A vulnerability has been identified in Opcenter Quality V13.1 (All versions < V13.1.20220624), Opcenter Quality V13.2 (All versions < V13.2.20220624). The affected applications do not properly validate login information during authentication. This could lead to denial of service condition for existing users or allow unauthenticated remote attackers to successfully login without credentials.

%PDF-1.5 %���� 54 0 obj << /Length 2921 /Filter /FlateDecode >> stream x���r�H�=\_����ƍ���vBTf�0�5��r�·�d2����\[�ecʰU�����>}�v=DI�������+a"C�b\*M#��T�HC$��h}�o�|�/����4����r0�2.�on�|򵨖0ɓ�O��f����\\N�����f�G��F��\]���sF�$�\[$ќF��٧��h�~��M=ٕ�HHN��0�E�g�%���l�D�T$I�!�� F� H��"ʉZ7$ �\*��=!�d�w �Rʎ9�%DP�9�BK�Hy��2��٦�����E\]���X.v a���A�Rb�߻���M�"D&$1�!��!/�����E�sN���s!���(=�Ӥ:�= S���(�l���}1C�!D0�0��)�n��G��2�js��yGE��I�0�4�#ǁP4� ފ��Ѿ^����-Y�R!�%M�bǸ�ę;��u��wבu\\t �$�����:�Y�\[�f\_fu�r\*X�Ɔ�R��q;��n�U��s���\]RS��\]�N��i�e��nAS�$������m� �w�Y��H1^���V26D핂C��@A��� �����+Q^ �woߞ�d���w4�v�R \`q4���$��1�2���7��l�\_�fb�L����OA#�K�t��I��v������n�ι�k=�}�j}ʀ�j�WL�i��ca�ey��i�y��zfI�q6�-�<�����C֌ǹ;^y�e���ժ��0aY�q����I�(���

CVE-2022-33736

A vulnerability has been identified in EN100 Ethernet module DNP3 IP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.40), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). Affected applications contains a memory corruption vulnerability while parsing specially crafted HTTP packets to /txtrace endpoint manupulating a specific argument. This could allow an attacker to crash the affected application leading to a denial of service condition

%PDF-1.5 %���� 60 0 obj << /Length 2522 /Filter /FlateDecode >> stream x��Z\[S�H~�W�Q�Z7}����I1;����yPl��+�0��s�"#�±G�JZm��s�Υ�G������\*2�H\*��\]�0�RF�$�����s<���t^�T�x�NV�\`HD�������)+0�p���z�X~�/��Iyz~3��ǃ?ƿ����D�!�R�D�ǣ��h ��aČ��ݛ� �\`<�FG�=�A��o��O ����hj���k�N?H0d�Ru ���AA�����1�fS ""t�� E����5R\[f�#l� @�B�����5 �Fې�R��a�l��ֺCJ5�D�"��6 ,1�IS��E���e��o �0FX�>0��;�Q3Ą�&�%�0m �q q����<��ͬsm�a\`'�{�a\`k.w��Vf�@��3d�#�E�9QH��@�"Doc�S�5�ϯ��K���b

CVE-2022-30938

Advice comes as cost of cybercrime ‘increases’

Advice comes as cost of cybercrime ‘increases’

  

The UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have released a joint letter urging the legal industry not to pay ransomware demands.

The letter (PDF) was released following an increase in the number of ransomware payments as tracked by both organizations and a growing suspicion that solicitors are advising their clients to give in to extortionate demands.

“In their letter, the NCSC – which is a part of GCHQ – and the ICO state that they have seen evidence of a rise in ransomware payments, and that in some cases solicitors may have been advising clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO,” it reads.

“The two organizations ask the Law Society to clarify to its members that this is not that case, and that they do not encourage or condone paying ransoms, which can further incentivise criminals and will not guarantee that files are returned.”

**Billion-pound industry**

The statement claims that the cost of cybercrime is “in the billions”, citing figures from the Economic and Social Costs of Crime report that estimated there was an overall cost of £1.1bn ($1.19bn) from computer misuse incidents against individuals in England and Wales in the 2015/16 financial year.

Signed by John Edwards, UK information officer at the ICO, and Lindy Cameron, CEO at the NCSC, the letter also encourages those working in the legal industry to work together with the two bodies to “collaborate further” in issues surrounding cybercrime.

Read more of the latest ransomware news

Cameron said: “Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations.

“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.

“Cyber security is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”

Edwards commented: “We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks.”

He added: “I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”

YOU MAY ALSO LIKE SMEs slow to adopt MFA – study

UK NCSC and ICO urge legal sector to discourage businesses from paying ransomware demands

Unsophisticated campaigns use off-the-shelf RATs and other tools to exfiltrate data and demand a ransom to keep it private.

A little social engineering and commercially available remote administration tools (RATs) and other software are all the new Luna Moth ransom group has needed to infiltrate victims' systems and extort payments.

The threat group is essentially pulling off ransom attacks without the ransomware, according to researchers at Sygnia, who today published their findings on Luna Moth.

With co-opted branding from Zoho Masterclass and Duolingo, Luna Moth launches a classic phishing campaign to compromise victim devices and exfiltrate any available data. Phishing emails request a payment for a subscription and offer a PDF attachment with a cell phone number to call for more information. When the victim calls to discuss the invoice, the call is answered by the threat actor, who will try to trick the victim into installing Atera, a widely available RAT, giving the attackers full device control.

The researchers observed Luna Moth abusing other off-the-shelf remote administration tools including Splashtop, Syncro, and AnyDesk for device takeover. In addition to RATs, commercially available tools like SoftPerfect Network Scanner, SharpShares, and Rclone were used to access and exfiltrate data, the researchers added.

"The tools are stored on compromised machines under false names masquerading as legitimate binaries," Sygnia said it in its report on Luna Moth. "These tools, in addition to the RATs, provide the threat actors with the means to conduct basic reconnaissance activities, access additional available assets, and exfiltrate data from compromised networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Luna Moth' Group Ransoms Data Without the Ransomware

In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.

In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.

Axie Infinity, a popular destination for 3 million traders of in-game collectible non-fungible tokens, reportedly lost $540M in cryptocurrency in a recruiting-themed spear phishing attack. The perpetrators of the crime are believed to be an advanced persistent threat group with ties to North Korean.

The report comes from the publication The Block, which said on March 23rd hackers took control of private keys tied to four validator nodes. Those nodes, according to the report, belong to the Ronin Network – which Axie runs on. The second node belongs to the Axie DAO – a decentralized organization that supports the game’s ecosystem.

A private key, similar to a password, is a secret number that is used in blockchain cryptography. Validator nodes are computers that, together, maintain a blockchain network by, among other things, validating and processing transactions.

Ronin is supported by nine validators so, by controlling five, the attacker possessed majority control over the network. Axie and Ronin are developed by Sky Mavis.

“Axie systems relied on a relatively small number of validators,” Ryan Spanier, vice president of Innovation at Kudelski Security, explained to Threatpost via email. “This is not a typical practice for public chains, although we do see this in permissioned chains similar to Axie,” he said.

The problem wasn’t just that there were too few validators, but that those validators were all concentrated in one place. “The validators were not well distributed between independent organizations,” Spanier continued, “which means the attacker only truly had to compromise one organization. Essentially, they had a decentralized blockchain model but were vulnerable to a centralized threat vector.”

With majority control, the attackers were able to effectively write checks to themselves, Spanier said. They stole 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC) in all. At the time, that added up to approximately $540 million  in value.

The following month, the U.S. Treasury Department tied the Ethereum wallet address behind the attack to North Korea’s Lazarus Group. What wasn’t clear until this week is how did the attackers gain control over those validators?

**A Malicious Job Offer**

On March 30, the Ronin Network newsletter stated that “all evidence points to this attack being socially engineered, rather than a technical flaw.” The disclosure did not elaborate further. Now two anonymous sources have come forward who claim “direct knowledge of the matter” are share with reporters at The Block the unconfirmed inside story about what happened.

Sources told The Block earlier in the year some Sky Mavis staff were approached with job opportunities by recruiters on LinkedIn. One engineer, following “multiple rounds of interviews,” was offered a job “with an extremely generous compensation package.” The offer came in the form of a PDF which, once the engineer clicked to open, downloaded spyware to his computer. From there, the attackers moved laterally into Ronin’s IT systems, allowing them to steal those coveted validator private keys, according to The Block.

Mollie MacDougall, director of threat intelligence at Cofense, put it bluntly in an email to Threatpost. “Blockchain platforms should do what every other organization should do: implement an effective phishing defense program that combines technology with the human layer of security.”

“Imagine only one of those employees had reported that email to Axie’s security team. Then imagine that the team could have identified, removed, and notified any other recipients of that email. It could have stopped the attack early in its tracks.”

Popular NFT Marketplace Phished for $540M

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.16.0 doesn't escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks.

CVE-2022-2092

The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.

%PDF-1.7 %���� 1 0 obj <>/Metadata 374 0 R/ViewerPreferences 375 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��W�n�6�o�����Q�\_��@b'Y�� /C�j+��X��\[io�C9���2�Z�Цh��;�|�䰪gW٤F�a\]g�/�\]$�r�)�-��,��Y=+�$\]~����y6ͫ���(9M5�������(���Z�� e)�W�JF�BU����\*���u ������-������<������ۛ{o�:��ޣ1=a������c���&V"�,��AEװ�4u |�N����Oh���;�k^"����\`���u\]��mzR��7��XYK�ܠ,S��DX��\]M@U��O.�??�v+��J���H�����(�8����P+|Z��e$��bG�kt\`���l���5����ne�/�1��C 8� �4�U|���~/��c(IY� �~�v�h�KV\\#��oi�cC� R���|x@)��J�Y��{���\`�P��G&1?����.�\\C˔%.��ю�j� 3������ɥ���5�І|��������9i)i�s���|�/�Ydq ��.��O/S�<��?�\[�^���B����\`}�'��Ǉ\\�g�<�����q\]=n����~@�ڨP=�p.:G#%҄�<� b�l�j\[ϖ�of��\_�ço���{�QM8ߎ� t�}o�v�0�1!{�Aw�uH�&� pA�=�|�}uŕ#6���N�{F�>�^���rmj�볜@�V\\.^�A��p�+G4��Uf��\`=�H�)\[r�s�j�a�p�4�BT�\*q�-� eZ<�dYF��śu����r!(�9rG�����Й3�㣕�G�n��"��3 ��#9�����ƾ���H������y�=C,.��˶x�@7Q��%,H<�o�S����s� ,.�s?�Z�ICw7-�ݭ�i\_�+�w�=�����N��}��Α�uѱ��� �#�����i�)�&$�82mZno�\[ϖ���怒���n7�@+�TUܵPIT�̻��P�\[8���0���V$Ha@i���j��C1C$az �����W$.��Q:Eʷ��-τoj/K���/T�\_�rq+ endstream endobj 5 0 obj <> stream ����JFIF\`\`��JExifMM\*2:(\`\`��XICC\_PROFILEHLinomntrRGB XYZ � 1acspMSFTIEC sRGB���-HP cprtP3desc�lwtpt�bkptrXYZgXYZ,bXYZ@dmndTpdmdd��vuedL�view�$lumi�meas$tech0rTRC<gTRC<bTRC<textCopyright (c) 1998 Hewlett-Packard CompanydescsRGB IEC61966-2.1sRGB IEC61966-2.1XYZ �Q�XYZ XYZ o�8��XYZ b����XYZ $����descIEC http://www.iec.chIEC http://www.iec.chdesc.IEC 61966-2.1 Default RGB colour space - sRGB.IEC 61966-2.1 Default RGB colour space - sRGBdesc,Reference Viewing Condition in IEC61966-2.1,Reference Viewing Condition in IEC61966-2.1view��\_.���\\�XYZ L VPW�meas�sig CRT curv #(-27;@EJOTY^chmrw|������������������������� %+28>ELRY\`gnu|����������������&/8AKT\]gqz������������!-8COZfr~���������� -;HUcq~��������� +:IXgw��������'7HYj{�������+=Oat�������2FZn�������  % : O d y � � � � � �  ' = T j � � � � � �"9Qi������\*C\\u����� & @ Z t � � � � �.Id���� %A^z���� &Ca~����1Om����&Ed����#Cc����'Ij����4Vx���&Il����Ae����@e���� Ek���\*Qw���;c���\*R{���Gp���@j���>i���  A l � � �!!H!u!�!�!�"'"U"�"�"�# #8#f#�#�#�$$M$|$�$�% %8%h%�%�%�&'&W&�&�&�''I'z'�'�( (?(q(�(�))8)k)�)�\*\*5\*h\*�\*�++6+i+�+�,,9,n,�,�--A-v-�-�..L.�.�.�/$/Z/�/�/�050l0�0�11J1�1�1�2\*2c2�2�3 3F33�3�4+4e4�4�55M5�5�5�676r6�6�7$7\`7�7�88P8�8�99B99�9�:6:t:�:�;-;k;�;�<'

CVE-2022-1794

In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected.

%PDF-1.7 %���� 1 0 obj <>/Metadata 381 0 R/ViewerPreferences 382 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��Wmo�6�n������N�$v��X��2A���z�-ϑ��'�\_�v�4����3�)��=����s�('7ٰ$GG��̆\_��������~�w>f��,+'Ŭ�.?���s���E�KN�=�9O-ߵ\[�\[�q�x����"!&1L�\`ސE�n����\[�~��3��í'�i��y;�ƹ!�����zXW�07���=��3A�X2�i�D�!���k�Ϥ&0�����I���y�uEI�޵\[���K��Xr��Q�Г�,�i�Oϊ��������-d�aN��2�=�\]5�\*���6��W���\] @��֯h/��C?r�4�5M#����bC��4\]�5������� ��U�cI-��r� ��� A� 0Q:�a�LW��<�߶\[�#�t��P\`�{o��w~�fcB�Y�\[����~����,U1<�\\j�5�Y���-\\.W�kaW� ��ˣu�t� �Za

CVE-2022-30792

The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged. 
According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing

The $540 million hack of Axie Infinity's Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged.

According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing the individual to download a fake offer document disguised as a PDF.

"After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package," the Block reported.

The offer document subsequently acted as a conduit to deploy malware designed to breach Ronin's network, ultimately facilitating one of the crypto sector's biggest hacks to date.

"Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised," the company said in a post-mortem analysis in April.

"This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes."

In April 2022, the U.S. Treasury Department implicated the North Korea-backed Lazarus Group in the incident, calling out the adversarial collective's history of attacks targeting the cryptocurrency sector to gather funds for the hermit kingdom.

Bogus job offers have been long employed by the advanced persistent threat as a social engineering lure, dating back as early as August 2020 to a campaign dubbed by Israeli cybersecurity firm ClearSky as "Operation Dream Job."

In its T1 Threat Report for 2022, ESET noted how actors operating under the Lazarus umbrella have employed fake job offers through social media like LinkedIn as its strategy for striking defense contractors and aerospace companies.

While Ronin's Ethereum bridge was relaunched in June, three months after the hack, the Lazarus Group is also suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge.

The findings also come as blockchain projects centered around Web 3.0 have lost more than $2 billion to hacks and exploits in the first six months this year, blockchain auditing and security company CertiK disclosed in a report last week.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Used Fake Job Offer to Hack and Steal $540 Million from Axie Infinity

By Deeba Ahmed
Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity…
This is a post from HackRead.com Read the original post: Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity

****Earlier in March this year, Ronin Network (RON), a blockchain network underpinning the famous crypto game Axie Infinity and Axie DAO suffered the largest crypto hack against a decentralized finance network reported to date.****

In May 2022, the United States issued an advisory according to which highly skilled hackers from North Korea were trying to get employed by posing as IT freelancers. Now, it has been revealed that Axie Infinity hacking was socially engineered in which North Korean government-backed hacker group Lazarus used a fake job offer to infiltrate Sky Mavis’ network by sending one of the company’s employees a PDF file containing spyware.

Lazarus’ involvement in such a high-profile hack should not come as a surprise. In January 2022, researchers from different crypto security firms concluded that North Korean hackers have so far stolen $1.3 billion from cryptocurrency exchanges across the globe, while their prime suspect in these hacks was the infamous Lazarus gang.

**Axie Infinity Hack**

The employee, an ex-senior engineer at the company, took the bait and thought that it was a high-paying job offer from another company and opened the PDF. However, in reality, this company didn’t exist. During the recruiting process, the ex-employee gave away critical personal information, which attackers used to steal from the company.

Sky Mavis explained that its employees are constantly threatened by “advanced spear-phishing attacks on various social channels.” In this instance, one employee was fooled, who doesn’t even work at Sky Mavis anymore.

It is worth noting that the play-to-earn game Axie Infinity is a Pokemon-inspired game developed by Sky Mavis and rakes in approximately $15 million in revenue daily.

**How was Ronin Hacked?**

According to The Block, when the hacking took place, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin.

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

The attacker had to capture five out of nine validators to infiltrate the company’s networks. The spyware-laced PDF helped the attacker control 4 validators and access the community-run Axie DAO (Decentralized Autonomous Organization), from where they got control of the 5th validator.

After compromising the network, the attackers stole $25 million worth of USDC stablecoin and 173,600 ether (roughly $597 million) from Axie Infinity’s treasury, collectively stealing crypto worth around $625 million.

Nevertheless, Ronin sidechain increased the number of validators to 11 to enhance security, whereas Sky Mavis is reimbursing Axie Players who lost crypto due to the attack. The company underwent a $150 million funding round back in April 2022.

**Lazarus Hackers**

The US government claims that the notorious North Korean hacker group Lazarus is responsible for the attack. This group specializes in such attacks.

This isn’t the first time that Lazarus has targeted the blockchain industry. However, this is uncommon for Lazarus to use social engineering to invade a company’s networks. In fact, in June 2020, Slovak internet security company ESET warned LinkedIn users of Lazarus’ involvement in a sophisticated LinkedIn recruiter scam targeting military and aerospace firms.

**More Lazarus Gang Hacks**

1.  US-Cert warns of North Korean BLINDINGCAN malware
2.  Lazarus Group’s AppleJeus MacOS malware targeting crypto exchanges
3.  NK Hackers infect authentic 2FA apps to infect Mac devices with malware
4.  LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users
5.  Lazarus hackers use Magecart attack to steal card data from EU, and US sites

Tag

#pdf