Aquabot Botnet Targeting Vulnerable Mitel Phones

The Mirai-based Aquabot botnet has been targeting a vulnerability in Mitel SIP phones for which a proof-of-concept (PoC) exploit exists.

The post Aquabot Botnet Targeting Vulnerable Mitel Phones appeared first on SecurityWeek.

SecurityWeek – Read More

New SLAP and FLOP CPU Attacks Expose Data From Apple Computers, Phones

New CPU side-channel attacks named SLAP and FLOP can be exploited to remotely steal data from Apple mobile and desktop devices. 

The post New SLAP and FLOP CPU Attacks Expose Data From Apple Computers, Phones appeared first on SecurityWeek.

SecurityWeek – Read More

New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems


Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued two urgent advisories regarding serious vulnerabilities in industrial control systems (ICS) products. These ICS vulnerabilities, identified in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities, as well as B&R Automation’s Runtime software, pose risks to critical infrastructure systems worldwide. If exploited, they could have potentially devastating impacts on the integrity, confidentiality, and availability of systems within energy, critical manufacturing, and other essential sectors.

Schneider Electric’s Vulnerability in RemoteConnect and SCADAPack x70 Utilities

The ICS vulnerability in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities arises from the deserialization of untrusted data, identified as CWE-502. This flaw could allow attackers to execute remote code on affected workstations, leading to several security risks, including the loss of confidentiality and integrity. The issue is triggered when a non-admin authenticated user opens a malicious project file, which could potentially be introduced through email, file sharing, or other methods.

Schneider Electric has assigned the CVE identifier CVE-2024-12703 to this vulnerability, with a base CVSS v3 score of 7.8 and a CVSS v4 score of 8.5. Both versions highlight the severity of the issue, with potential consequences including unauthorized remote code execution.

This vulnerability affects all versions of both RemoteConnect and SCADAPack x70 Utilities, products widely deployed in sectors such as energy and critical manufacturing across the globe. Although Schneider Electric is working on a remediation plan for future product versions, there are interim steps that organizations can take to mitigate the risk. These include:

  • Only opening project files from trusted sources
  • Verifying file integrity by computing and checking hashes regularly
  • Encrypting project files and restricting access to trusted users
  • Using secure communication protocols when exchanging files over the network
  • Following established SCADAPack Security Guidelines for added protection

CISA recommends minimizing the network exposure of control system devices, ensuring they are not directly accessible from the internet, and placing control system networks behind firewalls to isolate them from business networks. When remote access is necessary, using secure methods like Virtual Private Networks (VPNs) is strongly advised. However, organizations should ensure that VPNs are regularly updated and adequately secured.

B&R Automation Runtime Vulnerability

The second advisory concerns a vulnerability in B&R Automation Runtime, a key software used in industrial control systems. The flaw arises from the use of a broken or risky cryptographic algorithm in the SSL/TLS component of B&R Automation Runtime versions prior to 6.1 and B&R mapp View versions prior to 6.1. Unauthenticated network-based attackers could exploit this vulnerability to impersonate legitimate services on impacted devices, creating opportunities for unauthorized access.

B&R Automation assigned CVE-2024-8603 to this vulnerability, which is identified as CWE-327. The CVSS v3 base score for this flaw is 7.5, indicating a moderately high risk to the affected systems. This vulnerability is especially concerning as it is exploitable remotely, with low attack complexity, making it a viable target for attackers seeking to compromise ICS environments.

The affected products are used worldwide, primarily in the critical manufacturing sector. B&R Automation has released an update (version 6.1) that corrects the issue, and users are strongly encouraged to apply this update to mitigate the risk. In the meantime, CISA recommends several mitigation strategies to limit exposure, including:

  • Applying the update to B&R Automation Runtime and B&R mapp View products as soon as possible
  • Minimizing network exposure for all control system devices to prevent direct internet access
  • Implementing firewalls and isolating control system networks from business networks
  • Utilizing VPNs for remote access while ensuring that VPNs are kept up-to-date and secure

Conclusion

While no known public exploits targeting these vulnerabilities have been reported to CISA at the time of publication, the discovery of these flaws in Schneider Electric and B&R Automation products highlights the ongoing risks facing critical infrastructure sectors. Exploiting vulnerabilities in ICS products can lead to serious consequences, including data breaches, operational disruptions, and physical damage to infrastructure.

These incidents emphasize the urgent need for organizations to adopt proactive cybersecurity measures, such as regular patching, file integrity verification, and secure network configurations. By following CISA’s guidance and implementing comprehensive defense-in-depth strategies, organizations can better protect their systems from both known and emerging threats, ultimately reducing their exposure to cyber risks and ensuring the security of critical assets.


The post New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems appeared first on Cyble.

Blog – Cyble – Read More

AI in Cybersecurity: What’s Effective and What’s Not – Insights from 200 Experts

Curious about the buzz around AI in cybersecurity? Wonder if it’s just a shiny new toy in the tech world or a serious game changer? Let’s unpack this together in a not-to-be-missed webinar that goes beyond the hype to explore the real impact of AI on cybersecurity.
Join Ravid Circus, a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing

The Hacker News – Read More

Smiths Group Scrambling to Restore Systems Following Cyberattack

Engineering firm Smiths Group has disclosed a cyberattack that forced it to take some systems offline and activate business continuity plans.

The post Smiths Group Scrambling to Restore Systems Following Cyberattack appeared first on SecurityWeek.

SecurityWeek – Read More

The Trial at the Tip of the Terrorgram Iceberg

Atomwaffen Division cofounder and alleged Terrorgram Collective member Brandon Russell is facing a potential life sentence for an alleged plot on a Baltimore electrical station. His case is only the beginning.

Security Latest – Read More

What scareware is and how to protect yourself | Kaspersky official blog

Imagine: you’re calmly working away on your computer, when suddenly a scary message appears on the screen: “Your computer is infected with viruses! Install an antivirus immediately!” or “Your data is at risk! Clean your system immediately!” Panic? That’s what the scammers are hoping for.

This post explains what scareware is and why this threat is dangerous. We also give tips for avoiding the scammers’ tricks and protecting yourself and your family from such attacks.

What is scareware?

Scareware is a type of digital fraud that weaponizes users’ fears. The aim is to frighten the victim into visiting a malicious site and downloading something they shouldn’t. Scareware usually mimics antiviruses, system optimizers, registry cleaners, and the like. But other, more exotic types also exist.

Image: a scareware notification. The user is not so subtly informed that no fewer than five viruses have been found on their computer. However, the window header contains a small misprint: “Threaths detected”.

To display their alarming messages, scammers tend to deploy browser pop-up windows and notifications, banner ads, and on occasion even good-old email.

Scareware creators use a variety of social engineering tricks to instill a sense of danger in the user. Often, threatening messages appear at the most unexpected moment — catching the victim off guard.

And scammers frequently hurry the victim into taking rash actions — not giving them time to think things over. Then, when the target has been properly prepared (that is, put into a state of panic), the attackers offer a simple solution to the problem: just install such-and-such software and all your troubles will be gone.

Image: a fake antivirus. Fake antiviruses pretend to search for malware in the user’s system.

Upon receiving a scareware notification, in the best case scenario the victim will install a useless but harmless program on their device and pay a relatively small sum for the pleasure. But sometimes an attack can have more serious consequences. Under the guise of an “antivirus” or “system optimizer”, the victim may be fed proper malware that encrypts data or steals money from online bank accounts.

Sextortion scareware

Sometimes scammers employ a hybrid scheme: scareware combined with sextortion. It may go as follows: the user receives an intimidating email saying they’ve been caught in a compromising video.

To see for themselves, the victim is invited to visit a website where they can watch the footage. However, to view the video, they first need to install a special player. This, of course, is malware in disguise.

Faulty screen caused by a virus

In a new variant of the scareware scheme, the user is told that a virus has infected their smartphone. Nothing unusual so far — mobile versions of scareware have been around for ages. Here, however, the focus is artfully placed on what perhaps all smartphone owners fear the most: a faulty screen:

Image: a faulty screen, falsely presented as the result of a virus. The scareware simulates screen damage caused by a virus that must be removed.

Curiously, the “faulty” display — which also blinks for added alarm — is capable of clearly showing the message about the supposed virus infection. How this window is able to float above a damaged screen is a mystery… To “fix” the screen, you just need to tap the button in the box and purchase the offered “antivirus”.

How to protect against scareware

Of course, the best defense against fake “protection” is the real thing. To defeat scareware, install a bona fide antivirus from a reputable developer, keep a close eye on its notifications, and always heed its recommendations.

Also bear in mind that seniors are the most likely to fall victim. So it’s worth helping your older relatives get the right protection, since doing so on their own can be a challenge for them.

Kaspersky official blog – Read More

Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances.
The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0.
“Due to a flaw in the multi-line SNMP result parser, authenticated users can inject

The Hacker News – Read More

How Interlock Ransomware Infects Healthcare Organizations

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total. 
This breach shows just how deeply ransomware

The Hacker News – Read More

SimpleHelp Remote Access Software Exploited in Attacks

Threat actors have been exploiting SimpleHelp remote access software shortly after the disclosure of three vulnerabilities.

The post SimpleHelp Remote Access Software Exploited in Attacks appeared first on SecurityWeek.

SecurityWeek – Read More