"Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th)Fri, 14 May 2021 05:35:22 GMT Jan&#;x26;#;39;s last diary about the recent attack against the US pipeline[1] was in perfect timing with the quick research I was preparing for a few weeks. If core components of industrial systems are less exposed in the wild, as said Jan, there is another issue with such infrastructures: remote access tools. Today, buildings, factories, farms must be controlled remotely or sometimes managed by third parties. If Microsoft RDP is common on many networks (and is often the weakest link in a classic attack like ransomware), there is another protocol that is heavily used to remote control industrial systems: VNC ("Virtual Network Computing")[2]. This protocol works with many different operating systems (clients and servers), is simple and efficient. For many companies developing industrial systems, It is a good candidate to offer remote access.
Number of industrial control systems on the internet is lower then in 2020...but still far from zero, (Wed, May 12th)Wed, 12 May 2021 11:13:29 GMT With the recent ransomware attack that impacted operation of one of the major US pipelines[1], I thought it might be a good time to revisit the old topic of internet-connected industrial systems. Since operational technologies are generally used to support/control processes that directly impact the physical world, the danger of successful attacks on them should be self-evident, as should the need to protect them.
Microsoft May 2021 Patch Tuesday, (Tue, May 11th)Tue, 11 May 2021 23:25:31 GMT This month we got patches for 55 vulnerabilities. Of these, 4 are critical, 3 were previously disclosed and none is being exploited according to Microsoft.
Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th)Mon, 10 May 2021 12:30:47 GMT Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets.
Who is Probing the Internet for Research Purposes?, (Sat, May 8th)Sun, 09 May 2021 15:32:36 GMT Shodan&#;x26;#;x5b;1&#;x26;#;x5d; is one of the most familiar site for research on what is on the internet. In Oct 2020 I did a diary on Censys &#;x26;#;x5b;2&#;x26;#;x5d;&#;x26;#;x5b;3&#;x26;#;x5d;, another site collecting similar information like Shodan. The next two sites are regularly scanning the internet for data which isn&#;x26;#;39;t shared with the security community at large.
# threatpost.com
FIN7 Backdoor Masquerades as Ethical Hacking ToolFri, 14 May 2021 17:36:33 +0000 The financially motivated cybercrime gang behind the Carbanak RAT is back with the Lizar malware, which can harvest all kinds of info from Windows machines.
DarkSide Ransomware Suffers ‘Oh, Crap!’ Server ShutdownsFri, 14 May 2021 16:05:13 +0000 The RaaS that crippled Colonial Pipeline lost the servers it uses to pull off ransomware attacks, while REvil’s gonads shrank in response.
Verizon: Pandemic Ushers in ⅓ More Cyber-MiseryFri, 14 May 2021 13:26:48 +0000 The DBIR – Verizon’s 2021 data breach report – shows spikes in sophisticated phishing, financially motivated cyberattacks and a criminal focus on web-application servers.
Ransomware Going for $4K on the Cyber-UndergroundThu, 13 May 2021 19:52:33 +0000 An analysis of three popular forums used by ransomware operators reveals a complex ecosystem with many partnerships.
Beyond MFA: Rethinking the Authentication KeyThu, 13 May 2021 15:39:01 +0000 Tony Lauro, director of security technology and strategy at Akamai, discusses hardware security dongles and using phones to act as surrogates for them.
Fresh Loader Targets Aviation Victims with Spy RATsThu, 13 May 2021 14:55:53 +0000 The campaign is harvesting screenshots, keystrokes, credentials, webcam feeds, browser and clipboard data and more, with RevengeRAT or AsyncRAT payloads.
# Reddit netsec
# Krebs On Security
DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash SeizedFri, 14 May 2021 15:44:45 +0000 The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained funds from an account the group uses to pay affiliates.
Microsoft Patch Tuesday, May 2021 EditionTue, 11 May 2021 20:28:19 +0000 Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft's Internet Explorer (IE) web browser.
A Closer Look at the DarkSide Ransomware GangTue, 11 May 2021 16:37:30 +0000 The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here's a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue.