InfoSec Compliance & AI Governance For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite.
This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.
The XSS Vulnerability
Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.
The XSS Vulnerability
When a user attempts to play an external video embedded in a document, the Office checks to determine whether the source of the external video is trustworthy.
This check involves applying a regular expression to the video’s URL, which includes trusted sources like YouTube.
If the source is deemed trustworthy, the Office requests to fetch data such as the video’s title or thumbnail. However, the vulnerability arises in how Office handles the video’s title within the HTML iframe tag.
The server responds with information, including the video’s title, description, and the HTML iframe tag.
The issue is that the server adds the video’s title to the “title” attribute of the iframe tag without proper validation.
As a result, attackers can manipulate the iframe tag by adding an “unload” attribute, enabling them to inject arbitrary JavaScript code.
Exploitation
To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report.
Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.
Exploitation
Here is a simplified overview of the steps an attacker would take to exploit this flaw:
Create a YouTube video with a payload in the title.
Insert the URL of the malicious video into a Word document.
Set up a web server to serve malicious JavaScript code.
Implications
This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played.
While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.
Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI).
This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents.
Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.
Atlassian fixed a critical zero-day flaw in its Confluence Data Center and Server software, which has been exploited in the wild.
Software giant Atlassian released emergency security updates to address a critical zero-day vulnerability, tracked as CVE-2023-22515 (CVSS score 10), in its Confluence Data Center and Server software.
The flaw CVE-2023-22515 is a privilege escalation vulnerability that affects Confluence Data Center and Server 8.0.0 and later. A remote attacker can trigger the flaw in low-complexity attacks without any user interaction.
The company is aware that the vulnerability has been exploited in attacks.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” reads the advisory published by the company.
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.”
According to the advisory, the vulnerability doesn’t impact Atlassian Cloud sites. If customer’s Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.” reads a post published by Rapid7. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”
If admins are unable to upgrade their Confluence instances, as an interim measure the company recommends restricting external network access to them.
Atlassian also recommends mitigating known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances.
The software firm also recommends checking instances for the following indicators of compromise:
unexpected members of the confluence-administrator group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
In September 2022, threat actors were observed targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign.
Trend Micro researchers warned of a crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 RCE vulnerability disclosed in early June 2022.
A critical Zip Slip vulnerability was discovered in the open-source data cleaning and transformation tool ‘OpenRefine’, which allowed attackers to import malicious code and execute arbitrary code.
OpenRefine is a strong Java-based, free, open-source tool for handling messy data. This includes cleaning it, converting it into a different format, and expanding it with web services and external data.
According to SonarCloud, the Zip Slip vulnerability in OpenRefine allows attackers to overwrite existing files or the extraction of contents to unexpected locations. This vulnerability is caused by insufficient path validation while extracting archives.
Details of the OpenRefine Zip Slip Vulnerability
The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to a Zip Slip vulnerability (CVE-2023-37476) with a CVSS score of 7.8.
Although OpenRefine is only intended to execute locally on a user’s computer, a user can be tricked into importing a malicious project file. Once this file is imported, the attacker will be able to run arbitrary code on the victim’s computer.
Web Interface of OpenRefine Tool
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more”, researchers said.
Fix Available
OpenRefine Version 3.7.4, published on July 17, 2023, has a fix for the issue.
In light of this, Users are recommended to update to OpenRefine 3.7.4 as soon as feasible.
The National Student Clearinghouse (NSC) reported that nearly 900 colleges and universities across the U.S. had data stolen during attacks by a Russia-based ransomware gang exploiting the popular MOVEit file-sharing tool.
The nonprofit manages educational reporting, data exchange, verification, and research services for 3,600 colleges and universities as well as 22,000 high schools.
In June, the organization first confirmed that it was affected by exploitation of the tool, which was targeted via several critical vulnerabilities by the ransomware gang Clop.
Dozens of schools published notices confirming that student and alumni data was accessed in the breach but it was never clear just how many colleges or universities were affected.
In filings with California regulators last week, the National Student Clearinghouse provided a list of affected schools totalling nearly 890 — covering almost every state and including several of the largest, most prominent universities in the U.S.
The U.S. Department of Education requires 3,600 colleges and universities nationwide to use the MOVEit tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools.
The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.
NSC says it notified law enforcement after discovering the incident and told regulators in Maine on August 31 that it is sending breach notification letters to 51,689 people. NSC also sent letters to each school affected by the breach.
“The unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment, which may have included information from the student record database on current or former students,” NSC said in an advisory released this summer. “We have no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.”
Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. Several class action lawsuits have been filed against Progress Software, the company behind MOVEit.
Sean Matt, one of the lawyers behind the lawsuits, called it a “cybersecurity disaster of staggering proportions.”
“Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern,” he said.
“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect.”
Over the years, numerous individuals have sounded the alarm about the increasing cyber threats, and several have provided insightful guidance on enhancing an organization’s security and resilience. To gauge the adequacy of your efforts, consider the following three questions: Firstly, have you recently engaged in a cyber tabletop exercise? Secondly, is the contact information for your chief information security officer stored in a location other than your work phone or computer? (Keep in mind that if your company’s networks fall victim to a ransomware attack, your work devices might be unreachable.) Lastly, are you aware of your government liaison in the event of a cybersecurity incident?
On May 7, 2021, Colonial Pipeline, a crucial fuel supply network for the eastern United States, suffered a ransomware attack and chose to halt its operations. This decision triggered a broader crisis, resulting in fuel shortages and skyrocketing gas prices at thousands of gas stations. The incident highlighted the intricate connection between physical and digital infrastructures.
In response, the U.S. government took action, with Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Energy Jennifer Granholm addressing the public on May 11, 2021. They reassured the American people and explained the government’s efforts to mitigate the attack’s impact, urging against panic buying of gasoline as the pipeline was expected to be operational again soon. This incident underscored the vulnerability of critical infrastructure to cyber threats and the importance of a coordinated response.
Significant Implications:
The Colonial Pipeline ransomware attack had significant geopolitical implications. It prompted direct engagement between President Biden and Russian President Vladimir Putin, highlighting the seriousness of the situation. This incident emphasized the critical need for stronger cybersecurity measures, especially for vital infrastructure like Colonial Pipeline. It served as a stark reminder that cyber threats can have far-reaching real-world consequences. The incident has had lasting effects, reshaping the roles of CEOs and industry leaders and influencing future cybersecurity considerations.
One notable outcome is the way CEOs are reevaluating their roles and responsibilities. The CEO of Colonial Pipeline, Joseph Blount, faced the difficult decision of paying a $4.3 million Bitcoin ransom to hackers, describing it as the most challenging choice in his 39-year career. This dilemma of whether to pay ransom or risk severe disruption has garnered attention from CEOs, who are keen to avoid public scrutiny and congressional hearings.
In light of this and other recent incidents, here are six recommendations for CEOs to consider:
Prioritize cybersecurity as a top-level concern.
Invest in robust cybersecurity measures and incident response plans.
Foster a culture of cybersecurity awareness within the organization.
Establish clear communication channels and relationships with relevant authorities.
Assess the potential impact of cyber incidents on critical operations.
Develop a strategy for handling ransomware demands that aligns with both legal and ethical considerations.
These recommendations are essential in an era where cyber incidents can quickly escalate to national security crises, demanding the attention of the U.S. president, and where the role of CEOs in responding to such threats is under increased scrutiny.
Exercise caution when communicating with the public.
A run on banks is a classic example of how public reactions and group psychology can exacerbate a crisis. Recent instances such as the rush for toilet paper during the Covid-19 pandemic and the panic at gas stations following the ransomware attack demonstrate that this issue goes beyond financial institutions.
Being cautious in how and what you communicate to the public doesn’t mean avoiding public communication altogether; it’s a necessity. However, companies must approach this with careful consideration. The Colonial Pipeline incident serves as an example, highlighting that even companies not accustomed to regular public engagement may suddenly find it necessary.
Collaborate with government authorities.
Colonial Pipeline’s swift decision to shut down its pipeline system was necessary, but it could have allowed for consultation with U.S. government experts. The shutdown, regardless of infection, would lead to days of disruption in the fuel supply chain, necessitating government intervention due to the serious consequences. Effective coordination with the government is crucial to prevent an unintentional worsening of a crisis.
Be aware of who to get in touch with.Updated Incident handling decision tree.
CEOs must have the knowledge of the appropriate government contacts to facilitate informed decision-making and effective coordination. Contacting entities like NATO or the military, as some anecdotes have indicated, is not the correct approach. However, at times, the government may not make it straightforward for external parties to determine the right person or agency to reach out to, underscoring the government’s responsibility to offer clear guidance in this regard.
Establish a Incident Handling plan and put it into practice.
This point is paramount, as it serves as the foundation for achieving other objectives. Besides creating and maintaining a plan, ideally under the CEO’s supervision, it’s crucial to conduct annual practice sessions, such as tabletop exercises. These exercises help company leaders and employees develop the necessary “muscle memory” for responding efficiently during actual crises.
Know your infrastructure.
Ideally, a CEO should possess a high-level understanding of how a company’s business IT networks and operational technology (OT) networks interact. In cases where systems are isolated (air-gapped), it may not be necessary to shut down the OT network if a compromise is limited to the IT network. However, the Colonial Pipeline ransomware attack illustrated that even the incapacitation of business IT networks can have substantial repercussions. In scenarios where a company is unable to generate invoices, identify customers, or establish contact with them, the resulting disruption can be as disruptive as a complete production halt. This was evident to anyone who has been stranded at an airport due to an airline’s IT system outage, experiencing firsthand the disruptive consequences.
Demonstrate humility and actively seek expertise from professionals.
Cybersecurity is a complex and multifaceted challenge that varies significantly across different sectors, such as pipelines, finance, healthcare, education, and transportation. Recognizing the limits of expertise, including that of cybersecurity professionals, is a crucial insight gained from years of cross-sector cyber incidents. CEOs should not hesitate to seek external assistance when developing, testing, or refining cybersecurity plans or reviewing existing processes and policies within their organizations. Additionally, there are numerous detailed resources available, including guides and checklists tailored for CEOs, board members, and Chief Information Security Officers (CISOs). The U.S. government, through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), offers resources like Stopransomware.gov and Shields Up, designed to cater to companies at different levels of cybersecurity maturity. These resources are valuable tools for enhancing cybersecurity preparedness.
An Executive Self-Assessment:
In addition to the numerous warnings and valuable advice regarding the growing cyber threats, three key questions can serve as a practical self-check to assess an organization’s cybersecurity readiness:
Have you recently participated in a cyber tabletop exercise?
Is the contact information of your chief information security officer stored outside your work phone or computer to ensure accessibility during a network compromise?
Do you have IHP one page summary and know your contact for cybersecurity incident reporting?
If the response to any of these questions is “no,” it’s essential to take action to enhance your organization’s cybersecurity preparedness. This proactive approach can significantly improve protection, prevent potential crises, and contribute to national security.
The Internet of Things (IoT) is currently at its peak, with a rapid expansion of capabilities. This involves converting everyday items like light bulbs and plugs into smart devices controlled via smartphones. The number of IoT devices exceeded 13.8 billion in 2021, expected to quadruple by 2025, but this growth also introduces security risks exploited by cybercriminals. Researchers have discovered that even smart light bulbs, like the Tp-Link Tapo Smart Wi-Fi Multicolor Light Bulb, can be hacked to gather Wi-Fi credentials. They employed PETIoT, an IoT-focused Kill Chain, to assess vulnerabilities in these bulbs. This situation highlights challenges for cybersecurity experts dealing with the growing threats in the IoT landscape.
Because it is a cloud-enabled multicolor smart bulb, the Tapo L530E may be operated using the Tapo app on an Android or iOS device without the need for a hub. Instead, it connects directly to the home Wi-Fi network. According to the findings of the researchers, this particular kind of smart bulb is susceptible to each of the following four vulnerabilities:
LACK OF AUTHENTICATION OF THE SMART BULB WITH THE TAPO APP (8.8 CVSS SCORE, HIGH SEVERITY)
HARD-CODED, SHORT SHARED SECRET (7.6 CVSS SCORE, HIGH SEVERITY)
LACK OF RANDOMNESS DURING SYMMETRIC ENCRYPTION (4.6 CVSS SCORE, MEDIUM SEVERITY)
INSUFFICIENT MESSAGE FRESHNESS (5.7 CVSS SCORE, MEDIUM SEVERITY)
The examination and testing carried out by the security experts indicate the proximity-based attacks that were carried out on the smart bulb that was the target.The attack scenario that causes the greatest concern is one in which an attacker impersonates a bulb and retrieves information about a Tapo user account by exploiting vulnerabilities.
After that, the attacker may extract the victim’s WiFi SSID and password by using the Tapo app, allowing them to obtain access to any and all other devices that are connected to the victim’s network.
In order for the attack to be successful, the device in question must first be put into setup mode. However, the attacker has the ability to deauthenticate the bulb, which will need the user to re-configure it in order to get the light to work again.The researchers also investigated an MITM (Man-In-The-Middle) attack using a configured Tapo L530E device. This form of attack takes advantage of a vulnerability to intercept and control the connection between the app and the bulb, as well as to capture the RSA encryption keys that are used for further data transmission.
MITM attacks are also possible with unconfigured Tapo devices by leveraging a vulnerability once again by connecting to the WiFi during the setup process, bridging two networks, and routing discovery messages. This will eventually allow the attacker to retrieve Tapo passwords, SSIDs, and WiFi passwords in an easily decipherable base64 encoded form. Last but not least, a further flaw enables attackers to conduct what are known as “replay attacks.” These attacks involve recreating communications that have been sniffed in the past in order to bring about functional changes in the device.
In response, TP-Link gave the researchers their assurance that the issues that were found in their software as well as the firmware of the bulb will be fixed.
One of Mississippi’s largest hospital systems, Singing River Health System, suffered a cyberattack last week, leading to the shutdown of various internal services. The hospital system, which operates multiple hospitals and clinics along the Gulf Coast, detected unusual activity on its network and is cooperating with law enforcement. As a result of the attack, certain internal systems were taken offline to ensure their integrity during the investigation. The hospital’s IT security team is working to restore the offline systems, but the process is expected to take time. The hospital has not confirmed whether the attack involved ransomware or if a ransom will be paid. Patient services, including lab test results and radiology exams, are facing delays due to the attack. The incident highlights the ongoing challenges that hospitals face from cyberattacks, as this year has seen several healthcare institutions targeted by such attacks.
The article discusses a new cyberattack targeting Apache Tomcat servers, a popular open-source web server environment written in Java. Apache Tomcat supports various technologies and is widely used by developers.
The attack is orchestrated by the Mirai botnet and bitcoin miners, specifically targeting improperly configured Apache Tomcat servers lacking sufficient security measures. The research, conducted by Aqua, involved setting up Tomcat server honeypots to monitor the attacks over a two-year period.
During the research, more than 800 attacks were recorded, with an overwhelming 96% of them linked to the Mirai botnet. Out of these attempts, 20% (152 attacks) utilized a web shell script named “neww,” originating from 24 different IP addresses. Interestingly, 68% of these attacks were attributed to a single IP address, 104.248.157[.]218. Fortunately, the attacks using the “neww” web shell script were unsuccessful in compromising the targeted servers.
A brute force attack was carried out by the threat actor against the scanned Tomcat servers in order to acquire access to the web application management using a variety of different credential combinations.
After successfully gaining entrance, threat actors will install a WAR file containing a web shell called ‘cmd.jsp’ on the Tomcat server that has been hacked. This will allow for remote command execution.
The “downloading and running” of the “neww” shell script is an integral part of the whole attack chain. The “rm -rf” command is then used to remove the script once it has been executed. The software then retrieves 12 binary files that are customized to the architecture of the system that is being attacked.
While all of these components work together to expedite the web app deployment on compromised Tomcat servers in an effective manner.
The last step of the malware is a variation of the Mirai botnet that uses infected systems for the purpose of coordinating distributed denial-of-service (DDoS) assaults.
Threat actor infiltrates web app manager by using legitimate credentials, uploads disguised web shell in WAR file, remotely executes commands, and starts the attack.The statistics shed light on the profitable expansion of cryptocurrency mining, which is projected to have a 399% increase and 332 million cryptojacking assaults worldwide in H1 2023.
Recommendation In order to protect against attacks of this kind, specialists in the field of cybersecurity suggested the following measures:
Make sure that each of your environments has the appropriate configuration. Be careful to do regular scans of your servers to look for any dangers. Cloud-native tools that scan for vulnerabilities and misconfigurations should be made available to your development, DevOps, and security teams so that they can better do their jobs. It is imperative that you use runtime detection and response technologies.
This attack method can help attackers surpass all barriers to exploit side channels, which so far were not possible.
This ground-breaking method can help adversaries extract encryption keys from a device simply by analyzing the video footage of its power LED.
The cybersecurity researchers from the Ben-Gurion University of the Negev and Cornell University have revealed how a side-channel attack targeting a smart card reader’s power LED can recover encryption keys.
This ground-breaking method can help adversaries extract encryption keys from a device simply by analyzing the video footage of its power LED. This happened because the CPU’s cryptographic computations can change the power consumption of a device and impact the brightness of its power LED.
This ingenious attack method leverages the connection between a device’s power consumption and the brightness of its power LED. Adversaries can obtain secret keys from the RGB values as the LED’s brightness changes when the CPU performs cryptographic operations.
They exploited the flickering of the power LED during this operation and used their understanding of the card reader’s inner workings to decode the keys and gain access.
The team conducted two side-channel cryptanalytic timing attacks using this video-based cryptanalysis method. After examining the video footage of the power LED, they recovered a 256-bit ECDSA key from the smart card using a compromised internet-connected security camera. They placed the camera at a distance of 16 meters from the smart card reader.
Next, they recovered a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing the video footage of the power LED of Logitech Z120 USB speakers connected to the USB hub they used to charge the Galaxy S8.
“This is caused by the fact that the power LED is connected directly to the power line of the electrical circuit, which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation with the power consumption,” researchers explained in their report.
But, this technique is not as simple as it seems because merely observing the LED with a camera cannot help recover security keys, even if the frame rate is considerably high. To record the rapid changes in an LED’s brightness using a standard webcam or smartphone camera, turning on the rolling shutter effect is essential, as this is when camera sensors start recording images line by line.
In a regular setting, the camera will record the entire image sensor. Using the same technique, attackers can exploit the video camera of an internet-connected security camera or even an iPhone 13 camera to obtain cryptographic keys. Cybersecurity researchers have shown concerns as this attack method will help attackers surpass all barriers to exploit side channels, which so far were not possible. The method’s non-intrusiveness makes it even more sinister.
However, as with every attack, there are some limitations to this one. For example, apart from being placed at a 16m distance, the camera should be in the direct line of sight view of the LED, and signatures should be recorded for 65 minutes.
Countering such attacks is possible if LED manufacturers add capacitors to reduce power consumption fluctuations. An alternate solution is covering the power LED with black tape to prevent information exposure.
Researchers have shared their explosive findings in a paper titled “Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED,” available here (PDF).
Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can cause damage to our devices, steal personal data, and lead to monetary loss. Therefore, protecting your computer from these threats is crucial. This article will outline some methods and resources for protecting your devices from malicious software, and explain why it’s essential to use malware removal at all times.
Tip #1: Keep Your Operating System and Software Up to Date
One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.
To ensure that your operating system and software are up to date, it’s important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.
Tip #2: Use Antivirus and Anti-Malware Software
Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.
When it comes to antivirus and anti-malware software, it’s crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.
Tip #3: Use a Firewall
A firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By utilizing a firewall, you can protect your computer from potential cyber attacks and enhance its security.
Most operating systems come with a built-in firewall that you can enable by going to your system’s settings. However, you can further increase your computer’s security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.
Tip #4: Use Strong and Unique Passwords
Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords and weak passwords are easily guessed, allowing them to gain access to your computer more easily. By using strong and unique passwords, you can significantly enhance your computer’s security.
To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.
Tip #5: Be Wary of Phishing Scams
Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.
To avoid falling victim to phishing scams, it’s important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the sender’s email address to ensure that it is from a legitimate source.
If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.
Tip #6: Use Two-Factor Authentication
Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.
Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.
Tip #7: Back Up Your Data Regularly
The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.
In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines. Use anti-virus and anti-malware software.
A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.
When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.
WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.
By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.
According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.
Adversary Can Abuse the Power-Save Mechanisms
The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.
Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.
The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.
Attack Diagram
In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.
Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.
By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.
“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.
Network Device Models That Are Known To Be Vulnerable:
“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.
“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”
The researchers warn that these attacks may be exploited to inject malicious content, such as JavaScript, into TCP packets.
Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.
“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.
The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.
“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.
The Near-Ultrasound Invisible Trojan, or NUIT, was developed by a team of researchers from the University of Texas at San Antonio and the University of Colorado Colorado Springs as a technique to secretly convey harmful orders to voice assistants on smartphones and smart speakers.
If you watch videos on YouTube on your smart TV, then that television must have a speaker, right? According to Guinevere Chen, associate professor and co-author of the NUIT article, “the sound of NUIT harmful orders will [be] inaudible, and it may attack your mobile phone as well as connect with your Google Assistant or Alexa devices.” “That may also happen in Zooms during meetings. During the meeting, if someone were to unmute themselves, they would be able to implant the attack signal that would allow them to hack your phone, which was placed next to your computer.
The attack works by playing sounds close to but not exactly at ultrasonic frequencies, so they may still be replayed by off-the-shelf hardware, using a speaker, either the one already built into the target device or anything nearby. If the first malicious instruction is to mute the device’s answers, then subsequent actions, such as opening a door or disabling an alarm system, may be initiated without warning if the first command was to silence the device in the first place.
“This is not only a problem with software or malicious software. It is an attack against hardware that makes use of the internet. According to Chen, the non-linearity of the microphone design is the flaw that has to be fixed by the manufacturer in order to eliminate the vulnerability. “Among the 17 smart gadgets we evaluated, [only] Apple Siri devices need the user’s voice to be hijacked, while other voice assistant devices may be triggered by using any voice or a robot voice,” the study’s authors write.
Using headphones is Chen’s recommendation for anybody worried about the NUIT attack, despite the fact that a genuine defense against NUIT would involve the usage of customized hardware. She indicates that the risk of being attacked by NUIT is reduced if you do not utilize the speaker to emit sound. “When using earphones, there is a limit to the amount of sound that can be sent to the microphone since the volume of the sound coming from the earphones is too low. In the event that the microphone is unable to pick up the subversive inaudible order, the underlying voice assistant won’t be able to be maliciously triggered by NUIT.
Over the last several years, endpoints have played a crucial role in cyberattacks. While there are several steps organizations can take to help mitigate endpoint threats – such as knowing what devices are on a network (both on-premises and off-site), quarantining new or returning devices, scanning for threats and vulnerabilities, immediately applying critical patches, etc. – there is still much to be done to ensure endpoint security.
To achieve that, it’s important to understand some of the primary attack vectors hackers use against endpoints.
Phishing/spear-phishing
Phishing, especially spear-phishing, is an effective way for gaining access to endpoints to harvest user credentials.
It is not itself an exploit, but a method that threat actors use to deliver a payload – whether it’s a link to a fake Microsoft 365 web portal (for credential harvesting), or a macro-enabled word document with a malware payload that executes on opening.
Because of this nuance, it’s critical that security analysts implement not only email filtering (a crude defense, at best) but endpoint tools that would block the deployment of malware payloads delivered by email: antivirus (AV) and antimalware (AM). Implementing AV/AM products creates a safety net, blocking malware execution if a phishing email successfully bypasses corporate email filters.
We recently saw how threat actors deployed phishing to infect user endpoints at a massive scale with the IceXLoader malware. The malware is bundled into an innocent-looking ZIP file delivered as an email attachment. Once opened, the malware extracts itself to a hidden file directory on the C drive of an endpoint, providing a beachhead for the attacker to perform additional attacks to further breach the corporate network.
OS vulnerability exploitation
Vulnerabilities are made possible by bugs, which are errors in source code that cause a program to function unexpectedly, in a way that can be exploited by attackers. By themselves, bugs are not malicious, but they are gateways for threat actors to infiltrate organizations. These allow threat actors to access systems without needing to perform credential harvesting attacks and may open systems to further exploitation. Once they are within a system, they can introduce malware and tools to further access assets and credentials.
For attackers, vulnerability exploitation is a process of escalation, whether through privileges on a device or by pivoting from one endpoint to other assets. Every endpoint hardened against exploitation of vulnerabilities is a stumbling block for a threat actor trying to propagate malware in a corporate IT environment.
There are routine tasks and maintenance tools that allow organizations to prevent these vulnerabilities getting exploited by attackers. Patch management tools can scan devices, install patches (fixes), and provide reports on the success or failure of these actions. In addition, organizations can leverage configuration management tools to maintain OS configuration files in the desired secure state.
Software vulnerability exploitation
Software vulnerabilities exist in products (software) installed within an OS environment. For example, Google Chrome gets frequent patches from Google, primarily because it is a massive target for exploitation.
As with OS vulnerabilities, the best defense against exploits are the frequently released third-party patches/updates, the implementation of which can be facilitated by endpoint management tools.
Additionally, enforcing acceptable use policies can help reduce the opportunities for end users to engage in behaviors that could put their endpoints and company assets at risk.
And beyond security information and event management (SIEM) and antivirus tools, organizations can drastically decrease the impact caused by a successfully executed ransomware attack by:
Implementing data loss prevention (DLP) solutions
Creating off-site backups
Taking advantage of data storage solutions in the cloud
Conclusion
The changing cyberattack landscape requires IT and security departments to be nimble and evolve in tandem with threats. The fixes of yesterday may not work today – while the threats could be the same, their tactics are likely different. When working to mitigate network threats, do not forget the increasingly vital role endpoints play.
ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.
Understanding Attack Surface Management
Here are some key terms in ASM:
Attack vectors are vulnerabilities or methods threat actors use to gain unauthorized access to a network. These vulnerabilities include vectors such as malware, viruses, email attachments, pop-ups, text messages and social engineering.
An attack surface is the sum of attack vectors that threat actors can potentially use in a cyberattack. In any organization, all internet-connected hardware, software and cloud assets add to the attack surface.
Shadow IT is any software, hardware or computing resource being used on a company’s network without the consent or knowledge of the IT department. Quite often, shadow IT uses open-source software that is easy to exploit.
Attackers use sophisticated computer programs and programming techniques to target vulnerabilities in your attack surface, like shadow IT and weak passwords. These cyber criminals launch attacks to steal sensitive data, like account login credentials and personally identifiable information (PII).
Minimize human error by building a security-conscious culture where people are more aware of emerging cyber threats.
Prioritize your risk. You can get familiar with attack patterns and techniques that threat actors use.
How Attack Surface Management Works
There are four core processes in attack surface management:
Asset discovery is the process of automatically and continuously scanning for entry points that threat actors could attack. Assets include computers, IoT devices, databases, shadow IT and third-party SaaS apps. During this step, security teams use the following standards:
CVE (Common Vulnerabilities and Exposures): A list of known computer security threats that helps teams track, identify and manage potential risks.
CWE (Common Weakness Enumeration): A collection of standardized names and descriptions for common software weaknesses.
Classification and prioritization is the process of assigning a risk score based on the probability of attackers targeting each asset. CVEs refer to actual vulnerabilities, while CWEs focus on the underlying weaknesses that may cause those vulnerabilities. After analysis, teams can categorize the risks and establish a plan of action with milestones to fix the issues.
Remediation is the process of resolving vulnerabilities. You could fix issues with operating system patches, debugging application code or stronger data encryption. The team may also set new security standards and eliminate rogue assets from third-party vendors.
Monitoring is the ongoing process of detecting new vulnerabilities and remediating attack vectors in real-time. The attack surface changes continuously, especially when new assets are deployed (or existing assets are deployed in new ways).
Anyone who works in attack surface management must ensure the security team has the most complete picture of the organization’s attack vectors — so they can identify and combat threats that present a risk to the organization.
Hiring companies look for people with a background and qualifications in information systems or security support. The minimum expectations typically include the following:
Strong technical security skills
Strong analytical and problem-solving skills
Working knowledge of cyber threats, defenses and techniques
Working knowledge of operating systems and networking technologies
Proficiency in scripting languages, like Perl, Python or Shell Scripting
Experience with attack surface management and offensive security identity technologies.
What’s Next in Attack Surface Management?
Cyber Asset Attack Surface Management (CAASM) is an emerging technology that presents a unified view of cyber assets. This powerful technology helps cybersecurity teams understand all the systems and discover security gaps in their environment.
There is no one-size-fits-all ASM tool — security teams must consider their company’s situation and find a solution that fits their needs.
Some key criteria include the following:
Easy-to-use dashboards
Extensive reporting features to offer actionable insights
Comprehensive automated discovery of digital assets (including unknown assets, like shadow IT)
Options for asset tagging and custom addition of new assets
Continuous operation with little to no user interaction
Collaboration options for security teams and other departments.
With a good ASM solution, your security team can get a real cyber criminal’s perspective into your attack surface. You can find, prioritize and solve security issues quickly and continuously. Ultimately, a diligent attack surface management strategy helps protect your company, employees and customers.
The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.
Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.
The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.
DC Health Link: A Significant Breach
In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.
“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.
Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.
A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.
IntelBroker’s Resume of Previous Breaches
This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service.
Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.
Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.
IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says.
“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.
In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.
“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.
Is House Members’ PII a National Security Threat?
Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).
The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.
“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.
Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”
There has been a new eavesdropping attack developed by a team of security experts for Android devices which has been dubbed “EarSpy.” With the help of this attack, attackers can detect the following things:-
Caller’s gender
Caller’s identity to various degrees
Speech content
As part of its exploratory purpose, EarSpy aims to capture motion sensor data readings generated by the reverberations from the ear speaker in mobile devices in order to create new methods of eavesdropping.
Universities Involved in this Project
Cybersecurity researchers from five American universities have undertaken this academic project called EarSpy. These are all the names of the universities that are affiliated with this project:-
Texas A&M University
New Jersey Institute of Technology
Temple University
University of Dayton
Rutgers University
Evolution of Smartphone Tech
Smartphone loudspeakers have been explored as a potential target for such attacks. As a result of this, the ear speakers are incapable of generating enough vibration to allow eavesdropping to be executed properly for the side-channel attack.
While the audio quality and vibrations of modern smartphones have improved greatly as a result of more powerful stereo speakers.
Even the tiniest resonance from a speaker can be measured by a modern device because it has more sensitive motion sensors and gyroscopes.
It is remarkable how little data is recorded on the spectrogram from the earphones of a 2016 OnePlus 3T, while a stereo ear speaker on the 2019 OnePlus 7T produces a significant amount of information.
As part of their experiments, the researchers used a OnePlus 7T device as well as a OnePlus 9 device. Both of these devices were used by the researchers to play pre-recorded audio through their ear speakers only using a variety of pre-recorded audio sets.
Although the results of the tests varied according to the dataset and device, they indicated that eavesdropping via ear speakers can be accomplished successfully.
To Check more on Detection Performance & Recommendation:
It has recently been discovered by researchers that Windows has a vulnerability that allows code execution that rivals EternalBlue in terms of potential. It is possible for an attacker to execute malicious code without authentication by exploiting this newly-tracked vulnerability CVE-2022-37958.
It is possible to exploit this vulnerability in a wormable way, which can lead to a chain reaction that can impact other systems that are vulnerable, and a new attack can be launched.
A greater range of network protocols is affected by this vulnerability as opposed to the earlier version, which gave attackers more flexibility.
Successful exploitation of this vulnerability allows any Windows application protocol that accesses the NEGOEX protocol may enable an attacker to remotely execute arbitrary code.
Despite the list of protocols that have been identified, there could be other protocols and standards that are affected as well.
On a target system, there is no user input or authentication required by a victim in order for this vulnerability to succeed. This vulnerability has been classified by Microsoft as “Critical,” with a maximum severity for all categories.
As a result, CVSS 3.1 now has an overall score of 8.1 out of 10. It is important to note that systems with unpatched default configurations are vulnerable to this flaw.
The reclassification was performed by X-Force Red in accordance with its responsible disclosure policy with Microsoft.
Recommendations
For the time being, IBM won’t release the full technical details regarding the vulnerabilities and patches until Q2 2023, in order to give defenders a chance and enough time to apply them.
Security Intelligence recommends that users and administrators apply the patch as soon as possible due to the widespread use of SPNEGO, which ensures that they are protected.
All systems running Windows 7 and newer are compatible with this fix, which is part of the security updates for September 2022.
Moreover, X-Force Red recommends the following additional recommendations:-
Identify which services are exposed to the internet, such as SMB and RDP.
You should continuously monitor your attack surface, including Windows Authentication-enabled servers.
In the event that the patch cannot be applied, set Kerberos or Net-NTLM as the default authentication providers on Windows and remove Negotiate as the default authentication provider.
A security flaw in the Galaxy Store allows attackers to trigger remote code execution on affected smartphones.
The now patched vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.
Vulnerability Details
The now-patched vulnerability is related to a cross-site scripting (XSS) flaw that occurs when handling specific deep links and it affects Galaxy Store version 4.5.32.4. The problem was first reported by an independent security researcher.
Particularly, deeplink can be called from another application or from a browser. The store receives appropriate deeplinks, it will process and show them in a webview.
In this case, by failing to secure the deeplink, the attacker is able to run JS code in the Galaxy Store application’s webview context whenever a user hits a link from a website that contains the deeplink.
The expert focuses on deep links configured for Samsung’s Marketing & Content Service (MCS).
Although the Samsung MCS Direct Page website was extracting the argument from the url and displaying it on the website, it did not encrypt, which resulted in an XSS problem.
“We can see the website is processing the abc, def parameters and displaying as above without encoding, the url is passed directly to href this is very dangerous and will cause XSS.” reads the advisory published by SSD Secure Disclosure.
Experts observed two functions ‘downloadApp’ and ‘openApp’ here these two functions will get the app id and download them from the store or open them.
This indicates that these two functions can be called using JS code. In this case, an attacker has the ability to execute arbitrary code by injecting it into the MCS website.
“To be able to successfully exploit the victim’s server, it is necessary to have HTTPS and CORS bypass of Chrome,” advisory published by SSD Secure Disclosure
Affected Products and Patch Available
The vulnerability impacts Galaxy Store version 4.5.32.4.
Therefore, Samsung has issued patches that are now in wide circulation for all Samsung devices.
More docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.
Source: Hans-Joachim Aubert via Alamy Stock Photo
Evidence indicates that the world’s ports are returning to pre-pandemic levels. During the first 11 months of 2021, the value of US international freight increased by more than 22% (PDF) compared with the same 11 months in 2020. More freight means more ships docking at port. And not only are more ships docking, but their dwell times are increasing as well. The average container vessel dwell time at the top 25 US container ports was estimated at 28.1 hours in 2020. In the first half of 2021, average container vessel dwell times increased to 31.5 hours.
While this increase in activity is undoubtedly welcome, more docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.
The Cyber-Risk to Ships
The maritime industry is especially vulnerable to cyber incidents. There are multiple stakeholders involved in the operation and chartering of a ship, which often results in a lack of accountability for the IT and OT system infrastructure and the ship’s networks. The systems may rely on outdated operating systems that are no longer supported and cannot be patched or run antivirus checks.
Going forward, this threat is expected to increase. Critical ship infrastructure related to navigation, power, and cargo management has become increasingly digitized and reliant on the Internet to perform a broad range of legitimate activities. The growing use of the Industrial Internet of Things (IIoT) will increase the ships’ attack surface.
Common ship-based cyber vulnerabilities include the following:
Obsolete and unsupported operating systems
Unpatched system software
Outdated or missing antivirus software and protection from malware
Unsecured shipboard computer networks
Critical infrastructure continuously connected with the shore side
Inadequate access controls for third parties including contractors and service providers
Inadequately trained and/or skilled staff on cyber-risks
Troubled Waters?
Maritime cybersecurity has become a significant issue affecting ports around the world. According to the firm Naval Dome, cyberattacks on maritime transport increased by 400% in 2020. Cybersecurity risks are especially problematic to ports around the globe since docked ships regularly interact digitally with shore-based operations and service providers. This digital interaction includes the regular sending of shipping documents via email or uploading documents via online portals or other communications with marine terminals, stevedores, and port authorities.
For example, many port authorities require a Port State Control (PSC) survey to be completed by foreign ships docking in their ports. Among other activities, this survey verifies several ship certificates and approximately 40 different documents required by international maritime authorities.
Some past examples of port-based cyber breaches:
Port of Rotterdam: In June 2017, the port of Rotterdam was hit with a ransomware attack that paralyzed the activities of two container terminals operated by APMT, a subsidiary of the Møller-Maersk group. Note that the port of Rotterdam had completely automated its operations as part of a Smart Port strategy.
Port of Shahid Rajaee: In May 2020, the port of Shahid Rajaee, Iran, suffered a cyberattack that almost totally shut down its operations. The Washington Post reported that the “computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility.” This cyberattack was presumed to be Israel’s response to an attack on its water network.
Port of Kennewick: In November 2020, the port of Kennewick, Wash., was hit with ransomware that completely locked access to its servers. Even with the small size of this port, it took nearly a week for port authorities to access their data. Malware injected via a phishing email is thought to be the cause of this attack.
Knowing that they are vulnerable to cyber breaches does not help alleviate the challenge to ports that have no choice but to accept documents originating from these ships. If ports block these documents, the ships cannot dock, and this ultimately causes delays in global logistics and the supply chain.
The Danger
Ports have no choice but to accept the ships’ documents. Refusal to accept these documents means loss of port revenue and blockages in the smooth flow of the supply chain. Document sending must proceed. But file-borne threats pose a significant challenge for ports. Malware is designed to access or damage a computer without the owner’s knowledge. Hackers embed malicious code into seemingly innocent files. When those files are opened, the malware automatically executes and allows the hackers to gain access to valuable data or cause damage to the maritime industry.
Many of these threats first enter the ship through email phishing schemes — attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails or uploading malicious documents to website portals. These “hacks” often exploit vulnerabilities in the ships’ networks, using the vessel to gain access to the ship’s partners, including the port.
