Over a dozen security flaws have been discovered in baseboard management controller (BMC) firmware from Lanner that could expose operational technology (OT) and internet of things (IoT) networks to remote attacks.

BMC refers to a specialized service processor, a system-on-chip (SoC), that's found in server motherboards and is used for remote monitoring and management of a host system, including performing low-level system operations such as firmware flashing and power control.

Nozomi Networks, which analyzed an Intelligent Platform Management Interface (IPMC) from Taiwanese vendor Lanner Electronics, said it uncovered 13 weaknesses affecting IAC-AST2500.

All the issues affect version 1.10.0 of the standard firmware, with the exception of CVE-2021-4228, which impacts version 1.00.0. Four of the flaws (from CVE-2021-26727 to CVE-2021-26730) are rated 10 out of 10 on the CVSS scoring system.

In particular, the industrial security company found that CVE-2021-44467, an access control bug in the web interface, could be chained with CVE-2021-26728, a buffer overflow flaw, to achieve remote code execution on the BMC with root privileges.

"When also considering that all processes run with root privileges on the device, the combined weaknesses enable an unauthenticated attacker to completely compromise both the BMC and the managed host," the company said in a write-up published last week.

Lanner has since released an updated firmware that addresses the vulnerabilities in question following responsible disclosure.

"BMCs represent an attractive way to conveniently monitor and manage computer systems without requiring physical access, in the IT as well as in the OT/IoT domain," the researchers said.

"Nevertheless, their usability comes at the expense of a broader attack surface, and that may lead to an increase of the overall risk if they are not adequately protected."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over a Dozen New BMC Firmware Flaws Expose OT and IoT Devices to Remote Attacks

Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group.
Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022.
"While the malware written in .NET is new, its deployment is

Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group.

Slovak cybersecurity company ESET, which dubbed the new ransomware strain **RansomBoggs**, said the attacks against several Ukrainian entities were first detected on November 21, 2022.

"While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm," the company said in a series of tweets Friday.

The development comes as the Sandworm actor, tracked by Microsoft as Iridium, was implicated for a set of attacks aimed at transportation and logistics sectors in Ukraine and Poland with another ransomware strain called Prestige in October 2022.

The RansomBoggs activity is said to employ a PowerShell script to distribute the ransomware, with the latter "almost identical" to the one used in the Industroyer2 malware attacks that came to light in April.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), the PowerShell script, named POWERGAP, was leveraged to deploy a data wiper malware called CaddyWiper using a loader dubbed ArguePatch (aka AprilAxe).

ESET's analysis of the new ransomware shows that it generates a randomly generated key and encrypts files using AES-256 in CBC mode and appends the ".chsch" file extension.

Sandworm, an elite adversarial hacking group within Russia's GRU military intelligence agency, has a notorious track record of striking critical infrastructure over the years.

The threat actor has been linked to the NotPetya cyberattacks against hospitals and medical facilities in 2017 and the destructive assaults against the Ukrainian electrical power grid in 2015 and 2016.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue.

@@ -12,7 +12,9 @@ import com.intellij.uiDesigner.core.Spacer; import org.apache.log4j.LogManager; import org.apache.log4j.Logger; import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor;  
import javax.swing.\*; import javax.swing.border.TitledBorder; @@ -224,7 +226,7 @@ public void reloadConfig(boolean init, boolean reset) { } configTemplate = configStr;  
Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); configObj = yaml.load(configStr);  
try { @@ -684,7 +686,7 @@ public void initPluginSave() { }  
public void refreshConfig() { Yaml yaml = new Yaml(); Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); StringWriter writer = new StringWriter(); yaml.dump(configObj, writer); configStr = writer.toString();

CVE-2022-41958: yaml rce · 4ra1n/super-xray@4d0d596

By Habiba Rashid
So far, researchers have identified approximately 50 phishing websites, all targeting MSI Afterburner to deliver malware. 
This is a post from HackRead.com Read the original post: Watch Out Gamers: Hackers Exploiting MSI Afterburner to Deliver Coin Miner

Cyble Research & Intelligence Labs (CRIL) recently uncovered a phishing campaign used by threat actors to deliver cryptocurrency miner softwares using utility software tools.

This particular campaign exploited the well-known MSI Afterburner, used widely by gamers and other high-performance computing users. Due to being one of the better-known graphics card software used to monitor system performance, allow users to modify the hardware settings to enhance the system’s performance and to overclock the best graphics cards on the market.

The threat actors employ various methods to distribute the malware including the use of emails, online advertisements, forums, and other mediums. In the last three months, Cyble has identified approximately 50 phishing websites, all targeting MSI Afterburner to deliver malware. 

One of the phishing websites (Image: Cyble)

The threat actors who created these websites made sure to design sophisticated phishing pages that mimicked the legitimate MSI Afterburner sites to lure users into downloading coin-miner malware that performed the crypto-mining process.

However, fraudulent websites can be spotted by looking at the domain names. Cyble has identified some of the fake domains, such as (MSI-afterburner-download.site), (msi-afterburner.download) and (mslafterburners dot com.) Some are already offline, but more are likely to show up.

The payload of malware is delivered bundled with legitimate MSI Afterburner installers and after installation, it starts the process of hijacking the victim’s computer, collecting sensitive information such as computer name, username, GPU, CPU, and other details from the system. The technical details are explained in Cyble’s analysis report. 

Infection chain

Crypto mining requires dedicated hardware like GPUs because it is a power and resource-intensive activity. By hijacking the processing power of the victim’s machine, the threat actors can mine cryptocurrencies without their consent. This severely decreases the victim’s overall system performance and drains their system resources, significantly affecting the productivity of the victim user or organization. 

There are quite a few measures that users can take to ensure that their device does not become a victim of such a phishing campaign. It is advised that you check your system performance and CPU usage periodically, avoid downloading pirated software from Warez/Torrent and rely on official websites only.

Moreover, turn on the automatic software update feature on your devices, use reputed antivirus, refrain from opening untrusted links and email attachments and monitor endpoints and servers for unexpected spikes in CPU and RAM utilization that could reveal potential malware infection. 

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Watch Out Gamers: Hackers Exploiting MSI Afterburner to Deliver Coin Miner

New users and monetization methods are increasingly profitable for gaming industry, but many companies find they have to stem growth in cheats, hacks, and other fraud to keep customers loyal.

The video game industry has been booming of late — and cybercriminals are drawn to it as an expanding threat surface, seeing players as a potentially less cautious group of victims. As such, cybersecurity has risen in profile as a major business priority and differentiator for many in the industry.

There's been an influx of casual gamers drawn to new mobile platforms during the pandemic, and companies have found increasingly profitable ways of monetizing in-game items and social experiences. Gaming studios and affiliated games companies seek to keep those users playing while maintaining that growth and profitability in the post-pandemic era.

But with so much entertainment competition out there — not just from other games, but also streaming and digital platforms — it's easy enough for players hacked or cheated one too many times to drop one game and pick up another one instead. Gaming industry insiders like Jonathan Shroyer say that if gaming companies are lax in security, "their games will not succeed."

"Players of games depend on trust, credibility, and predictability when leveraging a brand's game," says Shroyer, chief CX innovation officer for Arise Gaming, a consulting firm that helps gaming companies improve customer satisfaction and gamer engagement in their platforms. "If they find out there was a hack, or fraud, or other security issues, you will see a dramatic drop in gameplay and spend."

He says this is especially true in mobile gaming as these are the least sticky and most casual games in the industry. But the impact of cyber trust is felt across console, PC, virtual reality (VR), and streaming customers as well.

**More Gamers, More Attacks & More Customer Expectations**

There's a lot of money at stake for gaming companies planning for the future. According to a recent study by PwC earlier this year, the video gaming industry will earn $235.7 billion in 2022. That's following a massive tear over the last few years, with the combination of PC, console, and casual gaming companies increasing their revenue by an astonishing 32% from 2019 through 2021. PwC says it expects gaming revenue to keep ticking up from now through 2026 by a healthy 8.4% compound annual growth rate.

As the money has been flowing into everything from eSports to hyper-casual gaming, so, too, have the attacks. Akamai reported recently that cyberattacks on player accounts and gaming companies has increased "dramatically" in the past year, with Web application attacks rising by 167%. The firm says gaming is the industry most hit by distributed denial-of-service (DDoS) attacks, making up 37% of all DDoS globally. That's double the volume of attacks lobbed at the financial sector, which is the second-most DDoS-attacked vertical industry.

Account takeovers, cheating hacks, and fraud are all growing problems, and gamers are taking note of which companies are addressing these cybersecurity issues and which aren't. A study of attitudes from 10,000 gamers worldwide that was released last week by Kaspersky showed that 70% of regular gamers think hacking is a big problem in the gaming world. Around 63% of respondents said their accounts aren't safe enough from attacks — with one in three reporting that their accounts have been hacked in the last two years. And 89% of gamers said they want game developers to pay more attention to cybersecurity issues.

These stats point to why cybersecurity is fast becoming a huge engagement pillar for game studios right alongside designing creative gameplay and immersive worlds. It's a tricky proposition for security executives in this world, because gamers also have big expectations when it comes to gameplay and the overall ambiance of a gaming environment, says Julie Tsai, a longtime cybersecurity executive with deep expertise in the gaming world.

"Users and the community expect things at a high level. They expect things to be intuitive, they expect things to be in the spirit of the gaming — and also sometimes in the spirit of the culture of the particular gamer community they're in," says Tsai, who was head of security for Roblox for the past three years prior to recently venturing on her own as a security consultant. "They're very, very passionate and attached to these things. And also for a security professional, it means that you're going to be dealing with some of the strongest attackers and the adversaries that you can think of because they're very creative and often gamers themselves."

**Today's Biggest Cyberthreats to Gaming**

Like any other vertical industry, games companies are tasked with protecting their organizations from all nature of cybersecurity threats to their business. Many of them are large enterprises with the same concerns for the protection of internal systems, financial platforms, and employee endpoints as any other firm.

"Gaming companies have the same responsibility as any other organization to protect customer privacy and preserve shareholder value. While not specifically regulated like hospitals or critical infrastructure, they must comply with laws like GDPR and CaCPA," explains Craig Burland, CISO for Inversion6, a managed security service provider and fractional CISO firm. "Threats to gaming companies also follow similar trends seen in other segments of the economy — intellectual property (IP) theft, credential theft, and ransomware."

IP issues are heightened for these firms, like many in the broader entertainment category, as content leaks for highly anticipated new games or updates can give a brand a black eye at best, and at worst hit them more directly in the financials. The industry saw this kind of fallout in full effect in September when a hack of Take-Two Interactive and subsequent public leak of Grand Theft Auto 6 resulted in a 2.3% stock drop for the firm.

Layered on top of all of those typical enterprise cybersecurity concerns are unique eccentricities in protecting gaming platforms and player ecosystems. The gaming platforms are their brands — financial and customer service engines all rolled into one. And they're supremely juicy targets for all nature of malfeasance.

Some of the most common concerns gaming companies must contend with are cheaters who seek to take advantage of technical or bugs or design flaws to their advantage, spammers finding ways to blast out links to gamers to everything from snake-oil products to porn, scammers seeking to take advantage of and steal from younger gamers. And then, of course, most common of all are the everyday cyber fraudsters cashing in on account theft.

"What you have to realize is that criminals attack games for one of three reasons: status, ideology, or cash," says Brett Johnson, chief criminal officer for Arkose Labs and a former cybercriminal who before he went straight ran ShadowCrew, the forerunner to today's Dark Web marketplaces. "Most attacks — 98% or more — are cash driven. So criminals are looking for the easiest access that gives the largest return on investment."

The black-hat ROI prospects have especially grown now that gaming companies have monetized in-game assets through means like direct purchase, voluntary advertising views, and recurring subscriptions. This presents endlessly more new ways to commit financial fraud and launder money through gaming platforms. From a gaming cyber defender's perspective, this means that cheating and hacks now not only threaten gameplay experience, but create more financial and legal risks.

"Any time real money value is tied to in game assets, you will see a spike in fraud and other bad actors," Shroyer explains.

Attackers are turning up the heat on game users and platform with credential stuffing attacks and social engineering scams to break into accounts and access in-game currency and unique items. They leverage third-party marketplaces to sell these in-game assets off the platform for real currency to other gamers who want to bolster their characters or speed up their progress. This creates an ideal situation to not only fence stolen in-game assets, but to launder money stolen elsewhere online.

A lot of this criminal activity is powered by bots and click farms to scale up the profitability of their criminal enterprise, Johnson says.

"The problem is, from an attacker point of view, it's not really worth it to me to attack people manually. If you consider most of these accounts, the dollar amounts are not high enough for me to do that," he says. "So I need to find a way to scale that without me having to manually sign on or try to take over to account. And the answer to that is bots."

**The Culture Wildcard**

Many of the criminal ploys targeting games will also play upon the emotional mindset of gamers, who just want to have as much fun as possible. It makes them more likely to maybe fall for a phishing lure in hopes of getting a sneak peek at a new feature, or go to great lengths to buy items from a third-party marketplace that could speed up their progress.

"The gamer almost immediately is not acting out of reason or logic — it's a knee-jerk type of emotional thing. They want to play that game," Johnson says. "It's much easier for me as an attacker to use that to my advantage because they're already going through that door of reacting emotionally."

This highlights the big balancing act that gaming companies generally have to manage when it comes to protecting their platforms and their users. They've got to design better technical controls and more cyber resilience in their systems without damaging player experience or the vibrancy of the gaming culture built up around their brands and their gaming titles.

As Tsai alluded, gamers are passionate and they're also often curious hackers by nature. That includes the creative and benign type, but also the black hats.

The game industry has always been a place where everyone from script kiddies to budding cybercriminals have come to cut their teeth. For the most part, though, the cohort is usually mostly made up of customers who want to be able to develop and share their custom mods and who are willing to spend a lot of engaged time and money on their games, building up a community that buoys up successful games and studio brands.

This means that a lot of the work of security executives is in detangling the malicious elements from that creative and loyal group of gamers. This takes user education and outreach, foresight in design, and engineering work.

**Engineering Good Choices for Gamers**

On the latter front, some of the easiest and most low-hanging fruit can come through layered protection measures that just make it more expensive for attackers to run roughshod over platform with automated bot attacks.

"If a security product can increase the cost of the attack, the chances of the criminal staying on that platform, not very good," Johnson says. "That criminal's going to find someplace else where they can profit easier and not have to have the investment to get the attack to be successful."

According to Shroyer, the industry is in a lot better place now with moderating and managing mods and curbing cheating because there's more technical measures available to developers.

"Gaming brands now have more tools in their toolkit to prevent these activities," he says. "A few examples are unique online accounts that  require the latest software update to play games, new tech and security placed in gaming data centers that make hacking more difficult, and the ability to turn off access via games online if bad behaviors are noticed. These don't eradicate the issues, but similar to how Netflix and Hulu curbed illegal movie downloading, these tools have had a similar effect in the gaming space."  

More fundamentally at the design level, though, Tsai says that security teams and gaming developers also have to work to create player journeys and experiences less hackable. This doesn't mean shutting off the faucet for mods and other beneficial hacking in the platform. Instead, it means doing better threat modeling of platforms, locking down the riskiest areas and providing guardrails for user "developers" almost in the same way that a DevSecOps team would do so for internal developers.

"There's a saying in engineering with regards to user centricity, which is 'Make me make good choices,'" she says. "And so in that respect, you want to create technology that either encourages or only allows users to make good choices."

This kind of effort takes significant effort and a security-first mentality for game development. However, it's an investment that has a definite ROI for gaming firms, she says.

"Security ties to how users in the community think of your integrity and trust you. These are long-term assets," she says. "If you gain credibility over the years, it can absolutely be a business value-add."

For Gaming Companies, Cybersecurity Has Become a Major Value Proposition

As 2022 comes to an end, now's the time to level up your bug bounty program with Intigriti.
Are you experiencing slow bug bounty lead times, gaps in security skills, or low-quality reports from researchers? Intigriti's expert triage team and global community of ethical hackers are enabling businesses to protect themselves against every emerging cybersecurity threat.
Join the likes of Intel,

_As 2022 comes to an end, now's the time to level up your bug bounty program with Intigriti._

Are you experiencing slow bug bounty lead times, gaps in security skills, or low-quality reports from researchers? Intigriti's expert triage team and global community of ethical hackers are enabling businesses to protect themselves against every emerging cybersecurity threat.

Join the likes of Intel, Yahoo, and Sixt who levelled up their security with Intigriti to enjoy higher quality bug bounty reports, faster lead times, and an intuitive platform.

Our expert triage team, renowned community management, and impact-focused customer support are enabling businesses to protect themselves against emerging cybersecurity threats.

****Build a better bug bounty program****

Intigriti is more than a bug bounty platform. Our managed security service takes the pain out of vulnerability disclosure and uses our active hacking community to suit your exact security needs.

Moving bug bounties can feel like mammoth task, with several daunting questions facing businesses when they're considering things like security, pricing, and the handover process.

But have no fear! Moving to Intigriti is as simple as saying "VDP". Founded by hackers, for hackers back in 2016, our platform is set up to make the onboarding process simple, with an emphasis on finding the most impactful areas of improvement.

Some of the benefits of moving your bug bounty program to Intigriti include:

****—** **Industry Leading Community Management****

The number of 50,000+ hackers is one thing, but we believe strongly in effective community management. By engaging and motivating our community we ensure it remains one of the most active in the industry. Moreover, we provide services that allow you to continue using some of your most trusted hackers.

****—** **Clear Pricing****

Intigriti's pricing model ensure there are no unforeseen costs. You pay for the impact of vulnerabilities found, achieving far greater cost-efficiency. Additionally, our Bug Bounty Calculator is a tool unique to Intigriti that allows you to understand quickly the potential cost of your bounty.

****—** **Transparent and Highly Secure Infrastructure****

As a security company, we understand the importance of maintaining the same high standards for ourselves. Our Trust Center is a live dashboard directly connected to our security controls that display our security posture in real time, while also providing all relevant security resources and documentation.

****—** **Dedicated Onboarding and Success Management****

Our success lies in ensuring your programs are successful. Before migrating, we offer a full audit on your current program to identify any improvement areas. From then on, our customer success team work closely with you to ensure a frictionless move.

****Crunch the numbers****

Intigriti's Bug Bounty Calculator is just one of our many unique toolkits that allow you to optimize your vulnerability disclosure program and ensure it receives the attention it deserves.

This free-to-use tool allows you to set the best bug bounty rates for your sector, giving you actionable, benchmarked data and helping you to stand out from the crowd.

Interested in learning more about Intigriti? Visit our website to find out how our unique approach to vulnerability disclosure and data breach protection is helping protect businesses across dozens of sectors.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Boost Your Security with Europe's Leading Bug Bounty Platform

Unique conditions contribute to outsized telecom fraud across the continent, but working together can bring solutions.

With the digital transformation of the post-pandemic world, Africa is seeing a massive technology revolution, especially in the telecom industry, which has shifted network infrastructure away from traditional services to more advanced commercial routers, switches, and servers. But this move hasn't been without some challenges — notably cybersecurity risks. Mordor Intelligence predicts that the entertainment and telecommunication market in Africa will register a compound annual growth rate (CAGR) of 11.2% between 2021 and 2026, but the industry must fiercely combat telecom fraud if it hopes to scale.

A persistent problem in Africa, telecom fraud was one of the central discussions at the recent Africa Tech Festival 2022, held Nov. 14-16 in Cape Town, South Africa. The event, produced by Informa Tech, focuses on technology developments and industry trends in Africa, elevating those at the forefront of digital inclusion.

In 2020, a report by the Sierra Leonean National Telecommunication Commission stated, "Africa is losing around $1.59 billion yearly to telecoms fraud." There's a huge market for attackers to exploit here, and unless organizations rethink their approach to telecom fraud, they'll fall behind the attackers. While this is a worrisome reality, it isn't all bleak for Africa.

**Telecom Fraud Thriving in Africa**

Telecom fraud is growing everywhere, but Africa has its own special conditions that leave it even more exposed to the growing threat. Termination rates to African countries are among the highest in the world, making international calls very expensive.

"The cost differential between international and national calls is frequently quite dramatic," Africa Tech attendee Gavin Stewart, vice president of sales at Oculeus, says. "Therefore, fraudsters commonly apply manipulation so that international traffic masquerades as local/national calls and therefore get cheaper rates. This is achieved by pushing the traffic down illegitimate routings, impersonating a local number ID, or both. This 'bypass' fraud activity is particularly endemic across Africa."

In roaming fraud, for example, fraudsters get hold of SIM cards and use them from overseas markets to call international revenue share numbers. It takes a minimum of three to four hours for the call records to arrive back at the home network for analysis, providing these cybercriminals ample time to fully exploit this revenue stream. The fraud can equally occur by way of a sim box where illegal international voice-over-IP (VoIP) calls are diverted onto local mobile networks. The criminals benefit from the international call charges, but because the call appears to be local, the operator is only paid for a local rate call.

Global telecom fraud usually involves CLI refiling, which Stewart describes as "a kind of bypass fraud where the identifying number of a call is deliberately manipulated to benefit from cheaper termination rates unfairly." He notes that these cheaper rates are commonly offered for national calls or calls between country pairs that have negotiated a special arrangement, or even calls between members of a large telco multi-country group. "As telco networks have largely migrated to newer SIP-based networks, the technology has inadvertently made it much easier to achieve such manipulations," he adds.

**Fighting Fire With Fire**

McKinsey reports that the African domestic e-payments market is expected to see revenues grow by approximately 20% yearly, reaching around $40 billion by 2025. Most of these payments are powered by banks and nonbank players innovating to reduce friction in domestic and cross-border payments to benefit consumers and businesses. The nonbank players in Africa are primarily telecommunications service providers and fintech organizations. The large volume of transactions in the industry is an appealing target for fraudsters.

"Africa has been a global pioneer in mobile money transactions. Equally, this new money transfer channel attracts new and complex fraud use cases. Whereas the traditional banking sector benefits from multiple security layers and controls, a fraudster or cybercriminal targeting mobile money transactions needs only to access a mobile network in order to appropriate funds," Stewart says.

The future, he opines, will be to turn the advanced techniques used by bad actors against the cybercriminals. "Since fraudsters are manipulating SIP protocols, it follows that SIP level real-time protection is vital. AI (artificial intelligence) is also widely employed by fraudsters to disguise their methods in increasingly subtle ways that can evade the logic of outmoded anti-fraud systems. It is incumbent on telcos to implement AI-based technologies if they are to have any hope of successfully detecting and mitigating AI-driven frauds today," Stewart says.

**Collaborating for a Common Cause**

Telecom fraud in Africa cuts across several strata, from multiple opt-in frauds to text messages and international call fraud, with the motherlode being mobile money transactions. However, Stewart believes anti-fraud professionals can band together to deal with the elephant in the room.

"Cybersecurity and anti-fraud professionals have a culture of mutual cooperation, even where they are working for rival companies. It's normal to share intelligence collaboratively since this is an industrywide fight. With the resumption of face-to-face networking, security professionals will exchange intelligence, in many cases concerning new fraud attack types which were themselves powered up by the pandemic conditions," he notes.

Beyond employing new technologies in the fight against fraud, companies in the telecoms industry must actively seek collaboration. "Fraudsters are extremely clever, highly organized, and will always exploit the weakest link. The telecoms community must work together to tackle the common threat and invest in innovative solutions to fight it. Telecoms networks that are not equipped with the highest quality security, insights and fraud protection will be the softest targets," says Clémentine Fournier, Africa regional vice president of sales for BICS.

Why Africa's Telecoms Must Actively Collaborate to Combat Fraud

By Habiba Rashid
Boa was discontinued in 2005 but remained popular and is now becoming a crisis because of the complex nature of how it was built into the IoT device supply chain.
This is a post from HackRead.com Read the original post: Retired Software Exploited To Target Power Grids, Microsoft

A recent alarming report by Microsoft reveals the risks attached to common Internet of Things (IoT) devices using the discontinued Boa web server. Hackers are exploiting vulnerabilities in the software to target organizations in the energy sector.

On Tuesday, Microsoft researchers revealed in an analysis their discovery of a vulnerable open-source component in the Boa web server, used widely in a range of routers and security cameras as well as popular software development kits (SDKs).

Despite the software’s retirement in 2005, it remained popular and is now becoming a crisis because the complex nature of how it was built into the IoT device supply chain is making it difficult to mitigate the Boa flaws. 

Microsoft reports that attackers are continuing their attempts to exploit the flaws of the Boa web servers which include a high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833). An unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.

“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have a much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” Microsoft said.

Microsoft’s initial discovery of the vulnerable component was made while it was investigating a suspended Indian electric grid intrusion. This followed a report in 2021 by the threat intelligence company Recorded Future detailing that a Chinese threat group was targeting operational assets within India’s power grid.

In April 2022, the firm published a new report describing attacks from another Chinese state-sponsored threat actor using IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems. 

Needless to say, the damage caused by this vulnerable component could be immense since Microsoft has identified one million internet-exposed Boa server components globally over the span of one week.

Another major concern is the fact that due to often being included in popular SDKs, the presence of a Boa server in a product is unknown by many of the users. Realtek SDK is one example of a software development kit that is provided to companies that make routers, access points, and other gateway devices and includes the Boa web server. 

Microsoft warns about the supply chain risk posed by flaws in widely-used network components as it continues to witness attacks targeting Boa vulnerabilities. 

1.  Microsoft Warns of Evolving Toll Fraud Android Malware
2.  Microsoft warns of Hackers Using Malicious IIS Extensions
3.  Microsoft Office Most Exploited Software in Malware Attacks
4.  New Spam Attack Abusing OAuth Apps to Target MS Exchange
5.  Scammers Leveraging Microsoft Team GIFs in Phishing Attacks

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Retired Software Exploited To Target Power Grids, Microsoft

Chinese threat actors have already used the vulnerable and pervasive Boa server to infiltrate the electrical grid in India, in spate of malicious incidents.

Microsoft this week identified a gaping attack vector for disabling industrial control systems (ICS), which is unfortunately pervasive throughout critical infrastructure networks: the Boa Web server.

The computing giant has identified vulnerabilities in the server as the initial access point for successful attacks on the Indian energy sector earlier this year, carried out by Chinese hackers. But here's the kicker: It's a Web server that's been discontinued since 2005.

It may seem strange that a nearly 20-year-old end-of-life server is still hanging around, but Boa is included in a range of popular software developer kits (SDKs) that Internet of Things device developers use in their design of critical components for ICS, according to Microsoft. As such, it's still used across myriad IoT devices to access settings, management consoles, and sign-in screens for devices on industrial networks — which leaves critical infrastructure vulnerable to attack on a large scale.

These include SDKs released by RealTek that are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters, researchers noted.

In April, Recorded Future reported on attacks on the Indian power sector that researchers attributed to a Chinese threat actor tracked as RedEcho. The activity targeted organizations responsible for carrying out real-time operations for grid control and electricity dispatch within several northern Indian states, and it occurred throughout the year.

It turns out that the vulnerable component in the attacks was the Boa Web server. According to a Microsoft Security Threat Intelligence blog post published Nov. 22, the Web servers and the vulnerabilities they represent in the IoT component supply chain are often unbeknownst to developers and administrators who manage the system and its various devices. In fact, admins often don't realize that updates and patches aren't addressing the Boa server, the researchers said.

"Without developers managing the Boa Web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files," researchers wrote in the post.

**Making the Discovery**

It took some digging to identify that the Boa servers were the ultimate culprit in the Indian energy-sector attacks, the researchers said. First they noticed that the servers were running on the IP addresses on the list of indicators of compromise (IoCs) published by Recorded Future at the time of the release of the initial report last April, and also that the electrical grid attack targeted exposed IoT devices running Boa, they said.

Moreover, half of the IP addresses returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool that Recorded Future identified was used in the attack, the researchers noted.

Further investigation of the headers indicated that more than 10% of all active IP addresses returning the headers were related to critical industries — including the petroleum industry and associated fleet services — with many of the IP addresses assigned to IoT devices with unpatched critical vulnerabilities. This highlighted "an accessible attack vector for malware operators," according to Microsoft.

The final clue was that most of the suspicious HTTP response headers that researchers observed were returned over a short time frame of several days, which linked them to likely intrusion and malicious activity on networks, they said.

**Gaping Security Vulnerabilities in the Supply Chain**

It's no secret that the Boa Web server is full of holes — notably including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558) — that are unpatched and need no authentication to exploit, the researchers said.

"These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the 'passwd' file from the device or accessing sensitive URIs in the Web server to extract a user's credentials," they wrote.

"Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek's SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks," they said.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities — factors that also make the existence of Boa Web servers in ICS ripe for exploitation, researchers added.

**Current Threat Activity and Mitigation**

Microsoft's research indicates that Chinese attackers have successfully targeted Boa servers as recently as late October, when the Hive threat group claimed a ransomware attack on Tata Power in India. And in their continued tracking of the activity, researchers continued to see attackers attempting to exploit Boa vulnerabilities, "indicating that it is still targeted as an attack vector" and will continue to be one as long as these servers are in use.

For this reason, it's crucial for ICS network administrators to identify when the vulnerable Boa servers are in use and to patch vulnerabilities wherever possible, as well as take other actions to mitigate risk from future attacks, researchers said.

Specific steps that can be taken include using device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments that identify unpatched devices in the network and set workflows for initiating appropriate patch processes with solutions.

Administrators also should extend vulnerability and risk detection beyond the firewall to identify Internet-exposed infrastructure running Boa Web server components, researchers said. They also can reduce the attack surface by eliminating unnecessary Internet connections to IoT devices in the network, as well as applying the practice of isolating with firewalls all IoT and critical-device networks.

Other actions to consider for mitigation include using proactive antivirus scanning to identify malicious payloads on devices; configuring detection rules to identify malicious activity whenever possible; and adopting a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility to detect and alert when IoT devices with Boa are used as an entry point to a network.

Microsoft: Popular IoT SDKs Leave Critical Infrastructure Wide Open to Cyberattack

New laws have made the current US privacy landscape increasingly complex.

With 65% of the global population expected to have its personal data covered under modern privacy regulations by 2023, respecting data privacy has never been more critical. As an example, the introduction of the federal American Data Privacy and Protection Act (ADPPA), along with the recent passage of a patchwork of state-level privacy laws, has made the current US privacy landscape increasingly complex. This results in challenges for organizations, both in managing exploding volumes of data and understanding how specific data privacy regulations apply to them.

As businesses of all sizes try to remain on top of ever-changing data privacy laws and proactively monitor relevant rules, they should also be taking necessary steps to map where consumer and employment data lives, and the potential risks to that data. By bolstering cybersecurity defenses, organizations can be better prepared for data privacy regulations, now and in the future.

Let's remember why this has become so vital. First, consumers and employees are more informed than ever about personal rights and how data privacy regulations apply to them. This is an important and positive development, considering the dramatic increase in the risk of fines and litigation for noncompliance — one of the foundations necessary for protecting individual rights.

The convergence of personally identifiable information (PII) and protected health information (PHI) also represents data risks. For example, payment information from an insurance claim, along with an email address and other digital breadcrumbs found on the Internet, can be used to steal identities or result in data exfiltration. In addition, the adoption and long-term acceptance of hybrid work models can create challenges. Some organizations ask their employees very focused questions about behaviors and work-from-home arrangements for measuring productivity. Depending on the specific questions, there could be further privacy implications.

**Landscape of Confusion**

Given the vast varieties and jurisdictions of the current data privacy and protection regulations, there can be some confusion. For example, US companies located in North Dakota that conduct business domestically may be somewhat less preoccupied with rules that apply overseas. By contrast, for US organizations offering goods and services in the UK or EU, regulations such as the General Data Protection Regulation (GDPR) — along with the potential for penalties if they are breached — may well apply.

Additionally, in some organizations preconceptions related to the size of the company could cause compliance or regulatory issues, such as believing a company is too small for the data privacy regulations to apply. While it's true that most of the newer regulations focus on companies of a certain size, the actual sizing criteria may relate to a range of factors, such as the number of employees or annual revenue. Whether data privacy regulations apply or not might also depend on the volume of consumer information an organization handles.

The point is, every set of regulations has nuances, which is why it's important to understand both the relevance and boundaries of each. This should be monitored under regular review, particularly as organizations grow and regulations begin to apply where they didn't before. For instance, there have been recent developments around the new EU–UK Data Privacy Framework, also known as Privacy Shield 2.0, concerning intelligence activities.

A good rule of thumb is to follow best practices as soon as possible, so when the need for formal compliance arrives, everything is in place. The risk of getting it wrong is serious, with organizations potentially facing massive fines for non-compliance. That says nothing of the impact to brand reputation when a serious breach is revealed, including loss of consumer, employee, or investor confidence, where the effects can be prolonged and painful.

**Time for Federal Laws?**

New data privacy laws are being proposed on a regular basis. There are five US states set to have key regulations going into effect in 2023: California, Virginia, Colorado, Connecticut, and Utah. With 10% of US states to be covered by data privacy legislation by the end of next year, it's clear that a federal law would be useful.

In particular, federal legislation could play a critical role in aligning the US with other countries on the subject of data privacy. It would also provide vendors and users with much-needed clarity on how to use, store, and manage sensitive data. This alone would go a long way in clearing up the widespread confusion that abounds due to the existing patchwork of regulation. While the exact timing of federal legislation like the proposed ADPPA is unclear, it's not a matter of if, but when.

Overall, data and the laws that govern its protection exist within a rapidly evolving regulatory ecosystem. Further change — both domestically and internationally — is inevitable. Therefore, organizations must focus on the short- and long-term responsibilities of handling and safeguarding data. It's not just the right thing to do ethically and morally, it also represents sound decision making for the health of the business.

Tag

#intel