Security

Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa

A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview. Critical security vulnerabilities in Moxa’s MXview web-based network management system open the door to unauthenticated remote code execution (RCE) as SYSTEM on any unpatched MXview server, researchers warned this week. The five bugs, affecting versions 3.x to 3.2.2, score a collective 10 out of 10 on the CVSS vulnerability-severity scale, according to Claroty’s Team82 research team. Three of them can be chained together to achieve the aforementioned RCE (CVE-2021-38452, CVE-2021-38460, and CVE-2021-38458), but the others can be used to lift passwords and other sensitive information (CVE-2021-38456, CVE-2021-38454). Mox...
Cybercrooks Frame Targets by Planting Fabricated Digital Evidence

The ‘ModifiedElephant’ threat actors are technically unimpressive, but they’ve evaded detection for a decade, hacking human rights advocates’ systems with dusty old keyloggers and off-the-shelf RATs. Threat actors are hijacking the devices of India’s human rights lawyers, activists and defenders, planting incriminating evidence to set them up for arrest, researchers warn. The actor, dubbed ModifiedElephant, has been at it for at least 10 years, and it’s still active. It’s been shafting targets since 2012, if not sooner, going after hundreds of groups and individuals – some repeatedly – according to SentinelLabs researchers. The operators aren’t what you’d call technical prodigies, but that doesn’t matter. Tom Hegel, threat researcher at SentinelOne, said in a Wednesday post t...
From the back office to the till: Cybersecurity challenges facing global retailers

It’s hardly surprising that the retail sector is one of the most frequently targeted globally, with retail sales in the US alone projected to top $5.2 trillion in 2022. Consumers’ money and data have for years been a big potential prize for cybercriminals to get their hands on, and the surge in digital investment and online shoppers prompted by the pandemic has only made retail a more attractive prospect for would-be hackers. Malicious insiders, negligent staff and misconfigured or vulnerable software across networks, endpoints and point of sale (POS) devices have all widened the corporate attack surface over the years. In this context, cybersecurity plays a critical role in protecting customers’ personal and financial data, keeping ransomware at bay...
What CISOs Should Tell the Board About Log4j

It's time for a reset with the board of directors. Very few have a dedicated, board-level cybersecurity committee, which means cybersecurity isn't viewed as a critical executive function. Cyberattacks on corporations are now a common and increasingly frequent occurrence, which should lead their boards of directors to take notice and recognize the need to increase funding and enable other security measures. But a recent Gartner report finds that 88% of boards of directors view cybersecurity as a business risk, not a technology risk, yet only a fraction has a dedicated, board-level cybersecurity committee, which means cybersecurity isn't viewed as a critical executive function. With Log4j taking up a lot of security attention in the last month, it is imperative to revisit not only...
OT Vulnerability Management: A Risk-Based Approach

The number of missing security patches in an OT system is typically very large—measured in the thousands, at least. It would be difficult and expensive for an asset owner to evaluate each missing security patch / cyber asset pair. This may be one reason we see a patch-everything approach, but this is also difficult and expensive. In fact, assessments show this is rarely done even where required by policy. A vulnerability management system can identify the missing security patches for each cyber asset. Equally or even more importantly, a vulnerability management system can help an asset owner automate the decision of what to patch when. While I’m partial to a decision tree approach (see ICS-Patch: What To Patch When In ICS), there are a number of approaches. The k...
DDoS Attacks on a Tear in Q4 2021

New data from Kaspersky shows distributed denial-of-service attacks increased by more than 50% in the fourth quarter of last year compared with the third quarter. Nearly half of all distributed denial-of-service (DDoS) attacks in the fourth quarter of 2021 hit organizations in the US during an extremely active period for the disruptive attacks, new data shows. Kaspersky reported tracking 4.5 times more DDoS attacks in the fourth quarter than in the previous quarter, with attacks targeting victims in the US (43.55%), China (9.96%), Hong Kong (8.80%), Germany (4.85%), and France (3.75%). The security vendor attributed the massive spike in DDoS attacks to seasonal trends, such as online holiday shopping and cyber activists traditionally being more active from October through Decemb...
Google Paid Record $8.7 Million to Bug Hunters in 2021

The company's Chrome and Android technologies continued to be target-rich environments for security researchers from around the world. Bug-bounty programs can sometimes say as much about an organization's willingness to work with external security researchers to identify and fix security vulnerabilities in its products as they do about its potential exposure to attacks targeting its technologies. By that measure, Google's Android, Chrome, and Play platforms continue to be vulnerability-rich environments for bad actors to target. Last year, Google paid a record $8.7 million in rewards to 696 third-party bug hunters from 62 countries who discovered and reported thousands of vulnerabilities in the company's technologies. That amount represented a near 3...
Hackers Planted Fake Digital Evidence on Devices of Indian Activists and Lawyers

A previously unknown hacking group has been linked to targeted attacks against human rights activists, human rights defenders, academics, and lawyers across India in an attempt to plant "incriminating digital evidence." Cybersecurity firm SentinelOne attributed the intrusions to a group it tracks as "ModifiedElephant," an elusive threat actor that's been operational since at least 2012, whose activity aligns sharply with Indian state interests. "ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry," the researchers said. "The threat actor uses spear-phishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers." Th...
Critical Magento 0-Day Vulnerability Under Active Exploitation — Patch Released

Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild. Tracked as CVE-2022-24086, the shortcoming has a CVSS score of 9.8 out of 10 on the vulnerability scoring system and has been characterized as an "improper input validation" issue that could be weaponized to achieve arbitrary code execution. It's also a pre-authenticated flaw, meaning it could be exploited without requiring any credentials. But the California-headquartered company also pointed out that the vulnerability is only exploitable by an attacker with administrative privileges. The flaw affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions as well as 2.3.7-p2...
Putting AI to Practical Use in Cybersecurity

Almost every cybersecurity product has an AI component. Here is where it's working in the real world. The shortcomings of artificial intelligence (AI) tools in the cybersecurity world have drawn a lot of attention. But does the bad press mean that AI isn't working? Or is AI just getting slammed for failing to meet overinflated expectations? It's time to take a hard look at what AI is accomplishing before kicking it to the curb.

Where Cyber AI Is Winning

There has never been a superhero who hasn't gone to the dark side or fallen off their pedestal. AI is no different. But if you know where AI performs well, you'll have a better idea of how to test vendors' AI claims. "Machine learning [and] AI technologies have been influencing information security for a long time," says Ale...