1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Criminals could hack these zero-day flaws and hijack your office

    From TechnologyDaily@1337:1/100 to All on Mon Jun 13 18:00:04 2022
    Criminals could hack these zero-day flaws and hijack your office

    Date:
    Mon, 13 Jun 2022 16:51:53 +0000

    Description:
    Zero-day found in industrial control system could unlock the doors to your office.

    FULL STORY ======================================================================

    An industrial control system (ICS) was found to be carrying multiple high-severity flaws, which would allow potential threat actors to not only access the target endpoint - but to enable physical access to otherwise off-limits premises.

    Cybersecurity researchers from Trellix recently dug into Carriers LenelS2 access control panels, manufactured by HID Mercury and, as per the researchers, used by organizations across healthcare, education, transportation, and government physical security.

    What they found was a total of eight vulnerabilities, one of which even has the maximum vulnerability score of 10.

    Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 . Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/10.99. Attacking the hardware

    For this project, we anticipated a strong potential for finding vulnerabilities, knowing that the access controller was running a Linux Operating System and root access to the board could be achieved by leveraging classic hardware hacking techniques, the researchers said in a blog post.

    While we believed flaws could be found, we did not expect to find common, legacy software vulnerabilities in a relatively recent technology.

    They first attacked the hardware, namely the built-in ports , which allowed them to access on-board debugging ports. From there, they managed to access the firmware and system binaries, which gave them the ability to reverse-engineer and live debug the firmware.

    Its then that the researchers found six unauthenticated and two authenticated vulnerabilities, all of which could be exploited remotely. Read more

    Mitigating rising vulnerabilities in industrial control systems


    Critical US infrastructure 'can be hacked by anyone'


    Dubai becomes the first city in UAE to apply security standards for ICS

    By chaining just two of the vulnerabilities together, we were able to exploit the access control board and gain root level privileges on the device remotely, the researchers further said.

    With this level of access, we created a program that would run alongside of the legitimate software and control the doors. This allowed us to unlock any door and subvert any system monitoring.

    Besides CVE-2022-31481, which has a severity score of 10, the researchers
    also discovered CVE-2022-31479, and CVE-2022-31483, with severity scores of 9.0 and 9.1, respectively.

    Trellix, whose product was vetted by the US federal government, urged all customers to apply vendor-issued patches immediately.



    ======================================================================
    Link to news story: https://www.techradar.com/news/criminals-could-hack-these-zero-day-flaws-and-h ijack-your-office/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)