The Host Unknown Podcast

Episode 124 - Andy... Andy...? ANDY...!

Episode Summary

This week in InfoSec takes us on a trip down infosec memory lane. Rant of the Week is a cryptographic surprise. Billy Big Balls again celebrates young criminals. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week lifts the veil on a career in infosec.

Episode Notes

This week in InfoSec

October 12, 1988 (a mere 34 years ago)

Hailed by Steve Jobs as a computer "five years ahead of its time", NeXT, Inc. introduces the NeXT Computer. Because of its cube-shaped case, the computer was often referred to as "The Cube" or "The NeXT Cube", which led to the subsequent model officially being named "NeXTcube". The new computer brought several innovations to personal computers, such as an optical storage disk drive, a built-in digital signal processor for voice recognition, and an object-oriented development environment that was truly years ahead of its time.

While not a commercial success, the NeXT Computer and the technology developed for it have a long and storied history. Tim Berners-Lee developed the first World Wide Web server and web browser on a NeXT computer, crediting the NeXT development tools for allowing him to rapidly build what is now a ubiquitous part of the Internet. After Apple purchased NeXT in 1997, it used the NeXT operating system as the base of Mac OS X. Apple's iOS, which runs the iPhone and iPad, was in turn based on Mac OS X and so traces its lineage to NeXT. Finally, the object-oriented development environment that Berners-Lee used to create the World Wide Web is the forerunner of the environment today's programmers use to develop iPhone and iPad apps. If it wasn't for the NeXT Computer back in 1988, Thom might not have his iPhone 14 Pro Max today.


RANT of the Week

https://www.infosecurity-magazine.com/news/claroty-found-cryptographic-keys/

Claroty Found Hardcoded Cryptographic Keys in Siemens PLCs Using RCE 

Team82, the research arm of New York-based industrial cybersecurity firm Claroty, revealed on October 11, 2022, that it had managed to extract heavily guarded, hardcoded cryptographic keys embedded within the SIMATIC S7-1200/1500, a range of Siemens programmable logic controllers (PLCs), and TIA Portal, Siemens' automation engineering software platform.

They deployed a new remote code execution (RCE) technique targeting the central processing units (CPUs) of SIMATIC S7-1200 and S7-1500 PLCs, building on a vulnerability uncovered in their previous research on Siemens PLCs (CVE-2020-15782) that let them bypass the PLC's native memory protections and gain read/write access to protected memory.

With that access they were able not only to extract the internal, heavily guarded private key used across the Siemens product lines, but also to implement the full protocol stack and to encrypt and decrypt protected communications and configurations.

“An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access-level protections. [They] could [also] use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way,” Team82 warned in the research paper.

CVE-2022-38465 has been assigned to the new vulnerability found by Team82, and given a CVSS v3 score of 9.3.

Team82 disclosed all technical information to Siemens, which released new versions of the affected PLCs and engineering workstation that address this vulnerability, urging users to move to current versions.

In its advisory, Siemens also provided a series of key protection updates, workarounds and mitigations.

This disclosure has led to the introduction of a new TLS management system in TIA Portal v17, ensuring that configuration data and communications between Siemens PLCs and engineering workstations are encrypted and confidential.
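The point of Team82's warning above is a design failure rather than a single bug: when one private key is shared by every device in a product line, extracting it from a single unit (by whatever means, here the memory read the RCE gave them) lets an attacker decrypt and forge protected data for every other unit, and no patch can revoke a key that is already baked into shipped firmware. The following added example is constructed for this page and is not Team82's or Siemens' code, protocol or key material: it models "protected configuration" as an encrypt-then-MAC blob, seals configurations for a small constructed fleet under two designs (one fleet-wide key, then one key per device), and shows what an attacker who has stolen the key from one device can read and forge in each case. The keystream, key derivation, serials and config contents are all illustrative stand-ins.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a product-line-wide secret baked into firmware.
# This is NOT Siemens key material; any constant shared by all units shows the problem.
GLOBAL_FIRMWARE_KEY = hashlib.sha256(b"constructed global key").digest()

# Hardened alternative: a per-device secret provisioned at manufacture. Here it is
# derived from a constructed factory secret plus the serial so the demo is deterministic.
FACTORY_SECRET = hashlib.sha256(b"constructed factory secret").digest()


def per_device_key(serial: str) -> bytes:
    return hmac.new(FACTORY_SECRET, b"device-key|" + serial.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256, for illustration only.
    # Real code should use an AEAD such as AES-GCM or ChaCha20-Poly1305.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, serial: str, config: bytes) -> bytes:
    """Encrypt-then-MAC a configuration for one device; the serial is bound into the tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(config, _keystream(key, nonce, len(config))))
    tag = hmac.new(key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, serial: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext configuration, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed fleet: serial -> protected configuration contents.
FLEET = {
    "PLC-A": b"password=admin1;level=4",
    "PLC-B": b"password=line2;level=3",
    "PLC-C": b"password=pump3;level=4",
}


def attack(keys: Dict[str, bytes], stolen_from: str,
           sealed: Dict[str, bytes]) -> Tuple[Dict[str, bool], bool]:
    """Attacker holds only the key recovered from `stolen_from` (standing in for the
    memory read described in the article). Returns which configs they can decrypt and
    whether a forged config for PLC-C is accepted by PLC-C's own key."""
    stolen = keys[stolen_from]
    readable = {s: unseal(stolen, s, b) is not None for s, b in sealed.items()}
    forged = seal(stolen, "PLC-C", b"password=attacker;level=0")
    forge_accepted = unseal(keys["PLC-C"], "PLC-C", forged) is not None
    return readable, forge_accepted


def run_demo() -> Dict[str, Tuple[Dict[str, bool], bool]]:
    results = {}
    # Design 1: one key for the whole product line (the pattern the article describes).
    keys = {s: GLOBAL_FIRMWARE_KEY for s in FLEET}
    sealed = {s: seal(keys[s], s, c) for s, c in FLEET.items()}
    results["global"] = attack(keys, "PLC-A", sealed)
    # Design 2: unique key per device; stealing PLC-A's key exposes PLC-A only.
    keys = {s: per_device_key(s) for s in FLEET}
    sealed = {s: seal(keys[s], s, c) for s, c in FLEET.items()}
    results["per_device"] = attack(keys, "PLC-A", sealed)
    return results


if __name__ == "__main__":
    for design, (readable, forge_accepted) in run_demo().items():
        print(f"{design:10s} readable={readable} forged config accepted={forge_accepted}")
```

Under the fleet-wide design the attacker who pulled the key from PLC-A reads all three configurations and PLC-C accepts a configuration the attacker wrote; under the per-device design only PLC-A's data is exposed and the forgery fails the tag check. The example also shows why Siemens' fix had to be a new key-management scheme rather than a firmware patch: a compromised global key cannot be rotated out of devices that already embed it, which is what "irreparable" means in the Team82 quote above.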


Billy Big Balls of the Week

https://www.bleepingcomputer.com/news/security/police-arrest-teen-for-using-leaked-optus-data-to-extort-victims/

Police arrest teen for using leaked Optus data to extort victims

The Australian Federal Police (AFP) have arrested a 19-year old in Sydney for allegedly using leaked Optus customer data for extortion.

More specifically, the suspect used 10,200 records leaked last month by the Optus hackers and contacted victims over SMS to threaten that their data would be sold to other hackers unless they paid AUD 2,000 ($1,300) within two days.

The scammer used a Commonwealth Bank of Australia account to receive the ransom money. The AFP identified the account and obtained from the bank information about the holder.

According to the AFP, the arrested young man allegedly sent blackmail messages to 93 individuals whose personal information was exposed in the Optus data leak. None of them paid the ransom, though.

The suspect now faces charges for:

Using a telecommunication network with the intent to commit a serious offense (blackmail), contrary to section 474.14 (2) of the Criminal Code Act 1995 (Cth), punishable by up to 10 years of imprisonment

Dealing with identification information, contrary to section 192K of the Crimes Act 1900 (NSW), punishable by a maximum of 7 years in prison

The hackers behind the Optus breach have not been identified but AFP's investigation is still underway as part of "Operation Hurricane."

"The Hurricane investigation is a high priority for the AFP, and we are aggressively pursuing all lines of inquiry to identify those behind this attack," stated Assistant Commissioner Gough.

Announcing the international operation was apparently enough to discourage the threat actors from continuing their extortion, even leading to them declaring that all data stolen from Optus had been deleted.

Two days ago, Optus published an update on the results of its ongoing internal investigation, confirming that 9.8 million customers were affected to varying degrees, and that 2.1 million of them had their government ID numbers compromised.

Many of these people will now need new IDs issued. The Australian government is demanding that Optus cover the costs of this process.


Industry News

Lloyd's of London cuts off network after dodgy activity detected

Malicious WhatsApp Mod Spotted Infecting Android Devices

Chinese APT WIP19 Targets IT Service Providers and Telcos

Budworm Espionage Group Returns, Targets US State Legislature

IP Cameras, VoIP and Video Conferencing Revealed as Riskiest IoT Devices

UK Government Urges Action to Enhance Supply Chain Security

Singtel's Australian IT Firm Dialog Suffers Data Breach

#DTX2022: Cyber Needs to Redress the Defensive-Offensive Balance Following Russia-Ukraine 

Lloyd's of London says no evidence found of data compromise from cyberattack


Tweet of the Week

https://twitter.com/SwiftOnSecurity/status/1579575774784688128