Cyber Security News — Past 24 hours | 02.05.2021
Microsoft Warns of 25 Critical Vulnerabilities in IoT, Industrial Devices
Dubbing the newly discovered family of vulnerabilities «BadAlloc,» Microsoft's Section 52, the Azure Defender for IoT security research group, said the flaws have the potential to affect a wide range of domains, from consumer and medical IoT devices to industrial IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center (MSRC).
«Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,» the report says. On a positive note, Section 52 said it has not yet seen any of the vulnerabilities exploited in the wild. The researchers disclosed their findings to the affected vendors through a responsible disclosure process led by the MSRC and the Department of Homeland Security, leaving the vendors to investigate and patch the vulnerabilities where appropriate.
A separate advisory by the Cybersecurity and Infrastructure Security Agency (CISA) includes a full list of affected devices, which comprises a number of products from Texas Instruments as well as others from ARM, Samsung and Amazon, among other vendors.
If administrators of networks on which affected devices are present cannot apply patches to fix the problem, CISA and Microsoft have recommended other mitigations.
CISA recommends minimizing network exposure for all control system devices and systems and ensuring that they are not reachable from the internet, where they are low-hanging fruit for threat actors.
The agency also advised that system administrators practice network segmentation, isolating control system networks and remote devices from the business network and placing them behind firewalls.
BigBasket Data Leak — Over 20 Million Personal Records Published on Hacking Forum
We reported a previous BigBasket data leak in November 2020, in which the data of over 20 million BigBasket customers was exposed on the dark web.
According to the reports, when BigBasket itself confirmed the breach in November 2020, ShinyHunters was trying to trade the stolen database in private sales on hacker forums. At the time, BigBasket CEO Hari Menon said that the experts handling the incident had urged the company not to reveal any information about the breach, as this could impede the investigation.
ShinyHunters generally sells older breached databases privately in such sales. Now, according to the reports, the group has released the whole database for free; it contains the personal information and passwords of more than 20 million BigBasket users. Security experts note that ShinyHunters has also been implicated in other data breaches, including Tokopedia, TeeSpring, Minted, Chatbooks, Dave, Promo, Mathway and Wattpad.
Other members of the forum where ShinyHunters posted the leaked database of 20 million users have already cracked 2 million of the passwords, and one member claimed that more than 700k users in the leaked database used “password” as the password for their BigBasket account.
As a security measure, analysts have recommended that all BigBasket users immediately change the password of their BigBasket account, and also change it on any other site where they use the same leaked password.
Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks
An «aggressive» financially motivated threat group exploited a zero-day flaw in SonicWall SMA 100 series remote access appliances before the company patched it, using the access to deploy a new strain of ransomware called FIVEHANDS. «UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,» Mandiant researchers said. On January 22, The Hacker News exclusively revealed that SonicWall had been breached through «probable zero-day vulnerabilities» in its SMA 100 series remote access devices. UNC2447 attacks involving ransomware infections were first observed in the wild in October 2020; the group initially compromised targets with HelloKitty ransomware before switching to FIVEHANDS in January 2021.
Incidentally, both ransomware strains, written in C++, are rewrites of another ransomware called DeathRansom. «Based on technical and temporal observations of HelloKitty and FIVEHANDS deployments, HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021,» the researchers said. FIVEHANDS also differs from DeathRansom and HelloKitty in its use of a memory-only dropper and in additional features that allow it to accept command-line arguments and to use the Windows Restart Manager to close a file that is currently in use before encrypting it.
Microsoft Finds ‘BadAlloc’ Flaws Affecting Wide-Range of IoT and OT Devices
Microsoft researchers on Thursday disclosed two dozen vulnerabilities affecting a wide range of Internet of Things and Operational Technology devices used in industrial, medical, and enterprise networks that could be abused by adversaries to execute arbitrary code and even cause critical systems to crash. «These remote code execution vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems,» said Microsoft's ‘Section 52’ Azure Defender for IoT research group. The flaws have been collectively named «BadAlloc,» for they are rooted in standard memory allocation functions spanning widely used real-time operating systems, embedded software development kits, and C standard library implementations. A lack of proper input validation in these memory allocation functions could enable an adversary to perform a heap overflow, leading to the execution of malicious code on a vulnerable device. The missing check is on the allocator's own size arithmetic: when an attacker-influenced request size is close to the top of the address range, adding the allocator's bookkeeping overhead or alignment padding wraps around, the function returns a block far smaller than requested, and the caller's subsequent write runs past the end of it.
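The toy bump allocator below is example code written for this digest to illustrate the allocation flaw described above; it is not code from Microsoft, CISA or any affected vendor. Its block size calculation adds a bookkeeping header and alignment padding to the caller's size with no wraparound check, so a huge length (say, a length field read from a packet) wraps to a tiny block that also passes the allocator's own capacity check; a caller that then copies the full length into that block overflows the heap. The hardened version rejects any size whose bookkeeping arithmetic would wrap. The arena size, header size, alignment and the constructed attacker length are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative bump allocator for a small embedded heap (example code for
 * this digest, not any vendor's implementation). Every block is preceded by
 * a HEADER_SIZE-byte bookkeeping header and rounded up to ALIGN bytes.
 * These constants are assumptions chosen for the example. */
#define ARENA_SIZE  4096u
#define HEADER_SIZE 16u
#define ALIGN       8u

static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

void arena_reset(void) { arena_used = 0; }

/* BadAlloc pattern: header and padding are added to an untrusted size with
 * no wraparound check. For n close to SIZE_MAX the sum wraps to a tiny value. */
size_t bad_block_size(size_t n) {
    return (n + HEADER_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

void *bad_alloc(size_t n) {
    size_t block = bad_block_size(n);
    /* The capacity check is satisfied by the wrapped value, so the allocator
     * hands out a block far smaller than the caller asked for. */
    if (block > ARENA_SIZE - arena_used) return NULL;
    unsigned char *p = arena + arena_used + HEADER_SIZE;
    arena_used += block;
    return p;
}

/* Hardened: detect wraparound before it happens. Returns false, and leaves
 * *block untouched, for any n whose bookkeeping arithmetic would overflow. */
bool safe_block_size(size_t n, size_t *block) {
    if (n > SIZE_MAX - HEADER_SIZE - (ALIGN - 1)) return false;
    *block = (n + HEADER_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return true;
}

void *safe_alloc(size_t n) {
    size_t block;
    if (!safe_block_size(n, &block)) return NULL;
    if (block > ARENA_SIZE - arena_used) return NULL;
    unsigned char *p = arena + arena_used + HEADER_SIZE;
    arena_used += block;
    return p;
}

/* Bytes actually reserved for the caller's payload, signed so that a
 * negative result shows the block is smaller than its own header: every
 * payload byte written would land on other heap data. */
long usable_bytes(size_t block) {
    return (long)block - (long)HEADER_SIZE;
}

int main(void) {
    /* Constructed "length" field as an attacker might send it: just below
     * SIZE_MAX, so that adding the overhead wraps to a small number. */
    size_t evil_len = SIZE_MAX - 8;

    arena_reset();
    size_t bad = bad_block_size(evil_len);
    void *p = bad_alloc(evil_len);
    printf("bad_alloc(%zu): block=%zu bytes, usable=%ld, ptr=%p\n",
           evil_len, bad, usable_bytes(bad), p);
    /* A memcpy(p, payload, evil_len) here would run off the end of the arena. */

    arena_reset();
    printf("safe_alloc(%zu): %s\n", evil_len,
           safe_alloc(evil_len) ? "allocated (BUG)" : "rejected");
    return 0;
}
```

Note that the vulnerable allocator's capacity check is not wrong in itself; it is simply evaluated on a value that has already wrapped, which is why the fix has to be applied to the size arithmetic before any later bounds check. The same pre-check belongs in front of the multiplication inside any calloc-style routine that computes count times element size.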
«Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution,» the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. Affected products named in the advisory include:
NXP MQX, Versions 5.
Samsung Tizen RT RTOS, versions prior to 3.0
Texas Instruments CC32XX, versions prior to 4.40.00.07
Texas Instruments SimpleLink MSP432E4XX
Microsoft said it has found no evidence of these vulnerabilities being exploited to date, although the availability of the patches could allow a bad actor to use a technique called «patch diffing» to reverse engineer the fixes and weaponize them against unpatched versions of the software.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT