CISA issued an advisory on March 16 warning of critical vulnerabilities in GE's Universal Relay (UR) family of power-management devices. GE has released patches for nine vulnerabilities affecting numerous relay models. Exploitation of the unpatched flaws could let an attacker reboot the UR, access sensitive information, gain privileged access to go deeper and cause more harm, or create a denial-of-service condition. Also of note: firmware versions prior to 8.1x were found to use weak encryption and MAC algorithms for SSH communication (trust me, not good), leaving them more exposed to brute-force attacks for initial access.
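Checking what a relay's SSH service is actually willing to negotiate is the practical first step before trusting a firmware version string. The script below is an added example written for this post; it is not code from CISA, GE or the advisory. It parses the SSH_MSG_KEXINIT packet every SSH server sends right after its banner (RFC 4253), flags the CBC, RC4, 3DES, MD5 and SHA-1 algorithms a modern baseline should no longer offer, and includes a small fetch helper for live use. The two device packets at the bottom are constructed samples, not captures from any GE device, and the weak-algorithm lists reflect the editor's baseline rather than GE's.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# Ciphers and MACs a current baseline should not offer: CBC modes, RC4, 3DES,
# and MD5/SHA-1-based or truncated MACs (hmac-sha1 is flagged as legacy here).
WEAK_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com"}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "ciphers_c2s", "ciphers_s2c", "macs_c2s",
                  "macs_s2c", "compression_c2s", "compression_s2c",
                  "languages_c2s", "languages_s2c")


def build_kexinit(fields: dict) -> bytes:
    """Encode a KEXINIT as an unencrypted SSH binary packet (RFC 4253 section 6).
    Only used here to construct sample traffic so the audit runs offline."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message id + zero cookie
    for name in KEXINIT_FIELDS:
        name_list = ",".join(fields.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(name_list)) + name_list
    payload += b"\x00" + bytes(4)  # first_kex_packet_follows=false, reserved
    padding_len = 8 - (len(payload) + 5) % 8  # whole packet to an 8-byte boundary,
    if padding_len < 4:                       # with at least 4 bytes of padding
        padding_len += 8
    header = struct.pack(">IB", 1 + len(payload) + padding_len, padding_len)
    return header + payload + bytes(padding_len)


def parse_kexinit(packet: bytes) -> dict:
    """Decode the algorithm name-lists from a raw KEXINIT packet."""
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - 1 - padding_len]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos, fields = 1 + 16, {}  # skip message id and 16-byte cookie
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos += 4 + length
    return fields


def audit_algorithms(fields: dict) -> dict:
    """Return the weak ciphers and MACs the peer is willing to negotiate."""
    ciphers = set(fields["ciphers_c2s"]) | set(fields["ciphers_s2c"])
    macs = set(fields["macs_c2s"]) | set(fields["macs_s2c"])
    return {"weak_ciphers": sorted(ciphers & WEAK_CIPHERS),
            "weak_macs": sorted(macs & WEAK_MACS)}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Grab a live server's KEXINIT: read its banner, send ours, read one packet.
    Not run offline; point it only at a lab device you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send text before the banner
            line = b""
            while not line.endswith(b"\r\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-alg_audit\r\n")
        header = _recv_exact(sock, 5)
        return header + _recv_exact(sock, struct.unpack(">I", header[:4])[0] - 1)


# Constructed samples: what a legacy device and a hardened one might offer.
LEGACY_DEVICE = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
    "ciphers_c2s": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "ciphers_s2c": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "macs_c2s": ["hmac-md5", "hmac-sha1"], "macs_s2c": ["hmac-md5", "hmac-sha1"],
    "compression_c2s": ["none"], "compression_s2c": ["none"]})
HARDENED_DEVICE = build_kexinit({
    "kex": ["curve25519-sha256"], "host_key": ["ssh-ed25519"],
    "ciphers_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "ciphers_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "macs_c2s": ["hmac-sha2-256-etm@openssh.com"],
    "macs_s2c": ["hmac-sha2-256-etm@openssh.com"],
    "compression_c2s": ["none"], "compression_s2c": ["none"]})

if __name__ == "__main__":
    for label, packet in (("legacy", LEGACY_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(label, audit_algorithms(parse_kexinit(packet)))
```

Against a real device, call `audit_algorithms(parse_kexinit(fetch_server_kexinit("10.0.0.5")))` from a host that is allowed to reach the relay's management interface. The server offers its full algorithm lists before any key exchange happens, so the check is read-only and needs no credentials; an empty result is the state you want to see after applying the 8.1x firmware.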
Critical infrastructure such as power utilities is essential to our daily lives, but most people don't realize that it runs not just on standard IT but on specialized operational technology (OT) systems, often left in place for years with the mindset "if it ain't broke, don't fix it". As these once-isolated systems become increasingly connected or exposed to the Internet, they are patched less often and are more susceptible to compromise than standard IT.
There has been a steady increase in both the size of ransomware targets and the ransoms demanded. Sierra Wireless, a major global IoT solutions provider, disclosed that it was hit by ransomware on March 20. The company sells products and services to a number of verticals: healthcare, industry, energy, technology and more. The company is not sharing more, except that it shut down manufacturing plants worldwide and that it has "a clear separation between its internal IT and customer facing products and services".
Telecommunications are critical infrastructure, never more so than during a pandemic. We know attackers aim for the pain points to ensure payment. I expect more attacks will deliver disruptions to essential services at mass scale.
Patch It Now: Google reports targeted exploitation of unpatched devices with Qualcomm chipsets (CVE-2020-11261). It isn't a world-on-fire bug, since local access to the device is needed, but watering-hole delivery of malicious code would also work.