Search This Blog

Showing posts with label Positive Technologies. Show all posts

Seven-Fold Surge in Dark Web Ads Providing Corporate Network Access


In the latest study, researchers at Positive Technologies have documented the evolution of hacker-placed ads on the Dark Web from 2020 to early 2021. It has transformed into a thriving marketplace for cybercriminals who want to buy or sell illegal and malicious goods and services. 

The number of ‘access-for-sale’ ads on the dark web has increased seven-fold compared with previous years. Researchers have identified as many as 590 new offers in the first quarter of 2021 alone, which is 83% of all offers in 2020. A contributing factor to this increase is a jump in ransomware attacks, according to the report.

Security specialists at the company believe that the profile of threat actors is changing in many ways. The profile of an outside intruder who gains first access to a corporate network is different from a criminal who tracks an attack after breaking inside. Most importantly, the two have different skillsets. 

Positive Technologies researchers note that ads promising access on dark web forums increased with each quarter throughout the observed period. In the first quarter of 2021, the number of users who placed ads for buying and selling access and also for seeking hacking partners tripled compared to Q1 2020.

“The market for access to corporate networks has evolved in the past few years. It could be assessed as mature as early as the beginning of 2020. A factor that contributed to this level of development is an increase in ransomware attacks: members of ransomware partner programs often use offers available on the initial access market,” Vadim Solovyov, a senior information security analyst at Positive Technologies stated.

Around $600,000 worth of corporate network access is sold on the Dark Web each quarter. Though that number seems low, selling prices on the Dark Web tend to be cheap, and the average cost keeps going down. This may reflect mass entry into the market by novice attackers. 

“As we can see, most companies who had access to their networks put up for sale by cybercriminals belong to the services (17%), manufacturing (14%), and research and education (12%) industries. Note that the share of industrial companies and financial institutions, whose networks are typically more expensive to hack, decreased somewhat. This may be attributed to the fact that the initial access market is served by lower-skilled actors who prefer easier victims,” Yana Yurakova, a  security analyst at Positive Technologies explained.

WAGO Controller Flaws Can Allow Hackers to Interrupt Industrial Processes


According to Russian cybersecurity firm Positive Technologies, a lot of vulnerabilities found in industrial controllers made by WAGO can be abused to obstruct technological processes, which in some cases could lead to industrial accidents. 

WAGO is a German company that manufactures components for electrical connections and electronic components for decentralized automation. 

The vulnerabilities were discovered in the WAGO PFC200 programmable logic controller (PLC), which the vendor has now addressed. One of the issues, tracked as CVE-2021-21001, has been defined as a path traversal issue involving a CODESYS component utilized by the device and is graded critical severity. 

It allows a network-connected attacker with elevated capabilities to access the target device's file system by delivering specially designed packets. 

Vladimir Nazarov, head of ICS security at Positive Technologies explained, “By exploiting this vulnerability, attackers can access the controller file system with read and write rights. Changes in the PLC file system may cause disruption of technological processes and even lead to industrial accidents.” 

The second vulnerability, CVE-2021-21000, is a medium-severity problem that affects WAGO's iocheckd service, which is used to check PLC input/output and demonstrate the PLC configuration. This weakness can be exploited by an unauthenticated intruder with network access to the device to cause a DoS condition. 

“Exploitation may cause a sudden shutdown of the controller, and in turn interrupt technological processes,” Positive Technologies explained. 

These flaws, along with ten others uncovered by Positive Technologies in CODESYS industrial automation software, were disclosed by Germany's VDE CERT in May. 

The 10 CODESYS flaws, the majority of which were rated critical or high severity, affected ICS systems from more than a dozen vendors who use CODESYS software. 

The US government recently sanctioned Positive Technologies for allegedly assisting Russian intelligence agencies. However, the company stated that it will continue to responsibly disclose vulnerabilities discovered by its employees in major U.S. corporations' products.

Serious Flaws Identified in CODESYS Industrial Automation Software


Cybersecurity researchers at Russian cybersecurity firm Positive Technologies discovered as many as ten critical flaws impacting CODESYS automation computer software that could be exploited to remote code execution on programmable logic controllers (PLCs). 

The Russian cybersecurity firm initially discovered the vulnerabilities in a programmable logic controller (PLC) available by WAGO, but further investigation revealed that the issues were actually introduced by CODESYS software that is used by more than a dozen automation technology firms including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian companies.

CODESYS offers a better environment for programming controller programs used in industrial control systems. The German software organization credited Vyacheslav Moskvin, Denis Goryushev, Anton Dorfman, Ivan Kurnakov, and Sergey Fedonin of Good Technologies and Yossi Reuven of SCADAfence for identifying the vulnerabilities.

“To exploit the vulnerabilities, an attacker does not need to have a username or password obtaining network obtain to the industrial controller is ample. The main result of the vulnerabilities is insufficient verification of enter information, which may well itself be triggered by failure to comply with the protected improvement tips,” scientists from Positive Technologies stated.

Six of the most critical flaws were discovered in the CODESYS V2.3 web server component used by CODESYS WebVisu to visualize a human-device interface (HMI) in a web browser. The flaws could perhaps be leveraged by an adversary to send specifically-designed web server requests to trigger a denial-of-support condition, publish or study arbitrary code to and from a manage runtime system’s memory. 

All the 6 flaws have been rated critical on the CVSS scale — 
• CVE-2021-30189 – Stack-dependent Buffer Overflow 

• CVE-2021-30190 – Improper Accessibility Handle 

• CVE-2021-30191 – Buffer Copy without Checking Sizing of Input 

• CVE-2021-30192 – Improperly Executed Security Examine 

• CVE-2021-30193 – Out-of-bounds Publish 

• CVE-2021-30194 – Out-of-bounds Examine 

“Their exploitation can guide to distant command execution on PLC, which could disrupt technological procedures and result in industrial incidents and financial losses. The most infamous illustration of exploiting very similar vulnerabilities is by applying Stuxnet,” explained Vladimir Nazarov, Head of ICS Security at Beneficial Technologies. 

CODESYS has published an advisory for its CODESYS V2 web server, Runtime Toolkit, and PLCWinNT products to address the vulnerabilities. The company has published separate advisories for the critical, high, and medium-severity issues while recommending users to install the updates. 

Last month, the Treasury Department of the U.S. government sanctioned Positive Technologies for allegedly supporting Kremlin intelligence agencies. However, the company said it will continue to responsibly disclose the flaws discovered by its employees in the products of major U.S. firms.

Positive Technologies reported on the impact of U.S. sanctions on its IPO plans

Positive Technologies head Yury Maksimov positively assessed the impact of sanctions against the company on its plans to go public. It may shorten the timing of the IPO, and the "realized threat" of sanctions has ceased to be a threat

Positive Technologies, a cybersecurity company, plans to shorten the time of a stock exchange listing due to the U.S. sanctions imposed on it. Its CEO Yuri Maksimov told about it. He did not name specific placement dates, but specified that in a month or two "the panic will pass" and "the professional community will understand how the company will develop further".

In the middle of March, E Hacking News reported about the plans of Positive Technologies to conduct an IPO at the Moscow Stock Exchange, placing up to 10 percent of the shares. The volume of the offering may be up to $200-300 million if the company's value reaches $2-4 billion by the end of 2021. According to the Telegram channel SecAtor, Positive Technologies values itself at $1 billion, while Forbes quoted a figure of $580 million.

Maksimov specified that the IPO is one of the possible tools to make the company public. He considers a direct listing, when the company's shareholders may start operations on the stock exchange, as a more likely option. "In a classical IPO a mass sale is assumed, with a greater focus on funds," but the goal of making Positive Technologies public is not to attract investments, but to find co-owners who can bring "advice, examples, awareness" to the business. In particular, the company expects that IT people will be buyers of the shares.

Another goal of a public offering is to turn the stock into a liquid instrument so that it is possible to take out large loans against it and motivate employees.

Yury Maksimov "positively" assessed the influence of sanctions on the IPO plans of Positive Technologies. According to him, when a company in the cyber security industry is listed on the stock exchange, the very risk of sanctions being imposed on it provokes fear in investors and leads to a discount in the price. If, however, sanctions are imposed on such a company before the offering, "the realized threat ceases to be a threat."

The first IPO of a cybersecurity company is being prepared in Russia

Russian cybersecurity company Positive Technologies is about to conduct an initial public offering (IPO) on the Moscow Stock Exchange. In Russia, firms from this segment have not yet been listed on the stock exchange.

Positive Technologies plans to go for an IPO. The company plans to float about 10 percent of its shares on the Moscow Stock Exchange, which may correspond to $200-300 million if the company is valued at $2-4 billion by the end of 2021. Positive Technologies declined to comment.

Apart from Russia, Positive Technologies is also present in Europe, the United States, the CIS and Africa. According to the Telegram channel SecAtor, the company values itself at $1 billion. Forbes has rated Positive Technologies as one of the most valuable Runet companies at $580 million.

The company relies on the active participation of individuals in the IPO. It should be noted that Positive Technologies primarily considers investors in the IT-sphere to be its target audience. 

Yandex, Group and Ozon are present on the Moscow Stock Exchange, but so far there is no cyber security company, said Andrey Konusov, general director of Avanpost. "This is a new move for the Russian market, and it is a very right and timely idea," he believes. 

According to Oleg Zhelezko, the founder and managing partner of Da Vinci Capital Management, any technology company will be in great demand from investors, because it is currently the most promising segment.

Positive Technologies' competitors are still skeptical about the company's decision. "The bureaucratization of public companies often prevents them from making quick decisions, which is a critical condition for the development of innovations in the cybersecurity market," said Eugene Kaspersky, CEO of Kaspersky Lab. According to him, Kaspersky Lab has enough internal resources for financing and does not need to raise additional investments, so it is not planning an IPO.

Positive technologies: fraudsters can steal money from every second mobile bank

According to the research of Positive technologies, every second mobile banking application has a vulnerability through which fraudsters can steal the money of its users.

The company selected 14 mobile apps for the Android and IOS operating systems, which were downloaded more than 500 thousand times from the Google Play and App Store.

It is noted that in 13 out of 14 applications, access to personal user data is possible. Hackers can exploit 76% of vulnerabilities in mobile banks without physical access to the device.

"None of the studied mobile banking applications has an acceptable level of security. In every second mobile Bank, fraudulent transactions and theft of funds are possible. In five out of seven applications, logins and passwords from user accounts are threatened, and bank card data may be stolen in every third application,” experts conclude.

The company's experts advise users to set a PIN code to unlock the device to limit the ability of attackers to gain physical access and never click on links from strangers in SMS and messengers.

Group-IB regularly finds vulnerabilities in banking applications, but in practice, these weaknesses are rarely used because it is easier and cheaper for hackers to use social engineering, says Andrey Bryzgin, head of the Audit and Consulting Department of the Group-IB.

Previously, Positive Technologies identified 23% more cyberattacks in the first quarter of 2020 compared to the fourth quarter of last year. The increase in cybercrime is associated with the coronavirus COVID-19.

Moreover, the number of virtual crimes began to grow. Fraudsters send emails about COVID-19 with links that lead to fake sites where users are asked to enter data from Bank cards.

Security Experts say number of network nodes in the Russian Federation accessible via RDP

Positive Technologies experts said that the number of network nodes in the Russian Federation accessible via the Remote Desktop Protocol (RDP) for three weeks (since the end of February 2020) increased by 9% and reached over 112,000.

It is enough for hackers to send a special RDP request to vulnerable Remote Desktop Services (RDS) to attack. Authentication is not required. If successful, an attacker can install and delete programs on a compromised system, create accounts with the highest level of access, and read and edit confidential information. The vulnerabilities affect Windows 7, Windows Server 2008, and Windows Server 2008 R2 operating systems.

According to Alexey Novikov, director of Positive Technologies security expert center, attacks on the network perimeter of domestic companies have begun to grow. Hackers are trying to get access over servers and get into the local network. This boom is caused by the transfer of employees to remote work.

For a secure remote connection, employees need to use a special gateway. For RDP connections needs a RDG, for VPN requires a VPN Gateway. Experts do not recommend connecting directly to the workplace.

Experts warn that opening access to individual subnets to all VPN users at once significantly reduces the security of the organization and not only gives broad opportunities to an external attacker but also increases the risk of an insider attack. Therefore, IT professionals need to maintain network segmentation and allocate the required number of VPN pools.

Positive Technologies experts emphasize the threat of remote access channels to business-critical networks and systems, for example, production and energy technology networks, ATM management networks or card processing in banks.

In addition, Positive Technologies recommends paying attention to a critical vulnerability (CVE-2019-19781) in Citrix software that is used in corporate networks. The vulnerability in PHP 7 (CVE-2019-11043), which, according to Positive Technologies, was included in the list of the most dangerous by the end of 2019, should be eliminated.