VERT’s Cybersecurity News Roundup – Week of February 28, 2022

All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of February 28, 2022. I’ve also included some comments on these stories.

High-Severity Flaws Discovered in Schneider, GE Digital SCADA Software

In mid-February, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an advisory warning of multiple vulnerabilities in Schneider’s Easergy protection relays. Two of those high-severity flaws enable an attacker to manipulate traffic associated with the device and/or to execute arbitrary code, reported The Hacker News. This advisory emerged around the same time that CISA warned of similar weaknesses in General Electric’s Proficy CIMPLICITY supervisory control and data acquisition (SCADA) software.

Andrew Swoboda | Senior Security Researcher at Tripwire

Schneider Electric’s Easergy is subject to several vulnerabilities. Versions of Easergy p3 prior to v30.205 and versions of Easergy P5 prior to 01.401.101 are vulnerable to the following vulnerabilities: CVE-2022—22722, CVE-2022-22723, and CVE-2022.22725. CVE-2022-22722 is a hardcoded credentials vulnerability. CVE-2022-22723 and CVE-2022-22725 are buffer overflow vulnerabilities that could cause denial-of-service (DoS) conditions or code execution. These vulnerabilities were discovered by Timothée Chauvin, Paul Noalhyt, and Yuanshe Wu at Red Balloon Security.

Researchers’ Apple AirTag Clone Can Bypass Anti-Stalking Protections

On February 28, The Hacker News reported on the development of an Apple AirTag clone by a team of cybersecurity researchers. The device is unique in that it bypasses anti-stalking protections built into the “Find My” Bluetooth-based tracking protocol. Someone could go on to use the device to track an iPhone user for five days without triggering a tracking notification.

Dylan D’Silva | Security Researcher at Tripwire

Here is an example of where persistence pays off—in this case, bringing large, negative consequences along with the specific use of unwanted stalking/tracking.

Quick recommendations/highlights:

1. Have Bluetooth enabled so that your iPhone can detect AirTags.
2. If you have an Android device, download “Tracker Detect” to detect AirTags.
3. Look at other apps such as AirGuard, Bluetooth BLE Device Finder, and BLE Scanner to scan the local area to help you locate the device.

Apple’s AirTags were designed with the purpose of tracking down your lost items such as keys, backpacks, wallets, etc. Unfortunately, they have been used for far worse purposes including stalking, tracking, and even high-end vehicle theft in other reported cases. I would like to highlight that they were designed to discourage unwanted tracking, alerting your iPhone that an AirTag not belonging to you is “traveling” with you. iPhone will provide options to play a sound so you can locate it, and after a while if you still haven’t found it, it will start playing a sound to let you know where it is.

Researchers were able to build a clone of an AirTag that bypasses the anti-stalking protection that’s built into the Bluetooth tracking protocol, resulting in a test user being tracked for more than five days without a single notification.

In previous weaknesses to the “Find My” system, flaws were discovered in the design and implementation that led to correlation attacks and unauthorized access to users’ location histories.

Apple introduced additional anti-stalking measures earlier this month to prevent the tracking of users without their consent, including inserting a warning that notifies users of illegal tracking.

Focusing back on the clone device, it looks like they circumvent current and upcoming protection measures. It broadcasts new public keys every 30 seconds from a predefined list of over 2,000, which made the cloned tracking device undetectable by both iOS and Apple’s own Tracker Detect Android App.

Notably, third-Party app AirGuard was capable of discovering the cloned device in a manual scan. The researchers brought up an interesting point that Apple should consider widening their threat model to include non-genuine AirTags, which will better shore-up the “Find My” protocol/ecosystem as opposed to just the AirTag itself.

Toyota Halts Production in Japan Following Cyberattack Against Supplier

Toyota halted all production at its 14 plants in Japan following a cyberattack against one of its suppliers. Kojima Industries Corp. determined that the incident prevented the company from communicating with Toyota and monitoring production. Even so, the supplier determined that there was nothing physically wrong with its production equipment, reported SecurityWeek.

Dylan D’Silva | Security Researcher at Tripwire

Operational technology (OT) cybersecurity may be an afterthought to those that do not work in OT industries, but it’s important to keep in mind that while OT and its security needs/considerations are different than those of traditional IT, they are nonetheless important.

Toyota, the world’s largest car manufacturer, appears to have been bit with a suspected cyberattack, halting all production in Japan. More specifically, the attack looks to be affecting a domestic parts supplier, affecting its ability to properly communicate with Toyota and monitor production. The expected impact is a 5% drop in monthly output/product, translating to ~13K units.

Taking a “page” out of the Best Cybersecurity Practices for Industrial Control Systems (ICS), I can recommend at minimum that the following should be done:

1. Identify critical information. Determine what adversaries might want to do and determine what information they need to accomplish their goal.
2. Analyze the threat. Who are potential adversaries? What is their intent and capability? What do they already know or need to know?
3. Analyze the vulnerabilities. Determine weaknesses that may be exploited to gain critical information.
4. Assess risk. Decide if a countermeasure needs to be assigned to a vulnerability based on how that vulnerability affects your organization.
5. Apply countermeasures. Change procedures, control distribution, use cyber protection tools, and add/conduct ongoing awareness training.

Arbitrary Code Execution Facilitated by Google Chrome Bugs

The Center for Internet Security (CIS) warned of multiple vulnerabilities in Google Chrome. It noted that some of those flaws could enable an attacker to execute arbitrary code in the browser. Malicious actors could leverage a successful attack to view, change, or delete data.

Dylan D’Silva | Security Researcher at Tripwire

This is a nice little reminder to keep your software and systems up to date. As new vulnerabilities and flaws are discovered, it’s important to keep your systems patched to ensure they are not exploited.

While the risk to home users may be low, CIS highlights that government and businesses are at high risk simply due to the nature of the work being conducted.

The most severe of the new Chrome vulnerabilities will allow for arbitrary code execution. Pair that with the associated privileges of the application, and it could allow an attacker to view, change, or delete data, which breaks all three tenets of the confidentiality, integrity, and availability (CIA) Triad.

CIS has recommended fthe ollowing actions, which are standard best practices:

• Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
• Apply the principle of least privilege to all systems and services.

I will continue to advocate and advise that business and governments have a vulnerability management program in place to proactively address vulnerabilities and flaws as they are discovered. By doing so, it will increase your overall cybersecurity posture as well as reduce both your attack surface and the number of attack vectors.

Attackers Demand Nvidia Remove GPU Cap

The Lapsus$ threat group leaked approximately 20GB of data that it claims to have stolen from GPU maker Nvidia. As part of its leak, the group demanded that Nvidia remove the lite hash rate (LHR) technology on its GeForce RTX 30 Series firmware, a move which would free up GPU capacity particularly for gamers and cryptominers. The attackers threatened to publish LHR’s specifications if Nvidia refused to comply, noted Bleeping Computer.

Samantha Zeigler | Security Researcher at Tripwire

Proprietary data is essential for every company to maintain their trade secrets and ensure their place in their respective markets. The potential of losing 1TB of data could be monumental to any company. This is why it is important to always stay vigilant with security updates and changes within your system. Identifying attackers as early as possible in the system can mitigate the information they retrieve and the damage they do.

Phishers Using Threat of Russian Hacking to Target Microsoft Accounts

Security researchers came across an email warning recipients that someone from Russia had attempted to access their Microsoft account. It then gave recipients the option of reporting the user, reported Threatpost. If they complied, the campaign then sent the recipients to a fake login page designed to steal their account credentials.

Andrew Swoboda | Senior Security Researcher at Tripwire

Microsoft accounts are being subject to a phishing campaign. The phishing emails will claim that there has been unusual sign-on activity from Russia. The email will contain the following information: the country/region, the IP address, the date, the platform, and the browser. This email requires the potential victim to “report the user.” This button creates a new email that replies to the original. This allows the attacker to respond with a way to collect sensitive information related to the victim’s account.

It is important to not respond to phishing emails. Microsoft accounts have a feature to look up any activity associated with an account. You can always change your password if you have any concerns about the security of your account or if there is any unusual activity.

“First Side-Channel Attack” Demonstrated on Homomorphic Encryption

On March 3, The Hacker News shared how a group of researchers from North Carolina State University and Dokuz Eylul University demonstrated what they’re calling the “first side-channel attack” on homomorphic encryption. The technique involves monitoring power consumption on a device while it’s in the process of applying homomorphic encryption to a set of data. Attackers could potentially leverage this technique to read the data in plaintext during the encryption process, the researchers pointed out.

Andrew Swoboda | Senior Security Researcher at Tripwire

A side-channel attack has been found for homomorphic encryption. This attack can be used to leak data during the encryption process. To exploit this issue, an attacker needs to monitor the power consumption of the device to be able to read the data as it is being encrypted.

TeaBot Android Malware Gets Some Upgrades

According to ZDNet, malware authors have upgraded the TeaBot Android remote access trojan (RAT). The new-and-improved threat now targets over 400 applications, thereby broadening its focus beyond smishing attacks. The malware has also expanded its range of targets beyond Europe to include banks, cryptocurrency exchanges, and digital insurance providers in Russia, the United States, and Hong Kong.

Samantha Zeigler | Security Researcher at Tripwire

For a long time, people thought that malware attacks only went after desktop devices. In recent years, it has become increasingly clear that attackers can and will attack any device they can get into. Things like phishing and smishing allow attackers to gain control of accounts without having control of the device itself. Often, these attacks will come with another layer such as a malware download when the user clicks a button or, in this case, a secondary application.

Stay safe from all kinds of phishing and smishing attacks by avoiding clicking links and going directly to the website that you plan to log into. Never download secondary applications from an unofficial source and minimize permissions for applications you download.

Network Defense Best Practices Released by NSA

The U.S. National Security Agency (NSA) has published best practices that security professionals can use to bolster their organization’s network defense. The guidance is not technology-specific, wrote SecurityWeek on March 4. It’s intentionally generic so that organizations can apply it across whatever devices are deployed on their networks.

Dylan D’Silva | Security Researcher at Tripwire

Governments, organizations, businesses, and individuals should take a look at their current network implementations and compare it to the “Best Practices for Improving Network Defenses” just released by the NSA.

Having more insight into your network is never a bad thing. It will enable admins to better manage their network and mitigate risks as well as prevent adversaries from exploiting their network.

One of reasons I advocate for better network defenses simply boils down to cost, both financial and reputational. This brings to mind the famous saying, “An ounce of prevention is worth a pound of cure.” There are different numbers floating around, but the general average of a data breach is roughly about $4M USD, per IBM. Not all organizations are going to have mountains of capital floating about to invest/reinvest into network security, but it sure is worth consideration, a serious conversation, and a risk assessment. The short-term pain and discomfort of capital investment and potentially having to rearchitect a network will pay “dividends” in your long-term cybersecurity posture. Those costs will pale in comparison to the longer term financial and reputational risks.

Taking the steps below will reduce your attack surface as well as the number of attack vectors that threaten your systems and data.

Let’s look at some of the NSA’s recommendations:

• Implement multiple defensive layers as well as adopt a zero-trust security model.
• Install border routers and next-gen firewalls at your perimeter, placing publicly accessible systems and outbound proxies between firewalls.
• Group similar systems together and isolate them into their respective subnets, applying proper network segmentation. This will ensure that if a device is exploited, attackers cannot pivot and move laterally around the network.
• Related to logical network segmentation is physical segmentation. This provides stronger protection because the intermediary device between subnets would need to be compromised for an adversary to bypass restrictions.
• Properly configure AAA (authentication, authorization, and accounting), applying the principle of least privilege.
• Ensure administrator accounts are properly secured through unique usernames and passwords, enabling multi-factor authentication (MFA) were possible. Ensure that credentials are stored securely and that all unused accounts are disabled.
• Follow proper file system and boot management, maintain/patch all software and operating systems, as well as ensure that in-use hardware is still supported by vendors.
• Finally, implement remote logging and monitoring with secure remote management of network devices, disable IP source routing, as well as disable unused ports, port monitoring, and unnecessary network services.

One last piece of advice I will suggest: If you do not have a patching and vulnerability management program in place, strongly consider implementing one. Continually review and patch your systems to quickly close potential security gaps.

Keep in Touch with Tripwire VERT

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.

Previous VERT Cybersecurity News Roundups