Alerts

The U.S. Department of Homeland Security on Thursday issued an advisory, warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk.

An implantable cardioverter defibrillator is a small device surgically implanted in a patient’s chest that delivers an electric shock (often called a countershock) to the heart to re-establish a normal heartbeat.

While the device is designed to prevent sudden death, several implanted cardiac defibrillators made by Medtronic, one of the world’s largest medical device companies, have been found to carry two serious vulnerabilities.

Discovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices.

“Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,” warns the advisory released by DHS.

The vulnerabilities reside in the Conexus Radio Frequency Telemetry Protocol, the wireless communication system that some Medtronic defibrillators and their control units use to talk to the implanted devices over radio.


Flaw 1: Lack of Authentication in Medtronic’s Implantable Defibrillators

According to an advisory published by Medtronic, these flaws affect more than 20 products, 16 of which are implantable defibrillators; the rest are the defibrillators’ bedside monitors and programmers.

The more critical of the two flaws, CVE-2019-6538, exists because the Conexus telemetry protocol includes no checks for data tampering and performs no authentication or authorization of any kind.

Successful exploitation of this vulnerability could allow an attacker within radio range of an affected device, and equipped with the right radio gear, to intercept, spoof, or modify data transmitted between the device and its controller, which could potentially harm or even kill the patient.

“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” the DHS says.


Flaw 2: Lack of Encryption in Medtronic’s Implantable Defibrillators

The Conexus telemetry protocol also provides no encryption for the telemetry communications, making it possible for attackers within range to eavesdrop on them. This issue has been assigned CVE-2019-6540.
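What “checks for data tampering” and authentication look like in practice, as an added example that is not Medtronic’s Conexus protocol and not code from the advisory: a toy telemetry frame carrying a monotonic counter and an HMAC-SHA256 tag, with a receiver that rejects tampered, forged and replayed commands. The frame layout, the key and the command values are constructed for illustration. The block addresses the integrity and authentication gap of Flaw 1 only; closing Flaw 2 (confidentiality) would additionally require authenticated encryption such as AES-GCM, which the Python standard library does not provide.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (not Conexus):
#   4-byte big-endian counter | 1-byte command id | payload | 32-byte HMAC-SHA256 tag
HEADER_LEN = 5
TAG_LEN = 32


def build_frame(key: bytes, counter: int, cmd: int, payload: bytes) -> bytes:
    """Sender side: authenticate counter, command and payload under a shared key."""
    header = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Implant side: accept a frame only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far (anti-replay state)

    def accept(self, frame: bytes):
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None  # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: a mismatch means tampering or a forged/unknown key.
        if not hmac.compare_digest(tag, expected):
            return None
        counter, cmd = struct.unpack(">IB", body[:HEADER_LEN])
        if counter <= self.last_counter:
            return None  # replayed (recorded and resent) or out-of-order frame
        self.last_counter = counter
        return cmd, body[HEADER_LEN:]


def demo() -> dict:
    """Run the four cases a tamper/authentication check must handle."""
    key = hashlib.sha256(b"constructed demo key, not a real device key").digest()
    rx = Receiver(key)
    results = {}

    genuine = build_frame(key, 1, 0x10, b"read:0x0040")
    results["genuine"] = rx.accept(genuine)

    # Modify one payload byte in transit: the tag no longer matches.
    tampered = bytearray(genuine)
    tampered[HEADER_LEN + 1] ^= 0x01
    results["tampered"] = rx.accept(bytes(tampered))

    # Resend the previously accepted frame unchanged: counter check rejects it.
    results["replayed"] = rx.accept(genuine)

    # Build a frame without the shared key: tag verification fails.
    results["forged"] = rx.accept(build_frame(b"wrong key", 2, 0x20, b"write:0x0040"))

    # The next legitimate frame with a higher counter is still accepted.
    results["next_genuine"] = rx.accept(build_frame(key, 2, 0x10, b"read:0x0044"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} -> {'accepted' if outcome else 'rejected'}")
```

The counter must survive device resets (stored in non-volatile memory) or an attacker could replay old frames after a restart; a real design would also bind each frame to the session and device identity.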

However, Medtronic said the vulnerabilities would be hard to exploit in a way that harms patients, since doing so requires the following conditions to be met:

  • An unauthorized individual would need to be within about 6 meters (20 feet) of the targeted device or clinic programmer.
  • Conexus telemetry must be activated by a healthcare professional who is in the same room as the patient.
  • Outside the hospital, device activation times are limited; they vary from patient to patient and are difficult for an unauthorized user to predict.

The medical technology giant also assures its users that “neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities” to this date.

Medtronic also noted that its line of implanted pacemakers, including those with Bluetooth wireless functionality, as well as its CareLink Express monitors and CareLink Encore programmers (Model 29901) used by some hospitals and clinics are not vulnerable to either of these flaws.

Medtronic has already applied additional controls for monitoring for and responding to abuse of the Conexus protocol on the affected implanted cardiac devices, and is working on a fix to address the reported vulnerabilities.

The security fix will soon become available, and in the meantime, Medtronic urged “patients and physicians continue to use these devices as prescribed and intended.”


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Elsevier, publisher of scientific journals such as The Lancet, has left its users’ passwords and email addresses lying around online.

What Motherboard described as a “rolling list of passwords,” along with the password reset links produced when users requested a change to their login credentials, was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed or for how long.

Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.

To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?

For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.

According to Motherboard’s Joseph Cox, the credentials were displayed on Kibana, a popular tool for visualizing and sorting data.


Motherboard verified that the credentials were valid by asking Hussein to reset his own password to a specific phrase fed to him by Motherboard. Cox writes:

A few minutes later, the plain text password appeared on the exposed server.

Elsevier secured the server after getting a heads-up from Motherboard and details from Hussein. An Elsevier spokesperson sent Motherboard a statement in which the publisher blamed a misconfigured server:

The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.

As others have pointed out, saying that the passwords are no longer exposed doesn’t explain why they were stored in plain text to begin with. Hopefully, Elsevier will pay attention to that, as well as to the misconfigured server that left them hanging on the line like a discarded beach towel.
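What “not stored in plain text” means for both of the exposed artifacts, as an added example that is not Elsevier’s code and says nothing about how their system actually works: a constructed credential store that keeps only salted PBKDF2 hashes of passwords and only SHA-256 digests of reset tokens, so a copy of the store (or a dashboard fed from it) reveals neither. The email addresses and passwords are made up; the class and function names are this example’s own.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (constructed value; tune to the deployment).
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used to equalize timing when the user does not exist


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class CredentialStore:
    """Persists password hashes and hashed reset tokens, never the secrets themselves."""

    def __init__(self) -> None:
        self.users = {}         # email -> (salt, pbkdf2 digest)
        self.reset_tokens = {}  # sha256(token) hex -> email

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def verify(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            hash_password(password, _DUMMY_SALT)  # same cost as a real check
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)  # constant-time compare

    def issue_reset_token(self, email: str) -> str:
        """Create the secret that goes into the emailed link; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        """Single-use: the hashed token is removed whether or not the caller succeeds."""
        key = hashlib.sha256(token.encode()).hexdigest()
        email = self.reset_tokens.pop(key, None)
        if email is None:
            return False
        self.users[email] = hash_password(new_password)
        return True

    def at_rest_contains(self, secret: str) -> bool:
        """True if the raw secret would appear in the persisted data (it never should)."""
        blob = repr(self.users) + repr(self.reset_tokens)
        return secret in blob


if __name__ == "__main__":
    store = CredentialStore()
    store.register("student@uni.example", "hunter2")
    print("login ok:", store.verify("student@uni.example", "hunter2"))
    print("password visible at rest:", store.at_rest_contains("hunter2"))
    token = store.issue_reset_token("student@uni.example")
    print("reset token visible at rest:", store.at_rest_contains(token))
    print("reset ok:", store.redeem_reset_token(token, "correct horse"))
```

Reset tokens should additionally carry an expiry; the point here is that a leaked table or log line shows only digests, and a digest of a high-entropy token cannot be turned back into the link that was mailed.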


If you’re an Elsevier user

Reset your password, and if you know you’ve used the same password on other websites, change those too!

Also if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too.


(Source: Naked Security)

Security experts at Check Point have uncovered a sophisticated malware campaign spreading the SimBad malicious code through the official Google Play Store. According to the researchers, more than 150 million users have already been affected.

SimBad poses as advertising code: it is hidden inside the RXDrioder software development kit (SDK), an SDK used for advertising and monetization, so every application built with the tainted SDK carries the malicious code.

“The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer,” reads the analysis published by the experts.

“The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

The domain ‘addroider[.]com’ was registered via GoDaddy, with ownership masked by a privacy protection service; RiskIQ’s PassiveTotal reveals that the domain expired 7 months ago. Visiting the domain returns a login page that resembles other malware panels. The ‘Register’ and ‘Sign Up’ links are broken and redirect the user back to the login page.

The SimBad malware is also able to redirect Android users to phishing websites and to download further malicious applications, either from the Play Store or from a remote server.

Once an Android user downloads and installs an infected application, the SimBad malware registers itself for the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents, so it can act as soon as the device has finished booting and while the unsuspecting user is using the device.
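A static check for the persistence pattern described above, as an added example that is not Check Point’s tooling and not code from the SimBad analysis: it parses an app’s AndroidManifest.xml and lists every broadcast receiver whose intent filter listens for boot completion or user presence, noting whether the receiver class lives in the app’s own package or in a bundled third-party SDK package. The manifest, the app package name and the SDK package name are constructed; the action strings are the real Android constants android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT (the write-up refers to them as ‘BOOT_COMPLETE’ and ‘USER_PRESENT’). Many legitimate apps register for BOOT_COMPLETED, so a hit is a lead for review, not proof of malice.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Real Android broadcast actions a persistence-seeking component commonly registers for.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}

# Constructed manifest: a game whose bundled ad SDK (hypothetical package com.adsdk)
# declares a receiver for both boot completion and user presence.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simgame">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sim Game">
    <receiver android:name="com.example.simgame.UpdateReceiver"/>
    <receiver android:name="com.adsdk.internal.BootListener" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def find_persistence_receivers(manifest_xml: str) -> List[Dict]:
    """Return one finding per receiver that listens for a watched action."""
    root = ET.fromstring(manifest_xml)
    app_package = root.get("package", "")
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        hits = sorted(actions & WATCHED_ACTIONS)
        if not hits:
            continue
        name = receiver.get(NAME_ATTR, "")
        findings.append({
            "receiver": name,
            "actions": hits,
            # A receiver outside the app's own package points at bundled SDK code.
            "in_app_package": name.startswith(app_package + "."),
            "exported": receiver.get(f"{{{ANDROID_NS}}}exported") == "true",
            # BOOT_COMPLETED is only delivered if this permission is declared.
            "boot_permission_declared":
                "android.permission.RECEIVE_BOOT_COMPLETED" in permissions,
        })
    return findings


if __name__ == "__main__":
    for finding in find_persistence_receivers(SAMPLE_MANIFEST):
        origin = "app" if finding["in_app_package"] else "third-party package"
        print(f"{finding['receiver']} ({origin}) listens for {', '.join(finding['actions'])}")
```

Run against a decoded APK (for example the manifest produced by apktool), a receiver that listens for both actions from a package the developer did not write is exactly the kind of SDK-borne component worth inspecting further.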

Once installed, SimBad connects to its command-and-control (C&C) server and receives a command to execute. It removes its icon from the launcher, making it harder for the user to uninstall the malicious app, and at the same time begins displaying background ads and opening a browser on a given URL to generate fraudulent revenue without raising suspicion.

“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.” continues the expert.

“With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”


According to Check Point, most of the infected applications are simulator games, followed by photo editors and wallpaper applications. Below is the list of the top 10 apps infected with the SimBad malware:

  1. Snow Heavy Excavator Simulator (10,000,000 downloads)
  2. Hoverboard Racing (5,000,000 downloads)
  3. Real Tractor Farming Simulator (5,000,000 downloads)
  4. Ambulance Rescue Driving (5,000,000 downloads)
  5. Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  6. Fire Truck Emergency Driver (5,000,000 downloads)
  7. Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  8. Car Parking Challenge (5,000,000 downloads)
  9. Speed Boat Jet Ski Racing (5,000,000 downloads)
  10. Water Surfing Car Stunt (5,000,000 downloads)

The full list of malware-infected apps is available here.

This is the latest in a series of campaigns abusing the Google store; previously reported massive attacks involved the CopyCat and Gooligan malware.


(Source: Security Affairs)

The popular SSH client program PuTTY has released the latest version of its software that includes security patches for 8 high-severity security vulnerabilities.

PuTTY is one of the most popular and widely used open-source client-side programs that allows users to remotely access computers over SSH, Telnet, and Rlogin network protocols. Almost 20 months after releasing the last version of its software, the developers of PuTTY earlier this week released the latest version 0.71 for Windows and Unix operating systems.

According to an advisory available on its website, all previous versions of the PuTTY software are vulnerable to multiple security issues that could allow a malicious or compromised server to hijack the client’s system in different ways.

Below are all 8 vulnerabilities that PuTTY 0.71 has patched, with brief information on each:

1) Authentication Prompt Spoofing

Since PuTTY has no way to indicate whether a piece of terminal output is genuine, a malicious server could exploit this user-interface issue to generate a fake authentication prompt on the client side, tricking victims into entering their private key passphrases.

“If the server had also acquired a copy of your encrypted key file (which, for example, you might have considered safe to copy around because it was securely encrypted), then this would give it access to your private key,” the advisory explains.

2) Code Execution via CHM Hijacking

When a user launches the online help within the PuTTY GUI tools, the software tries to locate its help file alongside its own executable.

This behavior could allow an attacker to trick the user into executing malicious code on the client system via a planted CHM file.

“If you were running PuTTY from a directory that unrelated code could arrange to drop files into, this means that if somebody contrived to get a file called putty.chm into that directory, then PuTTY would believe it was the real help file, and feed it to htmlhelp.exe.”

3) Buffer Overflow in Unix PuTTY Tools

According to the advisory, if a server opens too many port forwardings, PuTTY for Unix does not bounds-check the input file descriptor it collects while monitoring the collections of active Unix file descriptors for activity, leading to a buffer overflow issue.

“We don’t know if this was remotely exploitable, but it could at least be remotely triggered by a malicious SSH server, if you enabled any of the options that allow the server to open a channel: remote-to-local port forwarding, agent forwarding or X11 forwarding,” the advisory says.

4) Reusing Cryptographic Random Numbers

This issue resides in PuTTY’s cryptographic random number generator, which could occasionally use the same batch of random bytes twice.

“This occurred because of a one-byte buffer overflow in the random pool code. If entropy from an external source was injected into the random pool exactly when the current-position index was pointing at the very end of the pool, it would overrun the pool buffer by one byte and overwrite the low byte of the position index itself.”

5) Integer Overflow Flaw

All prior versions of PuTTY suffer from an integer overflow caused by a missing key-size check in the RSA key exchange.

A remote server can trigger the vulnerability by sending a short RSA key, leading to an integer overflow and uncontrolled overwriting of memory.

PuTTY developers are not sure if this flaw can be exploited to gain control over the client, but since the issue occurs during key exchange and happens before host key checking, the overflow can be induced by a MitM attack even if the middle man does not know the correct host key.

So even if you trust the server you think you are connecting to, you are not safe.

6, 7 and 8) Terminal DoS Attacks

The last three vulnerabilities allow a server to crash or slow down the client’s terminal by sending particular text output.

Servers can send a long unbroken string of Unicode characters to the client’s terminal, which could lead to a denial-of-service attack by causing the system to allocate potentially unlimited amounts of memory.

The second DoS can be triggered by a combination of combining characters and double-width text in the server’s output when the client terminal has an odd number of columns and is running under GTK.

In the third DoS attack, by sending width-2 characters used by Chinese, Japanese and Korean to the client, PuTTY’s terminal emulator can be forced to crash.

If you use PuTTY, make sure you download and use the latest version of it.


(Source: The Hacker News)

One of the world’s largest producers of aluminum has been forced to shut down several of its plants across Europe and the U.S. after an “extensive cyber attack” hit its operations, leaving the company’s IT systems unusable.

According to a press release shared by Aluminum giant Norsk Hydro today, the company has temporarily shut down several plants and switched to manual operations, “where possible,” in countries including Norway, Qatar, and Brazil in an attempt to continue some of its operations.

The cyber attack, which began in the U.S., was first detected by the company’s IT experts late Monday evening CET; the company is working to neutralize the attack and investigating the full extent of the incident.

“Hydro’s main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents,” the company says.

In an 18-minute-long video press conference, Norsk Hydro CFO Eivind Kallevik revealed that Norsk Hydro systems have been hit by a relatively new strain of ransomware malware, known as LockerGoga, which encrypts all files on the targeted computers and then demands a ransom to unlock them, just as other ransomware viruses do.

“The situation is quite severe. The entire worldwide network is down, affecting all production as well as our office operations,” Kallevik said.

During the press conference, the Norwegian National Security Authority (NNSA) also said that the agency is helping Norsk Hydro with the incident and cooperating with other sectors and international agencies.

According to reports published by local public broadcaster NRK and Reuters, researchers say LockerGoga is not a widely spread malware and was also used to target the French engineering consultancy Altran Technologies earlier this year.

“It is too early to indicate the operational and financial impact, as well as timing to resolve the situation,” the company says.

Norsk Hydro is the latest victim of a so-called ransomware attack, a type of incident that has crippled many major companies in the past few years.

At this time it is unknown whether the company has lost any significant data in the attack and, if so, whether it would pay or is already considering paying the ransom to the as-yet-unidentified cybercriminals responsible.

But for now, the company said Hydro has cyber insurance and its main plan is to restore systems using back-up data.

Headquartered in Oslo, Norsk Hydro is one of the largest aluminum companies worldwide, with operations in some 50 countries around the world and active on all continents. The company’s shares went down around 1% at the time of writing due to the incident.


(Source: The Hacker News)