
Cybersecurity and Infosec News Headlines Update on February 27, 2022

Sites Running Older Versions of Magento Hit with MageCart Attacks

More than 500 e-commerce sites running outdated versions of Magento have been hit with MageCart card skimming attacks. Adobe is urging customers still running Magento 1 to upgrade to Adobe Commerce; Adobe discontinued support for Magento 1 in June 2020.

Note

  • The attack leverages a flaw in the Quickview plugin to run code on the server. When exploited, the attackers leave multiple back doors on the server, so if the compromise is detected you are going to have to fully scan and analyze the system to discover all of them, possibly building a new server from a clean install. If you are still using Magento 1, you need to be migrating to the newest version of Magento Open Source, which is based on Magento 2, or to a commercially supported platform such as Adobe Commerce; there are not going to be any further updates or fixes for Magento 1.


Vodafone Portugal Cyberattack

Vodafone Portugal suffered a cyberattack earlier this week. Outages affected availability of 4G and 5G networks, SMS messaging, and television services. The attack also affected services used by emergency services. Vodafone Portugal has called the incident “a deliberate and malicious attack intended to cause damage.”

Note

  • With the deployment of and move to 5G, 3G and earlier networks are being shut down, decommissioned and their frequencies reallocated; fortunately Vodafone was able to reactivate its 3G network and provide some relief to customers. This is intended to restore voice services, as the 3G data rates are much lower. Customers relying on cellular data will need to wait for the full restoration to achieve the expected data rates. Watch the Vodafone site below for status updates. Note the site is in Portuguese.


Microsoft is Retiring WMIC Tool

Microsoft is no longer developing the WMIC command-line tool. They write, “the WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by Windows PowerShell for WMI. Note: This deprecation only applies to the command-line management tool. WMI itself is not affected.”

Note

  • WMIC was a blessing back when I was a sysadmin and it was first released. Note that WMI is not affected. If you want to understand WMI, it is MITRE ATT&CK T1047: attack.mitre.org: Windows Management Instrumentation
  • Read that again – WMI itself is not deprecated, you just need to use PowerShell for WMI instead of WMIC. If you haven’t looked recently, the Microsoft link below addresses many features which are being removed and when, such as IE11 and the BitLocker To Go Reader.
  • Practitioner’s note: This will mean eventually replacing cmd.exe commands like wmic service where (displayname like "hyper%") get name,displayname with PowerShell equivalents like Get-CimInstance Win32_Service -Filter "displayname like 'hyper%'" | Select-Object Name, DisplayName


Siemens Issues Patches and Mitigations for Vulnerabilities

Siemens has released advisories to address a total of 27 security issues affecting its SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, the TIM 1531 IRC communication module, as well as SIPLUS extreme products. Some of the vulnerabilities could be remotely exploited without authentication to cause denial-of-service conditions.

Note

  • These are flaws in PLCs, and exploiting them can crash the controllers. As such, you should be isolating them and only allowing connections from authorized devices and users. Note there are no mitigations for these flaws, and your firewall likely cannot parse the S7CommPlus_TLS protocol to discover malicious content; use the Siemens General Security Recommendations for a defense-in-depth approach covering hardening, network and physical security. See Siemens Operational Guidelines for Industrial Security
    cert-portal.siemens.com: Operational Guidelines for Industrial Security (PDF)


Temple University Critical Infrastructure Cyberattack Research Project

Researchers at Temple University have been gathering information about ransomware attacks targeting critical infrastructure. The dataset includes records for 1,137 incidents that have been reported between November 2013 and the end of January 2022.

Note

  • You can download the entire dataset as an Excel file. The dataset continues to evolve, and additional fields, such as point of attack, are being requested and considered. Note that while the number of incidents reported for 2021 is lower than for 2020, this is likely due to focus on other incidents or on roll-up reporting rather than indicating a trend towards fewer attacks.
  • When viewing these numbers, keep in mind that extortion is only one of the bad things that could result from these breaches. While some of the breaches exploited human error, the indication is that the cost of attack for far too many systems is much lower than the value of success to the attackers. Collectively we need to raise the cost of attack. Please do your part.


Apple Releases Updates to Address Actively Exploited Zero-Day

Apple released updates to macOS Monterey, watchOS, Safari, iOS and iPadOS to address CVE-2022-22620, a WebKit use-after-free memory corruption flaw that is being actively exploited. Processing maliciously crafted web content can result in remote code execution. The flaw is fixed in macOS 12.2.1, Safari 15.3, watchOS 8.4.2 and iOS/iPadOS 15.3.1.

Note

  • While you just started pushing iOS 15.3, you need to regroup and push 15.3.1. The update is small for devices already on 15.3. macOS 10 and 11 users need only apply the update to Safari, while Monterey users need to install 12.2.1. While Apple seems to be responding to more vulnerability disclosure reports in an effort to maintain the security of their products, the out-of-cycle updates are a bit disruptive, and they are calling these flaws actively exploited. One hopes that doesn’t become so commonplace as to be regarded like the boy who cried wolf.


Vulnerability: DPD parcel tracking flaw may have exposed customer data

The big news this week was the disclosure of a vulnerability in the parcel tracking portal of DPD Group, which may have exposed customer data.

The vulnerability was discovered by Pen Test Partners in September 2021, and they co-operated with DPD Group to assess and triage the vulnerability. DPD Group resolved the vulnerability in October 2021 and had requested that the details only be published in the new year to have time to conduct a full review.

The package tracking service provides an API call that accepts a UK postcode together with a parcel tracking code and returns a PNG image of the recipient’s address rendered on an OpenStreetMap map. The first stage of the exploit was that attackers could submit a random parcel code to retrieve an image like the following:

[Figure: map image returned by the parcel tracking API]

Using elementary analysis of the received map image, the researchers determined the exact postcode of the recipient. This postcode could then be supplied together with the parcel code to retrieve detailed delivery information, including PII.

A successful attack would have been reliant on guessing an active, valid parcel code and would also have required manual steps to extrapolate the exact postcode and defeat the Captcha. However, given the valuable PII disclosed, DPD Group considered this attack to be serious, and they responded quickly to remediate it.

Lessons learned here include:

Vulnerability: Apache Pulsar admin API vulnerability

The second vulnerability covered in this week’s edition comes courtesy of a flaw in the admin API of the popular Apache Pulsar platform.

The admin API required a client to submit a topic and a ledger ID associated with the provided topic. The API implementation did check the client authorization, but unfortunately it did not check the authorization for the ledger ID. This could have allowed an attacker to provide a ledger ID for data on other tenants, for which they were not authorized.

This issue affects Apache Pulsar version 2.8.0 and prior versions. If you are using an affected version, upgrade to a version with the fix as soon as possible.

This vulnerability is an example of API1:2019 — Broken object level authorization, perhaps also API5:2019 — Broken function level authorization.
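To make the broken object level authorization concrete, here is an added example (not Pulsar’s own code) with a constructed in-memory tenant/topic/ledger model: the vulnerable handler checks only the topic, so a caller authorized for their own topic can read any ledger ID, while the fixed handler also requires the ledger to be one that actually backs the requested topic.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample data: two tenants, one topic each, one ledger per topic.
var topicTenant = map[string]string{
	"persistent://tenantA/ns/orders": "tenantA",
	"persistent://tenantB/ns/events": "tenantB",
}
var ledgersOfTopic = map[string][]int64{
	"persistent://tenantA/ns/orders": {100},
	"persistent://tenantB/ns/events": {200},
}
var ledgerData = map[int64]string{100: "tenantA orders", 200: "tenantB events"}

var errForbidden = errors.New("caller not authorized for topic")
var errNotFound = errors.New("ledger does not belong to topic")

// authorizedForTopic is the check the original API did perform.
func authorizedForTopic(caller, topic string) bool {
	return topicTenant[topic] == caller
}

// readLedgerVulnerable trusts the client-supplied ledger ID once the
// topic check passes, so a ledger owned by another tenant is returned.
func readLedgerVulnerable(caller, topic string, ledger int64) (string, error) {
	if !authorizedForTopic(caller, topic) {
		return "", errForbidden
	}
	return ledgerData[ledger], nil
}

// readLedgerFixed binds the ledger to the authorized topic: the ledger
// must be one of the ledgers that back that topic, or the call fails.
func readLedgerFixed(caller, topic string, ledger int64) (string, error) {
	if !authorizedForTopic(caller, topic) {
		return "", errForbidden
	}
	for _, l := range ledgersOfTopic[topic] {
		if l == ledger {
			return ledgerData[ledger], nil
		}
	}
	return "", errNotFound
}

func main() {
	topicA := "persistent://tenantA/ns/orders"
	d, _ := readLedgerVulnerable("tenantA", topicA, 200) // cross-tenant read
	fmt.Println("vulnerable:", d)
	_, err := readLedgerFixed("tenantA", topicA, 200) // rejected
	fmt.Println("fixed:", err)
}
```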

Vulnerability: SQL injection vulnerability in Casdoor API

The third vulnerability this week is the vulnerability in the Casdoor single-sign-on platform. The vulnerability, tracked as CVE-2022-24124, was discovered by the security researcher @wuhan005, and it is detailed in a GitHub issue on the associated GitHub repository.

The researcher discovered that the endpoint /api/get-organizations was vulnerable to SQL injection by examining the underlying code:

// The column name (field) is formatted directly into the SQL text; only the value is bound as a parameter.
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))

This is an example of an API8:2019 — Injection vulnerability — in this case, an SQL injection attack that celebrates its 20th anniversary this year!
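The following is an added example, not Casdoor’s code, showing why the line above is injectable and one way to close it: the column name is interpolated into the SQL string while only the value is bound, so a filterable-column allowlist is checked before any SQL text is built. The snakeString helper is a simplified stand-in for util.SnakeString, and allowedFields is a hypothetical allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// snakeString converts CamelCase to snake_case; a simplified stand-in for
// Casdoor's util.SnakeString, written for this example.
func snakeString(s string) string {
	var b strings.Builder
	for i, r := range s {
		if unicode.IsUpper(r) {
			if i > 0 {
				b.WriteByte('_')
			}
			b.WriteRune(unicode.ToLower(r))
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// vulnerableClause mirrors the original pattern: the field name lands
// verbatim in the SQL text, and only the value is a bound parameter.
func vulnerableClause(field, value string) (clause, arg string) {
	return fmt.Sprintf("%s like ?", snakeString(field)), fmt.Sprintf("%%%s%%", value)
}

// allowedFields is a hypothetical allowlist of columns a client may filter on.
var allowedFields = map[string]bool{"name": true, "display_name": true, "owner": true}

var errBadField = errors.New("field is not filterable")

// safeClause rejects any field that is not a known column, so untrusted
// input never reaches the SQL text; the value stays a bound parameter.
func safeClause(field, value string) (clause, arg string, err error) {
	col := snakeString(field)
	if !allowedFields[col] {
		return "", "", errBadField
	}
	return fmt.Sprintf("%s like ?", col), fmt.Sprintf("%%%s%%", value), nil
}

func main() {
	bad := "name) or (1=1" // constructed: a field value carrying SQL
	c, _ := vulnerableClause(bad, "x")
	fmt.Println("vulnerable SQL text:", c)
	_, _, err := safeClause(bad, "x")
	fmt.Println("safe:", err)
}
```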

Mayday: Computer Crash Investigations

The US Department of Homeland Security has officially established the Cyber Safety Review Board (CSRB), with its first task to be a review of the Log4j vulnerability and responses to it.

The new organisation is tasked with reviewing cyber security incidents, establishing root causes and providing recommendations to improve security. This CSRB concept is comparable to the NTSB, which investigates civil aviation accidents in the US and issues safety recommendations aimed at preventing future disasters.

Reassuringly, “to the greatest extent possible, the CSRB will share a public version of the report with appropriate redactions for privacy and to preserve confidential information”. This is welcome. The CSRB, as originally described, did not have a clear requirement for public reports. These are necessary for the broader industry to learn lessons from the review.

There are some significant legislative differences between the operation of the CSRB and the NTSB. Firstly, the NTSB has the power to issue subpoenas and can compel cooperation. Secondly, NTSB reports cannot be used in civil court proceedings. It’s a carrot and stick approach that helps the NTSB get to the bottom of the incidents it investigates. The CSRB doesn’t have these powers and doesn’t offer similar protections to the entities it will investigate, but it has the implicit backing of the US government. It remains to be seen whether the culture of cooperation in NTSB investigations translates into the cyber realm.

Adam Shostack, a long-time advocate of an ‘NTSB for cyber’ and co-author of Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity, told us the board is “potentially [a] huge step forward”.

On Log4J, Shostack thinks “the key questions are what happened and why, and in this incident, why was it so hard to address? I know a great many people who lost their Decembers to managing these issues”.

Given the CSRB cannot subpoena witnesses, Shostack thought focussing on federal agencies would be a good first step. He also thought that measuring how effective government standards such as the NIST Cybersecurity Framework were during the Log4J incident would be useful.

“Did those standards help with this? Did they enable those building or acquiring software to be ready? Distract from the things that would have set us up to deal with them?”

As an aside, some of this information already does see the light of day. Cisco CISO Brad Arkin summarised his testimony to a Senate committee on the Log4J vulnerability in an excellent Twitter thread.
