingly, an overabundance of security tools may be contributing to the problem. In a separate poll, 43% of businesses said their teams […]


Source: Security News | TechCrunch

Government Guidance on Chinese Telco Hacking Highlights Threat to Cisco Devices

Government agencies issue guidance on Chinese telecoms hacking as US officials say threat actors may have yet to be expelled. 

The post Government Guidance on Chinese Telco Hacking Highlights Threat to Cisco Devices appeared first on SecurityWeek.

Source: SecurityWeek

Solana Web3.js Library Backdoored in Supply Chain Attack

Supply chain attack leads to decentralized application developers downloading backdoored versions of the Solana Web3.js library.

The post Solana Web3.js Library Backdoored in Supply Chain Attack appeared first on SecurityWeek.

Source: SecurityWeek

Android’s December 2024 Security Update Patches 14 Vulnerabilities

Google has released patches for 14 high-severity vulnerabilities as part of Android’s December 2024 security update.

The post Android’s December 2024 Security Update Patches 14 Vulnerabilities appeared first on SecurityWeek.

Source: SecurityWeek

Search Operators and Wildcards for Cyber Threat Investigations

Finding information on specific cyber threats in a vast amount of data can be challenging. Threat Intelligence Lookup from ANY.RUN simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries.

Let’s take a look at how you can use them to identify and collect intel on malware and phishing attacks more effectively. 

About Threat Intelligence Lookup 

Main page of TI Lookup

Threat Intelligence (TI) Lookup is a fast and efficient tool designed to simplify cyber threat investigations. It allows for flexible searches for Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).  

TI Lookup provides access to a constantly updated database of threat data collected from millions of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox.  

Each sandbox session contains detailed logs of system and network events that occur while a threat is executing. By searching through this comprehensive data, you can easily find connections between seemingly unrelated pieces of information and tie them to a specific threat. 

Here’s how TI Lookup can help you and your organization: 

  • Investigate Threats Quickly: Gather extensive and in-depth information on emerging and persistent cyber threats with over 40 search parameters (e.g. threat names, command lines, registry logs, etc.). 
  • Receive Real-Time Updates: Stay informed with real-time updates on results for your search queries. 
  • Enrich Threat Intelligence: Get relevant context, indicators, and samples manually analyzed by threat analysts. 


Search Operators in TI Lookup 

Search operators are essential tools in TI Lookup that let you combine several indicators in one query. They act as logical connectors that specify the relationship between the conditions in your search, giving you greater flexibility and precision. 

TI Lookup supports logical operators like AND, OR, and NOT, as well as grouping with parentheses. Let’s take a closer look at each of these. 

AND 

What it does  

The AND operator helps you combine multiple conditions. 

Why use it  

AND is great for narrowing down your search to find threats by including as many unique indicators as possible.  

It is equally effective in situations when you have several completely disparate artifacts, like an IP address and a mutex, and want to link them to a particular threat. 

Example 

This query is designed to search for sandbox sessions where both thum[.]io and logo[.]clearbit[.]com domains were found. 

  • Thum[.]io is a real-time website screenshot generator. 
  • logo[.]clearbit[.]com is a service for fetching company logos. 

TI Lookup lets you navigate to the ANY.RUN sandbox to see and run analysis of each sample

TI Lookup almost instantly provides results: associated IP addresses and sandbox sessions, all of which contain a “malicious activity” label and a “phishing” tag. 

We can click any session of our interest to investigate the threat further.

The phishing page contains a fake form for stealing victim’s credentials

By reviewing the analysis report, we can see that this is a phishing campaign that uses thum[.]io to dynamically generate phishing pages whose background is a screenshot of the victim’s own organization’s website. Attackers also use logo[.]clearbit[.]com to add the matching company logo, making the fake pages appear more legitimate. 

OR 

What it does 

The OR operator helps return matches where at least one of the given conditions is found. 

Why use it  

OR is excellent in situations when you are not sure which one of two indicators is related to a threat. It is also useful for broadening your search to include results where either indicator is found, not necessarily both together in the same session.  

Example  

You see how these mutexes are used by exploring their corresponding sandbox sessions

It searches for entries where the synchronization object name is “DocumentUpdater” or “PackageManager”. If you’re investigating a threat that could be using either of these sync objects, this query ensures you don’t miss any relevant information. 

TI Lookup shows that the synchronization objects are mutexes and provides sandbox sessions where they were previously discovered. 

NOT 

What it does 

The NOT operator excludes results that match the specified condition. 

Why use it 

NOT is helpful when you want to refine your search and see only sandbox sessions in which a certain item, like a domain or file name, was not observed. 

Example 

This query is looking for phishing samples but excludes any entries where the initial submission uploaded to the ANY.RUN sandbox was a URL.

Results include sandbox sessions with the tag “phishing” that feature malicious files

This helps us find email, HTML, ZIP, EXE, and other file types used in phishing attacks. 

Parentheses () 

What they do 

Parentheses group conditions and control the order of operations to ensure they are processed in the order you specify. 

Why use them  

Parentheses are essential for creating complex queries, making your search more precise and effective. 

Example

This query searches for sandbox sessions and their related data where the process “mshta.exe” was observed along with connections to destination ports of either 80 or 443. The parentheses ensure that the OR condition is processed first, making the search more precise. 

You can explore domains, IPs, synchronization objects, events, files, and other details related to the query

TI Lookup returns a wealth of threat data related to our query. Some of the results include malicious domains and IP addresses, as well as a list of network threats detected during analyses. 
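To make the AND, OR, NOT and parentheses semantics concrete, here is an added, self-contained Python example; it is not ANY.RUN's code. It implements a small query evaluator with the precedence the text describes (NOT binds tightest, then AND, then OR, with parentheses overriding that order) and runs the four queries from this section over a handful of constructed sandbox-session records. The `field:value` syntax, the field names (`domain`, `mutex`, `tag`, `process`, `port`, `submission`) and the session data are assumptions made for the illustration, not TI Lookup's actual syntax or data.

```python
import re

# Constructed sample sandbox-session records (illustrative, not real ANY.RUN data).
# Each record holds the kinds of artifacts the queries in the text search on.
SESSIONS = {
    "s1": {"tags": {"phishing"}, "domains": {"thum.io", "logo.clearbit.com"},
           "mutexes": set(), "processes": {"chrome.exe"}, "ports": {443}, "submission": "url"},
    "s2": {"tags": {"phishing"}, "domains": {"thum.io"},
           "mutexes": set(), "processes": {"chrome.exe"}, "ports": {443}, "submission": "file"},
    "s3": {"tags": {"malicious"}, "domains": set(),
           "mutexes": {"DocumentUpdater"}, "processes": {"mshta.exe", "powershell.exe"},
           "ports": {443}, "submission": "file"},
    "s4": {"tags": {"malicious"}, "domains": set(),
           "mutexes": {"PackageManager"}, "processes": {"mshta.exe"}, "ports": {8080},
           "submission": "file"},
    "s5": {"tags": set(), "domains": set(),
           "mutexes": set(), "processes": {"powershell.exe"}, "ports": {80}, "submission": "file"},
    "s6": {"tags": {"phishing"}, "domains": {"logo.clearbit.com"},
           "mutexes": set(), "processes": {"chrome.exe"}, "ports": {80}, "submission": "file"},
    "s7": {"tags": set(), "domains": set(),
           "mutexes": set(), "processes": {"chrome.exe"}, "ports": {443}, "submission": "url"},
}

# Hypothetical query field names mapped onto the record keys (an assumption of this example).
FIELDS = {"tag": "tags", "domain": "domains", "mutex": "mutexes",
          "process": "processes", "port": "ports", "submission": "submission"}

# Tokens: parentheses, the three operators, or a field:value term.
TOKEN_RE = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[a-z]+:[^\s()]+)")


def tokenize(query):
    query = query.strip()
    pos, tokens = 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: OR < AND < NOT in binding strength; () overrides."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):                      # lowest precedence
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):                     # binds tighter than OR
        node = self.not_expr()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):                     # binds tightest
        if self.peek() == "NOT":
            self.take()
            return ("not", self.not_expr())
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or ":" not in tok:
            raise ValueError(f"expected field:value, got {tok!r}")
        field, value = tok.split(":", 1)
        if field not in FIELDS:
            raise ValueError(f"unknown field {field!r}")
        return ("term", FIELDS[field], value.lower())


def matches(node, session):
    """Evaluate a parsed query tree against one session record (case-insensitive)."""
    kind = node[0]
    if kind == "term":
        _, key, value = node
        stored = session[key]
        if isinstance(stored, set):
            return value in {str(v).lower() for v in stored}
        return str(stored).lower() == value
    if kind == "not":
        return not matches(node[1], session)
    left, right = matches(node[1], session), matches(node[2], session)
    return (left and right) if kind == "and" else (left or right)


def search(query, sessions=SESSIONS):
    """Return the sorted ids of sessions matching the query."""
    tree = Parser(tokenize(query)).parse()
    return sorted(sid for sid, s in sessions.items() if matches(tree, s))


if __name__ == "__main__":
    for q in [
        "domain:thum.io AND domain:logo.clearbit.com",
        "mutex:DocumentUpdater OR mutex:PackageManager",
        "tag:phishing AND NOT submission:url",
        "process:mshta.exe AND (port:80 OR port:443)",
        "process:mshta.exe AND port:80 OR port:443",
    ]:
        print(f"{q:48} -> {search(q)}")
```

The last two queries show why the parentheses matter: without them AND binds tighter than OR, so `port:443` becomes a stand-alone alternative and pulls in sessions that never ran mshta.exe at all.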

Wildcard Characters 

Wildcards in TI Lookup act as placeholders in your search queries. They can represent different types of character sequences. 

Asterisk (*) 

What it does  

The asterisk represents any number of characters, including none. This means it can stand in for zero, one, or multiple characters. An asterisk is added by default at the start and end of each query, so in most cases there is no need to enter it manually.

Why use it 

The asterisk is great for when you’re not sure about the exact content of a string. It helps you find matches even if there are unknown parts or certain variations in your query string. 

Example 

This query searches for sandbox sessions where the command line includes paths to script files located in the C:\Users\Public directory. The scripts must be of type .vbs (Visual Basic Script), .bat (Batch file), or .ps1 (PowerShell script).  

Yet, the names of these scripts are replaced with the asterisk wildcard, representing any string of characters, as they can vary.

Asterisks are used to replace any string of characters

This helps us discover scripts with different file names and see how each of them fits into a wider context of the entire attack analyzed in the sandbox.

ANY.RUN’s Interactive Sandbox offers advanced script execution analysis

In the image above, you can see the execution of one of the found scripts inside the ANY.RUN sandbox. 


ANY.RUN cloud interactive sandbox interface

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup



Question Mark (?) 

What it does  

The question mark represents any single character or its absence. This means it can stand in for exactly one character or none at all. 

Why use it  

The question mark is perfect for situations when you are not sure about a certain character in your string or know that it varies. 

Example  

Here, we can borrow a query from Jane_0sint’s article on phishing investigations, which is intended for identifying samples of Mamba2FA attacks.  

A notable part of this query is that the question mark appears twice, and the two instances mean different things: 

  • The first one is the wildcard that serves as a stand-in for the characters “m”, “n”, and “o” that are commonly used in Mamba2FA URLs.  
  • The second question mark is a part of the address. To escape it, we use the slash symbol. 

Make sure to escape ? when it is part of your search string

We once again can observe a variety of results, including command lines that contain different URLs matching our query. 

Dollar Sign ($) 

What it does 

The dollar sign ensures that the search term must appear at the end of the string. It excludes matches with any characters after the specified content. 

Why use it  

The dollar sign is useful when you know the exact ending of a string but are unsure about the beginning. It helps you find matches that end with your specified term. 

Example 

This query searches for any synchronization object whose name ends with _STOP. 

Each mutex can be explored in detail in its corresponding sandbox session

Among the results, we can see mutex names such as biudfw_stop, jeboi_stop, and nonij_stop. As always, we can explore each of them in detail by navigating to their corresponding sandbox sessions. 

Caret (^) 

What it does  

The caret ensures that the search term must appear at the beginning of the string. It prevents matches with any characters before the specified query content. 

Why use it 

The caret is helpful when you know the exact starting point of a string but are unsure about the rest. It narrows down your search to items that begin with your specified term. 

Example 

This query finds domain names that start with 0ffice and end with .com, with any characters allowed in between. The caret (^) and dollar sign ($) ensure the exact start and end. 

TI Lookup returns all matching domains found across its database over the past 180 days

TI Lookup provides us with domains that match our query along with sandbox sessions, where they were found. 
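The wildcard characters described in this section (`*`, `?`, `$`, `^`, plus escaping a literal `?`) can be checked against sample data with the following added Python example, which is not ANY.RUN's code. It compiles a pattern with the semantics the text describes (asterisk = any run of characters including none; question mark = one character or none; implicit asterisks at both ends unless `^` or `$` anchors them; case-insensitive matching, as the `_STOP` query returning `_stop` mutexes suggests) into a regular expression and runs it over constructed mutex names, domains, URLs and command lines. The sample values, the `example.test` URLs, the exact spelling of the patterns and the choice of backslash as the escape character are all assumptions of this example; it also goes beyond the page by showing that, under that convention, a literal backslash in a Windows path must itself be escaped.

```python
import re

# Constructed sample data (illustrative, not real ANY.RUN results).
MUTEXES = ["biudfw_stop", "jeboi_stop", "nonij_stop", "DocumentUpdater", "stop_service"]
DOMAINS = ["0ffice365-login.com", "0ffice.com", "my0ffice.com", "0ffice-mail.com.evil.net"]
URLS = [
    "https://example.test/login?id=1",       # '?' follows "login" directly
    "https://example.test/loginn?id=2",      # one extra character
    "https://example.test/login/?id=3",      # one extra character
    "https://example.test/login-page?id=4",  # several extra characters
]
COMMAND_LINES = [
    r"wscript.exe C:\Users\Public\update.vbs",
    r"cmd.exe /c C:\Users\Public\run.bat",
    r"powershell.exe -File C:\Users\Public\stage.ps1",
    r"powershell.exe -File C:\Users\Admin\stage.ps1",
]


def wildcard_to_regex(pattern):
    r"""Compile a wildcard pattern into a compiled regular expression.

    Semantics (escape handling is this example's assumption, not TI Lookup's rule):
      *    any run of characters, including none
      ?    exactly one character or none
      ^    at the start: the match must begin here (no implicit leading *)
      $    at the end: the match must end here (no implicit trailing *)
      \x   a literal x, so \? is a literal question mark and \\ a literal backslash
    Matching is case-insensitive.
    """
    anchored_start = pattern.startswith("^")
    anchored_end = pattern.endswith("$") and not pattern.endswith("\\$")
    body = pattern[1:] if anchored_start else pattern
    if anchored_end:
        body = body[:-1]

    parts = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped literal
            parts.append(re.escape(body[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".?")
        else:
            parts.append(re.escape(ch))
        i += 1

    regex = "".join(parts)
    if not anchored_start:
        regex = ".*" + regex   # implicit leading asterisk
    if not anchored_end:
        regex = regex + ".*"   # implicit trailing asterisk
    return re.compile("^" + regex + "$", re.IGNORECASE | re.DOTALL)


def search(pattern, candidates):
    """Return the candidates matched by the wildcard pattern, in input order."""
    rx = wildcard_to_regex(pattern)
    return [c for c in candidates if rx.match(c)]


if __name__ == "__main__":
    for pattern, data in [
        ("_STOP$", MUTEXES),                       # ends-with
        ("^0ffice*.com$", DOMAINS),                # anchored both ends, * in between
        (r"login?\?id=", URLS),                    # ? wildcard, then an escaped literal ?
        (r"C:\\Users\\Public\\*.ps1", COMMAND_LINES),  # escaped path separators
    ]:
        print(f"{pattern!r:34} -> {search(pattern, data)}")
```

Note that `?` is a single-character-or-none wildcard here, not the regex `?` quantifier, and that `.` in a pattern is matched literally, so `*.com$` requires a real dot before `com`.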

Conclusion 

Wildcards and operators in TI Lookup provide the flexibility and precision needed to perform threat intelligence searches. By learning how to use these tools, you can make your threat hunting efforts more effective.

Give it a try by requesting a free trial of TI Lookup.

About ANY.RUN  

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 


The post Search Operators and Wildcards for Cyber Threat Investigations appeared first on ANY.RUN’s Cybersecurity Blog.

Source: ANY.RUN’s Cybersecurity Blog

Law Enforcement Read Criminals’ Messages After Hacking Matrix Service

Law enforcement has taken down yet another encrypted messaging service used by criminals, but not before spying on its users.

The post Law Enforcement Read Criminals’ Messages After Hacking Matrix Service appeared first on SecurityWeek.

Source: SecurityWeek