Colonial Pipeline faces nearly $1m fine after ransomware • The Register


In brief Colonial Pipeline faces a $1 million fine for control room management failures that, the U.S. Department of Transportation alleges, contributed to the country's fuel disruption following the 2021 ransomware attack.

On Thursday, the department's Pipeline and Hazardous Materials Safety Administration issued a Notice of Probable Violation and Proposed Compliance Order to the pipeline operator, alleging multiple violations of federal safety regulations. The proposed civil penalties total $986,400.

After inspecting Colonial Pipeline's control room procedures and management records, the agency said the company was in "probable violation" of several pipeline safety rules, including an apparent failure to properly plan and prepare for a manual shutdown and restart of its pipeline system.

This, the agency says, contributed to the East Coast fuel shortage when the pipeline remained out of service for five days after the May 2021 attack. Fights broke out at U.S. gas stations as fuel deliveries in some areas were delayed by the incident.

Operators of the Colonial Pipeline – which stretches 5,500 miles between Texas and New York, and can carry up to 3 million barrels of fuel a day – ended up paying $5 million to regain access to their systems.

Unpatched DNS bug puts IoT devices at risk

According to Nozomi Networks, an unpatched bug in a popular C standard library for IoT devices leaves them vulnerable to DNS cache poisoning attacks.

The vulnerability, tracked as ICS-VU-638779 and VU#473698, affects the domain name system implementation in all versions of uClibc and uClibc-ng, the operational technology security company said.

However, the library's maintainer has not been able to fix the problem, so there is no patch yet, wrote security researchers Giannis Tsaraias and Andrea Palanca.

“For this reason, we are not revealing the details of the devices on which we were able to reproduce the vulnerability,” they added.

The researchers discovered the flaw while reviewing domain name system (DNS) requests made by IoT devices that use the C library. The library generates these requests, and each DNS request carries a parameter called a transaction ID, a unique number that ties each DNS request to its corresponding response, as well as a source port.

"It is vital that these two parameters be as unpredictable as possible, because if they are not, a poisoning attack could be possible," they explained.

The flaw is that the transaction IDs are predictable, which can allow an attacker to carry out DNS poisoning attacks against a target device.

"Since the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response coming from the DNS server," Tsaraias and Palanca wrote.
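As an added example (not code from Nozomi's write-up or from the article), the following defender-side check parses DNS query headers from a capture and flags transaction IDs or UDP source ports that advance in a fixed step, which is what a predictable resolver such as the one described above looks like on the wire; the queries and ports are constructed here, not real device traffic.

```python
import struct
from typing import Dict, List, Tuple

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_query(tx_id: int, name: str) -> bytes:
    """Construct a minimal standard A query (constructed sample data)."""
    header = struct.pack("!HHHHHH", tx_id, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def transaction_id(dns_message: bytes) -> int:
    """The transaction ID is the first 16-bit field of the DNS header."""
    if len(dns_message) < DNS_HEADER_LEN:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", dns_message[:2])[0]


def fixed_step(values: List[int], modulus: int = 0x10000) -> bool:
    """True if consecutive values differ by one constant step (mod modulus),
    i.e. the sequence is trivially predictable. Needs at least three samples;
    a constant value (step 0) counts as predictable too."""
    if len(values) < 3:
        return False
    deltas = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return len(deltas) == 1


def assess(queries: List[Tuple[int, bytes]]) -> Dict[str, bool]:
    """Each item is (UDP source port, DNS message) as seen from one device.
    Flags each parameter that advances in a fixed step; a predictable
    transaction ID or source port removes part of what a spoofed reply
    would otherwise have to guess, so either finding warrants a follow-up."""
    ports = [p for p, _ in queries]
    ids = [transaction_id(m) for _, m in queries]
    return {
        "txid_predictable": fixed_step(ids),
        "port_predictable": fixed_step(ports),
        "txid_reused": len(set(ids)) < len(ids),
    }


if __name__ == "__main__":
    # Constructed sample: IDs incrementing by one from a single fixed source port.
    sample = [(5353, build_query(0x1000 + i, "example.com")) for i in range(5)]
    print(assess(sample))
```

In practice the (port, message) pairs would come from a capture of the device's outbound UDP/53 traffic; a few dozen consecutive queries are enough to make a fixed-step pattern unmistakable.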

CEO charged over $62 million cryptocurrency mining scam

The U.S. Department of Justice has filed charges against the CEO of Mining Capital Coin (MCC) for allegedly orchestrating a $62 million global investment fraud scheme. He faces up to 45 years behind bars.

According to the indictment, Luiz Capuci Jr., 44, of Florida, misled investors about his cryptocurrency mining and investment program. Capuci allegedly pitched them on Mining Capital Coin's "international network" of mining machines, which he said could generate "substantial" profits if investors handed over their money for it to mine more cryptocurrency.

MCC also boasted of its own cryptocurrency, Capital Coin, that Capuci claimed was “stabilized by revenue from the world’s largest cryptocurrency mining operation.”

According to the feds, all of this was a massive scam. Instead of generating returns for investors, Capuci diverted their funds to his own cryptocurrency wallets.

He has been charged with conspiracy to commit wire fraud, securities fraud and international money laundering. If convicted on all counts, he faces a maximum total sentence of 45 years in prison.

SolarWinds attackers set up new digs

Nobelium, the Kremlin-backed gang behind the SolarWinds attack, has built new command-and-control infrastructure, likely in a move to return to the cyberespionage game, according to researchers at Recorded Future.

The group, also known as APT29 and Cozy Bear, breached thousands of U.S. government and private sector networks in 2020 after compromising SolarWinds' Orion software.

The threat intelligence company said it has been tracking the gang's resurgence since mid-2021 and has observed it using its same old tools and tricks: the same network infrastructure, its favorite Cobalt Strike variants, and typosquatted domains that abuse the brands of organizations worldwide across multiple industry verticals, especially the news and technology sectors.

Email addresses or websites that appear to belong to an organization's legitimate domain make phishing campaigns more likely to succeed and can be used to redirect victims to malicious websites.

“This tactic has also been reported recently in open sources in connection with intrusions aimed at entities in Ukraine, probably in support of the Russian invasion of the country,” security researchers said.

Nobelium does the dirty work for Russia's Foreign Intelligence Service (SVR). While Putin's Main Intelligence Directorate (GRU) focuses on military operations, the SVR focuses on political intelligence, Recorded Future explained.

Avast and AVG bugs put "tens of millions" at risk

Two serious flaws in Avast and AVG security products (Avast acquired AVG in 2016) went undiscovered for years, putting "tens of millions" of users at risk, according to the SentinelOne researchers who found the bugs.

The vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, allow attackers to escalate privileges, run code in kernel mode, and take full control of the device.

SentinelOne's bug hunters reported the flaws to Avast in December 2021, and Avast fixed them in early February. Although most users have automatically received the patched version 22.1, customers running air-gapped or on-premises installations should apply the patch as soon as possible.

Neither company is aware of any in-the-wild exploitation yet.

"Avast is an active participant in the coordinated vulnerability disclosure process, and we are grateful that SentinelOne has worked with us and provided a detailed analysis of the vulnerabilities identified," an Avast spokesman told The Register.

"We encourage our Avast and AVG users to keep their software updated to the latest version to stay protected. Coordinated disclosure is a great way to prevent risks from being exploited, and we encourage participation in our bug bounty program."

The two similar bugs affect an anti-rootkit driver, aswArPot.sys, that both products use. Both lie in the kernel driver's socket-connection handling functions, and both functions read a length field from a user-controlled pointer, allowing an attacker to manipulate the length variable.

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and may be exploitable in contexts other than just local privilege escalation," wrote SentinelOne security researcher Kasif Dekel. "For example, the vulnerabilities could be exploited as part of a second-stage browser attack or to perform a sandbox escape, among other possibilities." ®
