Summary

According to theregister.co.uk [hXXps://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/], researchers at the Singapore University of Technology and Design disclosed 12 security vulnerabilities, collectively named SweynTooth, affecting Bluetooth Low Energy (BLE) software development kits (SDKs) from several system-on-a-chip (SoC) vendors. The vulnerabilities may allow an attacker within radio range to “crash or… bypass pairing security to gain arbitrary read and write access to device functions.” Proof-of-concept code and a video demonstrating the crash of a device (a Fitbit) are publicly available.

Analysis

The Register article quoted Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang with the following statement: "SWEYNTOOTH potentially affects IoT products in appliances such as smart-homes, wearables and environmental tracking or sensing." Their full research paper can be found here [hXXps://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf].

Patches have been made available for some of the devices that are known to be vulnerable.

The E-ISAC recommends members inventory BLE-enabled IoT devices in use, identify which SoC/SDK they are built on, and check with the device vendor for a patched firmware. Below is a list of the CVEs released with the research, with the affected SoC vendor for each:

Vulnerability | CVE(s) | Vendor
Link Layer Length Overflow | CVE-2019-16336 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16336] | Cypress
Link Layer Length Overflow | CVE-2019-17519 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17519] | NXP
LLID Deadlock | CVE-2019-17061 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17061] | Cypress
LLID Deadlock | CVE-2019-17060 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17060] | NXP
Truncated L2CAP | CVE-2019-17517 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17517] | Dialog
Silent Length Overflow | CVE-2019-17518 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17518] | Dialog
Public Key Crash | CVE-2019-17520 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17520] | Texas Instruments
Invalid Connection Request | CVE-2019-19193 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19193] | Texas Instruments
Invalid L2CAP Fragment | CVE-2019-19195 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19195] | Microchip
Sequential ATT Deadlock | CVE-2019-19192 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19192] | STMicroelectronics
Key Size Overflow | CVE-2019-19196 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19196] | Telink
Zero LTK Installation | CVE-2019-19194 [hXXps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19194] | Telink

For the complete article with additional information, including proof-of-concept code and a video demonstrating the exploitation and crashing of a Fitbit device, please refer to the original article and research paper.

hXXps://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/

hXXps://asset-group.github.io/disclosures/sweyntooth/

hXXps://asset-group.github.io/disclosures/sweyntooth/sweyntooth.pdf

hXXps://youtu.be/Iw8sIBLWE_w
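Several of the vulnerability names above (Link Layer Length Overflow, Silent Length Overflow, Key Size Overflow) describe one bug class: a length or size field taken from an over-the-air packet and used without checking it against what the stack actually allocated or the specification permits. The following is an added example, written for this advisory and not taken from the research paper or from any vendor's SDK. It models that class generically: an LL Data PDU whose header length field is trusted when filling a fixed receive buffer, next to a checked receive path, plus the range check an SMP pairing request's key size field needs. The buffer size, the 27-octet legacy maximum payload and the reserved-LLID handling are assumptions about a generic BLE 4.x stack, not any named vendor's values.

```python
"""Added example (not from the SweynTooth paper or any vendor SDK): the
input-validation bug class behind several SweynTooth CVEs, modelled generically.
Constants are assumptions about a generic BLE 4.x stack."""

# Assumed stack parameters: 27 octets is the maximum LL payload before the
# Data Length Extension procedure negotiates a larger connMaxRxOctets, and the
# receive buffer is sized to exactly that.
LEGACY_MAX_PAYLOAD = 27
RX_BUFFER_OCTETS = 27
# Core Spec Vol 3 Part H: Maximum Encryption Key Size field is 7..16 octets.
SMP_MIN_KEY_SIZE, SMP_MAX_KEY_SIZE = 7, 16


def parse_ll_header(pdu: bytes) -> dict:
    """Decode the 2-octet LL Data PDU header: LLID in bits 0-1, NESN bit 2,
    SN bit 3, MD bit 4 of the first octet; payload length in the second."""
    b0, length = pdu[0], pdu[1]
    return {"llid": b0 & 0x03, "nesn": (b0 >> 2) & 1, "sn": (b0 >> 3) & 1,
            "md": (b0 >> 4) & 1, "length": length}


def rx_data_pdu_unchecked(pdu: bytes) -> bytearray:
    """Vulnerable pattern: the header's length field alone decides how many
    octets are copied into the fixed buffer.  In C this overruns adjacent
    memory; here the bytearray silently grows past RX_BUFFER_OCTETS so the
    effect is visible."""
    hdr = parse_ll_header(pdu)
    buf = bytearray(RX_BUFFER_OCTETS)
    payload = pdu[2:2 + hdr["length"]]
    buf[:len(payload)] = payload
    return buf


def rx_data_pdu_checked(pdu: bytes, conn_max_rx_octets: int = LEGACY_MAX_PAYLOAD) -> bytes:
    """Checked pattern: refuse the PDU before copying when the length field
    exceeds the negotiated connMaxRxOctets or the buffer, disagrees with the
    frame actually received, or the header carries the reserved LLID 0b00."""
    if len(pdu) < 2:
        raise ValueError("truncated LL header")
    hdr = parse_ll_header(pdu)
    if hdr["llid"] == 0:
        raise ValueError("reserved LLID 0b00")
    if hdr["length"] > conn_max_rx_octets:
        raise ValueError(f"length {hdr['length']} exceeds negotiated {conn_max_rx_octets}")
    if hdr["length"] > RX_BUFFER_OCTETS:
        raise ValueError(f"length {hdr['length']} exceeds receive buffer")
    if len(pdu) - 2 != hdr["length"]:
        raise ValueError("length field disagrees with received frame")
    return pdu[2:]


def validate_pairing_key_size(max_key_size: int) -> bool:
    """SMP Pairing Request/Response: accept only 7..16.  A stack that used an
    out-of-range value to size its key handling is the Key Size Overflow class."""
    return SMP_MIN_KEY_SIZE <= max_key_size <= SMP_MAX_KEY_SIZE


if __name__ == "__main__":
    # Constructed hostile PDU: LLID 0b10 (start of L2CAP message), length 40,
    # sent to a peer that never negotiated more than 27 octets.
    evil = bytes([0x02, 40]) + b"A" * 40
    print("unchecked buffer grew to", len(rx_data_pdu_unchecked(evil)), "octets")
    try:
        rx_data_pdu_checked(evil)
    except ValueError as e:
        print("checked path rejected it:", e)
    print("key size 17 accepted?", validate_pairing_key_size(17))
```

The checked path validates the length against three independent limits (what was negotiated, what was allocated, what actually arrived) because a single check against any one of them leaves the others exploitable.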

 

 

On August 29th, 2019, the cybersecurity firm Armis Security discovered five zero-day vulnerabilities in Cisco devices, collectively referred to as “CDPwn”, which could potentially impact tens of millions of devices. CDPwn consists of four remote code execution vulnerabilities and one denial of service vulnerability, all in Cisco's implementation of the Cisco Discovery Protocol (CDP), a Layer 2 protocol that Cisco devices use to advertise themselves to, and learn about, directly connected neighbors. The CDPwn vulnerabilities could potentially be used to break network segmentation, exfiltrate corporate network traffic traversing an organization’s switches and routers, gain access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch, and exfiltrate sensitive information such as phone calls from IP phones and video feeds from IP cameras. Armis Security relayed information about CDPwn to Cisco soon after discovery.

On February 5th, 2020, Cisco released patches for devices vulnerable to CDPwn. Cisco said it was not aware of any malicious use of CDPwn at the time. Because CDP frames are not routed, attackers would first need to establish a foothold on a network segment adjacent to a vulnerable device; from there they could hop from device to device via CDPwn exploitation to gain significant access to or control over a network, executing code or causing denial of service.
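Since the attack surface here is the parsing of CDP frames received from a neighbor, the practical question for a monitoring or hardening effort is what a well-formed CDP payload looks like and which malformations a receiver must refuse. The following is an added example written for this advisory, not code from Armis or Cisco: a bounds-checked parser for the CDP payload that follows the 802.3/SNAP encapsulation (version, TTL, checksum, then type-length-value records whose length field counts its own 4-byte header). The frames it parses are constructed for the demonstration, the 1024-byte value limit is an assumption, and checksum verification is deliberately left out.

```python
"""Added example (not Armis's or Cisco's code): a bounds-checked CDP payload
parser.  Sample frames are constructed; checksum verification is omitted."""
import struct

CDP_TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
}
# Assumption for this example: no legitimate TLV value needs more than this.
MAX_TLV_VALUE = 1024


class CDPError(ValueError):
    pass


def parse_cdp(payload: bytes, max_tlv_value: int = MAX_TLV_VALUE) -> dict:
    """Layout: version(1) ttl(1) checksum(2), then TLVs of type(2, big-endian)
    length(2, big-endian, counting the 4-byte TLV header) value.  Every length
    is validated before it is used to index the frame."""
    if len(payload) < 4:
        raise CDPError("CDP header truncated")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise CDPError(f"unsupported CDP version {version}")
    tlvs = []
    off = 4
    while off < len(payload):
        if len(payload) - off < 4:
            raise CDPError(f"TLV header truncated at offset {off}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        # A length below 4 makes a naive loop stall (0) or read inside its own
        # header (1..3); a length past the frame end reads out of bounds.
        if tlv_len < 4:
            raise CDPError(f"TLV {tlv_type:#06x}: length {tlv_len} smaller than its header")
        if off + tlv_len > len(payload):
            raise CDPError(f"TLV {tlv_type:#06x}: length {tlv_len} runs past frame end")
        value = payload[off + 4:off + tlv_len]
        if len(value) > max_tlv_value:
            raise CDPError(f"TLV {tlv_type:#06x}: value of {len(value)} bytes exceeds limit")
        tlvs.append((CDP_TLV_NAMES.get(tlv_type, f"type {tlv_type:#06x}"), value))
        off += tlv_len
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV; the length field counts the 4-byte header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(tlvs: bytes, version: int = 2, ttl: int = 180) -> bytes:
    """Constructed frame body; checksum field left zero (not verified here)."""
    return struct.pack("!BBH", version, ttl, 0) + tlvs


# Constructed samples: a benign announcement and two malformed variants.
GOOD_FRAME = build_cdp(tlv(0x0001, b"sw-core-01") + tlv(0x0003, b"GigabitEthernet1/0/1")
                       + tlv(0x0006, b"cisco WS-C3850"))
ZERO_LENGTH_TLV = build_cdp(tlv(0x0001, b"x") + struct.pack("!HH", 0x0003, 0))
OVERLONG_TLV = build_cdp(struct.pack("!HH", 0x0003, 4 + 500) + b"P" * 20)


def check(frame: bytes) -> str:
    """Return 'ok' or the parser's refusal reason, as a monitoring rule would log it."""
    try:
        parse_cdp(frame)
        return "ok"
    except CDPError as e:
        return str(e)


if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("zero-length", ZERO_LENGTH_TLV),
                        ("overlong", OVERLONG_TLV)]:
        print(f"{name:12s} -> {check(frame)}")
    for tlv_name, value in parse_cdp(GOOD_FRAME)["tlvs"]:
        print(f"  {tlv_name}: {value.decode('ascii', 'replace')}")
```

Run against a capture, the same checks give a simple detection rule: any CDP frame that this parser refuses is malformed by construction and has no business on a production segment.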

Many of the vulnerable Cisco products, such as desk phones, web cameras, and network switches, do not auto-update and need manual patching to receive protection. Enterprise switches and routers are often behind on patches and updates because applying them requires network downtime. CDP is implemented in virtually all Cisco products, including switches, routers, IP phones and cameras, and those devices ship from the factory with CDP enabled by default. According to Cisco, over 95 percent of Fortune 500 companies use Cisco Collaboration solutions.

Cisco device owners should look up whether or not their devices are listed by Cisco as being susceptible to CDPwn exploitation by going to Cisco’s website. If they are listed as containing CDPwn vulnerabilities, device owners should immediately download and manually install patches from Cisco’s website. Routine updates are recommended for all Cisco devices in order to avoid possible exploitation by malicious actors relying on utilizing unpatched devices as attack vectors for infiltrating enterprise systems.

The following fix action is recommended for Cisco device owners: refer to the “Affected Products” section of the attached “CISCO CDP vulnerability for DoS.pdf” to determine whether your device(s) are listed as having CDPwn vulnerabilities and, if so, refer to the “Fixed Releases” section and download and install the patch for the device. A table containing the affected device series and links to their respective vulnerability patch instructions is included below.

Recommendation: Partners and Client organizations should have cyber security teams determine which affected devices they have and patch accordingly.

Recommendation: Update Cisco devices more frequently. Where CDP is not operationally required on an interface (for example, ports facing untrusted or non-Cisco devices), disabling it there (no cdp enable on the interface, or no cdp run globally) removes the exposure; note that Cisco IP phones rely on CDP for voice VLAN assignment, so disabling CDP on phone-facing ports needs testing first.

Affected Cisco Device(s) | Vulnerability Patch Instructions Link
IP Conference Phone 7832 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069
IP Conference Phone 7832 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96060
IP Conference Phone 8832 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96071
IP Conference Phone 8832 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96064
IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96065 ; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96067
IP Phone 7811, 7821, 7841, 7861 Desktop Phones | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96739
IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96063
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96066 ; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96058 ; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96059
Unified IP Conference Phone 8831 | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96738
Unified IP Conference Phone 8831 for Third-Party Call Control | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96057
Wireless IP Phone 8821 and 8821-EX | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96070
Firepower 4100 Series and Firepower 9300 Security Appliances | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15083
IOS XR Software | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr150824
MDS 9000 Series Multilayer Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073
Nexus 1000 Virtual Edge for VMware vSphere | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078
Nexus 1000V Switch for Microsoft Hyper-V | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr14976
Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15079
Nexus 7000 Series Switches | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073
Nexus 9000 Series Fabric Switches in ACI Mode | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15072
UCS 6200, 6300, and 6400 Series Fabric Interconnects | hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15082 ; hXXps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15111

August 19, 2019: According to Mexico News Daily, there have been over 61,000 vandalism incidents so far in 2019 in Mexico that have triggered electricity outages. The outages have occurred in Sinaloa, Tamaulipas, Michoacán, Sonora, Hidalgo, Chihuahua, México state, Tabasco and Baja California. This number is higher than the combined total for the same period of 2017 and 2018. The article also noted that the Federal Electricity Commission (CFE) increased its land and air patrol areas by 60% last year in response to the increased vandalism.

Source: hXXps://mexiconewsdaily.com/news/vandalism-triggered-power-outages/

On May 9th, threat-research company Advanced Intelligence, LLC, published a report [hXXps://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies] on threat actors “Fxmsp,” who claim to have breached three leading antivirus companies. According to the article, on April 24th Fxmsp extracted source code from antivirus software, artificial intelligence, and security plugins from those three companies. Fxmsp offered screenshots of the companies’ folders (30 TB), which appeared to contain information about their development documentation, artificial intelligence model, web security software, and antivirus software base code.

The article states that Fxmsp’s known TTPs include accessing network environments via remote desktop protocol servers and exposed Active Directory. The E-ISAC is unaware of matching activity found in the electricity sector.

More information can be found here [hXXps://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/].

A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

The researchers demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark, which the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating on the network, gather intelligence on that communication, translate function codes, and extract the PLC programs being transmitted.

They subsequently added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks. 
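Both Nozomi tools rest on the same observation: TriStation traffic on a safety network is rare and should come only from the engineering workstation, so anything else (a new client, or any contact at all with a lure that simulates a controller) is worth an alert. The following is an added example written for this advisory, not Nozomi's dissector or honeypot: a small detection pass over connection-log lines. TriStation runs over UDP port 1502, as documented in the public TRITON analyses; the host inventory, the addresses and the log format are assumptions for the demonstration, and the log lines are constructed, not captured.

```python
"""Added example (not Nozomi's tool): flagging TriStation traffic that a SIS
network should never see, over constructed connection-log lines.  Host
inventory, addresses and log format are assumptions for the demonstration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRISTATION_UDP_PORT = 1502  # TriStation protocol port, per public TRITON analyses

# Assumed site inventory.
ENGINEERING_WORKSTATIONS = {"10.20.1.10"}      # only hosts allowed to program the SIS
SIS_CONTROLLERS = {"10.20.5.1", "10.20.5.2"}   # real Triconex controllers
SIS_HONEYPOTS = {"10.20.5.250"}                # lure that simulates a controller

# Constructed log lines (ts, src, sport, dst, dport, proto), tab-separated,
# modelled loosely on a flow/conn log.  None of this is captured traffic.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("1580000001.0", "10.20.1.10", "49152", "10.20.5.1", "1502", "udp"),
    ("1580000002.0", "10.20.1.10", "49153", "10.20.5.2", "1502", "udp"),
    ("1580000003.0", "10.20.3.44", "51000", "10.20.5.1", "1502", "udp"),
    ("1580000004.0", "10.20.3.44", "51001", "10.20.5.250", "1502", "udp"),
    ("1580000005.0", "10.20.3.44", "51002", "10.20.5.250", "502", "tcp"),
    ("1580000006.0", "10.20.1.10", "49154", "10.20.5.1", "502", "tcp"),
])


@dataclass
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> List[Flow]:
    """Parse the tab-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), proto))
    return flows


def classify(flow: Flow) -> Optional[str]:
    """Return an alert name for a suspicious flow, or None for expected traffic."""
    # Any packet to a honeypot is reconnaissance or an attack attempt: nothing
    # legitimate ever talks to a controller that does not exist, on any port.
    if flow.dst in SIS_HONEYPOTS:
        return "honeypot-contacted"
    # TriStation traffic to a real controller from a host that is not an
    # engineering workstation is what a TRITON deployment looks like on the wire.
    if (flow.proto == "udp" and flow.dport == TRISTATION_UDP_PORT
            and flow.dst in SIS_CONTROLLERS
            and flow.src not in ENGINEERING_WORKSTATIONS):
        return "unexpected-tristation-client"
    return None


def detect(text: str) -> List[Tuple[float, str, str, int, str]]:
    """Run classify() over a log and return (ts, src, dst, dport, alert) rows."""
    rows = []
    for flow in parse_log(text):
        alert = classify(flow)
        if alert:
            rows.append((flow.ts, flow.src, flow.dst, flow.dport, alert))
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_LOG):
        print(row)
```

The honeypot rule deliberately ignores the port: a lure's value is that every packet to it is a finding, so a scan on TCP/502 is as much of a signal as a TriStation connection attempt.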

While analyzing TRITON, the Nozomi researchers also found a built-in maintenance backdoor in version 4.9 of TriStation 1131, the Triconex engineering software.

"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."

The Centers for Disease Control and Prevention (CDC) has made a connection between COVID-19 and Multisystem Inflammatory Syndrome in Children (MIS-C).

The U.S. Centers for Disease Control and Prevention (CDC) on Thursday released guidance that schools, businesses, and other organizations can use as states reopen from coronavirus shutdowns.

CDC issued a health advisory to doctors across the country Thursday advising them to be on the lookout for a troubling new syndrome that may be associated with COVID-19 infection.

The syndrome, called multisystem inflammatory syndrome in children (MIS-C), has been seen in children across Europe and in at least 18 states, plus Washington, D.C.

"In early May 2020, the New York City Department of Health and Mental Hygiene received reports of children with multisystem inflammatory syndrome," the CDC health advisory said. "There is limited information currently available about risk factors, pathogenesis, clinical course, and treatment for MIS-C," it said.

"CDC is requesting healthcare providers report suspected cases to public health authorities to better characterize this newly recognized condition in the pediatric population," the advisory said.

Traditional Media Sources

http://tinyurl.com/y9hpfea6

https://www.healthychildren.org/

According to multiple sources, China is believed to be the nation behind ongoing cyber-attacks on Australian institutions, including hospitals and state-owned utilities. The attacks are targeting all levels of government, as well as private businesses. Australian officials believe they are being targeted for banning Huawei and other companies from involvement in their 5G network, and for Australia pushing for an international inquiry into the course and spread of COVID-19. While Australia determined last March that China was responsible for a hacking attack on Australia’s parliament, the attacks have intensified in recent weeks. On Friday, China’s government rejected suggestions of a large-scale hacking attack. Scott Morrison, the Australian Prime Minister, would not take the formal step of publicly naming which state actor he believed to be behind the attacks, but senior sources confirmed China is believed to be responsible. The Prime Minister emphasized the attacks "hadn't just started" and were ongoing.

The E-ISAC Watch Operations Team will continue to monitor and update the organization as information is received on this matter. 

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued a document describing steps for company executives to consider in order to reduce physical, cyber, and supply chain issues resulting from COVID-19. The document is intended for widest distribution and may assist in preparing for any potential impacts to your company.

The document is attached to this post for your convenience. It is important to note that it was distributed broadly to critical infrastructure owners and operators and is not specifically aimed at our industry.

The Department of Homeland Security has developed a fact sheet entitled “Countering Unmanned Aircraft Systems Legal Authorities” designed to assist in implementing the Preventing Emerging Threats Act of 2018. The fact sheet highlights how DHS will implement the act to counter UAS that may present a threat, covering defense techniques, authorized locations, privacy considerations, and next steps. We have attached the fact sheet for members’ continued awareness of UAS and counter-UAS activities.

According to multiple open source websites, the country of Georgia was hit with a cyber-attack that knocked out thousands of websites, as well as a national television station.

Court websites containing case materials and personal data have also been attacked, as well as the presidential website.  The origin of the attack, and who was behind it, are not yet known at this time.

At present, the energy sector infrastructure has not been targeted; however, the E-ISAC will continue to monitor for additional developments and provide updates when necessary.