A dangerous development: the rise of zero-click exploits is also becoming a threat to ordinary users

Cyber attacks through zero-click exploits are nothing new. What is a new trend, however, is that even ordinary users are becoming targeted.

A zero-click exploit is the exploitation of a security flaw in software that allows an attacker to remotely attack a device without any user interaction. This technique can be used for purposes such as espionage, device control, malware distribution, and even extortion. Overall, this is a dangerous technique that can have a significant impact on the security and privacy of users. The bad news is that users have very limited defences against such attacks.

“The fact that the number of groups specializing in this kind of attack is growing is very worrying. Attackers have adopted techniques previously used only by high-profile actors, such as state or government organizations and secret services. Cybercriminals are using the Exploit as a Service model (i.e. selling the exploit for a single payment) to also attack the private sector and ordinary users, rather than just high-profile or politically exposed individuals, government organizations, and other targets with valuable information,” says Petr Kocmich, the Global Cyber Security Delivery Manager at Soitron. That is why he believes it is important for businesses and users to follow models of best practice and procedures recommended in cybersecurity and to make sure they properly protect their devices from potential attacks.

The impact of vulnerabilities

One of the most well-known and well-described zero-click exploits was the ENDOFDAYS spyware, which was used to compromise iPhones, specifically iCloud calendar invitations.

“ENDOFDAYS is an exemplary case where an attacker is able to take control of an entire device without any interaction with the user. This includes the exfiltration of call recordings through access to the microphone and controlling access to the GPS location of the device. The attacker also gains access to both the front and back cameras and the ability to search files stored in the device. They can also disguise the spyware to avoid detection. The spyware enters the device in a mundane way – by sending a specifically crafted invitation to the iCloud calendar with older timestamps (an invitation that has already taken place in the past),” says Kocmich.

Such an invitation is automatically added to the user’s calendar without any notification or prompting, allowing the ENDOFDAYS exploit to run with no user interaction and making the attack undetectable to the target. The vulnerability has been patched in new versions of the system, but the flaw affected all versions of iOS from 1.4 to 14.4.2 and, according to research, was exploited primarily in 2021.
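As an added illustration (written for this page; not Soitron's tooling, Apple's code, or anything from the spyware itself), the following Python triage heuristic parses incoming .ics invitations and flags the pattern described above: an invitation from an organiser the user does not know whose start date is already in the past or earlier than the timestamp at which the invitation was created. The sample invitations, UIDs and addresses are constructed.

```python
# Constructed triage heuristic for incoming calendar invitations: flags invites a
# client would add silently although they are backdated and from an unknown organiser.
import re
from datetime import datetime, timedelta, timezone

KNOWN_CONTACTS = {"colleague@example.invalid"}  # constructed allow-list

def unfold(ics_text):
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def parse_events(ics_text):
    """Return one dict of properties per VEVENT; property parameters are dropped."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value
    return events

def parse_dt(value):
    """Parse the UTC DATE-TIME ('20210901T120000Z') and DATE ('20210901') forms."""
    if re.fullmatch(r"\d{8}T\d{6}Z", value):
        return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if re.fullmatch(r"\d{8}", value):
        return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
    raise ValueError("unsupported date form: " + value)

def triage(ics_text, now, known=KNOWN_CONTACTS, slack=timedelta(days=1)):
    """Return [(uid, reasons)] for invites whose organiser is unknown AND whose
    start is already past or earlier than the DTSTAMP at which it was created."""
    findings = []
    for ev in parse_events(ics_text):
        organiser = ev.get("ORGANIZER", "").lower()
        organiser = organiser[7:] if organiser.startswith("mailto:") else organiser
        start = parse_dt(ev["DTSTART"])
        stamp = parse_dt(ev.get("DTSTAMP", ev["DTSTART"]))
        reasons = []
        if start < now - slack:
            reasons.append("event start is already in the past")
        if start < stamp - slack:
            reasons.append("start is earlier than the invitation's own DTSTAMP")
        if reasons and organiser not in known:
            reasons.append("organiser is not a known contact")
            findings.append((ev.get("UID", "?"), reasons))
    return findings

# Constructed sample: a backdated invite from a stranger, then a normal invite.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\nUID:suspicious-1\r\n"
    "ORGANIZER;CN=Unknown:mailto:stranger@example.invalid\r\n"
    "DTSTAMP:20210901T120000Z\r\nDTSTART:20190101T090000Z\r\n"
    "SUMMARY:Meeting with a long\r\n  folded summary line\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:normal-1\r\nORGANIZER:mailto:colleague@example.invalid\r\n"
    "DTSTAMP:20210901T120000Z\r\nDTSTART:20210910T090000Z\r\nSUMMARY:Weekly sync\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def triage_sample():
    """Run the heuristic over the sample as of 2 September 2021 (UTC)."""
    return triage(SAMPLE_ICS, now=datetime(2021, 9, 2, tzinfo=timezone.utc))
```

A mail or calendar gateway would hold flagged invitations for a prompt instead of adding them automatically, which is exactly the confirmation step the attack relies on skipping.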

Despite this awareness, these exploits still exist, and very advanced applications evading detection in the system are written for specific vulnerabilities. “This clearly shows why it is necessary to update your device regularly. A zero-click exploit can be present on a device for a long period of time without the user being aware of it. That is why it is necessary to respect the principles of cybersecurity and ensure that the software is always up to date and that additional security measures are in place,” warns Kocmich.

Others are also being targeted

For Apple, this is not the first or last zero-click exploit that has been discovered. In 2020, a vulnerability was discovered in the iMessage app that could be exploited by attackers to remotely execute malicious code on users’ devices without any need to click a link or open an attachment. The Android operating system and individual mobile apps are also far from safe from these flaws.

“Some exploitable vulnerabilities in the current versions of operating systems and applications are not even known yet, even though they may already have been exploited. Until these vulnerabilities are discovered, they can first be exploited for espionage and ‘higher interest’ purposes before being monetized by selling the Exploit as a Service to customers on the dark web,” adds Kocmich. It turns out that even ordinary users may be vulnerable to zero-click exploits.

The sophistication of the attackers is increasing

Zero-click attacks are usually based on vulnerabilities in software, including operating systems, applications, and services. The question is whether these are just unintended bugs, or whether they are deliberate.

“The faster new software is developed, the higher the need will be to manage and secure the code and the entire software development cycle. We automate testing, include additional security tests in the early stages of development (Shift-Left) in the CI-CD pipeline, perform static and dynamic code reviews, use artificial intelligence to find bugs in the code, and subject the final result to both automated and manual penetration testing; however, it would be foolish to assume that all types of vulnerabilities are caused by common errors in the code. The question is whether some vulnerabilities are actually deliberate backdoors, serving specific purposes,” concludes Kocmich.

PV management systems are becoming a ticking time bomb among publicly accessible online control systems

Local companies have started to upgrade the protection of their control systems. According to data from Soitron’s Void Security Operations Centre (SOC), the number of devices exposed and visible on the internet has dropped by 21% since the beginning of 2022; however, the current situation is still not desirable. In particular, the control systems of industrial and domestic photovoltaic (PV) power stations are becoming an alarming danger.

In a year-on-year comparison (01/2022 vs 01/2023), the total number of publicly available Industrial Control Systems (ICS) with at least one of the eight monitored protocols – such as Moxa, Modbus, and Tridium – has been reduced. This was the finding of Soitron’s team of Void SOC analysts. “This is a slight improvement, but in absolute figures it still means there are more than 1,500 vulnerable systems in various organizations, which is still a significant risk. And we’re only talking about the eight most commonly used protocol types. If we expand the set to a few dozen types of protocols, we can find more than 2,300 vulnerable systems,” says Martin Lohnert, the director of the Void SOC. He also adds that it would be great if the downward trend were due to the increasing level of security of these industrial systems, which would make them disappear from this report.

Often, however, the opposite is true: an ICS disappears from the internet only after it has been exploited by attackers and has stopped functioning. When bringing it back to life, operators are more careful not to repeat the original mistakes, but unfortunately these precautions are often just a response to the damage already done.

The PV phenomenon has given rise to a new problem

Despite the overall reduction and a slight improvement in the situation, new vulnerable systems are still being added. “Last year these were mostly control systems for photovoltaic power stations. And that includes both industrial stations with hundreds of installed solar panels as well as home installations,” says Lohnert. In his view, it should be in the interest of operators to make sure that their equipment is protected from internet security threats. Essential steps include changing default login credentials, restricting access, regularly updating firmware, and monitoring for misuse or login attempts.

The potential problem lies in the deactivation of this system, losses due to solar power generation disruption, and the cost of repair. At the same time, a successful penetration into a poorly secured industrial system can allow an attacker, often undetected, to attack more important systems essential for a company’s operation. This may cause the organization to stop functioning completely, with losses running into millions of Czech crowns.

The Czech Republic is lagging behind, but there is a solution

Although Soitron’s Void SOC has recently seen a positive trend, it is very likely that the number of potential risks will increase. In the Czech Republic and Slovakia, the major digitalization of industry is yet to take place. Both countries still lag far behind other EU countries in many aspects of digital transformation. Out of the twenty-seven EU countries, Slovakia is ranked 24th and the Czech Republic is ranked 20th in the Digital Economy and Society Index (DESI), which has been tracked by the European Commission since 2014. With the progress of digitalization, new technologies are gradually being introduced, such as production control systems, various sensors, programmable logic elements, and human-machine interfaces. If care is not taken to secure them, the figures in this survey will rise.

It is also clear that in order for digitalization to significantly shift the current state of cybersecurity, many industrial enterprises will need to invest in the tools, technology, and specialists to operate them; however, in most organizations (especially SMEs) this is not possible. “The most common reasons are insufficient funding and a general lack of qualified cybersecurity professionals. We therefore expect that the situation is likely to worsen before there is more awareness and a shift for the better. The safest solution is to use services of experts who will fully take care of the security of your business systems and infrastructure. Our monitoring centre can have everything under control 24 hours a day, 365 days a year,” adds Lohnert.

Preventing the OT Network from Becoming Vulnerable

The security of industrial networks is nowadays a key concern for companies and therefore they pay more attention to this issue. They are well aware that cyber attacks on operational technology (OT), sometimes also referred to as industrial control systems (ICS), are becoming more frequent and sophisticated. This increases not only the risk of attacks and data loss, but more importantly, production downtime, which can cost companies tens of millions of Czech crowns.

In the past, OT was primarily focused on controlling and automating industrial technologies and processes. The systems were designed to process large amounts of data in real time, with an emphasis on reliability and fault tolerance. Today, it is increasingly important to integrate OT with IT and to create a secure link between the two systems. This enables industrial companies to better manage their processes and improve productivity.

Relevance of the Purdue model

Back in the 1990s, a model named the Purdue model (also known as PERA) was developed in the USA, and it is still considered one of the most widely used architectural models in operational technology.

The Purdue model provides a comprehensive framework for industrial process control and automation, allowing functions and responsibilities to be segmented into various levels of control and automation. Cyber threats are constantly evolving, and the interconnection of factory IT and OT systems plays into the hands of attackers. Many manufacturing and industrial companies have become targets of massive ransomware attacks precisely due to the lack of proper segmentation. That is why it is essential to segment industrial networks and constantly monitor them, as well as update security measures in response to the latest threats and trends in cyber security.

The most common threats in the industry include:

  • Compromising and the subsequent pivoting of an endpoint in an industrial network;
  • Fraudulent credentials and abuse of authorised remote access;
  • Attack on wireless connections;
  • Gaining physical access to the production network and equipment;
  • Installing a foreign physical component to obtain or modify transmitted data.

Five basic security principles and pillars

There are several basic security principles and pillars that are effective and crucial for ensuring cyber security in the industry. It is not surprising that, due to the fusion of the IT world into the OT world, these pillars are adopted from the IT world (but supplemented with OT specifics – such as proprietary ICS protocols, etc.). The main principles and pillars include:

Visibility – you can’t protect what you can’t see. That is why it is advisable to keep an up-to-date list of all devices connected to the network and perform a behavioural analysis of their communications. Another prerequisite is the regular scanning of the status and versions (OT/IT) of devices. Any discovered vulnerabilities must be patched.

Segmentation – another pillar is the isolation, filtering, and inspection of network traffic. It requires NGFW (OT) deployment for the proper (micro)segmentation and filtering of network traffic. IPS/IDS (OT) and virtual patching should be used. Another aspect that should not be overlooked is the securing of email and Internet traffic, and the screening of unknown files.

Endpoints – EDR/XDR solutions allow you to collect information about what is happening on devices (including USB device management).

Access Management – the centralized management of user/machine identities is also recommended, but with strict separation of industrial and corporate identities. Jump servers (with MFA) should be used for network and device management, and systems designed for network access control (NAC, 802.1X) should be implemented.

Auditing, backups, compliance, IRP (incident response plan), risk management – SIEM/SOC should be centralized, and the respective security logs should be evaluated. A robust backup strategy allows you to prepare for unexpected situations. Regular training of administrators and staff should not be omitted. Definitely do not underestimate risk analysis, which can be addressed by implementing, or at least taking inspiration from, the IEC 62443 standard. And, of course, require contractors to comply with security policies.
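To make the Purdue segmentation and access-management pillars concrete, here is an added Python example, written for this page rather than taken from a product, from Soitron, or from the Purdue/IEC 62443 documents: it assigns constructed zones to Purdue levels, audits a firewall rule set against the model, and shows a weak rule set (direct Modbus from the enterprise network to the PLCs, internet access to SCADA) beside its corrected form, in which every boundary-crossing flow terminates in an industrial DMZ. Zone names, levels and rules are all constructed.

```python
# Constructed Purdue-model flow audit: each zone gets a Purdue level, a rule may
# only join adjacent levels, and traffic between site operations (3) and the
# enterprise (4) must terminate in the industrial DMZ (3.5) rather than cross directly.
ZONE_LEVEL = {  # constructed zone map; 3.5 stands for the industrial DMZ (IDMZ)
    "field-devices": 0, "plc": 1, "scada": 2, "site-ops": 3,
    "idmz": 3.5, "enterprise": 4, "internet": 5,
}

def flow_allowed(src, dst):
    """True when a direct flow between the two zones respects the model."""
    ls, ld = ZONE_LEVEL[src], ZONE_LEVEL[dst]
    if {ls, ld} == {3, 4}:       # IT/OT boundary: must be broken in the IDMZ
        return False
    return abs(ls - ld) <= 1     # adjacent levels only (same zone included)

def audit(rules):
    """Return the 'allow' rules that open a path the model does not permit."""
    return [r for r in rules
            if r["action"] == "allow" and not flow_allowed(r["src"], r["dst"])]

def required_hops(src, dst):
    """Zone chain a flow has to traverse hop by hop (each hop terminated and
    re-established by a relay or jump server) instead of going direct."""
    ordered = sorted(ZONE_LEVEL, key=ZONE_LEVEL.get)
    i, j = ordered.index(src), ordered.index(dst)
    return ordered[i:j + 1] if i <= j else ordered[j:i + 1][::-1]

# Weak configuration: the enterprise network speaks Modbus (TCP/502) straight to
# the PLC zone, and an internet-facing rule reaches the SCADA servers.
WEAK_RULES = [
    {"name": "erp-to-plc", "src": "enterprise", "dst": "plc", "dport": 502, "action": "allow"},
    {"name": "remote-scada", "src": "internet", "dst": "scada", "dport": 443, "action": "allow"},
    {"name": "hmi-to-plc", "src": "scada", "dst": "plc", "dport": 502, "action": "allow"},
]

# Corrected configuration: the same need (process data reaching the enterprise)
# is met by two legs that both terminate in the IDMZ, and the internet rule is gone.
FIXED_RULES = [
    {"name": "siteops-to-idmz", "src": "site-ops", "dst": "idmz", "dport": 443, "action": "allow"},
    {"name": "idmz-to-enterprise", "src": "idmz", "dst": "enterprise", "dport": 443, "action": "allow"},
    {"name": "hmi-to-plc", "src": "scada", "dst": "plc", "dport": 502, "action": "allow"},
    {"name": "block-internet", "src": "internet", "dst": "scada", "dport": 443, "action": "deny"},
]

if __name__ == "__main__":
    for r in audit(WEAK_RULES):
        print("VIOLATION", r["name"], "- required hops:",
              " -> ".join(required_hops(r["src"], r["dst"])))
    print("violations in corrected rule set:", audit(FIXED_RULES))
```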

Expert approach

Industrial control systems combine a lot of complex hardware and software, which is often, unfortunately, very outdated. To maintain the highest level of cyber security readiness in OT, manufacturing companies must be both proactive and reactive in implementing protection. Specialized teams can help you with this. So don’t hesitate, schedule a consultation, and find out where your company stands.

Security experts are frustrated by system updates

Cybersecurity professionals find themselves trapped in an endless cycle of patching due to the relentless and rapidly evolving activities of cybercriminals. They are continuously working on enhancing the resilience of the systems they manage. For many organizations, the escalating level of risk is becoming unsustainable as the IT professionals responsible for safeguarding enterprise systems experience mounting frustration, which can ultimately lead to burnout.

Our smartphones and computers notify us of the need to install the latest updates, and computer networking hardware also needs regular software and firmware upgrades. This patching removes vulnerabilities that could otherwise lead to potential security incidents. A problem arises when cybersecurity experts face an avalanche of patches for various vulnerabilities, and currently this situation is worsening.

It’s getting worse and worse


Organizations around the world now find themselves in an endless loop of massive vulnerability patching. Patches are issued so often that by the time a patch is issued for a discovered bug, a new risk has already appeared. “This endless, even chronic, cycle of vulnerability patches is contributing to apathy among many enterprises and cybersecurity professionals,” says Petr Kocmich, the Global Cyber Security Delivery Manager at Soitron. Their resignation to the situation may be caused by various factors; most often it is due to a shortage of staff, particularly of cybersecurity experts, in organizations.

The identified vulnerabilities are only the tip of the iceberg; they are only around 10% of the potential threats that are discovered, known, and being addressed. Also, software, hardware, and IT systems developers working on eliminating existing vulnerabilities may create new ones by unintentionally introducing new bugs in the code.


“Paradoxically, the deployment of the latest available updates by cybersecurity experts can often create more problems. While the majority of security patch installations can be automated effectively, there are additional processes necessary for upgrading and installing higher versions of individual systems and firmware.

“For instance, network element upgrades often require extensive testing and system downtime, as well as specific procedures, to switch over to a newly upgraded system functioning in high availability mode. These activities frequently cause frustration, and even instil a fear of system upgrades, as they don’t always maintain the stability and flawless performance claimed by vendors.

“This inconvenience holds true for nearly all modern products. The technology is becoming increasingly complex and, on top of that, in an effort to stay competitive, manufacturers sometimes incorporate unnecessary functions and integration elements, further complicating the code and escalating the risk of introducing errors.

“Automated testing conducted by the manufacturer in a simulated environment cannot possibly uncover all the errors that arise in specific configurations and complex real-world integrations. Consequently, this poses a significant risk to administrators and engineers, ultimately leading to burnout,” adds Kocmich.

Indeed, the commitment of professionals is decreasing significantly as they realize that organizations are more vulnerable.

A perpetual state of defence is unsustainable


This is a well-known reality for cybersecurity professionals. The speed and complexity of threats continue to increase, affecting privately-owned organizations as well as individuals and government entities. Cyber attackers are becoming more efficient, intelligent, and innovative, infiltrating computer systems at a pace that surpasses the ability of cybersecurity measures to respond.

As Kocmich states, “The cybersecurity industry will continue to play catch-up, reacting to current attack types and constantly chasing an elusive train with the attackers onboard; however, the positive news is that cybersecurity experts are not far behind. They are holding onto the boarding handrail of that train.” Recognizing this new reality, businesses must develop their own effective patch management policies, understanding that not all patches will benefit them. Deploying the wrong patches can lead to system outages or compatibility issues with other applications and systems.

“It is crucial to have a well-prepared and high-quality test environment that ideally mirrors the production environment (while acknowledging that this is neither easy nor inexpensive) to regularly and sufficiently test patches and upgrades,” adds Kocmich. One of the main contributors to a higher error rate is the accelerated release of many patches, including security-related ones as well as those implemented to keep up with the competition and offer similar features.

Although extensive testing, including penetration testing, is conducted before the release of patches and updates, it is impossible to guarantee their flawlessness. Having said that, implementing a proper testing methodology within your organization’s environment reduces the risk of your security team deploying a harmful patch.

Maintaining a positive mindset


Perhaps the uphill battle faced by cybersecurity experts is further complicated by a decline in optimism; this is why it is important not to give up and to continue the fight.

How can you balance this inherent disparity between hope and reality? It is vital to celebrate every small success, engage in continuous training (not just in cyber security), and rigorously monitor adherence to adequate and established processes. “Cybersecurity professionals should support each other by consistently and methodically expanding their knowledge and skills, actively contributing to the security community with their expertise and experience, and promoting security awareness,” says Kocmich.

The best Christmas presents this year will be enjoyed by hackers

This year’s Christmas winners will be hackers. Seriously. Cyber security is currently one of the main issues being addressed around the world. With many people being forced to stay at home due to the Covid pandemic, online shopping is growing. The growth of the e-commerce scene is a major impetus for hackers, who keep coming up with new and more sophisticated strategies. This is one of the reasons why Christmas scams are in full swing, and their rise is even more accelerated by a newly emerging trick which is set to fully appear on 26 November (Black Friday).

As online stores are getting ready for the expected increase in daily sales, we also need to be prepared for the increasing number of cyber-attacks in the upcoming period. This year, due to the ongoing pandemic, this will be true more than ever before. Christmas is a very lucrative time for hackers. With the holiday season and the end of the year approaching, the vigilance of shoppers is often reduced, and people let themselves be tricked by a variety of forms of online fraud.

Companies are under great handling pressure


This has been exploited by attackers for years, and their techniques now increasingly focus on using automated systems to manipulate victims into taking a specific action or disclosing certain information – the principles of social engineering. In automatically sent phishing emails, fraudsters lure victims with attractive pre-Christmas loans and discounts on electronics, toys, and other Christmas presents in order to get access to cash and sensitive data. They have been increasingly using mobile phones for these schemes.

Re-delivery fees can be a problem

“We all get packages with ordered Christmas presents. However, with the growing number of these packages, we often lose track of what we have ordered and when it is due to be delivered. Hackers have taken advantage of this and invented a new type of attack where a customer receives an innocent-looking SMS message on their mobile phone,” says Martin Lohnert, the head of the Void Security Operations Centre and an IT specialist at Soitron.

The message says something along the lines that a package could not be delivered and that in order to book a new delivery date or pick up the package, you need to click on the following link. If the recipient does so, it takes them to what looks like the web page of a parcel service delivery company. Since we are usually not familiar with what the websites of shipping companies look like, and we do not even remember who should be delivering which package, it never occurs to us that this may be a fraudulent website.

What is interesting about all this is that if the link is opened from a computer, a genuine-looking website will appear. However, if the link is opened on a mobile phone, part of the website address is not displayed, and most people do not notice that. The trick is that the fraudulent part of the address is hidden.

“If the package recipient trusts the SMS message and clicks on the link, a phishing web page will appear saying that your package could not be delivered and that you need to specify where and when it should be delivered,” adds Lohnert.

After the victim enters their personal information, such as a name and an address, a message is displayed with an apology and text saying that for the package to be re-delivered, a small handling fee must be paid.
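An added Python helper (written for this page, not part of the original article or of any carrier's software) shows the check a recipient, or a message-filtering gateway, can apply to such a link: separate the brand name that is visible in the link from the registrable domain that actually serves the page, and compare only the latter with the carrier's real domains. The carrier domains, brand tokens and URLs are constructed placeholders, and the suffix set is a simplified stand-in for the Public Suffix List.

```python
# Constructed SMS-link inspection helper: what the eye sees in a link is not the
# same as who owns the site, so the verdict rests on the registrable domain only.
from urllib.parse import urlsplit

# Suffixes under which the registrable domain has three labels (simplified
# stand-in for the Public Suffix List; extend it for real use).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed allow-list: the domains a carrier really uses for tracking pages,
# and the brand words a scam page typically places somewhere in the link.
TRUSTED_CARRIER_DOMAINS = {"example-post.invalid", "example-courier.invalid"}
BRAND_TOKENS = {"example-post", "example-courier", "parcel", "delivery"}

def registrable_domain(host):
    """Return the part of the host whose ownership can actually be verified."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def inspect_link(url, trusted=TRUSTED_CARRIER_DOMAINS):
    """Classify an SMS link as 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    # Brand words anywhere except in the registrable domain itself (subdomain
    # labels, path, query) say nothing about who runs the site.
    visible_but_unverified = (host[:len(host) - len(domain)] + parts.path + parts.query).lower()
    decoys = sorted(t for t in BRAND_TOKENS if t in visible_but_unverified)
    if domain in trusted:
        verdict = "trusted"
    elif decoys:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "registrable_domain": domain,
            "decoy_tokens": decoys, "verdict": verdict}

if __name__ == "__main__":
    for link in ("https://example-post.invalid.parcel-redelivery.invalid/track?id=123",
                 "https://track.example-post.invalid/parcel/1234",
                 "https://short.invalid/x"):
        print(inspect_link(link))
```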

The hacker gets the complete package

In the pre-Christmas rush, people usually do not have much of a problem paying a little extra money just to make sure they actually get a long-awaited package. Such payments are made by card. The trick is that after the card details are entered, the fraudsters do not deduct a small fee; they steal your identity completely instead.

At this point, the hackers have all they need. They have your mobile number, contact address, and your payment card – they know your identity and your payment details. Such a full-detail package has a high value on the black market. “Logically, these scams can be expected to appear the most on Black Friday and in the following two weeks,” says Lohnert in conclusion.