Cybersecurity

CISA has published an advisory on a missing authentication for critical function vulnerability in Siemens LOGO! All versions of LOGO!8 BM (including SIPLUS variants) are affected. Successful exploitation of this vulnerability could allow an attacker to read and modify device configurations and obtain project files from affected devices. Siemens recommends applying defense-in-depth concepts, including the protection concept outlined in the system manual. CISA also recommends a series of measures to mitigate the vulnerability.

Microsoft has released its monthly update to address vulnerabilities in its software. For this month, Microsoft has released security updates for Microsoft Windows, Microsoft Edge (EdgeHTML and Chromium-based in IE Mode), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, HoloLens, Adobe Flash Player, Apps for Android, Windows App Store, System Center, and Android Center.

According to an article from Threatpost, BEC attacks in general represent a small portion of the total “email attack pie,” constituting just five percent of this activity overall. And yet, they disproportionately represent the greatest financial risk. Having led to $26 billion in losses for organizations and individuals over the past three years according to the FBI’s Internet Crime Complaint Center (IC3). Unfortunately, losses from water and wastewater utilities are included in those figures, with WaterISAC continuing to receive reports of these attacks affecting the sector.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available and functional proof-of-concept (PoC) code that exploits CVE-2020-0796 in unpatched systems. Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports.