Industrial Security Bulletin - Week 28 - July 14, 2020


14 Jul 2020

Industrial Cyber Attacks - Attacks against industries, production infrastructure and OT

Three major industrial companies have been hit by Maze ransomware, with stolen data leaked on the dark web:

  • X-fab, German semiconductor manufacturer
  • VOXX International, global manufacturer and supplier of automotive electronic products
  • MI Metals Inc, Florida-based aluminum extrusion company

Non-Industrial Cyber Attacks - Covering notable, interesting attacks worldwide

According to a new ESET report, the Evilnum APT group targets fintech companies, mainly in the UK and Europe, to harvest financial information. The group has been active for at least two years.

A new version of the Lampion banking trojan, which mostly targets Portugal and Brazil, includes an improved VBS file that, when executed, acts as the downloader for the rest of the infection chain.

ICS Vulnerabilities

New CISA ICS advisories cover the Mitsubishi Electric GOT2000 Series, Rockwell Automation Logix Designer Studio 5000, and the Phoenix Contact Automationworx Software Suite.

IT vulnerabilities

Citrix issued patches for 11 security flaws affecting its Application Delivery Controller (ADC), Gateway, and WANOP networking products. Successful exploitation allows code injection, information disclosure, and denial-of-service attacks against the Gateway or the authentication virtual servers.

Attackers are actively exploiting CVE-2020-5902, a critical vulnerability in the Traffic Management User Interface (TMUI) of F5 Networks' BIG-IP devices, to install coin miners and IoT malware and to scrape administrator credentials from compromised devices. Shodan shows around 8,500 F5 BIG-IP devices with the management web interface reachable from the internet, nearly 40% of them in the U.S. Such exposed devices are considered high risk.
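As an added example (not part of the bulletin, and not F5's own code or tooling), the following Python check scans web-server access logs for the "..;" path-traversal request pattern that public analyses of CVE-2020-5902 describe for reaching BIG-IP TMUI pages without authentication. The log lines are constructed for the example; the combined-log field layout, the endpoint names and the detection rule itself are assumptions made here, not statements from the bulletin.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not taken from
# the bulletin. Three carry the "..;" segment associated with CVE-2020-5902
# (one of them percent-encoded); the first and last are ordinary requests
# that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2020:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4512
203.0.113.7 - - [14/Jul/2020:09:12:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1311
198.51.100.20 - - [14/Jul/2020:09:15:44 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 388
198.51.100.20 - - [14/Jul/2020:09:15:51 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 404 0
192.0.2.55 - - [14/Jul/2020:09:20:10 +0000] "GET /xui/ HTTP/1.1" 302 0
"""

# Combined-log-format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The "..;" segment: the front-end proxy treats "login.jsp/..;/..." as a
# sub-path of the unauthenticated login page, while the Java servlet container
# strips the ";" path parameter and normalises "..", so the request lands on a
# page that should have required authentication.
TRAVERSAL_RE = re.compile(r'/\.\.;/')


@dataclass
class Hit:
    ip: str
    timestamp: str
    endpoint: str   # last path component the request resolves to, e.g. fileRead.jsp
    status: int


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_tmui_traversal(raw_path: str) -> bool:
    # Percent-decode first so "%2e%2e;" is caught as well as a literal "..;".
    path = unquote(raw_path).lower()
    return "/tmui/" in path and TRAVERSAL_RE.search(path) is not None


def find_tmui_traversal(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_tmui_traversal(rec["path"]):
            continue
        resolved = unquote(rec["path"]).split("?", 1)[0]
        hits.append(Hit(rec["ip"], rec["ts"], resolved.rsplit("/", 1)[-1], int(rec["status"])))
    return hits


def summarise_by_source(hits: List[Hit]) -> Dict[str, dict]:
    """Group hits per source IP and record whether any traversal got a 2xx,
    i.e. the device answered the request instead of rejecting it."""
    summary: Dict[str, dict] = {}
    for h in hits:
        entry = summary.setdefault(h.ip, {"endpoints": set(), "served": False})
        entry["endpoints"].add(h.endpoint)
        if 200 <= h.status < 300:
            entry["served"] = True
    return summary


if __name__ == "__main__":
    for ip, info in summarise_by_source(find_tmui_traversal(SAMPLE_LOG)).items():
        print(ip, sorted(info["endpoints"]), "served" if info["served"] else "rejected")
```

Run it against the access log exported from the device, or from a proxy in front of it, by passing the file contents to find_tmui_traversal. A source whose traversal requests received a 2xx should be treated as having reached the unauthenticated page: given the credential scraping described above, rotate the device's administrative credentials rather than only patching.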

Advanced Reading Suggestions of the Week

Exploit kits are not as prevalent as they were a few years ago, but they are still part of the threat landscape. The Purple Fox downloader was first reported by Trend Micro in September 2019. It abuses PowerShell and is capable of fileless infection. The malware was originally delivered by the Rig exploit kit; now, by building their own exploit kit for distribution, the Purple Fox authors save money and gain greater control over what the kit actually loads.

The new version of Purple Fox adds exploits for CVE-2020-0674 (an Internet Explorer scripting engine memory corruption bug) and CVE-2019-1458 (a Win32k privilege escalation), two vulnerabilities disclosed at the end of 2019 and the beginning of 2020. This shows that the Purple Fox authors keep up with newly exploitable vulnerabilities and update the kit as exploits become available. It is reasonable to expect further updates as new vulnerabilities are disclosed.

Ran Finkelstein
Threat Intelligence Researcher

For more information contact us at [email protected].
