There is an Alerton CVE that was released last week. There is no patch at the moment, and it allows controller data to be overwritten without a password. We've been pressing our OT vendor and Honeywell for more details about how best to mitigate until a patch is available, but they've been slow to provide information. The one thing I cannot determine from the articles I've found is whether the controllers are being overwritten through a connection to the controller itself, either directly or through the internet, or whether they're exploiting the web front-end on the server to gain access to the nodes. https://www.securityweek.com/ot-security-firm-warns-safety-risks-posed-alerton-building-system-vulnerabilities
NanoSSL TLS library misuse leads to vulnerabilities in common enterprise switches.
Following the March 2022 disclosure of TLStorm, a set of critical vulnerabilities in APC Smart-UPS devices that allow an attacker to take control of those devices, Armis researchers have discovered five new vulnerabilities that share a common root cause: misuse of NanoSSL, a popular TLS library by Mocana. By looking for similar faulty uses of the NanoSSL library in network switches, Armis found these new vulnerabilities in the TLS implementations of multiple models of Aruba (part of HPE) and Avaya (networking business acquired by Extreme Networks) switches.
Using the Armis knowledgebase, a database of over 2 billion assets, our researchers identified dozens of devices using the Mocana NanoSSL library. The findings include two popular network switch vendors affected by a similar implementation flaw in their use of the library, leading to remote code execution (RCE) vulnerabilities that can be exploited over the network. UPS devices and network switches differ in function and in the level of trust they hold within the network, but the same underlying TLS implementation issue has severe consequences in both if an attacker is able to reach and exploit it.
This new set of vulnerabilities, dubbed TLStorm 2.0, exposes vulnerabilities that could allow an attacker to take full control over these switches. The exploitation of these RCE vulnerabilities can lead to:
These research findings are significant because they show that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation on its own can no longer be considered a sufficient security measure.
To learn more about the TLStorm 2.0 vulnerabilities and potential impact to organizations, see our detailed blog here.
Armis has discovered a set of three critical vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets and can be found in data centers, industrial facilities, hospitals and more.
APC is a subsidiary of Schneider Electric, and is one of the leading vendors of UPS devices with over 20 million devices sold worldwide. If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities. This blog post provides a high-level overview of this research and its implications.
Armis proactively researches various assets to help security leaders protect their organizations against new threats, including those targeting IT assets and cyber-physical systems (CPS). As part of this research, we’ve investigated APC Smart-UPS devices and the way they communicate with their respective remote management and monitoring services.
The latest APC Smart-UPS models are controlled through a Cloud connection. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote-code execution (RCE) attack on a device, which in turn could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it.
Attacks targeting the power grid and the equipment attached to it have taken place before, most famously the 2015 attack on the Ukrainian power grid, in which UPS devices (among many other types of devices) were remotely compromised, contributing to a wide-scale power outage. Recent events in the Russia-Ukraine conflict have raised concerns among US officials that Russia could target the US power grid with cyber attacks. The discovery of the TLStorm vulnerabilities underlines how exposed the devices responsible for power reliability in enterprise environments are, and stresses the need to protect them against malicious attacks.
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets. In cases where a power disruption could cause injuries, business downtime, or data loss, UPS devices help ensure high availability of critical technology in:
The set of discovered vulnerabilities include two critical vulnerabilities in the TLS implementation used by Cloud-connected Smart-UPS devices, as well as a third critical vulnerability, a design flaw, in which firmware upgrades of all Smart-UPS devices are not properly signed and validated.
Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost.
These vulnerabilities can be triggered via unauthenticated network packets without any user interaction (a zero-click attack).
The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. This means an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried.
Abusing flaws in firmware upgrade mechanisms is becoming standard practice for APTs, as recently detailed in the analysis of the Cyclops Blink malware, and improperly signed firmware is a recurring flaw in embedded systems. A previous vulnerability discovered by Armis in Swisslog PTS systems (PwnedPiper, CVE-2021-37160) was the result of the same kind of flaw.
Armis disclosed these vulnerabilities to Schneider Electric on October 31, 2021. Since then, Armis has worked with Schneider Electric to create and test a patch, which is now generally available.
The fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target. In the television series Mr. Robot, bad actors cause an explosion using an APC UPS device. However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke.
Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall. They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.
Cyber-Physical Systems (CPS) are computerized systems that operate devices with real-world interactions, for example, automatic doors, PLCs, MRI machines and smart vehicles. The increasing adoption of IoT and CPS devices has created a wealth of new targets for bad actors.
The destructive implications of network-based attacks resulting in real-world damage are no longer theoretical. In 2014 attackers infiltrated the network of a German steel mill and tampered with the shutdown mechanism of a blast furnace, which could no longer be shut down in a controlled way. The attack resulted in massive damage to the plant, which luckily did not cause any casualties.
Illustrating the cyber-physical effect of the TLStorm attack, Armis researchers were able to damage a Smart-UPS over the network with no user interaction:
TLStorm: 3 vulnerabilities. Millions of devices at risk.
As noted above, TLStorm is a set of three critical vulnerabilities. One is in the firmware signing of almost all APC Smart-UPS devices. The other two relate to the TLS implementation of the Smart-UPS devices with the “SmartConnect” feature, which automatically connects devices to the Schneider Electric management cloud.
It is common practice to sign firmware images cryptographically and to check the signature during a firmware update. The APC Smart-UPS firmware is encrypted with symmetric encryption, but it is not cryptographically signed. Encryption only hides the image contents; it does not prove who produced them. Anyone holding the shared symmetric key can therefore produce an image the device accepts, and with a malleable cipher mode even an attacker without the key can alter a known image in place.
Our researchers were able to exploit the following key design flaws to fabricate a malicious firmware that was accepted by the Smart-UPS as official valid firmware:
The combination of these flaws allows an attacker to “upgrade” Smart-UPS devices over the network with customized and malicious firmware.
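The following is an added example, not code from the Armis research or from APC: it models an encrypt-only firmware check next to a signed one, so the difference between the two is visible in a run. The header bytes, the shared key, the SHA-256 counter keystream standing in for the device cipher, and the textbook RSA signature (no padding, 512-bit modulus, chosen only to keep the example self-contained) are all assumptions; the real Smart-UPS image format and update protocol are not described on the page. The two forgeries are exactly the ones the text describes: one built with an extracted shared key, one built by flipping ciphertext bits of a known image without any key at all.

```python
import hashlib
import secrets

# All names, formats and keys here are constructed for this example.
MAGIC = b"UPSFW\x01"
SHARED_KEY = b"one-symmetric-key-burned-into-every-unit"   # constructed
SIG_LEN = 64   # 512-bit textbook-RSA signature, see rsa_keygen()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter keystream standing in for the device's symmetric cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation for a stream cipher)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_verify(image: bytes):
    """Encrypt-only check: decrypt with the shared key and trust anything that
    starts with the expected header. Returns the payload, or None."""
    plain = xor_crypt(SHARED_KEY, image)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; enough for the demonstration key below."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Returns (public, private) as ((e, n), (d, n)). Textbook RSA, demo only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def build_signed_image(payload: bytes, private_key) -> bytes:
    """Vendor side: sign SHA-256(header || payload), then encrypt header || payload || signature."""
    d, n = private_key
    body = MAGIC + payload
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return xor_crypt(SHARED_KEY, body + pow(h, d, n).to_bytes(SIG_LEN, "big"))


def strong_verify(image: bytes, public_key):
    """Device side: decrypt, then refuse anything whose signature does not verify
    under the vendor public key. Holding the shared symmetric key no longer grants authorship."""
    e, n = public_key
    plain = xor_crypt(SHARED_KEY, image)
    if len(plain) < len(MAGIC) + SIG_LEN or not plain.startswith(MAGIC):
        return None
    body, sig = plain[:-SIG_LEN], plain[-SIG_LEN:]
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return body[len(MAGIC):] if pow(int.from_bytes(sig, "big"), e, n) == h else None


def demo() -> dict:
    good = b"official firmware payload v1.0"
    evil = b"attacker-patched payload v1.0 "   # same length so the bit-flip attack lines up
    official = xor_crypt(SHARED_KEY, MAGIC + good)
    # Attack 1: the attacker pulled the shared key out of one unit and encrypts its own image.
    forged_with_key = xor_crypt(SHARED_KEY, MAGIC + evil)
    # Attack 2: no key at all. Knowing the official plaintext, flip ciphertext bits so the
    # image decrypts to the attacker's payload; encryption alone does not protect integrity.
    forged_without_key = bytes(c ^ g ^ v for c, g, v in zip(official, MAGIC + good, MAGIC + evil))
    public_key, private_key = rsa_keygen()
    signed = build_signed_image(good, private_key)
    forged_signed = xor_crypt(SHARED_KEY, MAGIC + evil + bytes(SIG_LEN))   # has the key, not the signing key
    return {
        "weak_accepts_key_forgery": weak_verify(forged_with_key) == evil,
        "weak_accepts_bitflip_forgery": weak_verify(forged_without_key) == evil,
        "strong_accepts_official": strong_verify(signed, public_key) == good,
        "strong_rejects_forgery": strong_verify(forged_signed, public_key) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The encrypt-only verifier accepts both forgeries; the signed verifier accepts the vendor image and rejects the forgery even though the attacker holds the same symmetric key the device does. A production device would use a standard scheme (RSA-PSS, ECDSA or Ed25519 over a versioned header) and would keep the signing key off the device entirely, which is the property the textbook RSA here stands in for.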
The firmware upgrade process depends on the specific model of the UPS device:
Since software developers can’t reinvent the wheel every time they write new code, developers must rely on third-party code libraries for software development. In the case of Log4j2, almost every user of the library unknowingly inherited a remote code execution vulnerability (Log4Shell).
The root cause of both TLS vulnerabilities is improper handling of TLS errors in the connection between the Smart-UPS and the Schneider Electric cloud. APC uses Mocana nanoSSL as the library responsible for TLS communications. The library manual clearly states that library users should close the connection when there is a TLS error. In APC's usage of the library, however, some errors are ignored, leaving the connection open in a state the library was not designed to handle.
The latest generation of Smart-UPS models implement a feature called SmartConnect, which is a dedicated Ethernet port through which the device will connect to the cloud service and allow remote management of the device.
Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state. When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device. The attack flow can be seen in the following diagram. On the left is a normal TLS session setup and resumption and on the right is the exploit handshake that is only possible due to the improper error handling:
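The following is an added example, written for this page rather than taken from the Armis research or from the nanoSSL API: a small model of the client's handshake-and-cache path that reproduces the root cause described above. All names here are invented, the handshake is a stand-in that returns an error before any key is derived, and HMAC over a nonce stands in for the TLS PRF that a resuming peer uses to prove it knows the master secret. The point it shows is that dropping the handshake return code caches a never-derived, all-zero secret, and that a peer who failed certificate verification can then resume with that zero secret; checking the return code and tearing the session down closes that path.

```python
import hashlib
import hmac
import os

# Model of a TLS client's handshake-and-cache path, constructed for this example.
# Function and field names are invented; this is not the NanoSSL API.

SECRET_LEN = 32
TLS_OK, TLS_ERR_BAD_CERT = 0, -1


class Session:
    """What the client keeps so that it can resume without a full handshake."""

    def __init__(self):
        self.master_secret = bytes(SECRET_LEN)   # library buffer starts out zeroed
        self.valid = False


def handshake(peer_cert_ok: bool, session: Session) -> int:
    """Stand-in for the library handshake. A certificate failure returns an error
    before key derivation, so session.master_secret is still the zeroed buffer."""
    session.master_secret = bytes(SECRET_LEN)
    if not peer_cert_ok:
        return TLS_ERR_BAD_CERT
    session.master_secret = os.urandom(SECRET_LEN)   # stand-in for the real key schedule
    return TLS_OK


def connect_ignoring_errors(peer_cert_ok: bool) -> Session:
    """Vulnerable pattern: the return code is discarded and whatever is in the
    buffer is cached as a valid session."""
    session = Session()
    handshake(peer_cert_ok, session)   # error code never checked
    session.valid = True
    return session


def connect_checking_errors(peer_cert_ok: bool) -> Session:
    """Fixed pattern: any handshake error closes the connection and leaves
    nothing resumable, as the library manual requires."""
    session = Session()
    if handshake(peer_cert_ok, session) != TLS_OK:
        session.master_secret = bytes(SECRET_LEN)
        session.valid = False
        return session
    session.valid = True
    return session


def resumption_proof(master_secret: bytes, nonce: bytes) -> bytes:
    """On resumption each side proves it knows the cached secret (HMAC stands in
    for the TLS PRF over the handshake transcript)."""
    return hmac.new(master_secret, nonce, hashlib.sha256).digest()


def resume(session: Session, nonce: bytes, peer_proof: bytes) -> bool:
    if not session.valid:
        return False
    return hmac.compare_digest(resumption_proof(session.master_secret, nonce), peer_proof)


def attacker_resumes(check_errors: bool) -> bool:
    """The attacker's certificate fails verification; it then asks to resume
    using the one secret it can guess: all zeros."""
    connect = connect_checking_errors if check_errors else connect_ignoring_errors
    session = connect(peer_cert_ok=False)
    nonce = os.urandom(16)
    return resume(session, nonce, resumption_proof(bytes(SECRET_LEN), nonce))


def genuine_resumes(check_errors: bool) -> bool:
    """Control case: a peer whose certificate verified resumes normally either way."""
    connect = connect_checking_errors if check_errors else connect_ignoring_errors
    session = connect(peer_cert_ok=True)
    nonce = os.urandom(16)
    return resume(session, nonce, resumption_proof(session.master_secret, nonce))


if __name__ == "__main__":
    print("ignoring errors -> attacker resumes:", attacker_resumes(False))   # True
    print("checking errors -> attacker resumes:", attacker_resumes(True))    # False
```

When reviewing firmware that embeds a TLS library, the pattern to grep for is exactly the one in connect_ignoring_errors: a handshake or read call whose return value is discarded, followed by code that treats the connection or its session state as established.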
The same root cause, ignoring the nanoSSL library errors, also leads to a memory-corruption vulnerability in the reassembly of TLS packets. The TLS reassembly feature allows a TLS record to be fragmented; the record is assembled chunk by chunk until the full record has been received. An attacker can leverage the ignored nanoSSL library error to trigger a pre-authentication heap overflow that can lead to remote code execution.
There are a few steps that you can take to minimize the risk of an attack. Armis recommends using all three mitigations and not just updating the device.
Armis customers can leverage the Armis platform to:
The Armis platform provides the required visibility to ensure all your assets, including cyber-physical assets that are not covered by traditional security solutions, are continuously protected against the latest threats.
UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.
It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However traditional security solutions do not cover these assets. As a result, they remain “unseen” and therefore expose the organization to significant risk.
Armis experts will discuss the TLStorm research during the following virtual and in-person events:
Want to discuss this with one of our experts and/or schedule a demo? – Contact us here.
From Homeland Security Today (HSToday)
Every IoT sensor has a unique IP address, enabling it to communicate and exchange data with other machines and serving as a potential access point.
Fighting back and keeping IoT devices secure
The proliferation of IoT devices could open the floodgates for cyberattacks threatening the security of smart buildings. A recent report indicated that in 2019 nearly 40 percent of 40,000 smart buildings were impacted by a cyberattack. That in mind, it’s critical that organizations get ahead of the onslaught of threats by implementing security best practices including:
Strong password policies: It can't be stated enough that one of the easiest ways attackers compromise an IoT device is through weak, guessable or default passwords. In fact, 70% of IoT devices are still using factory-set default passwords. A strong password policy requiring long, unique passwords helps prevent such attacks.
Robust patch management: The biggest security hurdle with IoT devices is that they cannot easily be upgraded or patched. Many IoT devices are too critical to take out of operation for software updates. Developing policies that define processes for the different types of upgrades, from bug fixes to new releases to emergency updates, will make your IoT update process more robust.
Segment your network: Organizations can minimize the impact of an IoT attack from spreading to other parts of the network by separating out critical systems, such as BAS systems, from the rest of the network.
We are excited to hold our Annual Real Estate Cyber Consortium (RECC) Leadership Board meeting in person for the first time in two years today and tomorrow (March 29-30). My thanks to everyone who is attending, some coming in from as far as London, England, as well as those who are attending virtually. Our special thanks to Clint Osteen and the Granite Properties team who are hosting us at their beautiful facilities at Granite Place – Southlake Town Square, Dallas TX.
#RECC #ShieldsUp #Cybersecurity
Dear RECC Members,
Today, March 8th, 2022, Armis announced the discovery of 3 zero-day vulnerabilities in American Power Conversion (APC) Smart-UPS devices, potentially exposing over 20 million enterprise devices worldwide. Uninterruptible Power Supply (UPS) devices provide emergency backup power for mission-critical assets, and these vulnerabilities, collectively known as TLStorm, allow threat actors to disable, disrupt, and destroy APC Smart-UPS devices and even attached assets.
Armis researchers disclosed their findings to Schneider Electric, APC’s parent company, on October 31st, 2021 and have been working with them since to create and test a patch.
Why is this research important?
Armis proactively researches various assets to help security leaders protect their organizations against new threats, including those targeting not-so-obvious assets like UPS-devices. We found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. According to Armis data, more than 70% of organizations appear to have assets that are vulnerable to TLStorm.
It’s important to note that Smart UPS-devices are often installed and forgotten, which can have severe implications if exploited by a bad actor since these devices are connected to the same networks as the core business systems.
What are the risks?
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centers, industrial facilities, hospitals, and more. This makes them a high-value cyber-physical target. Armis researchers were able to remotely control a Smart-UPS device, alter the voltage, and make it literally go up in smoke.
These vulnerabilities can also enable a UPS to act as a gateway from the Internet to the internal network, and attack other devices within the corporate network.
What should customers do to minimize the risk of an attack?
Armis recommends that all organizations:
How can Armis help?
Use the Armis platform to:
What resources are available about this?
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK) have released a joint Cybersecurity Advisory (CSA) highlighting a global increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations in 2021. The CSA describes observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.
Click here for a PDF version of this report.
#CISA #Ransomware #GlobalThreat
Latest update 1/4/2022 2:00 PM PST:
The latest library version is v2.17. Multiple vulnerabilities (3) have been discovered in Log4j's functional code.
Log4j flaw attack levels remain high, Microsoft warns
A serious zero-day vulnerability in a widely used Apache Java logging library has become a full-blown internet crisis, affecting millions of digital systems across the internet. On December 11, 2021, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released a statement, highlighting that "To be clear, this vulnerability poses a severe risk… We urge all organizations to join us in this essential effort and take action."
Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. According to Kaspersky, almost all versions of Log4j are vulnerable, from 2.0-beta9 through 2.16. The simplest and most effective protection is to upgrade to the most recent version of the library:
Relative to exploitation post-compromise, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.
Microsoft guidance for preventing, detecting, and hunting for Log4j vulnerabilities
Bitdefender Technical Advisory on Log4j2
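Upgrading only works once you know where every copy of log4j-core is, including copies bundled inside WARs and EARs. The following is an added example, not part of the update above or of any of the linked advisories: an offline scanner that walks an archive (descending into nested jars), reads the version from the Maven pom.properties that log4j-core jars ship with, and flags copies in the affected range that still contain the JndiLookup class. The cut-off of 2.17.0 is an assumption taken from the "latest is v2.17" note above, the sample WAR is constructed in memory, and the case of an old jar with JndiLookup.class removed (a workaround not mentioned on this page) is included only to show how the scanner treats it.

```python
import io
import re
import zipfile

# Paths below follow the Maven layout real log4j-core jars ship with.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1, 1, ''), '2.0-beta9' -> (2, 0, 0, 0, 'beta9');
    the fourth field makes pre-releases sort below the matching release."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text)
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


# Assumption: everything below the version the page calls latest is treated as affected.
FIXED_IN = parse_version("2.17.0")


def _log4j_version(zf: zipfile.ZipFile):
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def scan_archive(data: bytes, path: str, findings=None):
    """Record every log4j-core found in an archive, descending into nested archives."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        version = _log4j_version(zf)
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # Affected if the lookup class is present and the version is below the fix;
                # an unlabelled copy that still carries the class is treated as affected.
                "affected": has_jndi and (version is None or version < FIXED_IN),
            })
        for name in names:
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings


def affected_paths(data: bytes, path: str = "app.war"):
    return [f["path"] for f in scan_archive(data, path) if f["affected"]]


def _jar(version: str, with_jndi: bool) -> bytes:
    """Constructed log4j-core-like jar: pom.properties plus, optionally, the lookup class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPERTIES,
                   f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # class-file magic; body irrelevant here
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed input: one affected copy, one patched copy, one old copy with the class removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _jar("2.14.1", True))
        z.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", _jar("2.17.0", True))
        z.writestr("WEB-INF/lib/vendor-bundle.jar", _jar("2.0-beta9", False))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "app.war"):
        print(finding)
```

Run it against real deployment directories by reading each .jar/.war/.ear from disk and passing the bytes to scan_archive; shaded jars that rename the package path will not match and need a class-name search instead.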
This report from Dark Reading describes how the convergence and integration of OT and IT has produced a growing number of cyber risks for critical infrastructure. Its recommendations include setting a regular time to review cybersecurity strategy, policies, and tools so that you stay on top of these threats; mitigating USB threats by evaluating the risk to your OT operations and the effectiveness of your current safeguards for USB devices (ports and their control); and deploying a defense-in-depth strategy that layers OT cybersecurity tools and policies to give your organization the best chance of staying safe from ever-evolving threats.
#DarkReading #Cybersecurity #OT
A Bleeping Computer report states that the Emotet malware is back, and that it is evolving. Emotet was previously considered the most widely spread malware, using spam campaigns and malicious attachments to distribute itself. Emotet would then use infected devices to run further spam campaigns and to install other payloads, such as the QakBot (Qbot) and TrickBot malware. Those payloads were in turn used to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others. At the beginning of the year, an international law enforcement action coordinated by Europol and Eurojust took down the Emotet infrastructure and arrested two individuals. On April 25th, 2021, German law enforcement used that infrastructure to deliver an Emotet module that uninstalled the malware from infected devices. On November 15, 2021, Emotet researchers began to see TrickBot dropping an Emotet loader on devices it had already infected, rebuilding the Emotet botnet on top of TrickBot's existing footholds.