CISO Intelligence for 5th November 2024
Welcome to this issue of CISO Intelligence for the 5th November 2024.
- Unpatchy Situations: ABB's VulnCheck Drama
- DDoS Siege at the Local Level: Pro-Russia Hackers Demolish UK Council Websites
- FakeCall Wants to Drop In on Your Bank Chat: Android's Latest Malware
- The Pacific Rim Time Machine: Keeping Pace with Cyber Shenanigans
- Rogue Ads Redirect Visitors: The Greatest Show on the Web
- Intrusions, Sprays, and Threats: A Chinese Recipe for Cyber Chaos
Our goal is to ensure we provide timely, accurate information on topics that CISOs of all organisations can use immediately. To that end, each briefing note comprises:
- A Board Briefing Summary
- The challenge for the CISO’s team to meet
- Questions for suppliers
- Insight into the issue being discussed through a short note
This briefing is a more advanced companion to the free LinkedIn newsletter CISO Intelligence.
We hope you find this interesting and enjoyable, and if you have any questions, comments, or feedback, let us know! We’re a small startup and your support really does mean a lot to us.
Unpatchy Situations: ABB's VulnCheck Drama
BOARD BRIEFING
ABB building automation software's unpatched vulnerabilities leave crucial installations like museums and universities open to security breaches—urgent action is recommended to ensure patch application and system security enhancement.
TEAM CHALLENGE
Ensure all systems using ABB Cylon ASPECT are patched immediately to mitigate unauthorised access and credential theft risks. Conduct an audit of other systems for similar vulnerabilities.
SUPPLIER QUESTIONS
- Is ABB planning any further software updates to enhance security measures, particularly concerning authentication enforcement?
- How does ABB plan to address systems that remain unpatched despite the availability of updates since 2022?
CISO FOCUS: Industrial Control Systems Security
Sentiment: Negative
Time to Impact: Short (3-18 months)
"When patchwork becomes patchless work, vulnerabilities bask in the chaos."
Vulnerabilities Expose Critical Infrastructure Risks in ABB Software
In a digital age where securing systems is as fundamental as the infrastructure they support, the discovery of two notable vulnerabilities in ABB’s building automation and energy management software, ABB Cylon ASPECT, has sent a ripple through the cybersecurity landscape. Researchers from VulnCheck have exposed these critical security gaps, raising alarms for industries reliant on Industrial Control Systems (ICS).
Vulnerabilities on Display
Two distinct vulnerabilities, CVE-2023-0636 and CVE-2024-6209, have been identified within the ABB Cylon ASPECT system. This software is integral to facilities such as the American Museum of Natural History and universities like UC Irvine, accentuating the urgent need for cybersecurity teams to spring into action. Despite the availability of patches since 2022, the reality that 214 out of 265 discovered systems remain unpatched is concerning.
- CVE-2023-0636: This flaw permits command injection, potentially allowing unauthorized remote code execution. Although ABB reports that authentication is mandatory, VulnCheck's research indicates a lack of consistency in enforcement.
- CVE-2024-6209: This vulnerability facilitates unauthenticated file disclosure, providing attackers with the ability to extract plain-text credentials. This can pivot into additional compromises within the network.
Why It Matters
The impact of these vulnerabilities is further amplified by the scope and scale of ABB Cylon systems, which manage and automate significant infrastructure components. Proof-of-concept exploits are already available in the public domain; although current exploitation activity remains low, the potential for future attacks is unambiguously high.
ABB’s software is deployed in sectors that form the backbone of societal functions—from education to cultural institutions. This makes the immediate patching and ongoing vigilance an imperative for reducing potential exposure to cyber threats.
Exploring the Patching Paradox
Acknowledging the inherent risk isn't just about understanding the vulnerabilities but also about addressing why so many systems remain unpatched. A systemic issue in the cybersecurity field is that the patch management process can be cumbersome, leaving gaps open long after fixes are available.
The reluctance or delay in updating these systems may stem from operational constraints, lack of awareness, or mismanagement. Such delays create a ripe environment for cyber adversaries to exploit vulnerabilities in systems that form critical infrastructure.
Immediate Steps for Protection
Cybersecurity teams need to undertake the following crucial actions:
- Conduct a thorough audit of all systems running ABB Cylon ASPECT to identify those that are yet to be patched.
- Develop a rigorous patch management strategy that ensures prompt application of security updates.
- Reduce reliance on manual processes for authentication checks so that access controls are enforced consistently.
- Provide regular security training and updates for teams to maintain a strong security posture.
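The first step above, auditing for unpatched ABB Cylon ASPECT installations, is easiest to sustain when it runs against the asset inventory rather than a spreadsheet. The following script is an added illustration written for this briefing; it is not code from ABB, VulnCheck, or the newsletter's sources. The CSV layout, the hostnames, and the MIN_PATCHED_VERSION baseline are constructed placeholders: substitute the fixed version from ABB's own advisory for your product line before relying on the output.

```python
"""Audit an asset inventory for ABB Cylon ASPECT hosts that are below a patch baseline.

Added example for illustration. The inventory format, the hostnames and the
MIN_PATCHED_VERSION value are constructed placeholders, not vendor data.
"""
import csv
import io
import re
from dataclasses import dataclass

# PLACEHOLDER: replace with the fixed version stated in ABB's advisory for your systems.
MIN_PATCHED_VERSION = "3.08.03"

# Constructed sample export from an asset database (not real hosts).
SAMPLE_INVENTORY = """hostname,product,version,network_zone,internet_exposed
bms-museum-01,ABB Cylon ASPECT,3.07.00,ot-bms,yes
bms-campus-02,ABB Cylon ASPECT,3.08.03,ot-bms,no
bms-campus-03,ABB Cylon ASPECT,3.08.10,ot-bms,no
hvac-gw-07,ABB Cylon ASPECT,2.99.12,ot-bms,yes
cctv-nvr-01,Other Vendor NVR,5.1.2,physical-sec,no
bms-annex-04,ABB Cylon ASPECT,unknown,ot-bms,no
"""


@dataclass
class Finding:
    hostname: str
    version: str
    internet_exposed: bool
    reason: str


def parse_version(text):
    """Turn a dotted version such as '3.08.03' into (3, 8, 3).

    Returns None for values that are not purely numeric dotted versions, so
    that 'unknown' or free text is surfaced for manual verification rather
    than silently treated as patched.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def audit_inventory(csv_text, min_version=MIN_PATCHED_VERSION, product="ABB Cylon ASPECT"):
    """Return (findings, in_scope_count) for every host running `product`.

    A finding is raised when the host's version is below the baseline or
    cannot be parsed. Findings are ordered so that internet-exposed hosts
    come first, then the oldest versions, which is the order in which a
    remediation team would normally want to work.
    """
    baseline = parse_version(min_version)
    if baseline is None:
        raise ValueError(f"baseline version is not parseable: {min_version!r}")

    findings = []
    in_scope = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip() != product:
            continue  # other vendors are out of scope for this audit
        in_scope += 1
        exposed = row["internet_exposed"].strip().lower() == "yes"
        version = parse_version(row["version"])
        if version is None:
            findings.append(Finding(row["hostname"], row["version"], exposed,
                                    "version unknown - verify manually"))
        elif version < baseline:
            findings.append(Finding(row["hostname"], row["version"], exposed,
                                    f"below baseline {min_version}"))

    # Exposed first (False sorts before True), then lowest version first;
    # unparseable versions sort to the top of their exposure group.
    findings.sort(key=lambda f: (not f.internet_exposed, parse_version(f.version) or (-1,)))
    return findings, in_scope


if __name__ == "__main__":
    results, total = audit_inventory(SAMPLE_INVENTORY)
    print(f"{len(results)} of {total} in-scope hosts need attention")
    for f in results:
        flag = "EXPOSED" if f.internet_exposed else "internal"
        print(f"{f.hostname:<16} {f.version:<10} {flag:<9} {f.reason}")
```

Running it on the constructed inventory reports 3 of 5 ABB hosts, with the two internet-exposed gateways at the top of the list and the host whose version could not be read flagged for a manual check rather than assumed safe. Feeding the real inventory export into `audit_inventory` gives the "patched versus unpatched" ratio the board briefing asks for, and re-running it after each maintenance window turns the one-off audit into the ongoing patch management evidence the second step calls for.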
Looking Ahead
As the industry grapples with these exposures, there is a broader lesson on the significance of cybersecurity in ICS management. Constant vigilance and proactive measures are no longer options but essential mandates for any organization handling sensitive infrastructure management.
This incident is a clarion call, underscoring the urgency for robust defenses against the ever-escalating cyber threat landscape. With the prominence of ICS in modern infrastructure, aligning cybersecurity measures with operational priorities is crucial to thwart potential compromises.
As researchers, vendors, and companies work collaboratively to address these issues, ensuring adherence to the security patch lifecycle becomes a cornerstone of an organization's security strategy. By linking vulnerabilities to action, the path toward more resilient operational systems becomes not just a possibility, but a necessity.
It's time to transform patchwork chaos into a structured defense, ensuring our critical systems operate under the fortress of strengthened cybersecurity practices.