US and UK warn of Russian attacks on OT

The alert, entitled Defending OT Operations Against Ongoing Pro-Russian Hacktivist Activity, was developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the U.K.’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (CCCS), and several other U.S. agencies.

Russian hacktivists have been targeting small OT systems in the water, dams, energy, and food and agriculture sectors since 2022, gaining access through outdated remote access software (VNC) and weak or default passwords.

Some victims experienced minor tank overflow events, but most reverted to manual control immediately afterwards and quickly resumed normal operations.

Critical zero-day vulnerabilities in OpenVPN affect millions of installations worldwide

Microsoft security researcher Vladimir Tokarev will detail several critical zero-day vulnerabilities in OpenVPN at the upcoming Black Hat USA 2024 conference.

The vulnerabilities, codenamed OVPNX internally, affect a wide range of operating systems including Windows, iOS, macOS, Android and BSD.

The presentation titled “OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe” identifies four zero-day vulnerabilities in OpenVPN.

The exploit chain begins with remote code execution (RCE) via the OpenVPN plugin mechanism. From there, the remaining vulnerabilities extend the attack to local privilege escalation (LPE) and kernel code execution (KCE).

The Black Hat USA 2024 event will be held at the Mandalay Bay Convention Center August 3 to 8, 2024.


Dropbox hacked, user data leaked

Dropbox has revealed a large-scale attack on its systems in which attackers gained access to customers’ personal data.

In a report to regulators, Dropbox stated that management learned of the attack last week, on April 24.

The attacker gained access to data relating to all Dropbox Sign users, such as email addresses and usernames. For some users, the attacker also obtained phone numbers, hashed passwords and authentication material such as API keys, OAuth tokens and multi-factor authentication data.

Dropbox did not see evidence that its other products were affected. This may be because the Dropbox Sign infrastructure is separate from Dropbox’s other services.


UK becomes the first country in the world to ban easily guessable default usernames and passwords on IoT devices

On Monday, the UK became the first country in the world to ban easily guessable default usernames and passwords on IoT devices. Devices may still ship with a unique per-device password set by default.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum security standards for manufacturers. Under PSTI, weak or easily guessed default passwords such as “admin” or “12345” are explicitly prohibited, and manufacturers are also required to publish contact information so that users can report security flaws.

“As everyday life becomes increasingly dependent on internet-connected devices, the threats are increasing. From today, consumers will have greater confidence that their smart devices are protected from cyber criminals because we are the first in the world to introduce laws to ensure their security,” said Viscount Camrose, Minister responsible for cyber.


Critical vulnerability exploited to deploy malware on Palo Alto Firewall

A newly disclosed critical vulnerability, tracked as CVE-2024-3400, allows attackers to gain remote control of vulnerable firewalls.

The vulnerability stems from manipulation of the “SESSID” cookie in PAN-OS, which inadvertently allows files to be created with root privileges during each session. Attackers exploit this to execute malicious code.

Shortly after the vulnerability was disclosed, a proof-of-concept (PoC) was published, followed by active exploitation attempts. Cybersecurity firm Cato Networks announced that it intercepted several attempts to use this vulnerability to install the XMRig cryptocurrency-mining malware.

Attackers deliver a malicious ldr.sh script to the compromised firewall. The script disables security services and removes any competing malware already present, clearing the way for the installation of XMRig.

Organizations that rely on Palo Alto firewalls should immediately apply available updates.