16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks
A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.
The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-
The Hacker News | #1 Trusted Cybersecurity News Site
Check if you’re in Google Chrome’s third-party cookie phaseout test
Google has started testing the phasing out of third-party cookies on Chrome, affecting about 1% of its users or approximately 30 million people. Learn how to check if you are part of the initial test. […]
Hackers Attacking Power Generator Systems to Infect With Ransomware
A new variant of SystemBC malware was found to be deployed to a critical infrastructure target. This malware was responsible for the DarkSide Colonial Pipeline Incident in 2021. There have been several Ransomware attacks during the second quarter of 2023.
Threat actors target several organizations and infrastructures with ransomware attacks. But only a few ransomware attacks were targeting electric utilities.
More than 56% of the targets reported that they faced a loss of private information or an outage in their Operational Technology (OT) Environment.
In addition to this, recent reports indicate that a South African electric utility was targeted with a Cobalt Strike Beacon and DroxiDat, which was identified as a new variant of the SystemBC payload.
The intrusion took place during the third and fourth weeks of March 2023 and was part of a small wave of attacks across the world.
Technical Details
The current variant of SystemBC is a proxy-capable backdoor with malicious modifications. SystemBC has been available since 2018 as "malware as a service" (MaaS) and is sold on various underground forums.
SystemBC has three parts: a C2 web server with an admin panel, a C2 proxy listener on the server side, and a backdoor payload on the target.
DroxiDat is the payload component of SystemBC; earlier builds were 15-30 KB or more, while the current one is compacted to roughly 8 KB.
DroxiDat does not act as a download-and-execute payload as previous versions did, but it can connect to remote listeners to relay data between the C2 and the target and modify the system registry.
Two instances of DroxiDat were found in C:\perflogs alongside the Cobalt Strike Beacon on multiple systems.
The current variant of SystemBC has several notable capabilities: retrieving machine names or usernames, creating a session with the C2 by decrypting its settings, communicating with the C2 over an encrypted channel, and creating or deleting registry keys.
It is highly suspected that this activity was carried out by a Russian-speaking RaaS cybercrime unit. Suspected threat actors also include Pistachio Tempest or FIN12. A complete report has been published by Securelist, which provides detailed information about the current variant of SystemBC and its activities.
AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records
A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.