News & Updates

Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks.
“Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by

Experts warn of an emerging Python-based credential harvester named Legion

Legion is an emerging Python-based credential harvester and hacking tool that allows operators to break into various online services. Cado Labs researchers recently discovered a new Python-based credential harvester and hacking tool, named Legion, which was sold via Telegram. At this time, the sample analyzed by Cado Labs has a low detection rate of 0 […]

The post Experts warn of an emerging Python-based credential harvester named Legion appeared first on Security Affairs.


New Zaraza Bot Credential-Stealer Sold on Telegram Targeting 38 Web Browsers

A novel credential-stealing malware called Zaraza bot is being offered for sale on Telegram while also using the popular messaging service as a command-and-control (C2).
“Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors,” cybersecurity company Uptycs said in a report published last week.
“Once the

Mitsubishi Electric India GC-ENET-COM

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity 
  • Vendor: Mitsubishi Electric India 
  • Equipment: GC-ENET-COM 
  • Vulnerability: Signal Handler Race Condition  

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a communication error and may result in a denial-of-service condition.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Mitsubishi Electric India Ethernet communication Extension unit GC-ENET-COM are affected: 

  • Mitsubishi Electric India GC-ENET-COM: Models whose 11-digit serial number begins with 16 (16XXXXXXXXX). 

3.2 VULNERABILITY OVERVIEW

3.2.1 SIGNAL HANDLER RACE CONDITION CWE-364 

A vulnerability exists in the Ethernet communication Extension unit (GC-ENET-COM) of GOC35 series due to a signal handler race condition. If a malicious attacker sends a large number of specially crafted packets, communication errors could occur and could result in a denial-of-service condition when GC-ENET-COM is configured as a Modbus TCP Server. 

CVE-2023-1285 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
  • COUNTRIES/AREAS DEPLOYED: Worldwide 
  • COMPANY HEADQUARTERS LOCATION: India 

3.4 RESEARCHER

Faruk Kazi and Parul Sindhwad of COE-CNDS lab, VJTI, Mumbai India, reported these vulnerabilities to Mitsubishi Electric India. 

4. MITIGATIONS

Mitsubishi Electric India has released the following countermeasure/mitigation: 

  • The vulnerability has been fixed in the firmware of Extension units GC-ENET-COM whose 11-digit serial number begins with “17”. The firmware update for Extension unit GC-ENET-COM is only available from the vendor; users should contact a local Mitsubishi Electric India representative.

Mitsubishi Electric India recommends users take the following mitigations to minimize the risk of attackers exploiting this vulnerability if the mentioned countermeasures cannot be implemented. 

  • Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when internet access is required. 
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network to restrict access from untrusted networks and hosts. 
  • Restrict physical access to your computer and network equipment on the same network. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.  


B. Braun Battery Pack SP with Wi-Fi

1. EXECUTIVE SUMMARY

  • CVSS v3 5.5
  • ATTENTION: Exploitable remotely/low attack complexity 
  • Vendor: B. Braun Melsungen AG 
  • Equipment: Battery Pack SP with Wi-Fi 
  • Vulnerability: Improper neutralization of directives in dynamically evaluated code (‘Eval Injection’) 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a sophisticated and authenticated attacker to compromise the security of the Space communication device Battery Pack SP with Wi-Fi. An attacker could escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following B. Braun products are affected: 

  • Battery pack SP with Wi-Fi (SN 138853 and higher) with software 053L000091 (global) / 054U000091 (U.S.) and 053L000092 (global) / 054U000092 (U.S.) 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF DIRECTIVES IN DYNAMICALLY EVALUATED CODE (‘EVAL INJECTION’) CWE-95 

An improper neutralization of directives in dynamically evaluated code vulnerability in the Wi-Fi Battery embedded web server versions L90/U70 and L92/U92 can be used to gain administrative access to the Wi-Fi communication module. An authenticated user, having access to both the medical device Wi-Fi network (such as a biomedical engineering staff member) and the specific B. Braun Battery Pack SP with Wi-Fi web server credentials, could gain administrative (root) access on the infusion pump communication module. This could be used as a vector to launch further attacks. 

CVE-2023-0888 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L). 

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare, Public Health 
  • COUNTRIES/AREAS DEPLOYED: Worldwide 
  • COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Tom Johnston, a cyber security consultant, reported this vulnerability to B. Braun. 

4. MITIGATIONS

B. Braun has released software updates to mitigate the reported vulnerabilities: 

  • Battery pack SP with Wi-Fi: software 053L000093 (global) / 054U000093 (U.S.) 
    • Facilities in Canada utilizing “U” versions of software should follow the U.S. version.  
    • Facilities in Canada utilizing non-“U” versions (e.g. L) should follow the global version. 

The infusion pumps are not directly affected. However, the interrupted network communication might prevent certain features of the device from functioning properly. Specifically, an impacted device may be unable to receive infusion orders from EMR/PDMS systems, receive a drug library update, or communicate with DoseTrac. 

For more information, see the B. Braun Vulnerability Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. 


Siemens JT Open and JT Utilities

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity 
  • Vendor: Siemens  
  • Equipment: JT Open and JT Utilities 
  • Vulnerability: Out-of-bounds Read 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens software is affected: 

  • JT Open: All versions prior to V11.3.2.0 
  • JT Utilities: All versions prior to V13.3.0.0 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125 

The affected applications contain an out-of-bounds read vulnerability past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. 

CVE-2023-29053 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Multiple 
  • COUNTRIES/AREAS DEPLOYED: Worldwide 
  • COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

  • Do not open untrusted files using JT Open Toolkit or JT Utilities. 
  • JT Utilities: Update to V13.3.0.0 or a later version. 
  • JT Open: Update to V11.3.2.0 or a later version. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals. 

Additional information regarding Siemens Industrial Security can be found here.

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-642810 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 


Siemens SCALANCE X-200IRT Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v3 6.7
  • ATTENTION: Exploitable with adjacent access 
  • Vendor: Siemens 
  • Equipment: SCALANCE X-200IRT Devices 
  • Vulnerability: Inadequate Encryption Strength 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

  • SCALANCE X200-4P IRT (6GK5200-4AH00-2BA3): All versions prior to V5.5.2 
  • SCALANCE X201-3P IRT (6GK5201-3BH00-2BA3): All versions prior to V5.5.2 
  • SCALANCE X201-3P IRT PRO (6GK5201-3JR00-2BA6): All versions prior to V5.5.2 
  • SCALANCE X202-2IRT (6GK5202-2BB00-2BA3): All versions prior to V5.5.2 
  • SCALANCE X202-2IRT (6GK5202-2BB10-2BA3): All versions prior to V5.5.2 
  • SCALANCE X202-2P IRT (6GK5202-2BH00-2BA3): All versions prior to V5.5.2 
  • SCALANCE X202-2P IRT PRO (6GK5202-2JR00-2BA6): All versions prior to V5.5.2 
  • SCALANCE X204IRT (6GK5204-0BA00-2BA3): All versions prior to V5.5.2 
  • SCALANCE X204IRT (6GK5204-0BA10-2BA3): All versions prior to V5.5.2 
  • SCALANCE X204IRT PRO (6GK5204-0JA00-2BA6): All versions prior to V5.5.2 
  • SCALANCE XF201-3P IRT (6GK5201-3BH00-2BD2): All versions prior to V5.5.2 
  • SCALANCE XF202-2P IRT (6GK5202-2BH00-2BD2): All versions prior to V5.5.2 
  • SCALANCE XF204-2BA IRT (6GK5204-2AA00-2BD2): All versions prior to V5.5.2 
  • SCALANCE XF204IRT (6GK5204-0BA00-2BF2): All versions prior to V5.5.2 
  • SIPLUS NET SCALANCE X202-2P IRT (6AG1202-2BH00-2BA3): All versions prior to V5.5.2 

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326 

The secure shell (SSH) server on affected devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. 

CVE-2023-29054 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H). 

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Multiple 
  • COUNTRIES/AREAS DEPLOYED: Worldwide 
  • COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Siemens has released updates for the affected products and recommends updating to the latest versions. 

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk identified in the vulnerability overview:  

  • Configure the SSH clients to use strong key exchange ciphers. 
  • Add only trusted SSH client public keys to the responding operating system (ROS) and allow access to those clients only. 
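The two workarounds above come down to one check a defender can make before and after hardening: which key-exchange and cipher names does the device's SSH server actually offer? The following is an added example (not code from the advisory, from Siemens, or from CISA) that parses the SSH_MSG_KEXINIT payload a server sends after the version exchange (RFC 4253, section 7.1), flags every offered algorithm that is not on an allowlist, and emits an OpenSSH `ssh_config` stanza that pins the client to that allowlist. The allowlist and the sample KEXINIT bytes are constructed for this example; the sample deliberately advertises algorithms that are widely treated as weak (SHA-1 based DH groups, CBC-mode ciphers, 3DES) alongside acceptable ones.

```python
"""Audit the algorithm name-lists an SSH server advertises in its KEXINIT.

Added example, not part of the advisory. Capture the first packet the server
sends after the version exchange, pass its payload to audit_kexinit(), and
compare the findings with your own policy. The allowlists below are an
assumption for this example, not a vendor or CISA recommendation.
"""
import struct

SSH_MSG_KEXINIT = 20

# Preference-ordered allowlists (assumed policy for this example).
STRONG_KEX = (
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
)
STRONG_CIPHERS = (
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-ctr",
    "aes128-ctr",
)

# The ten name-lists in a KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Read one uint32-length-prefixed, comma-separated name-list."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + length


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of field name -> list of names."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by a 16-byte random cookie
    result = {}
    for field in KEXINIT_FIELDS:
        result[field], off = _read_name_list(payload, off)
    # Trailing boolean first_kex_packet_follows plus uint32 reserved.
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    return result


def audit_kexinit(payload):
    """Return (field, name) pairs for every offered kex or cipher not allowed."""
    info = parse_kexinit(payload)
    findings = [("kex", n) for n in info["kex"] if n not in STRONG_KEX]
    for direction in ("enc_c2s", "enc_s2c"):
        findings += [(direction, n) for n in info[direction]
                     if n not in STRONG_CIPHERS]
    return findings


def build_kexinit(kex, host_key, enc, mac, comp, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload; used here only to construct sample input."""
    def name_list(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, host_key, enc, enc, mac, mac, comp, comp, [], []):
        body += name_list(names)
    return body + b"\x00" + b"\x00\x00\x00\x00"


def client_config(host="*"):
    """OpenSSH ssh_config stanza pinning a client to the allowlists above."""
    return "\n".join([
        f"Host {host}",
        "    KexAlgorithms " + ",".join(STRONG_KEX),
        "    Ciphers " + ",".join(STRONG_CIPHERS),
    ])


# Constructed sample: a server offering weak algorithms next to strong ones.
SAMPLE_SERVER_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
         "curve25519-sha256"],
    host_key=["ssh-rsa"],
    enc=["3des-cbc", "aes128-cbc", "aes128-ctr"],
    mac=["hmac-sha1"],
    comp=["none"],
)

if __name__ == "__main__":
    for field, name in audit_kexinit(SAMPLE_SERVER_KEXINIT):
        print(f"weak {field}: {name}")
    print(client_config())
```

Run the audit against a KEXINIT captured from the device before and after the firmware update; the findings list should be empty afterwards. Pinning the client side with `KexAlgorithms` and `Ciphers` (both real OpenSSH client options) ensures that even a server still offering weak algorithms cannot negotiate them with your administrative hosts.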

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.  

For more information, see the associated Siemens security advisory SSA-479249 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity. 


Experts found the first LockBit encryptor that targets macOS systems

Researchers warn that the LockBit ransomware gang has developed encryptors to target macOS devices. The LockBit group is the first ransomware gang of all time that has created encryptors to target macOS systems, MalwareHunterTeam team warn. MalwareHunterTeam researchers discovered the LockBit encryptors in a ZIP archive uploaded to VirusTotal. The discovery is disconcerting and demonstrates […]

The post Experts found the first LockBit encryptor that targets macOS systems appeared first on Security Affairs.
