Cybersecurity News: USB malware spikes, Honeywell, Rockwell vulnerabilities, ransomware remains profitable

USB drive malware attacks spiking again in first half of 2023

Mandiant is describing the proliferation of two USB drive-based malware campaigns that have been active this year. Sogu is attributed to the Chinese espionage threat group TEMP.HEX, and Snowydrive is attributed to UNC4698, which focuses on oil and gas firms in Asia. These join a China-nexus campaign in November that leveraged USB devices against entities in the Philippines, using four malware families. In January, Palo Alto Networks' Unit 42 team identified a PlugX variant that could hide on USB drives and infect the Windows hosts they are connected to. Mandiant added that while USB attacks require physical access to target computers, they are able to bypass standard security mechanisms and reach air-gapped systems. Mandiant's investigation points to print shops and hotels as infection hotspots for USB malware, although any system with a USB port could be a target.

(Bleeping Computer)

Users of Honeywell Experion DCS platforms urged to patch 9 vulnerabilities immediately

Armis and Honeywell yesterday jointly disclosed a package of 9 new vulnerabilities dubbed Crit.IX (as in "critical" plus the Roman numeral 9) that Armis researchers found in the Honeywell Experion® DCS platforms. Seven of the nine are rated critical. The flaws could allow unauthorized remote code execution on legacy versions of both the Honeywell server and its controllers. Exploitation does not require authentication, only network access to the targeted devices, so any compromised IT, IoT or OT asset on the same network as the DCS devices could potentially be leveraged for an attack. Honeywell has made security patches available and strongly advises all affected customers to patch immediately. A CISA advisory is anticipated shortly.

(ITSecurity Guru and Armis)

Ransomware gangs have extorted $449 million this year: Chainalysis

This figure represents a near-record haul for the first six months of a year, and the real total might be much higher, since the research only covers cryptocurrency wallets the firm monitors. "If the trends continue, ransomware groups are on pace to bring in nearly $900 million in 2023, only $40 million behind the peak of $939.9 million seen in 2021." Eric Jardine, cybercrimes research lead at Chainalysis, told Recorded Future News that a number of factors are contributing to ransomware's resurgence, including the return of "big game hunting," where ransomware gangs target large corporations in the hope of extracting massive ransoms.

(The Record)

Popular WordPress security plugin caught logging plaintext passwords

Installed on more than one million WordPress sites, All-In-One Security (AIOS) is a security and firewall plugin designed to prevent attacks such as brute-force login attempts and to warn when a default admin username is used to log in. It is also designed to block bot attacks, log user activity, and eliminate comment spam. According to SecurityWeek, "AIOS version 5.1.9 writes plaintext passwords from login attempts to the database, which essentially provides any privileged user with access to the login credentials of all other administrator users…Earlier this week, the Updraft team maintaining the plugin released AIOS version 5.2.0 to address the issue and remove the logged passwords from the database."

(SecurityWeek)

Thanks to this week’s episode sponsor, Opal

Opal is the data-centric identity platform. Identity is one of the last great enterprise frontiers. It’s fragmented with legacy architecture. Opal’s mission is to empower enterprises to understand and calibrate access end to end. The best security teams from companies like Databricks, Figma, Blend, and Drata use Opal to build identity security for scale. Visit opal.dev.

SonicWall fixes multiple critical vulnerabilities

SonicWall has fixed 15 vulnerabilities that were disclosed in a Coordinated Vulnerability Disclosure (CVD) report produced in conjunction with NCC Group. Four of these vulnerabilities are rated critical and can be exploited by an attacker to bypass authentication and potentially expose sensitive information to an unauthorized actor. Among them are CVE-2023-34124, CVE-2023-34134 and CVE-2023-34137, with CVSS scores of 9.4, 9.8 and 9.4 respectively. SonicWall is not aware of in-the-wild attacks exploiting any of these vulnerabilities, but it urges organizations running the vulnerable GMS/Analytics On-Prem versions to install the security updates.

(Security Affairs)

Rockwell Automation ControlLogix bugs expose industrial systems to remote attacks

CISA has issued an alert regarding two security flaws affecting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication modules that could be exploited to achieve remote code execution and denial of service (DoS). Tracked as CVE-2023-3595 and CVE-2023-3596, with CVSS scores of 9.8 and 7.5 respectively, both are out-of-bounds write flaws that could allow malicious actors to gain remote access to the module's running memory and perform malicious activity, including overwriting any part of the system to evade detection and maintain persistence.

(The Hacker News)

Microsoft rebrands Azure Active Directory to Microsoft Entra ID

Microsoft is changing the name of its Azure Active Directory (Azure AD) enterprise identity service to Microsoft Entra ID. Azure AD provides security features such as single sign-on, multi-factor authentication, and conditional access. According to Bleeping Computer, "while the standalone license names are also being modified with this rebrand, it will not affect the service's capabilities, and everything will work just as before the name change." The transition will be finalized by the end of 2023 and requires no customer action.

(Bleeping Computer)

FTC opens investigation into OpenAI over misleading statements

The investigation into the maker of ChatGPT is based on claims that it has run afoul of consumer protection laws by putting personal reputations and data at risk. The agency is investigating whether the company engaged in unfair or deceptive practices that resulted in "reputational harm" to consumers. One of the questions concerns the steps OpenAI has taken to address the potential for its products to "generate statements about real individuals that are false, misleading, or disparaging."

(Reuters)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.