Key Takeaways

Since June 2024, a new Android Spyware campaign has been identified targeting individuals in South Korea, leveraging an Amazon AWS S3 bucket as its Command and Control (C&C) server.

The Spyware is capable of exfiltrating sensitive information from an infected device, including SMSs, contact lists, images, and videos.

The stolen data, stored openly on the S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information.

The spyware operates with a simple source code and few key permissions, demonstrating that even simple malware can be highly effective in exfiltrating sensitive data.

The malware remained undetected by all major antivirus solutions. Four unique samples were identified, exhibiting zero detection rates across all engines.

Overview

Cyble Research and Intelligence Labs (CRIL) has uncovered a previously undetected Android spyware campaign targeting individuals in South Korea, which has been active since June 2024. The spyware leverages an Amazon AWS S3 bucket as its Command and Control (C&C) server and is designed to exfiltrate sensitive data from compromised devices, including contacts, SMS messages, images, and videos.

The spyware samples observed disguise themselves as live video apps, adult apps, refund apps, and interior design applications. Below are the icons used by the malware.

Two malicious URLs distributing the spyware have been identified:

hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk

hxxps://bobocam365[.]icu/downloads/pnx01.apk

Since its emergence, this malware has remained undetected by all security solutions, allowing it to operate stealthily. CRIL has identified four unique samples linked to this spyware, all exhibiting zero detection rates across major antivirus engines.

All identified spyware samples were observed communicating with the same Command and Control (C&C) server hosted on an Amazon S3 bucket: hxxps://phone-books[.]s3.ap-northeast-2.amazonaws.com/. Our analysis revealed that the stolen data, including contacts, SMS messages, images, and videos, was openly stored in the S3 bucket (C&C server), further confirming that the malware specifically targeted individuals in South Korea.

The attackers’ poor operational security resulted in the unintentional exposure of sensitive data. We reported the misuse of the AmazonAWS S3 bucket to Amazon Trust and Safety, which disabled access to the URL and made the data no longer accessible. Furthermore, our investigation found no other C&C servers utilizing S3 buckets or exposing stolen data linked to this campaign.

Technical Details

After installation, all spyware samples display a single screen with a message in Korean tailored to the app’s theme.

The source code of this spyware is relatively simple. It utilizes a minimal set of permissions, including “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE,” to carry out its malicious operations. The manifest file specifies only the main activity, which triggers the malicious functionality upon execution.

Upon installation, the spyware requests the necessary permissions; once granted, it executes its malicious functions. These functions, responsible for collecting data from the infected device, are executed within the API method “onRequestPermissionsResult”, as illustrated in the image below.

To exfiltrate images and videos, the malware queries the device’s content provider and uploads each file to the C&C server via the endpoint “/media/+filename”. This behavior is evident in the exposed data, as shown in Figure 3.

The malware gathers contacts and SMS messages from the infected device and stores them in two separate files: phone.json for contacts and sms.json for SMS data. These files are then transmitted to the C&C server, as demonstrated in the figure below.

Conclusion

This campaign highlights the growing sophistication of Android spyware targeting individuals in South Korea. By utilizing an Amazon AWS S3 bucket for Command and Control infrastructure, the threat actors were able to maintain stealth and evade detection for an extended period. This spyware strain utilizes a minimalist approach—leveraging only a few key permissions to exfiltrate sensitive data such as contacts, SMS messages, images, and videos—and demonstrates how even simple malware can be extremely effective.

It is concerning that attackers are increasingly turning to trusted cloud services like AWS as part of their malicious infrastructure. This tactic allows them to bypass traditional security measures and stay under the radar.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic
Technique ID
Procedure

Initial Access (TA0027)
Phishing (T1660)
Malware distribution via phishing site

Collection (TA0035)
Protected User Data: Contact List (T1636.003)
The malware collects contacts from the infected device

Collection (TA0035)
Protected User Data: SMS Messages
(T1636.004)
Steals SMSs from the infected device

Collection (TA0035)
Data from the Local System (T1533)
Malware steals images and videos from an infected device

Command and Control (TA0037)
Application Layer Protocol: Web Protocols (T1437)
Malware uses HTTPS protocol for C&C communication

Exfiltration (TA0036)
Exfiltration Over C2 Channel (T1646)
Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators
Indicator Type
Description

afc2baf71bc16bdcef943172eb172793759d483470cce99e542d750d2ffee851 63952a785e2c273a4dc939adc46930f9599b9438 1d7bbb5340a617cd008314b197844047
SHA256 SHA1 MD5
Spyware hashes

d9106d06d55b075757b2ca6a280141cbdaff698094a7bec787e210b00ad04cde 46eb3ba5206baf89752fe247eff9ce64858f4135 68e6401293e525bf583bade1c1a36855
SHA256 SHA1 MD5
Spyware hashes

a8e398fc4b483a1779706d227203647db3e04d305057fdc7f3f6a4318677b9c8 d07a165b1b7c177c2f57b292ae1b2429b6187e45 16139baf56200f3975e607f89e39419a
SHA256 SHA1 MD5
Spyware hashes

3608f739c66c9ca18628fecded6c3843630118baaab80e11a2bacee428ef01b3 1fc56a6d34f1a59a4987c3f8ff266f867e80d35c fa073ca9ae9173bb5f0384471486cce2
SHA256 SHA1 MD5
Spyware hashes

hxxps://phone-books.s3.ap-northeast-2.amazonaws.com/
URL
C&C server

hxxps://bobocam365[.]icu/downloads/pnx01.apk
hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
URL
Distribution URL

The post Undetected Android Spyware Targeting Individuals In South Korea appeared first on Cyble.

Blog – Cyble – ​Read More

Key Takeaways

Five exploits of recent vulnerabilities were detected by Cyble honeypot sensors this week.

A 9.8-severity PHP flaw identified in June remains under widespread attack, and organizations are urged to upgrade as soon as possible.

Cyble researchers also identified 9 phishing scams, a number of very active brute-force attack networks, and the most commonly targeted ports.

Security teams are advised to use the information provided to harden defenses

Overview

The Cyble Global Sensor Intelligence Network, or CGSI, monitors and captures real-time attack data through Cyble’s network of Honeypot sensors. This week, Cyble’s Threat Hunting service discovered and investigated dozens of exploit attempts, malware intrusions, financial fraud, and brute-force attacks. 

The full report is available to subscribers; here we’ll cover a number of important attacks and exploits that security teams need to be aware of, plus Cyble investigations into phishing campaigns and brute force attacks. The report covers the week of Sept. 11-Sept. 17.

Attack Case Studies

The Cyble Sensor Intelligence report examined 18 attacks in all; here are five that stand out.

CVE-2024-7954: Arbitrary Code Execution Vulnerability in SPIP’s Porte Plume Plugin

CVE-2024-7954 affects the porte_plume plugin in SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16, and allows remote unauthenticated attackers to ecute arbitrary PHP code by sending a specially crafted HTTP request. Users should upgrade to patched versions to mitigate this vulnerability.

CVE-2024-7120: OS Command Injection Vulnerability in Raisecom MSG Devices

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-4577: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a critical PHP vulnerability that impacts CGI configurations. It enables attackers to execute arbitrary commands through specially crafted URL parameters. Given PHP’s importance and wide use, impacted organizations must upgrade to a more secure PHP version as soon as possible.

CVE-2024-36401: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a critical RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, though it may impact functionality.

CVE-2024-7029: Network Command Injection Vulnerability Without Authentication in AVTECH IP Cameras

CVE-2024-7029 allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems. AVM1203, firmware version FullImg-1023-1007-1011-1009 and prior, are affected, and other IP cameras and network video recorder products may also be affected.

Phishing Scams Identified

Cyble researchers identified nine email phishing scams this week. Below are the subject lines and deceptive email addresses used in the scams, along with a description of each.

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

COMPASSION FUND OF 5.5 MILLION DOLLARS. 
info@uba.group.org 
Charity Scam 
Fake charitable fund to steal personal or financial details 

Compensation 
info.us.com 
Compensation Scam 
Offering fake compensation to collect sensitive data 

Dear Beneficiary !!! 
info@federalreservebank.com 
Impersonation Scam 
Scammers posing as a bank CEO to solicit sensitive information 

FACEBOOK GIFTS 
info@fam-koeppel.de 
Social Media Giveaway Scam 
Pretending to offer gifts to steal personal info 

WINNING GIFTS 
fachrisalman.2020@student.uny.ac.id 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

INVESTMENT PROPOSAL 
David@uS.com 
Investment Scam 
Unrealistic investment offers to steal funds or data 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake UN compensation to collect financial details 

Your abandoned shipment 
contact@wine.plala.or.jp 
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

RE: Request Commercial We need your product 
accounts@eswil.com 
Business Commercial Scam 
Fake business requests to obtain goods without payment 

Brute-Force Attacks

Brute-force attacks consist of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. A brute force attack uses the trial-and-error method to guess login info and encryption keys or to find a hidden web page. Hackers work through all possible combinations, hoping to guess correctly.

Cyble observed thousands of brute-force attacks in the last week. A close inspection of the distribution of attacked ports based on the top five attacker countries revealed that attacks originating from the United States targeted ports 3389 (60%), 445 (19%), 22 (13%), 5900 (6%), and 9200 (3%). Attacks originating from Russia targeted ports 5900 (96%), 445 (2%), 25 (1%), 3389 (1%), and 1025 (1%). Attacks originating from The Netherlands, India, and Bulgaria largely targeted ports 5900 and 445.

 Security analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

The most frequently used usernames and passwords in brute-force attacks are shown in the figure below. The analysis report indicates brute-force attacks on IT automation software and servers frequently employing usernames such as 3comcso, elasticsearch, and hadoop and database attacks as in mysql and Postgres. Some of the most common username/password combinations were “root”, “admin”, “password”, “123456”, etc. Hence, it is critically important to set up strong passwords for servers and devices, and to always change default credentials.

Cyble Recommendations

Cyble researchers offered a number of recommendations for subscribers in the report:

Blocking the listed hashes, URLs, and email info on security systems.

Immediately patching all open vulnerabilities listed here and routinely monitoring the top Suricata alerts in internal networks.

Constantly check for attackers’ ASNs and IPs in the real-time attack table.

Block brute force attack IPs and the targeted ports listed in the IoC table in security products.

Immediately resetting default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Sensor Intelligence: Attacks, Phishing Scams and Brute-Force Detections appeared first on Cyble.

Blog – Cyble – ​Read More

Executive Summary

In September 2024, the pro-Russian hacktivist group Just Evil and possibly the state-backed Beregini group led a coordinated cyberattack on Lithuanian energy infrastructure. The attackers claimed to target the PV monitoring solution used by the state-owned Energy holding company Ignitis Group.  

Just Evil is a faction that emerged from the split of the Killnet group, while Beregini exemplifies the complex interplay of hacktivism and state-sponsored cyber operations within the context of the Russia-Ukraine conflict. It operates under the guise of a Ukrainian group while aligning closely with pro-Russian interests.

Just Evil allegedly accessed the power monitoring dashboard of 22 Ignitis’ clients, including hospitals and military academies, via a compromised PV Monitoring Platform in the city of Kaunas. This is the latest in a series of cyberattacks on Ignitis, following earlier DDoS incidents in 2022 and more in 2024, impacting the company’s energy distribution services.

Previous Attacks on Lithuanian Energy Infrastructure

The first significant attack against Ignitis was orchestrated by Killnet in 2022 in retaliation to Lithuania’s ban on the transit of goods to Russia’s Kaliningrad region. The severity of the attack can be adjudged from the fact that the Lithuanian National Cyber Security Centre had to intervene to contain it, and this was widely reported in the media.

In early February 2024, the Russian cybercriminal group Just Evil allegedly gained unauthorized access to the Ignitis ON app control panel, a service that helps electric vehicle owners charge their cars.

The hacktivist group provided video evidence of shutting down user access to charging stations and deleting the users from the control panel. They also demanded a ransom to cease the attacks and for not leaking the user data. As per local media, Ignitis accepted the breach and did not pay the ransom. As a result, Just Evil leaked user data containing details of over 20,000 EV car owners, employee data, access keys, and firmware for car charging stations.

Just Evil later on also advertised selling admin access to Igntis ON platform for Euros 50,000. 

A few days later, the group claimed that they were able to gain access to the Ignitis On app via a vulnerability called ‘Human Factor’, possibly indicating social engineering and the use of valid credentials to gain access. The group also mentioned defacing the panel after gaining illicit access.

Analysis of the Incident Targeting PV Solar Monitoring Solution

Upon closer investigation of the screenshots shared by Just Evil on their telegram channel, Cyble Research & Intelligence Labs (CRIL) investigated the plausibly impacted PV monitoring solutions of Ignitis and ascertained them to be Sungrow’s iSolarCloud. Our open-source search also cemented the fact that Ignitis does use iSolarCloud for managing solar-generated electricity. Hence, considering the compromised panel screenshots, Just Evil’s claims seem credible.  

iSolarCloud by Sungrow offers several features for centralized management, monitoring, and optimization of solar energy systems. The platform offers real-time monitoring of solar systems, tracking energy production, consumption, and inverter performance. It provides data analytics for performance trends, efficiency tracking, and fault alerts, allowing remote diagnostics and predictive maintenance.  

 While the TA claimed to target multiple Lithuanian entities such as hospitals, gymnasiums, and educational facilities, CRIL assessed that the TA was able to access the solar power plants of the institutions mentioned above via the iSolarCloud Platform that provides a centralized PV management solution for managing them, rather than individually compromising them. Considering the names of Lithuanian entities as indicated in the screenshot below, we assess that this iSolarCloud Platform may be in use by Ignitis.  

Looking at the group’s history of attacks, CRIL appraises that the ‘Use of Valid Credentials’ could be the likely initial attack vector in this incident. Conjugate to this hypothesis, Cyble Vision, too, identified recently compromised credentials pertaining to ISolarCloud instances in Europe.

Using Cyble’s ODIN scanner, CRIL investigated other PV monitoring solutions from Lithuania and found that they were exposed on the Internet and could be targeted in the near future.

Conclusion

Solar energy generation and distribution are critical to a nation’s essential services. The recent attack on a centralized PV monitoring platform, which targeted multiple locations simultaneously, represents a significant threat to Lithuania’s energy sector. As observed by Cyble Vision, numerous compromised credentials exist for iSolarCloud platform users from various regions, including Europe and China. CRIL suggests that such compromised credentials could pose a serious risk, potentially being used to target critical infrastructure systems.

Globally, the solar energy sector has increasingly become a target for cybercriminals, with incidents such as ransomware attacks, data breaches, and remote access exploitation growing in frequency.

The impact of such attacks extends beyond immediate operational disruptions, potentially undermining national energy security, causing financial damage, and affecting public trust in renewable energy technologies.

Recommendations

Enhance Network Segmentation: Use firewalls and virtual LANs (VLANs) to separate critical control systems from non-essential networks. Isolate monitoring platforms from other network segments to limit the lateral movement of threats.

Implement Strong Authentication Measures: A key method of preventing unauthenticated access due to compromised credentials is implementing mandatory multi-factor authentication (MFA) for accessing solar monitoring and control systems. Employ strong, unique passwords and regularly update them.

Regular Security Audits and Penetration Testing: Foster a cyber-aware culture with routine security assessments and penetration tests on solar energy systems, including inverters, monitoring platforms, and network devices, to help detect and address vulnerabilities before they can be exploited.

Patch Management and Firmware Updates: Establish a robust patch management policy to ensure all systems, including inverters and monitoring platforms, are up-to-date with the latest security patches and firmware updates. Regularly check for updates from equipment manufacturers.

Implement Advanced Threat Detection and Response: Remember to utilize intrusion detection systems (IDS) alongside intrusion prevention systems (IPS) and Security Information and Event Management (SIEM) tools to oversee, identify, and address potentially malicious activities throughout the network.

Secure Remote Access: Restrict remote access to critical systems through VPNs, limit access to authorized personnel only, and monitor remote sessions for any unusual activity. Disable unused ports and services to reduce attack surfaces.

Employee Training and Awareness Programs: Train employees and operators on cybersecurity best practices, including recognizing phishing attempts and proper handling of sensitive information. Regularly update staff on emerging threats and attack vectors specific to the solar sector.

Incident Response Planning and Disaster Recovery: Create detailed incident response and disaster recovery plans tailored to the solar sector. Ensure that response procedures are in place to quickly isolate and mitigate attacks, minimize downtime, and restore normal operations.

Implement Dark Web Monitoring: Regularly monitor dark web forums, marketplaces, and other underground channels for stolen credentials, sensitive data, or discussions related to your solar infrastructure. Utilize threat intelligence platforms to detect compromised information early, allowing for proactive measures such as credential resets, system audits, and enhanced security protocols to prevent further exploitation.

Minimize Internet Exposure of Critical Systems: Restrict Internet exposure of critical solar monitoring and control systems by ensuring they are not directly accessible from the public internet. Use secure gateways, VPNs, and access controls to shield critical assets. Implement strict firewall rules and regularly scan your network for exposed services to reduce the risk of unauthorized access.

References:

https://faq.isolarcloud.com/web_faq/manage/#/_en_US/a2
https://web3.isolarcloud.com.hk/#/login
https://en.sungrowpower.com/productDetail/987/cloud-platform-isolarcloud

The post Solar Monitoring Solutions in Hacktivists’ Crosshairs appeared first on Cyble.

Blog – Cyble – ​Read More

The trend of using spearphishing techniques in mass emails continues to gain momentum. We recently came across a sample email in which attackers used a whole box of relatively sophisticated spearphishing tricks. Now, one might think that use of such tactics for a “mere” mass phishing attack would be somewhat OTT in terms of effort on the attackers’ side; not so – it transpired in this case: the attackers still gave it a shot (though detailed analysis reveals the attack was doomed from the start). In any case, it presented us with an excellent opportunity to take a dive into the techniques employed by phishers.

Email mimicking update of corporate guidelines

Almost everything about the email is spot on. It’s addressed to a specific individual within a specific organization, and uses ghost spoofing for the sender’s name — that is, the “From” field displays a forgery of the legitimate address of the target company (which, of course, has no relation to the address in the “Reply To” field).

The email is sent through the infrastructure of a reputable marketing company, raising no red flags with email filters. What’s more, the name of this company and the top-level domain hosting its website are deliberately chosen to lull the recipient’s vigilance — the website’s based in Indonesia, and the victim may well perceive the “.id” domain as an abbreviation for “identifier” rather than a country code. Alongside the spoofed address in the “From” field, it looks convincing enough:

But that’s not all. In the email body there’s practically zero text — only a copyright line and an unsubscribe link (both of which, as it happens, are inserted by the mail engine of the legitimate company used to send the message). Everything else, including the recipient’s name, is an image. This is to prevent anti-phishing mechanisms from applying text-based filtering rules.

An attached PDF file is used instead of a direct phishing link for the same reason. Websites can easily be blacklisted and blocked at the mail-server level. A PDF file, on the other hand, appears as a completely legitimate attachment.

PDF attachment

In actual fact, attackers have long been concealing links in PDF files. Thus, in theory, security software should be able to analyze a PDF — including any text and links within. But the creators of this phishing campaign were wise to that as well. Their PDF technically has no text or links in it whatsoever. Instead, it presents another image featuring a QR code and embedded accompanying text.

In addition, the PDF mimics the interface of DocuSign, a well-known service used for electronic document management. DocuSign does indeed allow you to send documents for signing, and to track their status. But, of course, it has nothing to do with PDF files housing a QR code.

At this point, it becomes painfully obvious that the attackers overcooked the attack. The victim receives what seems to be confidential corporate guidelines by email, but to read them they need to scan a QR code with a mobile phone… — not exactly realistic. Most employees won’t bother — especially if they use their own (non-corporate) phone.

Epic fail: the phishing website

So what happens if the victim does pull out their phone and scan the code? Well, for starters, they’ll be greeted by Cloudflare’s verification system and asked to prove they’re human. Cloudflare is a legitimate service to guard against DDoS attacks, and cybercriminals like to put their phishing pages behind it to add plausibility.

But after that it’s a disaster. The website plays an animation of an envelope opening, then crashes with an error message.

It appears the attackers forgot to renew their subscription to the hosting services. Maybe the site had some more kooky tricks in store for the victim, but by the time the phishing emails were being pumped out, it was already defunct.

How to stay safe

To protect company employees from phishing:

Secure corporate email at the mail-gateway level.
Use local security solutions with anti-phishing technologies on all work devices (including mobile ones).
Inform employees of the latest phishing tricks (for example, by pointing them toward our posts regarding signs of phishing).
Hold regular cybersecurity awareness training for staff.

Kaspersky official blog – ​Read More

Key Takeaways

Cyble highlights eight significant vulnerabilities affecting industrial control systems (ICS), as disclosed by the Cybersecurity and Infrastructure Security Agency (CISA).

Among the critical issues identified, CVE-2024-45032, affecting Siemens Industrial Edge Management, stands out due to its critical CVSS score of 10. Exploitation of this bug requires no permissions or user interaction.

Major vendors impacted by these vulnerabilities include Rockwell Automation, Siemens, and Viessmann Climate Solutions.

Several critical vulnerabilities affecting Viessmann Vitogate 300 are at high risk of exploitation due to the availability of a proof of concept and the product’s internet exposure recorded by Cyble’s Internet of Things search engine – ODIN. 

In the past week, U.S. CISA advisories disclosed multiple vulnerabilities impacting Sinema Remote Connect from Siemens. Cyble researchers using ODIN discovered over 1,000 internet-exposed instances that could become targets for attackers in the near future. 

A critical Authorization Bypass vulnerability (CVE-2024-45032) in Siemens’ Industrial Edge Management has also been flagged, with Cyble’s ODIN scanner detecting over 52 internet-facing instances.

Overview

Cyble Research and Intelligence Labs (CRIL) has observed multiple vulnerabilities in its Weekly Industrial Control System (ICS) Vulnerability Intelligence Report. This report provides a comprehensive overview of critical vulnerabilities disclosed from September 10 to September 16.

The Cybersecurity and Infrastructure Security Agency (CISA) issued 29 security advisories concerning Industrial Control Systems (ICS) in the past week. These advisories highlight eight significant vulnerabilities in products from various vendors, including Rockwell Automation, Siemens, and Viessmann Climate Solutions.

Key vulnerabilities include command injection and heap-based overflow issues that could severely affect critical infrastructure.

The Week’s Top ICS Vulnerabilities

1. CVE-2024-45824: Command injection – Rockwell Automation

CVE-2024-45824 is a critical vulnerability found in Rockwell Automation FactoryTalk View Site Edition up to version 14.0. The vulnerability involves an unspecified functionality with a CVSS score of 9.8, indicating its severity. Exploiting this vulnerability requires network conditions but does not require any permissions or user interaction and is considered to have low difficulty of exploitation.

Mitigation: Upgrading the affected software eliminates the vulnerability. Utilize ODIN’s capabilities to determine if devices are exposed and secure them accordingly.

2. CVE-2024-35783: Execution with Unnecessary Privileges – Siemens

A critical vulnerability with a CVSS score of 9.1 has been identified in Siemens SIMATIC BATCH, SIMATIC Information Server (2020, 2022), SIMATIC PCS 7, SIMATIC Process Historian (2020, 2022), and SIMATIC WinCC (Runtime Professional, SCADA Software). This flaw, found in the DB Server component, allows for exploitation under network conditions with low difficulty but requires high privileges.

Mitigation: Upgrading the affected software eliminates the vulnerability.

3. CVE-2023-44373: Improper Neutralization of Special Elements – Siemens

CVE-2023-44373 refers to a vulnerability in Siemens devices where input fields are not properly sanitized, allowing an authenticated remote attacker with administrative privileges to inject code or gain root shell access by exploiting improper neutralization of special elements, essentially enabling a command injection attack due to missing server-side input validation. The affected devices include Siemens RUGGEDCOM and SCALANCE M-800/S615 family.

Mitigation: Update to the latest firmware version, specifically version 3.0.2 or higher.

4. CVE-2024-45032: Authorization Bypass – Siemens Industrial Edge Management

Siemens Industrial Edge Management Pro and Industrial Edge Management Virtual have identified a critical vulnerability in the Device Token Handler component. This flaw allows attackers to bypass authorization. The vulnerability has a CVSS score of 10.0, indicating its severity. Exploitation is feasible over a network with low difficulty, requiring no permissions or user interaction.

Mitigation: Upgrading the affected systems is necessary to mitigate this issue.

Industrial Edge Management Pro: Version 1.9.5 and later

Industrial Edge Management Virtual: Version 2.3.1-1 and later

5. CVE-2023-46850: Use after free – Siemens

This vulnerability in OpenVPN (versions 2.6.0 to 2.6.6) is a use-after-free issue, potentially leading to undefined behavior, memory leaks, or remote code execution when network buffers are sent to a remote peer. The CVSS score is 9.8, indicating a critical severity. Exploitation requires network access but no special permissions or user interactions.

Mitigation: The most effective way to mitigate CVE-2023-46850 is to install the latest software updates from Siemens, containing the necessary fixes.

6. CVE-2024-33698: Heap-based Buffer Overflow – Siemens User Management Components

CVE-2024-33698 is a critical vulnerability in several Siemens products, including SIMATIC Information Server 2022 and 2024, SIMATIC PCS neo, SINEC NMS, and Totally Integrated Automation Portal. The issue resides in the User Management Components (UMC) and is classified as a heap-based buffer overflow. This vulnerability has a CVSS score of 9.8, indicating its high severity. Exploiting this vulnerability requires network access but no special permissions or user interaction.

Mitigation and Workaround: Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

CVE-2024-33698:

Filter the ports 4002 and 4004 to only accept connections to/from the IP addresses of machines that run UMC and are part of the UMC network, e.g., with an external firewall

In addition, if no RT server machines are used, port 4004 can be filtered completely

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.

7. CVE-2023-45852: Command Injection – Viessmann Climate Solutions SE

CVE-2023-45852 is a command injection vulnerability in the Viessmann Vitogate 300 firmware (version 2.1.3.0). An unauthenticated attacker can exploit this vulnerability by injecting shell metacharacters into the ipaddr parameter in the JSON data for the put method in the /cgi-bin/vitogate.cgi endpoint. This allows the attacker to bypass authentication and execute arbitrary commands, potentially compromising the system. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. No user interaction or specific permissions are required to exploit this flaw, and it can be exploited over a network with low difficulty.

Mitigation: Update to the latest version to fix the issue.

8. CVE-2023-5222: Use of Hardcoded Credentials – Viessmann Climate Solutions SE 

A critical vulnerability (CVSS score: 9.8) exists in Viessmann Vitogate 300 firmware up to version 2.1.3.0, specifically in the isValidUser function of the /cgi-bin/vitogate.cgi component within the Web Management Interface. This vulnerability is due to use of hard-coded password, making it exploitable over the network with low difficulty and no user interaction or permissions required. Public exploit details are available. The vendor has not responded to disclosure attempts.

Conclusion

The vulnerability severity distribution for ICS vulnerabilities shows a predominance of critical and high-severity issues in products belonging to known ICS vendors. The majority of affected products come from vendors like Siemens and Rockwell Automation. This calls for a prompt response to mitigate potential impacts on industrial control systems.

Organizations must prioritize patching these vulnerabilities, implement robust security measures, and follow recommended best practices to protect their ICS environments from potential threats. Regular updates, security monitoring, and proactive risk management are essential for maintaining the integrity and security of critical infrastructure.

Recommendations for Mitigation

Implement network segmentation to separate ICS networks from corporate and internet networks. Use firewalls and demilitarized zones (DMZs) to control traffic and limit exposure.

Apply multi-factor authentication for ICS system access. Limit user permissions based on the principle of least privilege to minimize potential damage.

Keep all ICS hardware and software updated with the latest patches to protect against known vulnerabilities. Regular patching is crucial for maintaining system security.

Deploy comprehensive security monitoring tools to detect and alert suspicious activities. Maintain detailed logs for forensic investigations and incident response.

Develop a robust incident response plan tailored to ICS environments. Regularly test and update the plan to ensure effective response to security incidents.

Train personnel on ICS-specific security risks and best practices. Awareness of potential threats and social engineering attacks is essential for maintaining security.

Use secure remote access methods such as VPNs and strong encryption. Minimize direct remote access and monitor remote sessions for potential threats.

Continuously review and update security policies to adapt to evolving threats and changes in the ICS environment. Ensure alignment with industry best practices and regulatory requirements.

Conduct vulnerability assessments and penetration testing to identify and address weaknesses in ICS systems. Regular assessments are vital for proactive security management.

The post Top ICS Vulnerabilities This Week: Critical Bugs in Rockwell Automation, Siemens, and Viessmann appeared first on Cyble.

Blog – Cyble – ​Read More