Azure Services SSRF Vulnerabilities Exposed Internal Endpoints, Sensitive Data

Cloud security company Orca has published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services, including two bugs that could have been exploited without authentication.

SSRF flaws, Orca explains, typically allow attackers to access the host’s IMDS (Cloud Instance Metadata Service), enabling them to view information such as hostnames, MAC addresses, and security groups.

Furthermore, such security defects could be exploited to retrieve tokens, execute code remotely, and move to another host.

Impacting Azure Functions and Azure Digital Twins, the two unauthenticated vulnerabilities could be exploited without an Azure account to send requests on behalf of the server.

The remaining two security issues, which were identified in Azure API Management and Azure Machine Learning, require authentication for successful exploitation.

All four vulnerabilities are non-blind SSRF (full SSRF) issues, allowing an attacker to send a request to any URL and read back the response, Orca’s researchers say. Such flaws can typically be exploited via XXE (XML external entity), SVG files, a proxy, PDF rendering, a vulnerable query-string parameter in the URL, and more.

“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and sensitive files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of sensitive information to target,” Orca says.

The issues could be exploited to request any URL by abusing the server, but various mitigations that Microsoft has implemented prevented the researchers from exploiting the newly identified bugs to reach IMDS endpoints.

The unauthenticated flaw in the Azure DigitalTwins Explorer service was caused by a bug in the user input validation following a request, while the issue impacting the Azure Functions service resided in a NodeJS based function.

The authenticated vulnerability in Azure API Management allowed the researchers to enumerate all open ports on the vulnerable server, review all of them, and retrieve more sensitive data, including Git client version, the empty refs list, and the git-scm capabilities.

The Azure Machine Learning service bug, Orca says, allowed the researchers to retrieve any endpoint.

Orca reported the vulnerabilities to Microsoft between October and December 2022. Patches were released shortly after each report, with the last vulnerability addressed on December 20.

UPDATE: Microsoft has published its own blog post, clarifying that the vulnerabilities were low risk as they do not allow access to sensitive information or Azure backend services.

Related: Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters

Related: Azure Service Fabric Vulnerability Can Lead to Cluster Takeover

Related: Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/azure-services-ssrf-vulnerabilities-exposed-internal-endpoints-sensitive-data




Attackers Can Abuse GitHub Codespaces for Malware Delivery

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.

Generally available since November 2022, following a private preview period, GitHub Codespaces is a free cloud-based integrated development environment (IDE) that allows developers to create, edit, and run code in their browsers via a container-based environment that runs in a virtual machine (VM).

One of the features that GitHub Codespaces provides enables developers to share forwarded ports from the VM, either privately or publicly, for real-time collaboration purposes.

The private port can only be accessed via its URL, while publicly shared ports can be accessed by anyone with the URL, without any form of authentication.

According to Trend Micro, this collaboration feature can be abused by threat actors with accounts on GitHub to host malicious content, including scripts, ransomware, and other types of malware.

“Moreover, the barriers of costs in creating a Codespaces environment are now lower compared to creating a cloud service provider (CSP) account where you need a credit card to become a subscriber, be it in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and many others,” Trend Micro notes.

The cybersecurity firm says it created a Python-based HTTP server on port 8080, shared the forwarded port publicly, and found that the URL could be accessed by anyone, as access did not require any authentication cookies.

Ports are typically forwarded on GitHub Codespaces via HTTP, but developers can change the protocol to HTTPS, which automatically makes the port private.

According to Trend Micro, an attacker could build a simple script to repeatedly create a codespace with a publicly exposed port and use it to host malicious content – essentially a webserver with an open directory containing malware – and set it to automatically delete itself after the URL has been accessed.

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created codespace has a unique identifier to it, the subdomain associated is unique as well. This gives the attacker enough ground to create different instances of open directories,” Trend Micro says.

The cybersecurity firm says there is no evidence that this technique has been abused for nefarious purposes, but notes that threat actors are known to abuse free cloud services and platforms in malicious campaigns.

“In a scenario abusing this [technique], the attacker can manipulate the publicly shared port to infiltrate and deploy malicious content in a victim’s environment since the domain associated with the exposed port is unique and has likely never been flagged by security tools,” Trend Micro concludes.

To mitigate the risk, developers are advised to only use code they can trust, to make sure they only use recognized and well-maintained container images, to secure their GitHub accounts with strong passwords and with two-factor authentication (2FA), and to follow the best practices for using GitHub Codespaces.

SecurityWeek has emailed GitHub for a comment on Trend Micro’s findings and will update this article as soon as a reply arrives.

UPDATE: GitHub has provided the following statement:

GitHub is committed to investigating reported security issues. We are aware of this report and plan to add a prompt to users to validate that they trust the owner when connecting to a codespace. We recommend users of GitHub Codespaces follow our guidelines to maintain security and minimize risk of their development environment.

Related: GitHub Introduces Automatic Vulnerability Scanning Feature

Related: GitHub Introduces Private Vulnerability Reporting for Public Repositories

Related: GitHub Account Renaming Could Have Led to Supply Chain Attacks

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-delivery




Bill Would Force Period Tracking Apps to Follow Privacy Laws

When the Supreme Court last June stripped away constitutional protections for abortion, concerns grew over the use of period tracking apps because they aren’t protected by federal privacy laws.

Privacy experts have said they fear pregnancies could be surveilled and the data shared with police or sold to vigilantes.

Some Washington state lawmakers want to change that and have introduced a bill related to how consumer data is shared, KUOW reported.

Democratic Rep. Vandana Slatter represents Washington’s 48th legislative district, which covers much of Redmond, Bellevue, and Kirkland. She is sponsoring House Bill 1155, which focuses on the collection, sharing, and selling of consumer health data.

“Someone can actually track you, and target you, in some way that can be really harmful,” Slatter said.

HIPAA, the 1996 Health Insurance Portability and Accountability Act, protects medical files at your doctor’s office but not the information that third-party apps and tech companies collect about you. Nor does HIPAA cover health histories collected by non-medical “crisis pregnancy centers,” which are run by anti-abortion groups. That means the information can be shared with, or sold to, almost anyone.

The Supreme Court’s decision to overturn abortion rights piqued Slatter’s interest in health data privacy, she said. Her proposed measure would make it illegal to sell any type of health data.

Rep. Jim Walsh of Aberdeen said he supports protecting a person’s privacy, but said the bill focuses too much on what he called hot button issues.

“Why do we need to use incendiary language, like about abortion?” Walsh said.

The bill is set to be presented to the state House Civil Rights and Judiciary Committee. Its companion bill in the state Senate, SB 5351, is sponsored by Sen. Manka Dhingra, D-Redmond.

Related: The Potential and Pitfalls of a Federal Privacy Law

Related: EU Tells TikTok Chief To Respect Data Privacy Laws


https://www.securityweek.com/bill-would-force-period-tracking-apps-follow-privacy-laws




Free Decryptors Released for BianLian, MegaCortex Ransomware

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.

Written in Golang, BianLian emerged in August 2022 and has been used in targeted attacks against entertainment, healthcare, media, and manufacturing organizations.

Once it has been executed on a victim’s machine, the malware identifies all available drives to find files and encrypt them.

BianLian targets a total of 1,013 file extensions and features a particular encryption routine: it does not encrypt data at the beginning of a file, nor data at its end.

Known for its fast encryption capabilities, the ransomware appends the “.bianlian” extension to the affected files and drops a ransom note named “Look at this instruction.txt” in each folder on the machine. Once the encryption process has been completed, the malware deletes itself.

Avast warns that its decryption tool only works with files encrypted with a known variant of BianLian and that victims of more recent versions of the ransomware might need to provide a malware binary to be able to recover their data for free.

The BianLian decryptor (direct download) is available on Avast’s website. The cybersecurity firm also provides detailed instructions on how the tool should be used.

The MegaCortex ransomware initially emerged in January 2019, but did not rise to fame until May that year, when it was used in a global attack campaign.

The malware was used by the same cybercriminals who also distributed the Dharma and LockerGoga ransomware, and who are believed to have infected roughly 1,800 victims, mostly companies.

In 2020, MegaCortex was mentioned in a FireEye report as being one of the six ransomware families to use a ‘process kill list’ targeting over 1,000 processes, including industrial software.

In October 2021, Europol and Norwegian Police announced the arrest of 12 individuals believed to have been part of the cybercrime ring.

Earlier this month, Bitdefender announced the availability of a free decryption tool for the MegaCortex victims, built in cooperation with the NoMoreRansom Project, Europol, and Swiss law enforcement. The decryptor is available on Bitdefender’s website (direct download) and the company also provides a step-by-step guide to using the tool.

Related: Free Decryptor Available for LockerGoga Ransomware Victims

Related: Free Decryptors Released for AstraLocker Ransomware

Related: Can Encryption Key Intercepts Solve The Ransomware Epidemic?

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/free-decryptors-released-bianlian-megacortex-ransomware




Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks

Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.

The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.

According to researchers at automated penetration testing firm Horizon3.ai, the CVE-2022-47966 flaw is easy to exploit and a good candidate for so-called “spray and pray” attacks. In this case, the bug gives attackers complete control over the system or an immediate beachhead to launch additional compromises.

“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” the company said in a note documenting its work creating IOCs to help businesses hunt for signs of infection.

Horizon3.ai red-teamer James Horseman is calling attention to exposed attack surfaces that put thousands of organizations at risk. “Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled,” Horseman said, estimating that roughly 10% of all Zoho Management products may be sitting ducks for these attacks.

“Organizations that use SAML in the first place tend to be larger and more mature and are likely to be higher value targets for attackers,” Horseman warned.

Although Zoho issued patches late last year, Horseman notes that some organizations may still be tardy in deploying the fixes. “Given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched.”

“We want to highlight that in some cases the vulnerability is exploitable even if SAML is not currently enabled, but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product,” Horseman added.

Zoho boasts that about 280,000 organizations across 190 countries use its ManageEngine product suite to manage IT operations.

The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, has struggled with zero-day attacks and major security problems that have been targeted by nation-state APT actors.

The US government’s cybersecurity agency CISA has added Zoho vulnerabilities to its federal ‘must-patch’ list because of known exploitation activity.

Related: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day

Related: Zoho Working on Patch for Zero-Day ManageEngine Vulnerability

Related: CISA Adds Zoho Flaws to Federal ‘Must-Patch’ List

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.
Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.


https://www.securityweek.com/researchers-brace-zoho-manageengine-spray-and-pray-attacks




InHand Industrial Router Vulnerabilities Expose Internal OT Networks to Attacks

A series of vulnerabilities affecting industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to internal operational technology (OT) networks from the internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) last week published an advisory to inform organizations about five vulnerabilities identified by a researcher at industrial cybersecurity firm Otorio in InHand’s InRouter302 and InRouter615 cellular routers.

The vendor has released firmware updates that should patch these vulnerabilities.

According to CISA, most of the vulnerabilities are related to message queuing telemetry transport (MQTT) and their exploitation could lead to command/code execution and information disclosure.

One of the security holes has been assigned a ‘critical’ severity rating, two have been rated ‘high severity’ and two are medium-severity issues.

Matan Dobrushin, VP of research at Otorio, told SecurityWeek that the vulnerabilities impact both the cloud management platform and the device’s firmware.

“Chaining these vulnerabilities together can allow an attacker to remotely execute code as root on all connected InRouter302 and InRouter615 devices directly from the internet,” Dobrushin explained.

The affected devices are used for industrial robots, oil wells, elevators, medical equipment, electric car charging stations, and smart meters.

“We are certain that there are tens of thousands of devices that are impacted by these vulnerabilities, affecting thousands of critical sites around the globe,” Dobrushin warned.

Roni Gavrilov, the Otorio researcher credited for finding these flaws, provided additional information on impact in a LinkedIn post.

“Successful exploitation of industrial wireless IoT may allow an attacker to bypass all of the security layers protecting the internal OT network at once, enabling access directly to connected PLCs, HMIs and field devices on the attacked site, easily impacting the process and potentially propagating the attack to the control center,” the researcher said.

This is not the first time Otorio has found vulnerabilities in InHand routers. In 2021, the company reported finding more than a dozen security flaws in one of the vendor’s cellular routers.

In addition, in 2022, Cisco’s Talos threat intelligence and research unit reported finding 17 vulnerabilities in the InRouter302 product.

Related: 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers

Related: Several Vulnerabilities Expose Phoenix Contact Industrial 4G Routers to Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


https://www.securityweek.com/inhand-industrial-router-vulnerabilities-expose-internal-ot-networks-attacks




Website of Canadian Liquor Distributor LCBO Infected With Web Skimmer

Canadian liquor distributor Liquor Control Board of Ontario (LCBO) has announced that a web skimmer injected into its online store was used to steal users’ personal data.

One of the largest liquor sellers in Canada, LCBO retails and distributes alcoholic beverages throughout the Ontario province, operating over 670 stores and employing more than 8,000 people.

Last week, the company abruptly took offline its online store and mobile application, only to later explain that it fell victim to a cyberattack in which a web skimmer was injected into LCBO.com.

“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” the retailer said.

According to LCBO, all individuals who provided their personal information on the online store’s check-out pages and made payments between January 5 and 10, 2023, are impacted.

The compromised personal information, the company says, includes names, addresses, email addresses, LCBO.com account passwords, Aeroplan numbers, and credit card information.

“This incident did not affect any orders placed through our mobile app or vintagesshoponline.com,” the company said.

The company did not share information on the number of impacted customers, but said that it disabled customer access to both the online store and mobile app as a precautionary measure, and that it also forced a password reset for all user accounts.

“LCBO.com and our mobile app have been restored and are fully operational. We have also reset all LCBO.com account passwords. Registered customers will be prompted to reset their password on login,” the company said.

Web skimmer attacks, also referred to as Magecart attacks, are typically the result of a misconfiguration or unpatched vulnerabilities that allow threat actors to inject information stealer malware into a website and harvest the information of unsuspecting users.

Magecart attacks have been around for years, with multiple groups operating under the umbrella and hundreds of online stores compromised to date. In 2019, a free service called URLscan.io was made available to help customers and retailers alike check for the presence of web skimmers.

Related: Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers

Related: Target Open Sources Web Skimmer Detection Tool

Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/website-canadian-liquor-distributor-lcbo-infected-web-skimmer




Hack the Pentagon 3.0 Bug Bounty Program to Focus on Facility Control Systems

The US Department of Defense (DoD) is getting ready to launch the third installment of its ‘Hack the Pentagon’ bug bounty program, which will focus on the Facility Related Controls System (FRCS) network.

Hack the Pentagon was launched in 2016 on HackerOne, when the DoD invited ethical hackers to find and report security defects in Pentagon’s public web pages.

In 2018, the DoD announced a continuous Hack the Pentagon program running year-long on Bugcrowd and targeting vulnerabilities in hardware and physical systems and other high-value assets.

According to a draft solicitation released on Friday, as part of Hack the Pentagon 3.0, DoD will rely on ethical hackers to identify vulnerabilities in FRCS.

The DoD’s FRCS includes control systems that are used to monitor and control equipment and systems related to real property facilities, such as HVAC, utilities, physical security systems, and fire and safety systems.

“The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” the draft reads.

Per the document, the DoD is looking to engage with a private organization that has expertise in commercial crowdsourcing, to select “a private community of skilled and trusted researchers, which may be limited to US persons only” to participate in the program.

For previous bug bounty programs – which also included Hack the Air Force, Hack the Army, Hack the Marine Corps and Hack the Defense Travel System – in addition to working with HackerOne and Bugcrowd, the DoD partnered with Synack to vet participating researchers.

The draft also makes it clear that the DoD will establish the eligibility criteria for the participating researchers, and that participants will have to be able to perform reverse engineering, source code analysis, and network and system exploitation.

“The bounty execution or ‘challenge phase’ itself is expected to last no more than 72 hours in person,” the draft reads.

Related: DoD Launches ‘Hack US’ Bounties for Major Flaws in Publicly Exposed Assets

Related: ‘Hack DHS’ Participants Awarded $125,000 for Over 100 Vulnerabilities

Related: DoD Announces Results of Vulnerability Disclosure Program for Defense Contractors

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/hack-pentagon-30-bug-bounty-program-focus-facility-control-systems




CircleCI Hacked via Malware on Employee Laptop

Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer’s laptop.

The incident was initially disclosed on January 4, when CircleCI urged customers to rotate their secret keys.

In an updated incident report on Friday, the company said that it was initially alerted of suspicious activity on December 29, 2022, and that on December 31 it started rotating all GitHub OAuth tokens on behalf of its customers.

On January 4, 2023, CircleCI learned that malware deployed on an engineer’s laptop on December 16 was used to steal a 2FA-backed SSO session, which allowed the attackers to access the company’s internal systems.

“Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” the company said.

The compromised employee account was used to generate production access tokens, which allowed the hackers to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.

The attackers, CircleCI said, performed reconnaissance on December 19 and exfiltrated the sensitive information on December 22.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the company said.

To contain the breach, the company shut down all access for the compromised employee account, shut down production access to nearly all employees, rotated all potentially exposed production hosts, revoked all project API tokens, revoked all personal API tokens created prior to January 5, rotated all Bitbucket and GitHub OAuth tokens, and started notifying customers of the incident.

“We have taken many steps since becoming aware of this attack, both to close the attack vector and add additional layers of security,” CircleCI said.

According to the company, “both the attack vector and the potential of a lingering corrupted host” were eliminated through the rotation of all production hosts.

Due to the sensitive nature of the exfiltrated information, all CircleCI customers should rotate SSH keys, OAuth tokens, project API tokens, and other secrets, and should investigate any suspicious activity observed after December 16.

“Because this incident involved the exfiltration of keys and tokens for third-party systems, there is no way for us to know if your secrets were used for unauthorized access to those third-party systems,” the company said. “At the time of publishing, fewer than 5 customers have informed us of unauthorized access to third-party systems as a result of this incident.”

Cloud monitoring service Datadog, one of the impacted CircleCI customers, announced late last week that it had identified an old RPM GNU Privacy Guard (GPG) private signing key that was compromised in the incident, along with its passphrase.

“As of January 12th, 2023, Datadog has no indication that the key was actually leaked or misused, but we are still taking the following actions out of an abundance of caution,” Datadog said.

Related: LastPass Says Password Vault Data Stolen in Data Breach

Related: Toyota Discloses Data Breach Impacting Source Code, Customer Email Addresses

Related: Microsoft Confirms Data Breach, But Claims Numbers Are Exaggerated

Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/circleci-hacked-malware-employee-laptop




Cybersecurity Experts Cast Doubt on Hackers’ ICS Ransomware Claims

A hacktivist group has made bold claims regarding an attack on an industrial control system (ICS) device, but industry professionals have questioned their claims.

The hacktivist group known as GhostSec, whose recent operations have focused on ‘punishing’ Russia for its invasion of Ukraine, claims to have conducted the first ever ransomware attack against a remote terminal unit (RTU), a type of ICS device used for communications between field devices and supervisory control and data acquisition (SCADA) systems.

“We just encrypted the first RTU in history! A small device designed only for an ICS environment,” the hackers said. “The age of ransomware coded to attack ICS devices just became a thing, and we were the first.”

The group said the hacked device is located in Belarus, one of Russia’s biggest allies. While the attack was described as ransomware because files on the device were encrypted, there wasn’t an actual ransom demand.

Several experts, including ones from ICS security companies, analyzed the hacktivists’ claims based on the screenshots they made available. The screenshots show that the attackers managed to encrypt some of the files hosted on the device, just like in a ransomware attack.

The first aspect that most experts pointed out is that the targeted device is the Teleofis RTU968, a product described by the Russia-based vendor as a 3G router designed for connecting industrial and commercial facilities to the internet. While the device is labeled as an RTU and can technically be used as an RTU due to the fact that it supports industrial interfaces, it’s not specifically designed for this purpose.

In addition, unlike RTUs made by major vendors such as Siemens, which run operating systems that are custom-built for industrial applications, the Teleofis device runs OpenWrt, a widely used Linux operating system designed for embedded devices.

Ransomware that can encrypt files on a Linux device is not new and there is no indication that encrypting files on the Teleofis device is more difficult. In addition, hacking these types of communication gateways that provide remote connectivity to serial devices is also not new, pointed out industrial cybersecurity firm SynSaber.

“Given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking,” explained Ron Fabela, the CTO of SynSaber.

Industrial cybersecurity company Otorio has also analyzed the hackers’ claims and noted, “In order to create a ransomware type of attack on a common RTU, it would require GhostSec to have deeper OT knowledge and resources, such as experimenting with real OT engineering tools and devices. The Teleofis device is OpenWrt based, which is basically Linux, and does not introduce any new, real OT capability.”

Otorio believes the attackers gained initial access to the router by leveraging weak authentication.

Cybersecurity company Claroty’s investigation reached the same conclusion. Its researchers found that the device has a pre-configured SSH service that can be accessed using a pre-configured root password that can be easily cracked.

Claroty has identified nearly 200 internet-exposed Teleofis RTU968 routers in Russia, Kazakhstan and Belarus, and 117 of them had the SSH service enabled.

Researcher Joe Slowik has also analyzed GhostSec’s claims and found that the hackers’ ransomware apparently wasn’t even able to encrypt all files running on the device — in-use files were not encrypted, which limits the impact of the attack.

This is not the first time GhostSec claims to have hacked ICS devices. In September, they claimed to have hijacked programmable logic controllers (PLCs) and a human-machine interface (HMI) in Israel, but their claims again seemed overblown.

While GhostSec’s claims may not be entirely accurate, ransomware attacks can and have caused serious problems for industrial organizations and the industrial systems they are using, even if ICS is in many cases not directly targeted.

In addition, researchers have shown that threat actors could in fact launch ransomware attacks aimed directly at ICS devices. Red Balloon Security showed one year ago how malicious actors could implement ransomware on a protection relay.

On the other hand, this research and the recent incidents do not necessarily mean that ransomware attacks directly targeting ICS devices will become common and widespread in the near future.

“The requirements and implications of ‘true’ industrial ransomware at the RTU or PLC level make this a very unlikely domain for criminals to operate in,” Slowik said. “The payoffs appear too meager to justify both the technical investment and political risk associated with such an action, as outlined above. Instead, it simply makes greater sense economically for such entities to remain in the same space that they’ve resided in for some time: impacting IT and IT-like systems to elicit payment from organizations while attempting to avoid ‘worst case’ societal impacts that bring greater attention from governments and law enforcement.”

Related: BlackCat Ransomware Targets Industrial Companies

Related: Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin

Related: Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek.


https://www.securityweek.com/cybersecurity-experts-cast-doubt-hackers-ics-ransomware-claims