Cyber Security

BillQuick says patch coming after Huntress report identifies vulnerabilities used in ransomware attack


BillQuick has said a short-term patch will be released to address some of the vulnerabilities identified this weekend by Huntress.

In a blog post on Friday, Huntress security researcher Caleb Stewart said the company’s ThreatOps team “discovered a critical vulnerability in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software.”

“Hackers were able to successfully exploit CVE-2021-42258 — using it to gain initial access to a US engineering company — and deploy ransomware across the victim’s network. Considering BQE’s self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning,” Stewart said.

“This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”

Huntress also found eight other vulnerabilities: CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742.

In a statement to ZDNet, BQE Software said their engineering team is aware of the issues with BillQuick Web Suite, which customers use to host BillQuick, and said that vulnerability had been patched.

“Huntress also identified additional vulnerabilities, which we have been actively investigating. We expect a short-term patch to the BQE Web Suite vulnerabilities to be in place by the end of the day on 10/26/2021 along with a firm timeline on when a full fix will be implemented,” the spokesperson added.

“The issue with BQE Web Suite impacts fewer than 10% of our customers; we will be proactively communicating to each of them the existence of these issues, when they can expect the issues to be resolved, and what steps they can take in the interim to minimize their exposure.”

Huntress explained how they were able to recreate the SQL injection-based attack, which they confirmed can be used to access customers’ BillQuick data and run malicious commands on their on-premises Windows servers.

Huntress said it worked with BQE Software on the issue and commended the company for being responsive while also taking the issues seriously.

But the blog post notes that the bug could easily be triggered by “simply navigating to the login page and entering a single quote (`'`).”

“Further, the error handlers for this page display a full traceback, which may contain sensitive information about the server-side code,” Stewart wrote.
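To make the two findings above concrete, here is an added example that is not Huntress’s or BQE’s code: a constructed Python/sqlite3 login lookup built by string concatenation beside a parameterised one, with a handler that either echoes the full traceback to the client, as the post describes, or logs it server-side and returns a generic message. The table, user and error strings are all assumptions for the demo.

```python
import sqlite3
import traceback

SERVER_LOG = []  # stands in for the server-side log that should get the details


def make_db():
    # Constructed in-memory demo table; assumption: not BillQuick's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    return conn


def lookup_user_vulnerable(conn, username):
    # Query built by string concatenation: a lone single quote in the input
    # unbalances the SQL string literal and the database raises a syntax error,
    # which is exactly the symptom a single quote on the login page produces.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn, username):
    # Parameterised query: the quote is passed as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def login_page(conn, username, lookup, verbose_errors):
    """Simulated login handler; returns (http_status, response_body)."""
    try:
        row = lookup(conn, username)
    except sqlite3.Error as exc:
        if verbose_errors:
            # Debug-style handler: the full traceback goes back to the client,
            # revealing query text and code paths to whoever typed the quote.
            return 500, traceback.format_exc()
        # Hardened handler: generic message to the client, details to the log.
        SERVER_LOG.append(f"{type(exc).__name__}: {exc}")
        return 500, "An internal error occurred."
    return (200, "ok") if row else (401, "invalid credentials")


if __name__ == "__main__":
    db = make_db()
    for lookup in (lookup_user_vulnerable, lookup_user_safe):
        for verbose in (True, False):
            status, body = login_page(db, "'", lookup, verbose)
            print(lookup.__name__, verbose, status, body.splitlines()[-1])
```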

CVE-2021-42258 was patched by BQE Software on October 7 in WebSuite 2021, but the eight other issues still need patches.

Stewart told BleepingComputer that unnamed hackers used CVE-2021-42258 as an entry point into the US engineering company as part of a ransomware attack that took place over the Columbus Day weekend. The news outlet reported that the ransomware group did not leave a ransom note and did not have a readily identifiable name.


ICS Patch Tuesday: Siemens and Schneider Electric Address Over 50 Vulnerabilities

Industrial giants Siemens and Schneider Electric on Tuesday released nearly a dozen security advisories describing a total of more than 50 vulnerabilities affecting their products.

The companies have released patches and mitigations to address these vulnerabilities.

Siemens

Siemens has released five new advisories covering 33 vulnerabilities. The company informed customers that an update for its SINEC network management system patches 15 flaws, including ones that can be exploited for arbitrary code execution. While some of them have been assigned a high severity rating, exploitation requires authentication.

For its SCALANCE W1750D controller-based direct access points, Siemens released patches and mitigations covering 15 vulnerabilities, including critical weaknesses that can allow a remote, unauthenticated attacker to cause a DoS condition or execute arbitrary code on the underlying operating system. The W1750D is a brand-labeled device from Aruba, and a majority of the flaws exist in the ArubaOS operating system.

The company has also informed customers about a critical authentication vulnerability in the SIMATIC Process Historian. An attacker can exploit the flaw to insert, modify or delete data.

The two remaining advisories address high-severity denial of service (DoS) vulnerabilities in SINUMERIK controllers and RUGGEDCOM ROX devices. In the case of the RUGGEDCOM devices, an unauthenticated attacker could cause a permanent DoS condition in certain circumstances.

Schneider Electric

Schneider Electric has released six new advisories covering 20 vulnerabilities. One advisory describes the impact of 11 Windows flaws on the company’s Conext solar power plant products. The security holes were patched by Microsoft in 2019 and 2020 and many of them have critical or high severity ratings.

Another advisory describes two critical, one high-severity and one medium-severity vulnerabilities affecting Schneider’s IGSS SCADA system. The company says the worst case exploitation scenario “could result in an attacker gaining access to the Windows Operating System on the machine running IGSS in production.”

The company also informed users about a high-severity information disclosure vulnerability affecting spaceLYnk, Wiser For KNX, and fellerLYnk products, and a high-severity command execution issue in the ConneXium network manager software.

The last advisory describes the impact of two AMNESIA:33 vulnerabilities on Modicon TM5 modules. AMNESIA:33 is the name assigned to 33 flaws identified last year across four open source TCP/IP stacks.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer systems applied in electrical engineering.


Cisco Patches High-Severity Vulnerabilities in Security Appliances, Business Switches

Cisco this week released patches for several high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products.

Successful exploitation of these vulnerabilities could allow attackers to cause a denial of service (DoS) condition, execute arbitrary commands as root, or elevate privileges.

Two high-severity issues (CVE-2021-34779, CVE-2021-34780) were found in the Link Layer Discovery Protocol (LLDP) implementation for Small Business 220 series smart switches, leading to the execution of arbitrary code and a denial of service condition.

The software update released for the business switch series also resolves four medium-severity security flaws that could result in LLDP memory corruption on an affected device.

Another severe vulnerability is an insufficient input validation in the Intersight Virtual Appliance. Tracked as CVE-2021-34748, the security hole could lead to the execution of arbitrary commands with root privileges.

This week Cisco also resolved two high-severity vulnerabilities in the ATA 190 series and ATA 190 series multiplatform (MPP) software. Tracked as CVE-2021-34710 and CVE-2021-34735, the issues could be exploited for remote code execution and to cause a denial of service (DoS) condition, respectively.

One of these vulnerabilities was reported to Cisco by firmware security company IoT Inspector, which described its findings in an advisory published on Thursday.

Cisco also addressed an improper memory management flaw in AsyncOS for Web Security Appliance (WSA) that could lead to DoS, as well as a race condition in the AnyConnect Secure Mobility Client for Linux and macOS that could be abused to execute arbitrary code with root privileges.

Another high-severity flaw addressed this week is CVE-2021-1594, an insufficient input validation in the REST API of Cisco Identity Services Engine (ISE). An attacker in a man-in-the-middle position able to decrypt HTTPS traffic between two ISE personas on separate nodes could exploit the flaw to execute arbitrary commands with root privileges.

Cisco also released patches for several medium-severity flaws affecting TelePresence CE and RoomOS, Smart Software Manager On-Prem, 220 series business switches, Identity Services Engine, IP Phone software, Email Security Appliance (ESA), DNA Center, and Orbital.

Cisco has released patches for these vulnerabilities and says it is not aware of exploits for them being publicly disclosed. Additional details on the resolved issues can be found on Cisco’s security portal.


Ionut Arghire is an international correspondent for SecurityWeek.
