Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Breach Roundup: Still Too Much ICS Exposed on the Internet

Also, Apple and Qualcomm Issue Emergency Patches
Breach Roundup: Still Too Much ICS Exposed on the Internet
Let's hope these systems aren't connected to the open internet. (Image: Shutterstock)

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Bitsight found a lot of internet-exposed industrial control systems, Apple issued new patches, Sony confirmed a data breach, Google and Yahoo tackled spam, Qualcomm patched three zero-days, Cisco revealed zero-day exploits in VPN, and the FBI warned of twin attacks.

See Also: The State of OT Security: A Comprehensive Guide to Trends, Risks, and Cyber Resilience

Bitsight Identifies Thousands of Exposed Control Systems Online

Cybersecurity firm Bitsight found nearly 100,000 industrial control systems across the globe exposed to the public internet. Industrial control systems manage processes such as water flows and electricity transmission in power grids.

Concerns over the hacking of operational technology including ICS have mounted in tandem with worries that state actors could turn to destructive hacks - fears amplified by power grid hacks in Ukraine and a 2021 ransomware attack against U.S. company Colonial Pipeline that resulted in temporary gasoline shortages.

Bitsight said some of the exposed control systems it found belong to Fortune 1000 companies. Sectors with the highest ICS exposure included education, technology and government. If there's good news, it's that Bitsight says the trend line of ICS exposure is headed downward.

"From 2019 to June 2023, we observed a decline in the number of ICSs exposed to the public internet. This is a positive development, suggesting that organizations may be properly configuring, switching to other technologies, or removing previously exposed ICSs from the public internet," the company wrote in a Monday blog post.

Apple Issues More Patches

Apple responded to an actively exploited zero-day flaw in iOS and iPadOS on Wednesday with the release of security patches. The identified vulnerability, tracked as CVE-2023-42824, exists in the kernel and may allow an attacker to elevate privileges. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said.

The update also addresses CVE-2023-5217, a WebRTC component issue. WebRTC is an open-source project that supports real-time computing between browsers and mobile applications, powering uses such as video and voice calling.

This marks Apple's 17th patch for an actively exploited zero-day this year. The release follows recent fixes for three vulnerabilities reportedly exploited by the Israeli spyware company Cytrox. Apple did not mention any connections between the new patches to the previously addressed kernel vulnerability.

Sony Confirms Data Breach

Sony Interactive Entertainment alerted around 6,800 individuals about a cybersecurity breach. The intrusion resulted from an unauthorized party exploiting a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit file transfer platform. This critical-severity SQL injection flaw, leading to remote code execution, was used by the Clop ransomware gang in widespread attacks in late May. Sony discovered the compromise on June 2, took the platform offline and remediated the vulnerability. The incident, limited to the specific software platform, did not affect other systems. Sensitive information of individuals in the U.S. was compromised, prompting Sony to offer credit monitoring and identity restoration services through Equifax until Feb. 29, 2024.

Google, Yahoo Tackle Spam

Yahoo and Google last week announced measures to curb spam and enhance email security. Yahoo plans to enforce rules on bulk senders, requiring robust email authentication using industry standards such as SPF, DKIM, and DMARC by the first quarter of 2024. Yahoo will also mandate one-click unsubscribe, demanding senders honor requests within two days.

Google will now require stronger authentication from bulk senders, which are those sending over 5,000 messages daily to Gmail. Both companies aim to prevent malicious exploits by ensuring proper system configuration and enforcing spam rate thresholds.

Qualcomm Patches 3 Zero-Days

Semiconductor and mobile platform maker Qualcomm released security updates on Monday for three actively exploited zero-days, and a total of 17 vulnerabilities in various components. In response to Google's Threat Analysis Group and Project Zero detection of these actively exploited vulnerabilities, Qualcomm issued patches for flaws affecting Adreno GPU and Compute DSP drivers. Specifics of the remaining exploited flaws will be disclosed in December 2023.

Cisco Reveals Zero-Day Exploits in VPN

Cisco said customers running its tunnel-less VPN for wide area networks should patch after revealing that attackers attempted to take advantage of a zero-day flaw. The routing giant said the flaw in its Group Encrypted Transport VPN, tracked as CVE-2023-20109, allows attackers to execute arbitrary code provided they already have access to a GET VPN group member router or to the key server.

Cisco rates the flaw as medium criticality. Exploiting the flaw would require an attacker to already have administrative control of a group member or the key server.

The company identified two potential methods for exploiting the vulnerability. The first scenario requires the attacker to seize control of the key server and alter keying protocol Group Domain of Interpretation or G-IKEv2 packets sent to group members. Alternatively, the attacker could build and install their own key server and direct WAN traffic to it rather than the legitimate key server.

FBI Warns of Twin Attacks

Ransomware affiliates are employing a new tactic, deploying multiple strains within a 48-hour window to double-encrypt victims' systems, according to an FBI alert. In recent months, threat actors have used a combination of dual ransomware variants, including AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum and Royal. This two-pronged approach results in complex data encryption, exfiltration and increased ransom payments. Cybercriminals are also incorporating custom data theft tools, wipers, and malware with dormant data-wiping capabilities, adding complexity to recovery efforts. The FBI recommends security measures including identity access management, protective controls and improved vulnerability management.

With reporting from Information Security Media Group's Mihir Bagwe in Mumbai


About the Author

Anviksha More

Anviksha More

Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.