CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) to release an advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action outlining a PRC state-sponsored cyber group’s activity. The following organizations also collaborated with ASD's ACSC on the guidance:
The National Security Agency (NSA);
The Federal Bureau of Investigation (FBI);
The United Kingdom’s National Cyber Security Centre (NCSC-UK);
The Canadian Centre for Cyber Security (CCCS);
The New Zealand National Cyber Security Centre (NCSC-NZ);
The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV);
The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC); and
Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA).
The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting.
APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations. APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.
CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.
For more information on PRC state-sponsored threat actor activity, see CISA’s People's Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.
This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.
The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.
The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]
The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.
To download the PDF version of this report, visit the following link.
Activity Summary
APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.
Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.
APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.
Figure 1: TTP Flowchart for APT40 activity
This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken.
Notable Tradecraft
Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this technique [T1594].
APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.
Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders [T1001.003].
APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.
Tooling
ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to better understand the threats they need to defend against.
ASD’s ACSC are sharing two anonymized investigative reports to provide awareness of how the actors employ their tools and tradecraft.
Case Study 1
This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.
Executive Summary
This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organization’s network between July and September 2022. This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.
In mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organization’s consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.
From July to August, key actor activity observed by the ASD’s ACSC included:
Host enumeration, which enables an actor to build their own map of the network;
Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
Deployment of other tooling leveraged by the actor for malicious purposes.
The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be used to arbitrarily upload files. Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, a group’s access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability.
Investigation Findings
In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user.
In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which showed evidence of having been impacted by the compromise.
Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network.
In September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the initial notification. In October, the organization commenced remediation.
Details
Beginning in July, actors were able to test and exploit a custom web application [T1190] running on <webapp>2-ext, which enables the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains. Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039] from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server [T1558.003]. The group were not observed gaining any additional points of presence in either the DMZ or the internal network.
Visual Timeline
The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organization’s network.
Detailed Timeline
July: The actors established an initial connection to the front page of a custom web application [T1190] built for the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security (TLS) connection [T1102]. No other noteworthy activity was observed.
July: The actors begin enumerating the web application’s website looking for endpoints[2] to further investigate.
July: The actors concentrate on attempts to exploit a specific endpoint.
July: The actors are able to successfully POST to the web server, probably via a web shell placed on another page. A second IP, likely employed by the same actors, also begins posting to the same URL. The actors created and tested a number of likely web shells.
The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on <webapp>2-ext.
ASD's ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.
July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actors log into the web application using compromised credentials for <firstname.surname>@<organisation domain>.
The actors’ activity does not appear to have successfully achieved privilege escalation on <webapp>2-ext. Instead, the actors pivoted to network-based activity.
July: The actor tests the compromised credentials for a service account[3] which it likely found hardcoded in internally accessible binaries.
July: The actors deploy the open-source tool Secure Socket Funnelling, which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor's attack machines into the organization’s internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.
August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.
August: The actors perform significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful data exfiltration.
This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.
August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.
September: The organization blocks the malicious IP by denylisting it on their firewalls.
Actor Tactics and Techniques
The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by U.S. not-for-profit The MITRE Corporation and functions as a common global language around threat actor behavior.
The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:
The actor enumerated the custom web application’s website to identify opportunities for accessing the network.
Initial Access
T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)
T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with comprised credentials)
Exploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor was later able to use credentials they had compromised to further their access to the network.
Execution
T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)
T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)
Persistence
T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)
Credential Access
T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])
T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)
Lateral movement
T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)
Collection
T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)
Exfiltration
T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)
Case Study 2
This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.
Executive Summary
This report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s network in April 2022. This investigation report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.
In May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s network since April 2022. Subsequently, the organization informed ASD's ACSC that they had discovered malicious software on an internet‑facing server which provided the login portal for the organization’s corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as 'the compromised appliance'. This report details the investigation findings and remediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.
Evidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via the organization’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicized around the time of the compromise.
Key actor activity observed by the ASD’s ACSC included:
Host enumeration, which enables an actor to build their own map of the network;
Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
Exploitation of software vulnerabilities to escalate privileges; and
Credential collection to enable lateral movement.
The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords were found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate network using a legitimate user account.
Investigation Summary
The ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for organization staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a “single appliance.”
The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:
The collection of several hundred genuine username and password pairs; and
The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.
The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this access vector to further compromise organization services to achieve persistence and other goals.
Other organization appliances within the hosting provider managed environment did not show evidence of compromise.
Access
The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions [T1021.001].
Location
Compromised appliance hostnames (load-balanced)
Datacentre 1
HOST1, HOST2, HOST3
The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance.
There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence but indicates that the group sought to move laterally in the organization’s network [TA0008].
Internal Hosts
The ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011].
Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which is an authentication artefact used to create virtual desktop login sessions. The actor may have been able to use these to create or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a legitimate user [T1078].
The actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided in the organization’s internal network. It is likely that the actor had access to this data.
Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilized this device, potentially to pivot into the internal network.
Investigation Timeline
The below list provides a timeline of key activities discovered during the investigation.
Time
Event
April 2022
Known malicious IP addresses interact with access gateway host HOST7. The nature of the interactions could not be determined.
April 2022
All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors, and web shells were placed on the hosts.
A log file was created or modified on HOST2. This file contains credential material likely captured by a malicious actor.
The /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3, indicating that passwords were changed. Evidence available on HOST1 suggests that the password for user ‘sshuser’ was changed.
April 2022
HOST2 was shut down by the organization.
Additional web shells (T1505.003) were created on HOST1 and HOST3. HOST1experienced SSH brute force attempts from HOST3.
A log file was modified (T1070) on HOST3. This file contains credential material (T1078) likely captured by a malicious actor.
JWTs were captured (T1528) and output to a file on HOST3.
HOST3 was shut down by the organization. All activity after this time occurs on HOST1.
April 2022
Additional web shells were created on HOST1 (T1505.003). JWTs were captured and output to a file on HOST1.
April 2022
Additional web shells are created on HOST1 (T1505.003), and a known malicious IP address interacts with the host (TA0011).
A known malicious IP address interacts with access gateway host HOST7.
May 2022
A known malicious IP address interacted with access gateway host HOST7 (TA0011).
An authentication event for a user is linked to a known malicious IP address in logs on HOST1. An additional web shell is created on this host (T1505.003).
May 2022
A script on HOST1 was modified by an actor (T1543). This script contains functionality which would have scraped data from an internal SQL server.
May 2022
An additional log file on HOST1 was last modified (T1070). This file contains username and password pairs for the organization network, which are believed to be legitimate (T1078).
May 2022
An additional log file was last modified (T1070). This file contains JWTs collected from HOST1.
May 2022
Additional web shells were created on HOST1 (T1505.003). On this date, the organization reported the discovery of a web shell with creation date in April 2022 to ASD’s ACSC
May 2022
A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.
May 2022
The iptables-save command was used to add two open ports to the access gateway host. The ports were 9998 and 9999 (T1572).
Actor Tactics and Techniques
Highlighted below are several tactics and techniques identified during the investigation.
The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network.
This initial access method is considered the most likely due to the following:
The server was vulnerable to these CVEs at the time;
Attempts to exploit these vulnerabilities from known actor infrastructure; and
The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.
Execution
T1059.004 Command and Scripting Interpreter: Unix Shell
The group successfully exploited the above vulnerabilities may have been able to run commands in a Unix shell available on the affected appliance.
Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.
Actors deployed several web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells.
Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.
Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actors would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance
would have allowed the actors to attain root privileges.
Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.
T1111 Multi-Factor Authentication Interception The actor also captured the value of MFA tokens
corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the “secret server’ which stores the unique values that provide for the security of MFA tokens.
The actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.
As described above, the actor captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.
There is evidence that network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.
Collection
Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.
Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance [T1572].
T1001.003 Data Obfuscation: Protocol Impersonation
Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.
Detection and mitigation recommendations
The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarized in Table 1.
Detection
Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\ Temp\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration.
The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.
Title: World Writable Execution - Temp
ID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c
Description: Detect process execution from C:\ Windows\Temp.
Background: This rule looks specifically for execution out of C:\ Windows\Temp\*. Temp is more broadly used by benign applications and thus a lower confidence malicious indicator than execution out of other world writable subdirectories in C:\Windows.
Removing applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the quantity of benign activity selected by this rule.
This means that the rule may miss malicious executions at a higher privilege level but it is recommended to use other rules to determine if a user is attempting to elevate privileges to SYSTEM.
Investigation:
Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
condition: temp and not (common_temp_path or system_user or dismhost or known_parent)
False positives:
Allowlist auditing applications have been observed running executables from Temp.
Temp will legitimately contain an array of setup applications and launchers, so it will be worth considering how prevalent this behavior is on a monitored network (and whether or not it can be allowlisted) before deploying this rule.
Level: low
Title: World Writable Execution - Non-Temp System Subdirectory
ID: 5b187157-e892-4fc9-84fc-aa48aff9f997
Description: Detect process execution from a world writable location in a subdirectory of the Windows OS install location.
Background:
This rule looks specifically for execution out of world writable directories within C:\ and particularly C:\Windows\*, with the exception of C:\Windows\Temp (which is more broadly used by benign applications and thus a lower confidence malicious indicator).
AppData folders are excluded if a file is run as SYSTEM - this is a benign way in which many temporary application files are executed.
After completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.
Investigation:
Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
appdata: Image|contains: '\\AppData\\' User: 'SYSTEM' condition: writable_path and not appdata
False positives:
Allowlist auditing applications have been observed running executables from these directories.
It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.
Level: high
Title: World Writable Execution - Users
ID: 6dda3843-182a-4214-9263-925a80b4c634
Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users.
Background:
AppData folders are excluded if a file is run as SYSTEM - this is a benign way in which many temporary application files are executed.
Investigation:
Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
appdata: Image|contains: '\\AppData\\' User: 'SYSTEM' condition: users and not appdata
False positives:
It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.
Level: medium
Mitigations
Logging
During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs.
Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralised patch management system to automate and expedite the process. ASD’s ACSC recommend implementation of the ISM’s Guidelines for System Management, specifically, the System Patching controls where applicable.
Most exploits utilized by the actor were publicly known and had patches or mitigations available.
Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.
Network Segmentation
Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organizations sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.
Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.
Additional Mitigations
The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.
Disable unused or unnecessary network services, ports and protocols.
Use well-tuned Web application firewalls (WAFs) to protect webservers and applications.
Enforce least privilege to limit access to servers, file shares, and other resources.
Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:
For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.
Reporting
Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.
Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
United Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
MITRE ATT&CK – Historical APT40 Tradecraft of Interest
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
CISA released seven Industrial Control Systems (ICS) advisories on July 2, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See theBOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Vulnerabilities: Allocation of Resources Without Limits or Throttling, Improper Neutralization, Uncontrolled Search Path Element, Improper Authentication, Unsafe Reflection
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in denial of service, improper privilege management, or potentially remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ICONICS reports that the following versions of ICONICS Product Suite are affected:
ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.2 (CVE-2022-2650, CVE-2023-4807)
AlarmWorX Multimedia (AlarmWorX64 MMX): All versions prior to 10.97.3 (CVE-2024-1182)
MobileHMI: All versions prior to 10.97.3 (CVE-2024-1573)
ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: All versions prior to 10.97.3 (CVE-2024-1574)
A bug in OpenSSL that might corrupt the internal state of the application on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.
The GENESIS64 Automatic Login feature, when used with MobileHMI in a certain specific condition, can result in improper privileges being given to a non-logged-in user.
Use of externally-controlled input to select classes or code (‘Unsafe Reflection') condition in the licensing service (used by ICONICS licensing) can result in an improper authorization condition.
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.
3.4 RESEARCHER
Asher Davila of Palo Alto Networks reported AlarmWorX64 MMX Pager Agent vulnerability to ICONICS.
4. MITIGATIONS
Versions 10.97.3 and later have mitigations for these vulnerabilities. ICONICS recommends that users of its products take the following mitigation steps:
Use the 10.97.3 version.
If planning to use the AlarmWorX64 MMX Pager agent, follow the guidelines provided in the ICONICS Whitepaper on Security Vulnerabilities June 2024 edition.
ICONICS and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).
ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the ICONICS Whitepaper on Security Vulnerabilities, the most recent version of which can be found here, and to the Mitsubishi Electric security advisory for information on the availability of the security updates.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.
Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.
Juniper Networks released a security bulletin to address a vulnerability in Junos OS: SRX Series. A cyber threat actor could exploit this vulnerability to cause a denial-of-service condition.
Users and administrators are encouraged to review the following and apply the necessary updates:
Progress Software released a security bulletin to address a vulnerability in MOVEit Transfer. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Users and administrators are encouraged to review the following bulletin and apply the necessary updates:
The affected product's WEB HMI server's function to process HTTP requests has a security flaw (reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.
The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Yokogawa reported these vulnerabilities to CISA.
4. MITIGATIONS
Yokogawa recommends customers using FAST/TOOLS to update to R10.04 and first apply patch software R10.04 SP3 and afterwards apply patch software I12560.
Yokogawa recommends customers using Collaborative Information Server (CI Server) to update to R1.03.00 and apply patch software R10.04 SP3.
For both platforms, if the password for the default account has not been changed, please change that password according to the documentation included with the patch software.
Yokogawa strongly recommends all customers to establish and maintain a full security program, not only for the vulnerability identified in this YSAR. Security program components are: Patch updates, Anti-virus, Backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.
For questions related to this report, please contact Yokogawa.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at the Johnson Controls product security website
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: marKoni
Equipment: Markoni-D (Compact) FM Transmitters, Markoni-DH (Exciter+Amplifiers) FM Transmitters
Vulnerabilities: Command Injection, Use of Hard-coded Credentials, Use of Client-Side Authentication, Improper Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to tamper with the product to bypass authentication or perform remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of TELSAT marKoni FM Transmitters are affected:
Markoni-D (Compact) FM Transmitters: All versions prior to 2.0.1
Markoni-DH (Exciter+Amplifiers) FM Transmitters: All versions prior to 2.0.1
TELSAT marKoni FM Transmitters are vulnerable to a command injection vulnerability through the manipulation of settings and could allow an attacker to gain unauthorized access to the system with administrative privileges.
TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials.
TELSAT marKoni FM Transmitters are vulnerable to users gaining unauthorized access to sensitive information or performing actions beyond their designated permissions.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at the Johnson Controls product security website
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at Johnson Controls product security website: https://www.johnsoncontrols.com/cyber-solutions/security-advisories Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Successful exploitation of this vulnerability could allow an attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SDG Technologies PnPSCADA, a web-based SCADA HMI, are affected:
SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
CISA released seven Industrial Control Systems (ICS) advisories on June 27, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
Today, CISA, in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, released Exploring Memory Safety in Critical Open Source Projects. This guidance was crafted to provide organizations with findings on the scale of memory safety risk in selected open source software (OSS).
This joint guidance builds on the guide The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies which commonly include OSS. Exploring Memory Safety in Critical Open Source Projects also aligns with the 2023 National Cybersecurity Strategy and corresponding implementation plan, which discusses investing in memory safety and collaborating with the open source community—including the establishment of the interagency Open Source Software Security Initiative (OS3I) and investment in memory-safe programming languages.
CISA encourages all organizations and software manufacturers to review the methodology and results found in the guidance to:
Reduce memory safety vulnerabilities;
Make secure and informed choices;
Understand the memory-unsafety risk in OSS;
Evaluate approaches to reducing this risk; and
Continue efforts to drive risk-reducing action by software manufacturers.
To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See theBOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Successful exploitation of this vulnerability could allow unauthenticated remote attackers to execute arbitrary OS commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
PTC reports that the following versions of Creo Elements/Direct License Server are affected; note that this vulnerability does not impact "Creo License server":
Creo Elements/Direct License Server: Version 20.7.0.0 and prior
Creo Elements Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
CISA released two Industrial Control Systems (ICS) advisories on June 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Uri Sade, Roman Dvorkin, Ariel Harush, Eran Jacob, and Roni Gavrilov from OTORIO reported these vulnerabilities to ABB.
4. MITIGATIONS
ABB recommends updating to an active product version to obtain the latest corrections. The problem is or will be corrected in the following product versions:
ABB 800xA Base 6.2.0-0 (part of System 800xA 6.2.0.0)
ABB 800xA Base 6.1.1-3 (part of System 800xA 6.1.1.2)
ABB 800xA Base 6.0.3-x (included in next revision)
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Juniper Networks released a security bulletin to address multiple vulnerabilities affecting Juniper Secure Analytics optional applications. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
Users and administrators are encouraged to review the following and apply the necessary updates:
CISA also released a related blog post, Why SMBs Don’t Deploy Single Sign-On (SSO), urging software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers.
Under certain conditions, a malicious actor already present in the same network segment of the affected product, could abuse Local File Inclusion (LFI) techniques to access unauthorized file system resources, such as configuration files, password files, system logs, or other sensitive data. This could expose confidential information and potentially lead to further threats.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Sweden
3.4 RESEARCHER
Aviv Malka and Joseph Baum of OTORIO reported these vulnerabilities to CISA.
4. MITIGATIONS
Westermo advises users to disable HTTP access to the WebGUI and instead use HTTPS instead. This change will secure the credentials and session IDs, effectively nullifying the exploits described.
To mitigate the risk of a denial-of-service attack through continuous login attempts, Westermo recommends disabling access to the device's WebGUI on external communication interfaces. For devices in production environments, disabling the WebGUI is suggested if possible.
Westermo suggests limiting access to the device's CLI on external communication interfaces to prevent SSH DOS attacks through repeated login attempts.
Westermo will keep users updated on any further enhancements.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
If an attacker is somehow able to intrude into a computer that installed affected product or access to a shared folder, by replacing the DLL file with a tampered one, it is possible to execute arbitrary programs with the authority of the SYSTEM account.
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
JPCERT/CC reported this vulnerability to CISA.
4. MITIGATIONS
Yokogawa recommends that customers update to CENTUM VP or CENTUM VP Entry Class R6.11.12 or later. CENTUM CS and earlier versions of Centum VP will not be patched because these products are no longer supported.
Yokogawa strongly recommends all customers to establish and maintain a full security program, not just for the vulnerability identified in this advisory. Security program components are: Patch updates, Anti-virus, Backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running a security program continuously. Yokogawa can perform a security risk assessment for users considering the most effective risk mitigation plan.
For questions related to this report, please contact Yokogawa.
For more information and details on implementing these mitigations and downloading the latest patch, users should see Yokogawa advisory YSAR-24-0002.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
CISA released three Industrial Control Systems (ICS) advisories on June 20, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA released one Industrial Control Systems (ICS) advisory on June 18, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), released guidance, Modern Approaches to Network Access Security, along with the following organizations:
New Zealand’s Government Communications Security Bureau (GCSB);
New Zealand’s Computer Emergency Response Team (CERT-NZ); and
The Canadian Centre for Cyber Security (CCCS).
The guidance urges business owners of all sizes to move toward more robust security solutions—such as Zero Trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE)—that provide greater visibility of network activity. Additionally, this guidance helps organizations to better understand the vulnerabilities, threats, and practices associated with traditional remote access and VPN deployment, as well as the inherent business risk posed to an organization’s network by remote access misconfiguration.
CISA and its partners encourage leaders to review the guidance to help with the prioritization and protection of remote computing environments.
For more information and guidance on protection against the most common and impactful tactics, techniques, and procedures for network access security, visit CISA’s Cross-Sector Cybersecurity Performance Goals. For more information on zero trust, visit CISA’s Zero Trust Maturity Model.
RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Cleartext Storage in a File or on Disk, Use of Hard-coded Credentials, Insufficiently Protected Credentials, Missing Encryption of Sensitive Data, Authentication Bypass by Capture-replay
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to tamper with the device, access sensitive information and credentials, or perform a replay attack.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Motorola Vigilant License Plate Readers are affected:
Vigilant Fixed LPR Coms Box (BCAV1F2-C600): Versions 3.1.171.9 and prior
The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.
An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.
Utilizing default credentials, an attacker is able to log into the camera's operating system which could allow changes to be made to the operations or shutdown the camera requiring a physical reboot of the system.
The Michigan State Police Michigan Cyber Command Center (MC3) reported these vulnerabilities to CISA.
4. MITIGATIONS
Motorola Solutions recommends the following for each identified vulnerability:
CVE-2024-38279:
Use secure boot implementation with an edit-resistant GRUB partition.
Additional mitigation consists in limiting the physical access to the device by following the best practices for device mounting.
Edit-resistant grub partition has been remediated for all vulnerable systems. Motorola Solutions will release a secure boot implementation in Fall 2024. All customers will receive the update through OTA (over the air) mechanisms. No further actions are required by customers.
CVE-2024-38280:
Apply encryption to all Criminal Justice Information (CJI) data.
Apply full disk encryption with LUKS encryption standards and add password protection to the GRUB Bootloader.
Perform column-level encryption for sensitive data in the database.
All devices shipped after May 10, 2024 are already using full disk encryption. All devices that are not able to have full disk encryption applied have had all CJI data encrypted. No further actions are required by customers.
CVE-2024-38281:
Remove the hard-coded credential to access the wireless access point and disable the access point if not needed.
Set a unique SSID and password if the access point is needed.
Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.
CVE-2024-38282:
Remove the hard coded credentials.
Use a unique CJIS compliant password per device.
Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.
CVE-2024-38283:
Remove the hotlist data from the device.
Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.
CVE-2024-38284:
Delete the log files.
Install updated software not logging the credentialed web request.
Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.
CVE-2024-38285:
Delete the log files.
Motorola Solutions has already remediated this vulnerability for all vulnerable systems. No further actions are required by customers.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Defense Industrial Base, Energy, Financial Services, Government Facilities, Healthcare and Public Health, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Achmea Security Assessment Team reported this vulnerability to Siemens.
4. MITIGATIONS
Siemens recommends users update the product to following versions:
Mendix Applications using Mendix 9: Update to V9.24.22 or later version
Mendix Applications using Mendix 10: Update to V10.11.0 or later version
Mendix Applications using Mendix 10 (V10.6): Update to V10.6.9 or later version
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
Set the runtime setting StrictReferenceChecks to false; note however, that this comes at the price of making the reference checks less secure
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
For more information see the associated Siemens security advisory SSA-540640 in HTML and CSAF. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
Vulnerabilities: Integer Overflow or Wraparound, Double Free, Improper Certificate Validation, Inefficient Regular Expression Complexity, Improper Check for Unusual or Exceptional Conditions, Improper Input Validation, NULL Pointer Dereference, Missing Encryption of Sensitive Data, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose information, cause a denial-of-service (DoS) condition, or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products, are affected:
Siemens ST7 ScadaConnect (6NH7997-5DA10-0AA0): Versions prior to 1.1
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()function.Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial-of-Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial-of-Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial-of-Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial-of-Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial-of-Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.
The HTTP/2 protocol allows a denial-of-service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
ST7 ScadaConnect (6NH7997-5DA10-0AA0): Update to V1.1 or later version.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Successful exploitation of this vulnerability could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices.
Siemens PowerSys insufficiently protects responses to authentication requests. This could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices.
Turek Witold from Polskie Sieci Elektroenergetyczne reported this vulnerability to Siemens.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
PowerSys: Update to V3.11 or later version As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
Vulnerabilities: Inadequate Encryption Strength, Improper Restriction of Operations within the Bounds of a Memory Buffer, Race Condition, Injection, Double Free, Integer Overflow or Wraparound, Improper Locking, NULL Pointer Dereference, Use-After-Free, Improper Input Validation, Improper Certificate Validation, Missing Release of Memory after Effective Lifetime, Out-of-bounds Read, Infinite Loop
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to leak memory, create a denial-of-service condition, or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Siemens, are affected:
Siemens SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0): All versions prior to V2.3
Siemens SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0): All versions prior to V2.3
Siemens SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0): All versions prior to V2.3
Siemens SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0): All versions prior to V2.3
Siemens SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0): All versions prior to V2.3
Siemens SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0): All versions prior to V2.3
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.
A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.
A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability.
Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial-of-service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
Guests can trigger deadlock in Linux netback driver [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).
Guests can trigger deadlock in Linux netback drive. The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).
handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial-of-Service.
handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does notenable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()function.Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() withthe X509_V_FLAG_POLICY_CHECK flag argument.Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
The webserver implementation of the affected products does not correctly release allocated memory after it has been used. An attacker with network access could use this vulnerability to cause a denial-of-service condition in the webserver of the affected product.
An issue was discovered in lldpd before 1.0.17. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory. This occurs in cdp_decode in daemon/protocols/cdp.c.
The web server of affected products, if configured to allow the import of PKCS12 containers, could end up in an infinite loop when processing incomplete certificate chains. This could allow an authenticated remote attacker to create a denial of service condition by importing specially crafted PKCS12 containers.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Vulnerabilities: Out-of-bounds Write, Insufficient Session Expiration, Cross-Site Request Forgery (CSRF), Insufficiently Protected Credentials, Exposed Dangerous Method or Function, Cleartext Transmission of Sensitive Information, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, disclose sensitive information, or modify files.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Siemens, are affected:
SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): Versions prior to V1.2
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
The web interface of the affected devices are vulnerable to Cross-Site Request Forgery (CSRF) attacks. By tricking an authenticated victim user to click a malicious link, an attacker could perform arbitrary actions on the device on behalf of the victim user.
The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as "Secure", "HttpOnly", or "SameSite").
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): Update to V1.2 or later version
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Vulnerability: Incorrect Permission Assignment for Critical Resource
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow low-privilege users to edit scripts, bypassing access control lists, and potentially gain further access within the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Rockwell Automation reports that the following versions of FactoryTalk Software are affected:
A privilege escalation vulnerability exists in FactoryTalk View SE. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.
Rockwell Automation reported this vulnerability to CISA.
4. MITIGATIONS
Rockwell Automation has corrected this problem in V14.0 and later
Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.
Use the Secure Install option when installing FactoryTalk Services Platform.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
CISA released twenty Industrial Control Systems (ICS) advisories on June 13, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
Affected devices are using a predictable IP ID sequence number. This leaves the system susceptible to a family of attacks which rely on the use of predictable IP ID sequence numbers as their base method of attack and eventually could allow an attacker to create a denial-of-service condition.
CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
Restrict access to the network where the affected products are located by introducing strict access control mechanisms.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a decimal point. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.
mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when copying the trailing number. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.
mstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a ‘\0' character. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.
Siemens recommends users to update to the latest version:
SITOP UPS1600 10 A Ethernet/ PROFINET (6EP4134-3AB00-2AY0): Update to V2.5.4 or later version
SITOP UPS1600 20 A Ethernet/ PROFINET (6EP4136-3AB00-2AY0): Update to V2.5.4 or later version
SITOP UPS1600 40 A Ethernet/ PROFINET (6EP4137-3AB00-2AY0): Update to V2.5.4 or later version
SITOP UPS1600 EX 20 A Ethernet PROFINET (6EP4136-3AC00-2AY0): Update to V2.5.4 or later version
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.
Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.
If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: • Do not pay the caller. • Take note of the phone number calling you. • Hang up immediately. • Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.
CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See theBOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Fortinet has released security updates to address a vulnerability in FortiOS. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Users and administrators are encouraged to review the following Fortinet Security Bulletin and apply the necessary updates:
Microsoft has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
Users and administrators are encouraged to review the following advisory and apply the necessary updates:
There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:
(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later: From OSI Soft Customer Portal, search for "Asset Framework" and select "PI Asset Framework (AF) Client 2023 Patch 1" or later.
(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later: From OSI Soft Customer Portal, search for "Asset Framework" and select either "PI Asset Framework (AF) Client 2018 SP3 Patch 5" or later.
AVEVA further recommends users follow general defensive measures:
Run PI System Explorer as a least privilege interactive account when possible.
Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.
For additional information please refer to AVEVA-2024-004
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
CISA released six Industrial Control Systems (ICS) advisories on June 11, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.
Rockwell Automation reported this vulnerability to CISA.
4. MITIGATIONS
Rockwell Automation offers users the following solutions:
ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
GuardLogix 5580: corrected in V34.014, V35.013, V36.011 and later
1756-EN4: corrected in V6.001 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5480: corrected in V34.014, V35.013, V36.011 and later
Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.
Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.
An anonymous individual reported this vulnerability to CISA.
4. MITIGATIONS
Intrado has provided a patch to mitigate the vulnerability. Any EGWs deployed on older revisions will need to be upgraded to the 5.5/5.6 branch to apply the patch. For assistance in obtaining the patch, contact Intrado's technical support group at 1-888-908-4167 or E911Support@intrado.com.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Login
