critical infrastructure | Breaking Cybersecurity News | The Hacker News

A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. "These vulnerabilities could enable attackers to take control of a router by injecting malicious code, allowing them to persist on the device and use it as a gateway into enterprise networks," Forescout Vedere Labs said in a technical report shared with The Hacker News. Of the 14 security flaws – collectively called DRAY:BREAK – two are rated critical, nine are rated high, and three are rated medium in severity. The most critical of the shortcomings is a flaw that has been awarded the maximum CVSS score of 10.0. CVE-2024-41592 concerns a buffer overflow bug in the "GetCGI()" function in the Web user interface that could lead to a denial-of-service (DoS) or remote code execution (RCE) when processing the query string parameters. Another critical vulnerability (CVE-2024-41

Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks. "These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher Pedro Umbelino said in a report published last week. Making matters worse, the analysis found that thousands of ATGs are exposed to the internet, making them a lucrative target for malicious actors looking to stage disruptive and destructive attacks against gas stations, hospitals, airports, military bases, and other critical infrastructure facilities. ATGs are sensor systems designed to monitor the level of a storage tank (e.g., fuel tank) over a period of time with the goal of determining leakage and parameters. Exploitation of security flaws in such systems could therefore have

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

Nation-state threat actors backed by Beijing broke into a "handful" of U.S. internet service providers (ISPs) as part of a cyber espionage campaign orchestrated to glean sensitive information, The Wall Street Journal reported Wednesday. The activity has been attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as FamousSparrow and GhostEmperor. "Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet," the publication was quoted as saying, citing people familiar with the matter. The end goal of the attacks is to gain a persistent foothold within target networks, allowing the threat actors to harvest sensitive data or launch a damaging cyber attack. GhostEmperor first came to light in October 2021, when Russian cybersecurity company Kasperksy detailed a long-standing evasive operation targeting Southeast Asian targets in

The U.S. Department of Commerce (DoC) said it's proposing a ban on the import or sale of connected vehicles that integrate software and hardware made by foreign adversaries, particularly that of the People's Republic of China (PRC) and Russia. "The proposed rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS)," the Bureau of Industry and Security (BIS) said in a press statement. "These are the critical systems that, through specific hardware and software, allow for external connectivity and autonomous driving capabilities in connected vehicles." The agency said nefarious access to such systems could enable adversaries to harvest sensitive data and remotely manipulate cars on American roads.  The proposal extends to all wheeled on-road vehicles such as cars, trucks, and buses. Agricultural and mining vehicles are not included. The BIS said "cert

Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns. The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook. "I have always advocated and advocate for freedom of speech, but the issue of Telegram is not a question of freedom of speech, it is a matter of national security," Kyrylo Budanov, head of Ukraine's GUR military intelligence agency, said . Ukraine's National Security and Defense Council (NSDC) said that Telegram is "actively used by the enemy" to launch cyber attacks, spread phishing messages and malicious software, track users' whereabouts, and gather intelligence to help the Russian military target Ukraine's facilities with drones and missiles. To that end, the use of Telegram has been proscribed on official devices of employees of state

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett). The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023. "Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in a 81-page report shared with The Hacker News. The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered

The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center ( Unit 29155 ). "These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said . "Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine." Targets of the attacks have focused on critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of North Atlantic Treaty Organization (NATO) members, the European Union, Central American, and Asian countries. The joint advisory, released last week as part of a coordinated exercise dubbed Operatio

Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure. "RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)," government agencies said . A ransomware-as-a-service (RaaS) platform that's a descendant of Cyclops and Knight, the e-crime operation has attracted high-profile affiliates from other prominent variants such as LockBit

A comprehensive guide authored by Dean Parsons, SANS Certified Instructor and CEO / Principal Consultant of ICS Defense Force, emphasizes the growing need for specialized ICS security measures in the face of rising cyber threats. With a staggering 50% increase in ransomware attacks targeting industrial control systems (ICS) in 2023, the SANS Institute is taking decisive action by announcing the release of its essential new strategy guide, " ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024 ." Authored by Dean Parsons, CEO of ICS Defense Force and a SANS Certified Instructor, this guide offers a comprehensive analysis of the rapidly evolving threat landscape and provides critical steps that organizations must take to safeguard their operations and ensure public safety. As cyber threats grow in both frequency and sophistication, this guide is an indispensable resource for securing the vital systems that underpin our world. Key Insights from t

A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said . Details of the security shortcoming were first made public earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and the ability to exploit it remotely. "Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process," the agency noted in an alert published August 1, 2024. It's worth noting that the issue remains unpatched. It impacts AVM1203 camera devices using firmwar

The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Versa Director. The attacks targeted four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024, the Black Lotus Labs team at Lumen Technologies said in a technical report shared with The Hacker News. The campaign is believed to be ongoing against unpatched Versa Director systems. The security flaw in question is CVE-2024-39717 (CVSS score: 6.6), a file upload bug affecting Versa Director that was added to the Known Exploited Vulnerabilities (KEV) catalog last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Ce

Traditionally, the focus has been on defending against digital threats such as malware, ransomware, and phishing attacks by detecting them and responding. However, as cyber threats become more sophisticated. There is a growing recognition of the importance of measures that stop new attacks before they are recognized. With high-value assets, it's not good enough to have the protection, it's essential to have some assurance that the protection is effective. With software, that assurance is hard work, and this has led to a complimentary approach, called hardsec. What is Hardsec? Short for " Hardware Security ." Hardsec is about using hardware logic and electronics to implement a security defence, rather than through software alone - thereby providing a higher level of security assurance and resilience against both external and insider threats . Making it an essential component of comprehensive cybersecurity strategies. The Rise of Sophisticated Attacks When the impact of an attack ag

Cybersecurity researchers have identified a number of security shortcomings in photovoltaic system management platforms operated by Chinese companies Solarman and Deye that could enable malicious actors to cause disruption and power blackouts. "If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing blackouts," Bitdefender researchers said in an analysis published last week. The vulnerabilities have been addressed by Solarman and Deye as of July 2024, following responsible disclosure on May 22, 2024. The Romanian cybersecurity vendor, which analyzed the two PV monitoring and management platforms, said they suffer from a number of issues that, among others, could result in account takeover and information disclosure. A brief description of the issues is listed below - Full Account Takeover via Authorization Token Manipulation Using the /oauth2-s/oauth/token API endpoint  Deye

Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks. The elevated access could then be weaponized to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even get correctly signed X.509 VPN certificates for foreign devices to take over their VPN sessions. "This allows attackers hijacking VPN sessions which results in significant security risks against users of the Cosy+ and the adjacent industrial infrastructure," SySS GmbH security researcher Moritz Abrell said in a new analysis. The findings were presented at the DEF CON 32 conference over the weekend. Following responsible disclosure, the issues have been addressed in firmware versions 21.2s10 and 22.1s3 as part of an advisory [PDF] issued by Ewon on July 29, 2024 - CVE-2024-33892 (CVSS score: 7.4) - Information leakage through cookies

The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million. That's according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). "BlackSuit actors have exhibited a willingness to negotiate payment amounts," the agencies said . "Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption." Attacks involving ransomware have targeted several critical infrastructure sectors spanning commercial facilities, healthcare and public health, government facilities, and critical manufacturing. An evolution of the Royal ransomware , it leverages the initial access obtained via phishing emails to disarm antivirus software and exfiltrate sensitive data before ultimately