Schneider Electric EcoStruxure Foxboro DCS Core Control Services

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low Attack Complexity
  • Vendor: Schneider Electric
  • Equipment: EcoStruxure Foxboro DCS Core Control Services
  • Vulnerabilities: Out-of-bounds Write, Improper Validation of Array Index, Improper Input Validation

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could lead to a loss of system functionality or unauthorized access to system functions.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:

  • EcoStruxure Foxboro DCS Core Control Services: Versions 9.8 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
An out-of-bounds write vulnerability exists that could cause a local denial of service or a kernel memory leak when a malicious actor with local user access crafts a script or program that issues an IOCTL call to the Foxboro.sys driver.
CVE-2024-5679 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
3.2.2 IMPROPER VALIDATION OF ARRAY INDEX CWE-129
An improper validation of array index vulnerability exists that could cause a local denial of service when a malicious actor with local user access crafts a script or program that issues an IOCTL call to the Foxboro.sys driver.
CVE-2024-5680 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
3.2.3 IMPROPER INPUT VALIDATION CWE-20
An improper input validation vulnerability exists that could cause a local denial of service, privilege escalation, and potentially kernel code execution when a malicious actor with local user access crafts a script or program that issues an IOCTL call to the Foxboro.sys driver.
CVE-2024-5681 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Services and Facilities, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Vladimir Tokarev of Microsoft Defender for IoT reported these vulnerabilities to Schneider Electric.
4. MITIGATIONS
Schneider Electric has made Patch HF97872598, which includes a fix for these vulnerabilities, available for versions 9.5 to 9.8 of EcoStruxure Foxboro DCS Core Control Services.
Users should contact their local service representative or the Schneider Electric Process Automation Global Customer Support Center for information on how to download and install this fix. A reboot is required.
Users should employ appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends the use of back-ups and evaluating the impact of these patches in a test and development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if you need assistance removing a patch. If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
As the identified vulnerabilities require local user account access, EcoStruxure Foxboro DCS workstations should be installed in a secure location to prevent physical access by unauthorized personnel, and appropriate password protections put in place to prevent remote access by unauthorized personnel.
To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service.
Schneider Electric strongly recommends the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For more information, see Schneider Electric Security Notification “SEVD-2024-191-02 EcoStruxure Foxboro DCS Core Control Services”.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

  • December 10, 2024: Initial Publication

MOBATIME Network Master Clock

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: MOBATIME
  • Equipment: Network Master Clock – DTS 4801
  • Vulnerability: Use of Default Credentials

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to take control of the operating system for this product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Network Master Clock – DTS 4801, a primary clock used to synchronize with secondary clocks, are affected:

  • Network Master Clock – DTS 4801: FW Version 00020419.01.02020154

3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Default Credentials CWE-1392
MOBATIME Network Master Clock – DTS 4801 allows an attacker to gain initial access over SSH using default credentials.
CVE-2024-12286 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-12286. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Mate Csorba and Zoltan Kato from DNV reported this vulnerability to CISA.
4. MITIGATIONS
MOBATIME recommends that users update to the latest firmware version, available from the MOBATIME homepage.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

  • December 10, 2024: Initial Publication

Cisco Releases Security Updates for NX-OS Software

Cisco released security updates to address a vulnerability in Cisco NX-OS software. A cyber threat actor could exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review the following advisory and apply the necessary updates:

  • Cisco NX-OS Software Image Verification Bypass Vulnerability

CISA Releases Two Industrial Control Systems Advisories

CISA released two Industrial Control Systems (ICS) advisories on December 5, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

  • ICSA-24-340-01 AutomationDirect C-More EA9 Programming Software
  • ICSA-24-340-02 Planet Technology Planet WGS-804HPT

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

AutomationDirect C-More EA9 Programming Software

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: AutomationDirect
  • Equipment: C-More EA9 Programming Software
  • Vulnerabilities: Stack-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in memory corruption; a buffer overflow condition may allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
AutomationDirect reports that the following versions of C-more EA9 series programming software are affected:

  • C-More EA9 Programming Software: version 6.78 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 Stack-based Buffer Overflow CWE-121
A file parsing stack-based buffer overflow remote code execution vulnerability is a serious software flaw that arises when an application or system improperly handles input files, leading to a stack-based buffer overflow. If exploited, this vulnerability allows attackers to execute arbitrary code remotely, often resulting in system compromise or unauthorized control.
CVE-2024-11609 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11609. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Stack-based Buffer Overflow CWE-121
A file parsing memory corruption remote code execution vulnerability occurs when an application fails to safely handle data during the parsing of files, resulting in memory corruption. If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely, potentially compromising the target system.
CVE-2024-11610 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11610. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Stack-based Buffer Overflow CWE-121
A file parsing memory corruption remote code execution vulnerability occurs when an application fails to safely handle data during the parsing of files, resulting in memory corruption. If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely, potentially compromising the targeted system.
CVE-2024-11611 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11611. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Andrea Micalizzi aka rgod (@rgod777) working with Trend Micro Zero Day Initiative reported these vulnerabilities to AutomationDirect.
4. MITIGATIONS
To resolve these vulnerabilities, AutomationDirect recommends that users update C-MORE EA9 HMI to V6.79.
If an immediate update is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:
  1. Isolate the Engineering Workstation:
     • Disconnect the workstation from external networks (e.g., internet or corporate LAN) to limit exposure to external threats.
     • Use dedicated, secure internal networks or air-gapped systems for communication with programmable devices.
  2. Control Access:
     • Restrict physical and logical access to the workstation to authorized personnel only.
     • Implement multi-factor authentication (MFA) and robust password policies for user accounts.
  3. Implement Whitelisting:
     • Use application whitelisting to allow only pre-approved and trusted software to execute on the workstation.
     • Block untrusted or unauthorized applications.
  4. Apply Endpoint Security Measures:
     • Use antivirus or endpoint detection and response (EDR) tools to monitor for and mitigate threats.
     • Ensure that host-based firewalls are properly configured to block unauthorized access.
  5. Monitor and Log Activity:
     • Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions.
     • Regularly review logs for suspicious activity.
  6. Harden the Workstation:
     • Remove or disable unnecessary services and software to reduce the attack surface.
     • Implement security configurations, such as disabling autorun for USB drives or restricting administrative privileges.
  7. Use Secure Backup and Recovery:
     • Regularly back up the workstation and its configurations to a secure location.
     • Test recovery procedures to ensure minimal downtime in the event of an incident.
  8. Conduct Regular Risk Assessments:
     • Continuously assess the risks posed by the outdated software and adjust mitigation measures as necessary.

For more information, see the AutomationDirect security advisory.
CISA recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

  • December 5, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: AutomationDirect
  • Equipment: C-More EA9 Programming Software
  • Vulnerabilities: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in memory corruption; a buffer overflow condition may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

AutomationDirect reports that the following versions of C-more EA9 series programming software are affected:

  • C-More EA9 Programming Software: version 6.78 and prior

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

A file parsing stack-based buffer overflow remote code execution vulnerability is a serious software flaw that arises when an application or system improperly handles input files, leading to a stack-based buffer overflow. If exploited, this vulnerability allows attackers to execute arbitrary code remotely, often resulting in system compromise or unauthorized control.

CVE-2024-11609 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11609. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Stack-based Buffer Overflow CWE-121

A file parsing memory corruption remote code execution vulnerability occurs when an application fails to safely handle data during the parsing of files, resulting in memory corruption. If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely, potentially compromising the target system.

CVE-2024-11610 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11610. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Stack-based Buffer Overflow CWE-121

A file parsing memory corruption remote code execution vulnerability occurs when an application fails to safely handle data during the parsing of files, resulting in memory corruption. If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely, potentially compromising the targeted system.

CVE-2024-11611 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11611. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Andrea Micalizzi aka rgod (@rgod777) working with Trend Micro Zero Day Initiative reported these vulnerabilities to AutomationDirect.

4. MITIGATIONS

To resolve these vulnerabilities AutomationDirect recommends that users update C-MORE EA9 HMI to V6.79.

If an immediate update is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:

  1. Isolate the Engineering Workstation:
  • Disconnect the workstation from external networks (e.g., internet or corporate LAN) to limit exposure to external threats.
  • Use dedicated, secure internal networks or air-gapped systems for communication with programmable devices.
  2. Control Access:
  • Restrict physical and logical access to the workstation to authorized personnel only.
  • Implement multi-factor authentication (MFA) and robust password policies for user accounts.
  3. Implement Whitelisting:
  • Use application whitelisting to allow only pre-approved and trusted software to execute on the workstation.
  • Block untrusted or unauthorized applications.
  4. Apply Endpoint Security Measures:
  • Use antivirus or endpoint detection and response (EDR) tools to monitor for and mitigate threats.
  • Ensure that host-based firewalls are properly configured to block unauthorized access.
  5. Monitor and Log Activity:
  • Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions.
  • Regularly review logs for suspicious activity.
  6. Harden the Workstation:
  • Remove or disable unnecessary services and software to reduce the attack surface.
  • Implement security configurations, such as disabling autorun for USB drives or restricting administrative privileges.
  7. Use Secure Backup and Recovery:
  • Regularly back up the workstation and its configurations to a secure location.
  • Test recovery procedures to ensure minimal downtime in the event of an incident.
  8. Conduct Regular Risk Assessments:
  • Continuously assess the risks posed by the outdated software and adjust mitigation measures as necessary.

For more information, see the AutomationDirect security advisory.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • December 5, 2024: Initial Publication

Planet Technology Planet WGS-804HPT

View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Planet Technology
Equipment: Planet WGS-804HPT
Vulnerabilities: Stack-based Buffer Overflow, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Integer Underflow (Wrap or Wraparound)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Planet WGS-804HPT, an industrial switch, are affected:

Planet WGS-804HPT: Version v1.305b210531

3.2 Vulnerability Overview
3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
The affected product is vulnerable to a stack-based buffer overflow. An unauthenticated attacker could send a malicious HTTP request whose input size the web server fails to check before copying the data to the stack, potentially allowing remote code execution.
CVE-2024-48871 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-48871. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
CVE-2024-52320 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-52320. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP request, which could allow the attacker to crash the program.
CVE-2024-52558 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-52558. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
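The three weakness classes in 3.2.1 through 3.2.3 share one root: request data reaching fixed buffers, length arithmetic and command strings without validation. The following C code is an added illustration and is not the WGS-804HPT firmware or anything from the advisory; it shows how each class typically appears in an embedded web server's request handling, with the unsafe pattern beside a hardened form. The parameter name `host`, the buffer size, the request lines and the function names are constructed for the example.

```c
/*
 * Added example, not Planet Technology code: the three CWE patterns from the
 * advisory (CWE-121, CWE-78, CWE-191) in an HTTP query handler, each with a
 * hardened counterpart.  Buffer size, parameter name and requests are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PARAM_MAX 64   /* constructed: size of the stack buffer holding a query value */

/* --- 3.2.1  CWE-121: unbounded copy into a fixed stack buffer --------------- */
/* Shown for contrast only and never called: with a value of PARAM_MAX bytes or
 * more, strcpy writes past `buf` into saved registers and the return address. */
void copy_param_unsafe(const char *value)
{
    char buf[PARAM_MAX];
    strcpy(buf, value);
    (void)buf;
}

/* Hardened: the caller passes the destination size; oversize input is rejected
 * rather than truncated, so a later consumer never sees a silently altered value. */
int copy_param_safe(const char *value, size_t value_len, char *out, size_t out_len)
{
    if (out_len == 0 || value_len >= out_len)
        return -1;
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return 0;
}

/* Pull "key=value" out of a request line such as "GET /cgi?host=1.2.3.4 HTTP/1.1".
 * Returns 0 on success, -1 if the key is absent or the value does not fit `out`. */
int extract_query_param(const char *request, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *q = strchr(request, '?');
    if (!q)
        return -1;
    for (const char *p = q + 1; *p && *p != ' ' && *p != '\r' && *p != '\n';) {
        const char *end = p;
        while (*end && *end != '&' && *end != ' ' && *end != '\r' && *end != '\n')
            end++;
        if ((size_t)(end - p) > klen && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return copy_param_safe(p + klen + 1, (size_t)(end - p - klen - 1), out, out_len);
        p = (*end == '&') ? end + 1 : end;   /* skip to the next parameter */
    }
    return -1;
}

/* --- 3.2.3  CWE-191: unsigned length arithmetic that wraps ------------------ */
/* The unsafe form is `total_len - header_len` with no ordering check: when a
 * malformed request makes header_len larger than total_len the size_t result
 * wraps to a huge count and the read that follows runs off the buffer.
 * Returns -1 on underflow, otherwise the body length (assumed to fit in long). */
long body_length(size_t total_len, size_t header_len)
{
    if (header_len > total_len)
        return -1;
    return (long)(total_len - header_len);
}

/* --- 3.2.2  CWE-78: request data reaching a shell --------------------------- */
/* Hardened: allowlist the value before it gets anywhere near system()/popen().
 * Only characters an IPv4 address or DNS name can contain are accepted, so
 * ';', '|', '`', '$' and whitespace never reach a command line. */
int is_safe_host(const char *s)
{
    if (*s == '\0' || strlen(s) > 253)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-')
            return 0;
    return 1;
}

/* Convenience wrapper: the validated host from a request line, or NULL when it
 * is missing, oversize (CWE-121 guard) or contains shell metacharacters
 * (CWE-78 guard).  A static buffer keeps the example short. */
const char *parse_host(const char *request)
{
    static char host[PARAM_MAX];
    if (extract_query_param(request, "host", host, sizeof host) != 0)
        return NULL;
    return is_safe_host(host) ? host : NULL;
}

int main(void)
{
    /* constructed request lines */
    const char *ok  = "GET /cgi-bin/ping?host=192.168.1.1 HTTP/1.1";
    const char *inj = "GET /cgi-bin/ping?host=127.0.0.1;reboot HTTP/1.1";
    const char *h;
    h = parse_host(ok);
    printf("benign request: %s\n", h ? h : "rejected");
    h = parse_host(inj);
    printf("injection attempt: %s\n", h ? h : "rejected");
    printf("body_length(100, 200) = %ld (guarded underflow)\n", body_length(100, 200));
    return 0;
}
```

The reject-don't-truncate choice in `copy_param_safe` matters in practice: a `strncpy`-style truncation would stop the overflow but could turn `host=evil.example.com;...` into a different, still attacker-chosen string further down the handler. Validating length, ordering and character set at the point of parsing is what closes all three findings at once.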
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER
Tomer Goldschmidt of Claroty Research – Team82 reported these vulnerabilities to CISA.
4. MITIGATIONS
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

December 05, 2024: Initial Publication 

ASD’s ACSC, CISA, and US and International Partners Release Guidance on Choosing Secure and Verifiable Technologies

Today, CISA—in partnership with the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), and other international partners—released updates to a Secure by Design Alert, Choosing Secure and Verifiable Technologies. Partners that provided recommendations in this alert include:

The Canadian Centre for Cyber Security (CCCS).
United Kingdom’s National Cyber Security Centre (NCSC-UK).
New Zealand’s National Cyber Security Centre (NCSC-NZ).
Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Centre (NCSC).

Cyber threats to user privacy and data are growing, requiring customers to evaluate their processes for acquiring products and services from technology manufacturers. Proactive integration of security mitigations into the procurement process can assist in managing risks present within the technology supply chain and reduce costs for organizations. This guidance aids procuring organizations and manufacturers of digital products and services in choosing and developing technology that is secure by design. This is an update to previously released guidance (Secure by Design Choosing Secure and Verifiable Technologies).
CISA and partners encourage all organizations to read the guidance to assist with making secure and informed choices when procuring digital products and services. Software manufacturers are also encouraged to incorporate the secure by design principles and practices found in the guidance. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. 

CISA Releases New Public Version of CDM Data Model Document

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released an updated public version of the Continuous Diagnostics and Mitigation (CDM) Data Model Document. Version 5.0.1 aligns with fiscal year 2023 Federal Information Security Modernization Act (FISMA) metrics.
The CDM Data Model Document provides a comprehensive description of a common data schema to ensure that prescribed diagnostic activities within CDM solutions are consistent across all participating federal agencies. Agencies leverage the common data schema to accomplish these critical objectives: 

Reduce agency threat surface.
Increase visibility into the federal cybersecurity posture.
Improve federal cybersecurity response capabilities.
Streamline FISMA reporting.

Vendors can also benefit from the CDM Data Model Document.
For additional information, visit the Continuous Diagnostics and Mitigation (CDM) Program web page. 

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-51378 CyberPanel Incorrect Default Permissions Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

U.S. Offered $10M for Hacker Just Arrested by Russia

In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.

An FBI wanted poster for Matveev.

Matveev, a.k.a. “Wazawaka” and “Boriselcin,” worked with at least three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies, U.S. prosecutors allege.

Russia’s interior ministry last week issued a statement saying a 32-year-old hacker had been charged with violating domestic laws against the creation and use of malicious software. The announcement didn’t name the accused, but the Russian state news agency RIA Novosti cited anonymous sources saying the man detained is Matveev.

Matveev did not respond to requests for comment. Daryna Antoniuk at TheRecord reports that a security researcher said on Sunday they had contacted Wazawaka, who confirmed being charged and said he’d paid two fines, had his cryptocurrency confiscated, and is currently out on bail pending trial.

Matveev’s hacker identities were remarkably open and talkative on numerous cybercrime forums. Shortly after being identified as Wazawaka by KrebsOnSecurity in 2022, Matveev published multiple selfie videos on Twitter/X where he acknowledged using the Wazawaka moniker and mentioned several security researchers by name (including this author). More recently, Matveev’s X profile (@ransomboris) posted a picture of a t-shirt that features the U.S. government’s “Wanted” poster for him.

An image tweeted by Matveev showing the Justice Department’s wanted poster for him on a t-shirt. image: x.com/vxunderground

The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka wrote in January 2021 on the Russian-language cybercrime forum Exploit. “Mother Russia will help you. Love your country, and you will always get away with everything.”

Still, Wazawaka may not have always stuck to that rule. At several points throughout his career, Wazawaka claimed he made good money stealing accounts from drug dealers on darknet narcotics bazaars.

Cyber intelligence firm Intel 471 said Matveev’s arrest raises more questions than answers, and that Russia’s motivation here likely goes beyond what’s happening on the surface.

“It’s possible this is a shakedown by Kaliningrad authorities of a local internet thug who has tens of millions of dollars in cryptocurrency,” Intel 471 wrote in an analysis published Dec. 2. “The country’s ingrained, institutional corruption dictates that if dues aren’t paid, trouble will come knocking. But it’s usually a problem money can fix.”

Intel 471 says while Russia’s court system is opaque, Matveev will likely be open about the proceedings, particularly if he pays a toll and is granted passage to continue his destructive actions.

“Unfortunately, none of this would mark meaningful progress against ransomware,” they concluded.

Although Russia traditionally hasn’t put a lot of effort into going after cybercriminals within its borders, it has brought a series of charges against alleged ransomware actors this year. In January, four men tied to the REvil ransomware group were sentenced to lengthy prison terms. The men were among 14 suspected REvil members rounded up by Russia in the weeks before Russia invaded Ukraine in 2022.

Earlier this year, Russian authorities arrested at least two men for allegedly operating the short-lived Sugarlocker ransomware program in 2021. Aleksandr Ermakov and Mikhail Shefel (now legally Mikhail Lenin) ran a security consulting business called Shtazi-IT. Shortly before his arrest, Ermakov became the first ever cybercriminal sanctioned by Australia, which alleged he stole and leaked data on nearly 10 million customers of the Australian health giant Medibank.

In December 2023, KrebsOnSecurity identified Lenin as “Rescator,” the nickname used by the cybercriminal responsible for selling more than 100 million payment cards stolen from customers of Target and Home Depot in 2013 and 2014. Last month, Shefel admitted in an interview with KrebsOnSecurity that he was Rescator, and claimed his arrest in the Sugarlocker case was payback for reporting the son of his former boss to the police.

Ermakov was sentenced to two years probation. But on the same day my interview with Lenin was published here, a Moscow court declared him insane, and ordered him to undergo compulsory medical treatment, The Record’s Antoniuk notes.
