Security Wrap-Up (July 13th, 2021)

Happy Tuesday! I have some great security news available below, and I didn’t know we’d see SolarWinds so soon… check out the articles below -

Unpatched critical RCE bug allows industrial and utility takeovers
A critical remote code execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs), titled ‘ModiPwn,’ allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare, and enterprise environments. The vulnerability (CVE-2021-22779) takes advantage of undocumented commands in device code and impacts the Modicon M340, M580, and other models from the Modicon series. If exploited, it could impact production lines, conveyor belts, elevators, HVACs, and other automated devices. The vulnerability is rated 9.8 out of 10 on the CVSS vulnerability-rating scale, making it critical. At the moment, Schneider has released a set of mitigations for the bug but no full patch is available yet.

Google’s Certificate Authority Service (CAS) now widely available
Google CAS is a scalable service for managing and deploying private certificates via automation, as well as managing public key infrastructure (PKI). Google has said they created the platform to “address the unprecedented growth in certificates in the digital world” that has come from cloud services, Internet of Things (IoT), smart devices, and more. Clients have implemented CAS for use cases such as identity management and digital signature services.

SolarWinds issues hotfix for zero-day flaw under active attack
SolarWinds has issued a hotfix for a zero-day remote code execution (RCE) vulnerability that was already under active attack on some of the company’s customers. The flaw affects its Serv-U Managed File Transfer Server and Serv-U Secured FTP products. This vulnerability exists in the latest Serv-U version 15.2.3 HF1 released on May 5th, as well as all prior versions. According to Microsoft, they demonstrated how a threat actor could exploit the vulnerability to run arbitrary code with privileges. At the moment, SolarWinds does not know how many customers may be directly affected by the flaw, nor has it identified the ones who were targeted.

Scam artists exploit Kaseya security woes to deploy malware
Last Friday, Kaseya was hit by REvil, a ransomware group that managed to exploit vulnerabilities in the firm’s VSA software. In response, Kaseya pulled VSA and SaaS servers offline and roughly 50 direct clients and up to 1,500 businesses down the chain have been impacted. Samples of fake, emailed Kaseya advisories urge recipients to download and execute an attachment called “SecurityUpdates.exe” to resolve a vulnerability in Kaseya and to protect themselves against ransomware. The attachment, a Windows executable, is actually a Cobalt Strike package - which could be used to set up a connection with a command-and-control (C2) server.

Let me know what you think about this week’s news and to share any of your own below!

1 Like