Cybersecurity

The NCCIC has published an advisory on an improper access control vulnerability in 3S-Smart Software Solutions GmbH CODESYS Control V3 Products. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could allow unauthorized access and exfiltration of sensitive data including user credentials. 3S-Smart Software Solutions GmbH recommends activating the CODESYS Control online user management and encryption of the online communication. 3S-Smart Software Solutions GmbH recommends updating to the latest software Version 3.5.14.0 or newer.

The NCCIC has published an advisory on missing authentication for critical function and cross-site scripting vulnerabilities in ABB GATE-E2. GATE-E1 (EOL 2013) and GATE-E2 (EOL OCT 2018) are affected. Successful exploitation of these vulnerabilities could allow unrestricted access to the administrative telnet/web interface of the device, enabling attackers to compromise the availability of the device, read or modify registers and settings, or change the device configuration. ABB will not be releasing updated firmware, as both GATE-E1 and GATE-E2 have reached end of life (EOL).

Dark Web intelligence firm, Gemini Advisory believes the Click2Gov breach originally disclosed by FireEye in September (covered in the WaterISAC Portal here) is more widespread than initially reported.

Late last week, organizations around the world, including in the U.S., Australia, and Canada, received emails claiming that an explosive device would detonate within their buildings unless a ransom in Bitcoin was paid. Samples of some of the emails show that the sender demanded $20,000 in payment, which was to be converted into Bitcoin and transferred to the sender’s Bitcoin wallet. The threats appear to have been a hoax – no detonations occurred and no devices were found.