USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Source: Mohammad Aaref Barahouei via Alamy Stock Photo

Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's "2024 USB Threat Report," attackers are "clearly" turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they're leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

**Why USBs?**

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.

"A lot of operational facilities are entirely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "Those more modern approaches like email-based attack — something over the network — aren't really as effective when \[the OT systems\] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry beyond that air gap."

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.

Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

**Defending Against USB Threats**

The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren't necessarily the solution. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some type of formal security solution."

This technology often takes the form of a kiosk or "sanitation station" for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.

"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we ensure that we're ahead of it going forward?" he says. "There's definitely a massive realization of the threat that these devices can pose."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

To Damage OT Systems, Hackers Tap USBs, Old Bugs &amp; Malware

Thousands of planes and ships are facing GPS jamming and spoofing. Experts warn these attacks could potentially impact critical infrastructure, communication networks, and more.

The disruption to GPS services started getting worse on Christmas Day. Planes and ships moving around southern Sweden and Poland lost connectivity as their radio signals were interfered with. Since then, the region around the Baltic Sea—including neighboring Germany, Finland, Estonia, Latvia, and Lithuania—has faced persistent attacks against GPS systems.

Tens of thousands of planes flying in the region have reported problems with their navigation systems in recent months amid widespread jamming attacks, which can make GPS inoperable. As the attacks have grown, Russia has increasingly been blamed, with open source researchers tracking the source to Russian regions such as Kaliningrad. In one instance, signals were disrupted for 47 hours continuously. On Monday, marking one of the most serious incidents yet, airline Finnair canceled its flights to Tartu, Estonia, for a month, after GPS interference forced two of its planes to abort landings at the airport and turn around.

The jamming in the Baltic region, which was first spotted in early 2022, is just the tip of the iceberg. In recent years, there has been a rapid uptick in attacks against GPS signals and wider satellite navigation systems, known as GNSS, including those of Europe, China, and Russia. The attacks can jam signals, essentially forcing them offline, or spoof the signals, making aircraft and ships appear at false locations on maps. Beyond the Baltics, war zone areas around Ukraine and the Middle East have also seen sharp rises in GPS disruptions, including signal blocking meant to disrupt airborne attacks.

Now, governments and telecom and airline safety experts are increasingly sounding the alarm about the disruptions and the potential for major disasters. Foreign ministers in Estonia, Latvia, and Lithuania have all blamed Russia for GPS issues in the Baltics this week and said the threat should be taken seriously.

“It cannot be ruled out that this jamming is a form of hybrid warfare with the aim of creating uncertainty and unrest,” Jimmie Adamsson, the chief of public affairs for the Swedish Navy, tells WIRED. “Of course, there are concerns, mostly for civilian shipping and aviation, that an accident will occur creating an environmental disaster. There is also a risk that ships and aircraft will stop traffic to this area and therefore global trade will be affected.”

“A growing threat situation must be expected in connection with GPS jamming,” Joe Wagner, a spokesperson from Germany’s Federal Office for Information Security, tells WIRED, saying there are technical ways to reduce its impact. Officials in Finland say they have also seen an increase in airline disruptions in and around the country. And a spokesperson for the International Telecommunication Union, a United Nations agency, tells WIRED that the number of jamming and spoofing incidents have “increased significantly” over the past four years, and interfering with radio signals is prohibited under the ITU’s rules.

**On the Upswing**

Attacks against GPS, and the wider GNSS category, come in two forms. First, GPS jamming looks to overwhelm the radio signals that make up GPS and make the systems unusable. Second, spoofing attacks can replace the original signal with a new location—spoofed ships can, for example, appear on maps as if they’re at inland airports.

Both types of interference are up in frequency. The disruptions—at least at this stage—mostly impact planes flying at high altitudes and ships that can be in open water, not people’s individual phones or other systems that rely on GPS.

The Dangerous Rise of GPS Attacks

Verizon, AT&T, and T-Mobile USA are being fined for sharing location data. They plan to appeal the decision, which is the culmination of a four-year investigation into how carriers sold customer data to third parties.

Source: Wavebreak Media ltd via Alamy Stock Photo

The Federal Communications Commission (FCC) has fined the top US wireless carriers a collective $200 million for sharing access to customers' location information without consent, the culmination of an action proposed four years ago as authorities continue to grapple with how to reel in companies' handling of sensitive personal data. For carriers, who note that the fines are based on outdated programs that no longer exist, the action represents unsettled regulatory waters as requirements for handling customer data security and privacy in the modern era continue to shake out.

Specifically, the FCC fined Sprint and T-Mobile USA, which have merged since the investigation began, more than $12 million and $80 million, respectively; AT&T more than $57 million; and Verizon almost $47 million.

The agency proposed the fines in 2020 based on an investigation that started after reports that a Missouri sheriff consistently used a "location-finding service" operated by Securus, a company that provides and monitors telecommunications service in correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.

The case ultimately revealed that the four telecom providers had programs in place at the time that were selling customer-location data to two data-aggregation firms, who then resold access to this data to other entities.

"This action demonstrated the carriers offloading obligations to obtain customer consent onto downstream recipients of location information," which in many instances meant customers did not actually consent to releasing their data, according to an FCC press release (PDF) on the decision. For their part, the carriers say that the data was shared with the third parties in order to enable location-based safety services such as roadside assistance.

"Our communications providers have access to some of the most sensitive information about us," said FCC Chairwoman Jessica Rosenworcel in a statement on the fines. "These carriers failed to protect the information entrusted to them."

This is likely not the end of the fines: The commission also said that it plans to continue to resolve these types of older privacy cases regarding customer data, holding "all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data," she said.

**Wireless Cos Push Back on FCC Privacy Fines**

All of the carriers confirmed to Dark Reading that they will go to court to appeal the decision, which was based on a provision of the Communications Act of 1934 that requires US wireless carriers to take reasonable steps to safeguard specific customer data, such as location information.

Generally, the companies claim the action by the FCC is based on outdated scenarios at the telecom providers that have since been remedied, and they no longer allow third parties to access sensitive customer location-based data.

Verizon spokesman Rich Young says the order concerns an old program at Verizon that required customers to opt in and was shut down more than five years ago. The program "was intended to support services like roadside assistance and medical alerts," he tells Dark Reading, and Verizon shuttered it when the company discovered it was being used fraudulently.

"Verizon is deeply committed to protecting customer privacy," Young says. "Unfortunately, the  FCC's order gets it wrong on both the facts and the law, and we plan to appeal this decision."

For its part, T-Mobile USA gave Dark Reading a statement to much the same effect: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T too plans to appeal the fines, which apply for a service that was discontinued in 2019.

"The FCC order lacks both legal and factual merit," a spokesperson says. "It unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

A spokesman for CTIA, a telecommunications industry trade association representing US carriers and resellers, also criticized the fines, citing a "broken enforcement process" on the part of the FCC that deserves examination by Congress.

"After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA's request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them," said CTIA senior vice president and chief communications officer Nick Ludlum, in a media statement.

**Carrier Uncertainly: Customer-Privacy Worries Persist**

Complaints that the FCC is behind the times may indeed be justified, as the commission is not known for moving quickly on clarifying how telecom and VoIP providers handle customer privacy.

For instance, it took the FCC 16 years to update how telecom and VoIP providers report data-breaches, issuing new rules in February of this year that they must notify customers whenever there's personally identifiable information (PII) involved in a cyber incident. The new rules — which also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery — were the first since 2007 to be issued by the commission regarding data-breach notifications.

Meanwhile, the issue of customer privacy when it comes to carriers continues to be a worry, and the fines appear to demonstrate a heavy hand by the FCC in holding communications providers accountable when private customer data leaks. Abroad, other privacy troubles concerning how carriers handle customer data also are brewing.

For example, a huge swathe of telecom customers in Namibia recently were faced with losing their phone service if they didn't hand over sensitive biometric data to the country's premier telco, Mobile Telecommunications Ltd. The potential privacy threat occurred after a well-intentioned plan to combat mobile fraud and identity theft went astray.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Wireless Carriers Face $200M FCC Fine As Data Privacy Waters Roil

Proof of concept code that demonstrates how the Windows kernel suffers from a privilege escalation vulnerability due to a double-fetch in PspBuildCreateProcessContext that leads to a stack buffer overflow.

Windows PspBuildCreateProcessContext Double-Fetch / Buffer Overflow

Proof of concept code that demonstrates how the Windows kernel suffers from a privilege escalation vulnerability due to a double-fetch in NtQueryInformationThread that leads to an arbitrary write.

Windows NtQueryInformationThread Double-Fetch / Arbitrary Write

This is the full Windows privilege escalation exploit produced from the blog Exploiting the NT Kernel in 24H2: New Bugs in Old Code and Side Channels Against KASLR.

undefinedExploiting The NT Kernel In 24H2undefined

osCommerce version 4 suffers from a cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to CraCkEr in November of 2023.

    # Exploit Title: osCommerce 4 - Reflected XSS# Exploit Author: skalvin# Date: 22/04/2024# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/furniture/# Tested on: Windows 11 Pro# Impact: Manipulate the content of the site# CVE: CVE-2024-4348# VDB: VDB-262488# CWE: CWE-79 / CWE-74 / CWE-707# CAPEC: CAPEC-10 / CAPEC-209 / CAPEC-250# ATT&CK: T1059.007## DescriptionAttacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsGET parameter 'cat' is vulnerable to RXSSPath: /furniture/catalog/all-productshttps://demo.oscommerce.com/furniture/catalog/all-products?cat=[XSS]https://demo.oscommerce.com/watch/catalog/all-products?cat=[XSS]## Live POC:https://demo.oscommerce.com/furniture/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1https://demo.oscommerce.com/watch/catalog/all-products?cat=1&bhl4n%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253eiyehb=1[-] Done

osCommerce 4 Cross Site Scripting

Ubuntu Security Notice 6758-1 - It was discovered that the JSON5 parse method incorrectly handled the parsing of keys named __proto__. An attacker could possibly use this issue to pollute the prototype of the returned object, setting arbitrary or unexpected keys, and cause a denial of service, allow unintended access to network services or have other unspecified impact, depending on the application's use of the module.

    ==========================================================================Ubuntu Security Notice USN-6758-1April 30, 2024node-json5 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:JSON5 could allow unintended access to network services or have otherunspecified impact.Software Description:- node-json5: JSON for the ES5 eraDetails:It was discovered that the JSON5 parse method incorrectly handled the parsingof keys named __proto__. An attacker could possibly use this issue to pollutethe prototype of the returned object, setting arbitrary or unexpected keys, andcause a denial of service, allow unintended access to network services or haveother unspecified impact, depending on the application's use of the module.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   node-json5                      2.2.0+dfsg-1ubuntu0.1~esm1                                   Available with Ubuntu ProUbuntu 20.04 LTS   node-json5                      0.5.1-3ubuntu0.1Ubuntu 18.04 LTS   node-json5                      0.5.1-1ubuntu0.1~esm1                                   Available with Ubuntu ProAfter a standard system update you may need to restart any services that usethe library to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6758-1   CVE-2022-46175Package Information:   https://launchpad.net/ubuntu/+source/node-json5/0.5.1-3ubuntu0.1

Ubuntu Security Notice USN-6758-1

Ubuntu Security Notice 6761-1 - It was discovered that Anope did not properly process credentials for suspended accounts. An attacker could possibly use this issue to normally login to the platform as a suspended user after changing their password.

==========================================================================  
Ubuntu Security Notice USN-6761-1  
April 30, 2024

anope vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Anope could be made to bypass authentication checks for suspended accounts.

Software Description:  
- anope: an open source set of IRC Services

Details:

It was discovered that Anope did not properly process credentials for  
suspended accounts. An attacker could possibly use this issue to normally  
login to the platform as a suspended user after changing their password.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   anope                           2.0.12-1ubuntu1

Ubuntu 23.10  
   anope                           2.0.12-1ubuntu0.23.10.1

Ubuntu 22.04 LTS  
   anope                           2.0.9-1ubuntu0.1

Ubuntu 20.04 LTS  
   anope                           2.0.6-1ubuntu0.1

Ubuntu 18.04 LTS  
   anope                           2.0.4-2ubuntu0.1~esm1  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   anope                           2.0.3-1ubuntu0.1~esm1  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6761-1  
   CVE-2024-30187

Package Information:  
   https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu1  
   https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/anope/2.0.9-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/anope/2.0.6-1ubuntu0.1

Ubuntu Security Notice USN-6761-1

Ubuntu Security Notice 6759-1 - It was discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to cause FreeRDP to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6759-1April 29, 2024freerdp3 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in FreeRDP.Software Description:- freerdp3: RDP client for Windows Terminal ServicesDetails:It was discovered that FreeRDP incorrectly handled certain memoryoperations. If a user were tricked into connecting to a malicious server, aremote attacker could possibly use this issue to cause FreeRDP to crash,resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   libfreerdp3-3                   3.5.1+dfsg1-0ubuntu1After a standard system update you need to restart your session to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-6759-1   CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661,   CVE-2024-32662Package Information:   https://launchpad.net/ubuntu/+source/freerdp3/3.5.1+dfsg1-0ubuntu1

Latest News