In attacks on infrastructure of various companies, cybercriminals are increasingly resorting to manipulating modules that interact with the Local Security Authority (LSA) process. This enables them to steal user credentials, establish persistence in the system, elevate privileges, or extend the attack to other systems within the target company. Therefore, for the latest quarterly update of our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we’ve added rules designed to detect such attempts. In terms of the MITRE ATT&CK classification, the new rules can detect techniques T1547.002, T1547.005 and T1556.002.

What are techniques T1547.002, T1547.005 and T1556.002?

Both variants of technique T1547 mentioned above involve using the LSA process to load malicious modules. Sub-technique 002 describes adding malicious dynamic-link libraries (DLLs) with Windows authentication packages, while sub-technique 005 involves DLLs with security support provider (SSP) packages. Loading these modules allows attackers to access the LSA process memory, which can contain critical data such as user credentials.

Technique T1556.002 describes a scenario where an attacker registers a malicious password filter DLL in the system. These filters are essentially mechanisms for enforcing password policies. When a legitimate user changes a password or sets a new one, the LSA process compares it against all registered filters, and is forced to handle the passwords in plain text form, i.e., unencrypted. If an attacker manages to introduce a malicious password filter into the system, they can collect passwords with every request.

All three techniques involve placing malicious libraries in the C:Windowssystem32 directory and registering them in the system registry under the following keys of the SYSTEMCurrentControlSetControlLSA branch: Authentication Packages for T1547.002, Security Packages for T1547.005, and Notification Packages for T1556.002.

How our SIEM counters techniques T1547.002, T1547.005 and T1556.002

To counter these techniques, the Kaspersky Unified Monitoring and Analysis Platform will be updated with rules R154_02–R154_10, which detect, among other things, the following events:

• Loading of suspicious authentication packages, password filter packages, and security support provider modules using events 4610, 4614 and 4622, respectively.
• Commands executed in cmd.exe and powershell.exe and aimed at modifying the LSA registry branch and the Authentication Packages, Notification Packages and Security Packages keys.
• Changes (detected through registry modification event 4657) of the LSA registry branch that could enable a malicious file.

Other improvements in the Kaspersky Unified Monitoring and Analysis Platform update

In this update, we’re also introducing rule R999_99, which detects changes in Active Directory accounts’ critical attributes, such as scriptPath and msTSInitialProgram, which enable various actions to be performed upon login.

These attributes set some scripts to execute every time a user logs into the system. This makes them an attractive target for attackers aiming to establish persistence in the network. Tampering with these attributes may indicate unauthorized attempts to gain a foothold in the system or escalate privileges — technique T1037.003 under the MITRE ATT&CK classification.

The strategy for detecting these manipulations is to monitor Windows event logs — particularly event 5136. This event records any changes made to objects in Active Directory, including attribute modifications.

New and improved normalizers

In the latest update, we’ve also added normalizers to our SIEM system that support the following event sources:

• [OOTB] McAfee Endpoint DLP syslog
• [OOTB] LastLine Enterprise syslog cef
• [OOTB] MongoDb syslog
• [OOTB] GajShield Firewall syslog
• [OOTB] Eltex ESR syslog
• [OOTB] Linux auditd syslog for KUMA 3.2
• [OOTB] Barracuda Cloud Email Security Gateway syslog
• [OOTB] Yandex Cloud
• [OOTB] InfoWatch Person Monitor SQL
• [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog

In addition, our experts have improved the following normalizers:

• [OOTB] Microsoft Products via KES WIN
• [OOTB] Microsoft Products for KUMA 3
• [OOTB] KSC from SQL
• [OOTB] Ideco UTM syslog
• [OOTB] KEDR telemetry
• [OOTB] Vipnet TIAS syslog
• [OOTB] PostgreSQL pgAudit syslog
• [OOTB] KSC PostgreSQL
• [OOTB] Linux auditd syslog for KUMA 3.2

The full list of supported event sources in Kaspersky Unified Monitoring and Analysis Platform 3.4 can be found in the Online Help, where you can also find information on correlation rules. In our blog you can also read about the updates for our SIEM platform for the first, second and third quarters of 2024.

To learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.

Kaspersky official blog – ​Read More

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding three critical flaws that are currently being actively exploited. These vulnerabilities impact a range of products, from industrial control systems (ICS) to web-based applications. The newly added vulnerabilities include CVE-2023-45727, CVE-2024-11680, and CVE-2024-11667, each affecting high-profile systems in industries such as manufacturing, telecommunications, and energy. 

The first flaw added to the Known Exploited Vulnerabilities (KEV) catalog, CVE-2023-45727, affects North Grid’s Proself product suite, including versions prior to 5.62 of Proself Enterprise/Standard Edition, 1.65 of Proself Gateway Edition, and 1.08 of Proself Mail Sanitize Edition. The second vulnerability, CVE-2024-11680, affects ProjectSend, an open-source file management application.  

The last vulnerability, CVE-2024-11667, impacts several Zyxel firewall products, including the ATP series, USG FLEX series, USG FLEX 50(W), and USG20(W)-VPN series, with versions prior to 5.38 being affected. Organizations using these products are urged to apply patches promptly to mitigate the risks associated with these vulnerabilities. 

Technical Details of the Vulnerabilities 

CVE-2023-45727: Proself Vulnerability in North Grid Proself Systems 

One of the newly cataloged vulnerabilities, CVE-2023-45727, affects North Grid Corporation’s Proself product suite. Specifically, the vulnerability is found in versions prior to 5.62 of Proself Enterprise/Standard Edition, 1.65 of Proself Gateway Edition, and 1.08 of Proself Mail Sanitize Edition. This flaw allows attackers to exploit improper restrictions on XML External Entity (XXE) processing, which can lead to remote unauthenticated attacks. 

By submitting specially crafted XML data, attackers can gain access to sensitive files, including those containing account information. This opens the door for data theft or manipulation. The CVSS score for CVE-2023-45727 is notably high, signaling the severity of this flaw. 

CVE-2024-11680: ProjectSend Authentication Vulnerability 

CVE-2024-11680 addresses an issue in ProjectSend, an open-source file management application. Versions prior to r1720 of ProjectSend are vulnerable to improper authentication, allowing attackers to send malicious HTTP requests to the application’s configuration files. 

Exploiting this flaw, attackers can bypass authentication mechanisms and gain unauthorized access to modify system configurations, create new accounts, and upload malicious content such as webshells and embedded JavaScript. 

The critical nature of this vulnerability is highlighted by its CVSS score of 9.8, categorizing it as a high-risk flaw with the potential for extensive compromise if left unaddressed. Remote attackers do not require prior access or authentication to exploit this vulnerability, making it even more dangerous to organizations using ProjectSend versions below r1720. 

CVE-2024-11667: Zyxel Path Traversal in Multiple Firewalls 

The third vulnerability in CISA’s latest update is CVE-2024-11667, which affects several Zyxel firewall products. Specifically, the flaw resides in the web management interface of ATP series and USG FLEX series firewalls, as well as USG FLEX 50(W) and USG20(W)-VPN series devices. Versions of these products prior to 5.38 are susceptible to a path traversal vulnerability, which allows attackers to manipulate file paths and potentially download or upload arbitrary files. 

The flaw could allow attackers to access sensitive files or upload malicious software onto affected devices. With a CVSS score of 7.5, this vulnerability is deemed high-risk but not as critical as CVE-2024-11680. However, for organizations relying on Zyxel products to secure their networks, addressing this flaw is essential to prevent unauthorized access and maintain the integrity of their firewalls. 

Sector-Wide Impact of Known Exploited Vulnerabilities 

These newly cataloged vulnerabilities stress the ongoing risks in industrial control systems (ICS) and critical infrastructure. For example, flaws in systems like Proself, ProjectSend, and Zyxel firewalls can expose vulnerable systems to a range of cyberattacks, including unauthorized access, data exfiltration, and service disruption. Such vulnerabilities are particularly concerning for sectors like energy, critical manufacturing, and telecommunications, where any disruption can have far-reaching consequences. 

With CVE-2023-45727, CVE-2024-11680, and CVE-2024-11667 now added to the list of Known Exploited Vulnerabilities, organizations using these products must adopt upgraded cybersecurity measures to defend against attacks. Organizations are strongly encouraged to follow best practices in patch management, including regularly applying vendor-issued patches and updates.  

For example, users of Proself should upgrade to newer versions that address the XXE vulnerability, while ProjectSend users should ensure they are running r1720 or later. Additionally, Zyxel firewall users should promptly update firmware versions to mitigate the path traversal flaw. 

Mitigation and Recommendation Strategies 

To mitigate the risks associated with these vulnerabilities, organizations are advised to implement several key cybersecurity measures: 

1. Ensure that all systems are regularly updated with the latest security patches to reduce the risk of exploitation from Known Exploited Vulnerabilities. 

2. Adopt a zero-trust model where all access requests are treated as potentially hostile, requiring stringent verification before granting access. 

3. By segmenting networks, organizations can contain potential breaches and prevent attackers from moving laterally through critical systems. 

4. Implement multi-factor authentication (MFA) to protect sensitive systems and reduce the likelihood of unauthorized access. 

5. Regularly conduct vulnerability scans, penetration testing, and security audits to identify and address weaknesses before they can be exploited. 

Conclusion 

The recent updates to CISA’s Known Exploited Vulnerabilities catalog highlight the urgency to address critical security flaws in widely used products. The vulnerabilities in North Grid’s Proself, ProjectSend, and Zyxel firewall systems can expose businesses to a range of cyber threats, including unauthorized access, data theft, and system manipulation.  

As these vulnerabilities can be leveraged for cyberattacks, organizations must apply timely patches, follow best practices in patch management, and adopt cybersecurity strategies. Implementing security measures such as multi-factor authentication, network segmentation, and regular vulnerability assessments will help organizations protect against potential breaches and reduce the risk of exploitation. 

References 

• https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-adds-three-known-exploited-vulnerabilities-catalog 
• https://www.cve.org/CVERecord?id=CVE-2023-45727 
• https://www.cve.org/CVERecord?id=CVE-2024-11680 
• https://www.cve.org/CVERecord?id=CVE-2024-11667 

The post CISA Updates Known Exploited Vulnerabilities Catalog, Adding 3 Critical Flaws appeared first on Cyble.

Blog – Cyble – ​Read More

Key takeaways

• Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign targeting the manufacturing industry, leveraging a deceptive LNK file disguised as a PDF file.
• This campaign leverages multiple Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe, to bypass traditional security mechanisms and remotely execute the next-stage payload.
• The Threat Actor (TA) used Google Accelerated Mobile Pages (AMP) URL along with a shortened URL to evade detection by traditional URL scanners.
• The attack heavily relies on file injection techniques, where the TAs execute malicious payloads directly in memory to bypass conventional security mechanisms.
• The attack chain leverages DLL sideloading and IDATLoader to deploy the Lumma stealer and Amadey bot, enabling the attacker to gain control and exfiltrate sensitive information from the victim’s machine.

Overview

CRIL recently identified a multi-stage cyberattack campaign originating from an LNK file. The initial infection vector remains unknown; however, the attack likely begins with a spear-phishing email, prompting the recipient to click on a link that leads to an LNK shortcut file disguised as a PDF document. The file is hosted on a remote WebDAV share at

“hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk“.

Upon searching for the file name “695-18121-002_Rev” on Google, we discovered a technical engineering drawing for a component. Additionally, we observed similar samples using the name “Instruction_18112,” which led us to another technical document detailing the installation of a chair. The malicious LNK file hosted on the URL impersonates LogicalDOC, a cloud-based document management system commonly used in Manufacturing and Engineering firms. Based on the targeting and nature of these attacks, we suspect that the campaign is likely targeting the manufacturing industry.

Once executed, the LNK file triggers a command to launch ssh.exe, which subsequently runs a PowerShell command. This PowerShell command fetches and executes an additional malicious payload from a remote server using mshta.exe.

The remote server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL that redirects to a location hosting malicious PowerShell code.

The PowerShell code then triggers another malicious script hosted on Pastebin, controlled by the TA. This script contains an encoded PowerShell command that downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable. The executable, in turn, sideloads a malicious DLL file.

In this sophisticated campaign, the TA uses multiple stages of code injection to deploy the Lumma stealer, which then downloads the Amadey Bot onto the victim’s system. The figure below shows the infection chain.

Technical Analysis

Threat Actors are increasingly exploiting LNK files as their initial vector for malware distribution due to their flexibility in executing various commands. In this campaign, they specifically leveraged the Windows SSH client (C:WindowsSystem32OpenSSHssh.exe) as an alternative target in the LNK file’s “Target” field. This approach reduces the likelihood of detection compared to using cmd.exe or powershell.exe as the target. The image below shows the LNK command.

When a user opens the disguised LNK file, it triggers “ssh.exe” to run a PowerShell command through the ProxyCommand option in ssh.exe. The embedded PowerShell command contains obfuscated content, as shown in the image above. The de-obfuscated code attempts to execute PowerShell content hosted at the AMP URL “hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP” using mshta.exe. In this case, the hosted content contains AES-encrypted data, as shown in the image below.

Upon decryption, the data reveals Base64-encoded content, which is displayed in the image below.

The decoded Base64 content reveals an obfuscated PowerShell command, as shown in the image below.

This PowerShell command manipulates security protocols and performs the following actions:

• First, it configures various security protocols, including TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0, using the .NET ServicePointManager class.
• Then, it initiates a web request using Invoke-WebRequest (iwr) to fetch a payload from the URL hxxps://Pastebin[.]com/raw/0v6Vhvpb, which is then immediately executed using Invoke-Expression (iex).

The image below shows the retrieved payload from the Pastebin URL.

The retrieved content from the Pastebin link consists of a PowerShell script that performs several actions:

1. The script begins by sanitizing the content fetched from Pastebin, removing newline characters (“n”) and commas (,).
2. The cleaned string is then decoded from Base64 into binary data.
3. Using a hardcoded decryption key, the script decrypts the binary data.
4. Once decrypted, the script extracts a portion of the data starting from the 64th byte to the end, which is the actual code to execute. This code is then converted into a readable PowerShell command using UTF-8 encoding.
5. Before executing the decoded command, a 2-second delay is introduced with Start-Sleep. Finally, the decoded PowerShell command is executed in memory using Invoke-Expression.

The image below shows the decrypted PowerShell code extracted using the above steps.

The newly introduced script represents the final stage in delivering malicious files to the system. The script operates as follows:

1. The script first verifies the system’s internet connectivity by sending HTTP requests to two distinct domains: 360.net and baidu.com. These requests ensure the system is online before proceeding with further actions.
2. Once the victim’s system is connected to the internet, the script downloads a malicious CPL file named naailq0.cpl from the remote URL hxxps://berb.fitnessclub-filmfanatics.com/naailq0.cpl.
3. The downloaded CPL file is saved as a ZIP file within the Temp directory. This ZIP file is then copied to a newly created folder under the LocalAppData folder. The folder name is dynamically generated using a GUID (Globally Unique Identifier).
4. After extraction, the script scans the folder for any executable files (EXEs). Any EXE files found within the extracted contents are then executed.
5. The script includes a commented-out line that, if activated, would delete the extracted files and folder after execution, potentially covering its tracks.

The image below shows the contents of the downloaded ZIP file. The ZIP file also contains encrypted files, which will be decrypted and loaded in the subsequent stages of infection.

In this case, the script executes “syncagentsrv.exe”, which performs DLL sideloading by loading the malicious “Qt5Network.dll” upon execution. The malicious DLL then reads an encrypted file named “shp” from the same directory, decrypts its contents, and reveals strings such as LoadLibraryA, VirtualProtect, and dbghelp.dll, as shown in the figure below.

After decryption, the malicious DLL extracts the string “dbghelp.dll” from the decrypted content and utilizes it to load the DLL via the LoadLibraryA API. The “dbghelp.dll” is a Microsoft Windows library designed for debugging and managing symbol information. After loading the DLL, the malicious code employs the VirtualProtect API to modify the memory region permissions of “dbghelp.dll” to PAGE_EXECUTE_READWRITE, as illustrated below.

It then overwrites the contents of “dbghelp.dll” with the decrypted data and subsequently modifies the memory protection of the overwritten region to PAGE_EXECUTE_READ, as depicted below.

After modifying the memory protection, the malicious code begins executing the injected content within “dbghelp.dll“. The injected code then proceeds to read another file named “bwvrwtn“, located in the same directory. The file “bwvrwtn” is an encrypted IDAT file containing multiple encrypted chunks, each prefixed with the string “IDAT,” as illustrated below.

The DLL now searches the strings IDAT, takes four bytes following IDAT, and performs a comparison with C6 A5 79 EA. If the comparison is successful, the DLL proceeds to copy all the data following IDAT into memory, decrypts it using the XOR key, and then decompresses the decrypted content using the RTLDecompressBuffer API, as shown below.

It then loads a legitimate “pla.dll” from the %syswow64% directory using the LoadLibraryW API. After loading, it changes the memory permissions of “pla.dll” to PAGE_EXECUTE_READWRITE, copies the decrypted content into its memory, changes the permissions to PAGE_EXECUTE_READ, and finally executes the injected code in the “pla.dll” as shown below.

The code within “pla.dll” proceeds to inject malicious code into “more.com” and then executes it. The malicious code in “more.com” is responsible for deploying the final payload by injecting it into a newly created process, “msiexec.exe.” The injected payload is Lumma Stealer – which is capable of stealing sensitive information from the victim’s machine. The figure below shows the memory string of “msiexec.exe” containing Lumma Stealer’s C2 details.

Amadey Bot

The TA behind this campaign also deploys the Amadey bot in the “%temp%” directory, employing the same technique of injecting code into “more.com.” This injected code further injects the final Amadey bot payload into “explorer.exe“. To achieve persistence, the malware creates a Task Scheduler entry named “NodeJS Web Framework.” This task is configured to execute a copy of the Amadey bot stored in the %Appdata% directory, as illustrated below.

The figure below shows the execution flow of Lumma Stealer and Amadey bot.

Conclusion

This multi-stage cyberattack campaign demonstrates the increasing sophistication and adaptability of threat actors. By leveraging various evasion techniques such as URL shortening and AMP URLs, the attackers successfully bypass traditional security mechanisms.

The use of legitimate system tools like ssh.exe and mshta.exe to execute malicious PowerShell commands further illustrates the complexity of the attack. The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems.

Yara and Sigma rule to detect this campaign, available for download from the Github repository.      

Recommendations

• The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
• Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
•  Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
• Consider disabling the execution of shortcut files (.lnk) originating from remote locations, such as WebDAV links, or implementing policies that require explicit user consent before executing such files.
• The campaign abused the legitimate ssh utility; hence, it is advised to monitor the activities conducted by the ssh utility and restrict access to limited users.
• Consider limiting the execution of scripting languages, such as PowerShell and mshta.exe, on user workstations and servers if they are not essential.
• Implement application whitelisting to ensure only approved and trusted applications and DLLs can be executed on the systems.
• Monitor AMP links using advanced URL filtering and threat intelligence feeds to detect suspicious activity.
• Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Indicators Of Compromise

References

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-Lumma-infostealers

https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel

The post Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot appeared first on Cyble.

Blog – Cyble – ​Read More

Just a decade ago, people who taped over their webcam were seen as a little eccentric, shall we say. Fast forward to today, and many laptop models feature a built-in privacy shutter that lets you cover the webcam with a single swipe. Useful, yes – but if the mic is still on, the overall benefit is less clear. Is it still worth covering your webcam in 2024, or is such practice a relic of the past?

Spies in the woodwork

Ever heard of spyware? That’s what we call Trojans designed for spying and stalking. And just like they did ten years ago, many members of this family are still spying on victims through their webcam and mic. Back then, however, malware was limited mostly to taking webcam screenshots, while today, besides this, it can steal passwords from the clipboard, intercept keystrokes, remotely control your device, and play cat-and-mouse with security solutions (but not with ours). One example is the SambaSpy Trojan, which was recently discovered by our experts.

As for peeping, attackers’ motives can vary: some are just voyeurs; others might organize commercial surveillance against a CEO; still others might add such functionality to their malware on the off-chance that something interesting crops up.

Tracking can take many forms, and we’ve covered them all many times. But how to defend yourself? There are many protection methods, but they can all be divided into two groups: physical and software. Meanwhile, for those without reliable protection, covering the webcam, turning off the mic, and checking the permissions granted to newly installed programs is a no-brainer.

How to physically guard against webcam and mic surveillance

Physical protection methods are both useful and inconvenient at the same time, and compromises have to be made to ensure your privacy. What to do?…

Buy a device without a webcam or mic

Just think: intruders won’t be able to spy and eavesdrop even if they somehow get malware onto your device. But it’s hard to find such devices these days, and in most cases they’ll be either outdated or very low-performance. That said, some companies are modifying smartphones on the market by removing cameras: how do you like, for example, the non-camera iPhone? Such devices are in high demand at government and military agencies and restricted-access facilities, and even by highly religious people.

Disable the webcam and mic

Owners of desktop computers, nettops, or the above-mentioned laptop models without built-in webcam and mic can use external wired accessories. The most reliable option would be to disconnect them with a physical switch or pull them out of the socket when not in use. But there’s a danger of laziness creeping in: some users won’t bother doing it more than a couple of times, which is when RATs and nasties can appear.

In addition, there are tons of online guides on how to physically disable the laptop webcam or mic yourself. But not all devices make the procedure painless: for example, modern MacBooks use the camera as a sensor, and go into Safe Mode if it’s disabled. And once it is disabled – there’s no way back.

Opt for a “super-private” device

Some companies – such as Purism – make laptops with hardware switches that let you physically turn off the camera, microphone, Wi-Fi, or Bluetooth. However, they’re expensive, and demanding users are often left dissatisfied with the features available.

Cover the webcam

A good and common option – but not foolproof. Sure, it will thwart video surveillance, but the sound from the mic can still be potentially eavesdropped and used against you. Cover the microphone too? Modern laptops often have several mics to enhance sound quality, and taping over them all will be difficult. In some models, however, built-in microphones are disabled when you connect an external one. A life hack for them is to plug a dummy into the microphone jack (or the universal jack for mics and headphones). Your laptop will think that an external mic is connected and turn off all its built-in ones.

Software protection against tracking

In most cases, software protection is more convenient than physical – but not always as reliable.

Disable the built-in webcam and mic in the BIOS/UEFI

On many PC-compatible laptops – especially business models – you can go into the BIOS/UEFI settings at startup (if this sounds Greek to you, just scroll to the next method), find there the lines Integrated camera, Camera, Webcam, CMOS camera, Microphone or similar, and select Disabled mode. This is a good way to restrict laptop-based spying, but there’s a catch: you’ll have to reboot and undo everything should you ever need to video-call someone.

Disable devices in the OS settings

On a Windows PC, you need to do this in Device Manager. In the Start menu, go to Device Manager, find there Cameras or Audio inputs and outputs, right-click the device you need and select Disable device. You can just as easily turn it back on later, if necessary. This is much faster than rebooting the computer every time and poking around in the BIOS – but where’s the guarantee that a Trojan can’t do the same thing and turn the camera back on?

Disabling a built-in webcam and microphone in Windows Device Manager

Control permissions

Android device owners can view information about dangerous and special permissions in the Permissions section in Kaspersky for Android: All functions → My apps → Permissions. This way, only apps authorized by you will have access to the camera and microphone.

Viewing permissions in Kaspersky for Android

iOS devices offer similar functionality. To check permissions, open the Settings and go to Privacy & Security. In the menu that opens, like in Android, you can view app permissions.

Viewing permissions on iPhones

Users of the Windows versions of our Kaspersky Standard, Kaspersky Plus and Kaspersky Premium can protect their devices against webcam and microphone tracking with Webcam and Mic Control, which lets you configure your own access settings: Gear icon at the bottom of the Home window → Privacy Settings → Webcam and Mic Control Settings. There you can ask Kaspersky to:

• Notify you when an app uses the camera or microphone.
• Deny access for all apps without exception.
• Allow only trusted apps to connect to the webcam and microphone.

Webcam and Mic Control Settings on a Windows device

Mac owners too have the option to completely block the webcam with Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium: Home → Block Webcam. Our application completely blocks access to system libraries used by the webcam, so no programs can access it.

Block Webcam on a Mac device

Protect yourself

Physical or software protection — the choice is yours, but we recommend a combination of the two. For example, buy a webcam shutter and configure Kaspersky to disable the mic. The main thing is that your device – whether a smartphone, laptop or desktop – must be properly protected.

Kaspersky official blog – ​Read More

Overview 

The recent Weekly Industrial Control System Vulnerability Intelligence Report from Cyble Research & Intelligence Labs (CRIL) covers the vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) from November 26, 2024, to December 02, 2024.  

The report sheds light on online threats, especially vulnerabilities affecting critical systems such as those from Schneider Electric and Hitachi Energy, two of the most prominent vendors in the ICS sector. During the report’s timeframe, CISA issued five major security advisories, focusing on 12 vulnerabilities that impact a wide range of ICS products.  

These vulnerabilities have been identified in devices and systems from key vendors, including Schneider Electric and Hitachi Energy. The vulnerabilities identified in these systems are critical to address due to their potential to expose vital infrastructures to cyberattacks.  

Schneider Electric: A Major Focus for ICS Vulnerabilities  

Schneider Electric, a leading vendor of control systems, was prominently featured in the advisories due to the numerous vulnerabilities impacting their devices. These vulnerabilities range from issues with weak password recovery mechanisms to the use of hard-coded credentials, both of which pose a risk to the integrity of ICS devices.  

Among the affected products is the PM5560 series, which includes multiple versions susceptible to vulnerabilities like weak password recovery mechanisms for forgotten passwords (CVE-2021-22763). This flaw, coupled with improper authentication (CVE-2021-22764), increases the potential for unauthorized access. Such vulnerabilities undermine the effectiveness of ICS security, allowing attackers to potentially take control over critical systems like actuators, sensors, and power supplies.  

One particularly concerning vulnerability (CVE-2023-6408) affects the Modicon M340 CPU and other related Schneider Electric products. This vulnerability arises from improper message integrity enforcement during transmission across communication channels, which could allow attackers to manipulate the integrity of communications between devices, creating openings for man-in-the-middle attacks. The high-severity nature of this vulnerability highlights the ongoing need for organizations to implement stronger security practices, including effective patch management and encryption protocols.  

Additionally, Schneider Electric’s use of hard-coded credentials (CVE-2023-6409) in its devices presents a high-risk issue, making it easier for attackers to gain access to systems. This particular vulnerability is found in several product lines, including the Modicon M580 and Modicon M340 CPUs, which are integral to many ICS operations. These devices are widely used in critical sectors such as energy and manufacturing. 

Hitachi Energy: Security Flaws in SCADA and Control Systems  

Another major player in the ICS sector, Hitachi Energy, also faced critical security challenges during the same reporting period. The vulnerabilities affecting Hitachi’s MicroSCADA Pro/X SYS600 system are especially concerning because they affect key operational components within control systems and supervisory control and data acquisition (SCADA) environments.   

These vulnerabilities could allow attackers to bypass authentication (CVE-2024-3982), potentially gaining unauthorized access to control systems that are vital for managing electricity grids and other industrial processes. Additionally, path traversal vulnerabilities (CVE-2024-3980) were identified, which could allow an attacker to manipulate file paths within the system, gaining unauthorized access to sensitive files.  

These vulnerabilities are classified as high and critical risks, as they could be exploited by attackers to infiltrate ICS systems, causing online disruption to operations. A notable vulnerability in Hitachi Energy’s systems is the authentication bypass by the capture-replay flaw (CVE-2024-3982), which allows attackers to bypass authentication mechanisms by replaying captured credentials.  

Given the high-security requirements of control systems like SCADA, the existence of this vulnerability calls for immediate attention from organizations to ensure these critical systems remain secure. The MicroSCADA Pro/X SYS600 system is also affected by a missing authentication for critical functions (CVE-2024-7940) vulnerability. This flaw could enable attackers to exploit critical functions within the system without proper authentication, allowing them to manipulate system settings or gain unauthorized access to sensitive data.  

The Severity of ICS Vulnerabilities  

The vulnerabilities analyzed in the CRIL report show that the majority of the vulnerabilities in ICS systems fall under high severity. This highlights the critical need for organizations operating ICS devices to adopt proactive cybersecurity measures. Weak passwords, improper authentication, and hard-coded credentials are among the most common issues found across various ICS products. Addressing these vulnerabilities requires rigorous patch management practices, including regular updates and configuration checks.  

The vulnerabilities disclosed by CISA and highlighted in the report are particularly important as they impact critical infrastructure sectors such as energy, critical manufacturing, and communications. Schneider Electric and Hitachi Energy alone account for a notable portion of the vulnerabilities in the ICS space, underlining the need for greater focus on security within the industrial sector.  

Impact on Critical Infrastructure Sectors  

A sector-wise analysis of the vulnerabilities reveals that Critical Manufacturing accounts for the largest portion of vulnerabilities, with an overwhelming 83.3% of the cases. This is due to the expansive operations and critical nature of manufacturing processes that rely heavily on ICS.  

In contrast, the Energy sector, which includes power grids and electrical infrastructure, accounts for 8.3% of the reported vulnerabilities, while the Wastewater Systems sector is also impacted with a similar share. The Commercial Facilities sector reports the smallest share, with only 0.8% of the vulnerabilities.  

This distribution denotes the varied risk levels across critical infrastructure sectors and emphasizes the importance of prioritizing cybersecurity efforts, particularly in manufacturing and energy, where ICS vulnerabilities could lead to more severe consequences.  

Mitigation Strategies and Recommendations  

Here are some of the best practices recommended to mitigate potential risks:  

1. It is essential to regularly update systems and apply patches as soon as they are released. Many vulnerabilities in ICS are a result of outdated software or firmware, which can be addressed by keeping systems up to date.  

2. Implementing a zero-trust security model is crucial in preventing unauthorized access. This involves treating every request for access as if it originates from an untrusted source, requiring strict verification before granting access.  

3. By segmenting networks, organizations can limit the ability of attackers to move laterally across systems, thus reducing the risk of widespread damage.  

4. Strengthening authentication protocols, such as using multi-factor authentication (MFA), is critical to reducing the likelihood of unauthorized access to ICS devices.  

5. Continuous security assessments through vulnerability scans, penetration testing, and audits help identify potential security gaps in ICS before they can be exploited by attackers.  

6. Organizations should invest in cybersecurity training programs for employees to ensure they are aware of the risks posed by phishing, social engineering, and other attack methods.  

Conclusion  

The vulnerabilities in ICS highlighted in the latest report from CISA, along with those analyzed by Cyble Research & Intelligence Labs, highlight the increasing risks faced by critical infrastructure sectors. With vulnerabilities in high-severity products from vendors like Schneider Electric and Hitachi Energy, it is important that organizations address these potential threats before they can compromise sensitive information.  

By implementing security measures, including effective patch management, strong authentication protocols, and comprehensive training programs, organizations can better protect their ICS systems from cybersecurity risks. 

The post Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats  appeared first on Cyble.

Blog – Cyble – ​Read More