WordPress Releases Security Update - Updated June 11, 2020
June 11, 2020
CISA has published an advisory on a cross-site scripting vulnerability in OSIsoft PI Web API 2019. PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions are affected. Successful exploitation of this vulnerability could allow a remote authenticated attacker with write access to a PI Server to trick a user into interacting with a PI Web API endpoint that executes arbitrary JavaScript in the user’s browser, resulting in the viewing, modification, or deletion of data within the limits of the victim’s user permissions.
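The scenario above is the stored cross-site scripting pattern: a user with write access stores data that is later rendered, unescaped, into an HTML response viewed by someone else. The following example is added here to illustrate the defect class and its mitigation; it is not code from OSIsoft, PI Web API, or the advisory, and the stored value, the element names, and the render functions are all constructed for illustration.

```python
import html

# Constructed sample of attacker-controlled data that a user with write access
# could store on the server (for example, a display name). Not from the advisory.
STORED_NAME = 'Pump-1 <script>/* constructed sample */</script>'


def render_unsafe(name):
    """Vulnerable pattern: the stored value is interpolated straight into the
    HTML body, so any markup it contains is interpreted by the viewer's browser."""
    return "<p>Element: " + name + "</p>"


def render_escaped(name):
    """Hardened pattern: encode for the HTML text context before interpolation.
    '<' becomes '&lt;', so the browser shows the text instead of executing it."""
    return "<p>Element: " + html.escape(name, quote=True) + "</p>"


def render_attr_escaped(name):
    """Attribute context: always quote the attribute and escape quotes as well
    (quote=True turns '\"' into '&quot;'), otherwise the value can break out of it."""
    return '<a title="' + html.escape(name, quote=True) + '">item</a>'


def response_headers():
    """Defense in depth for the viewer: a restrictive Content-Security-Policy
    blocks inline script even if an encoding mistake slips through somewhere."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def contains_active_markup(rendered):
    """Crude illustration-only check for a live <script> tag in the output;
    real assurance comes from escaping at every sink, not from scanning output."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(STORED_NAME))
    print("escaped:", render_escaped(STORED_NAME))
```

The point to take from the two render functions is that the escaping belongs at the output sink and must match the context (text body versus attribute); filtering at the input side is not sufficient, because the same stored value may be emitted into several contexts.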
The FBI’s Internet Crime Complaint Center (IC3) has released an alert warning consumers of cyber risks associated with mobile banking apps. As more consumers rely on mobile apps for banking, malicious cyber actors are likely to increasingly target them with app-based banking Trojans and fake banking apps. The alert discusses the kinds of malicious activity that have been observed and that are likely to occur, and offers tips for individuals to protect themselves and their organizations. Additionally, with the release of this advisory the U.S.
June 9, 2020
CISA has updated this advisory with additional details on the affected products and mitigation measures. Read the advisory at CISA.
May 13, 2020
CISA has published an advisory on buffer underflow, heap-based buffer overflow, improper initialization, out-of-bounds read, stack-based buffer overflow, access of memory location after end of buffer, off-by-one error, and improper null termination vulnerabilities in Siemens SINUMERIK products. The vulnerabilities affect numerous versions of SINUMERIK products. Successful exploitation of these vulnerabilities could allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.
CISA has published an advisory on a missing authentication for critical function vulnerability in Siemens LOGO! All versions of LOGO!8 BM (including SIPLUS variants) are affected. Successful exploitation of this vulnerability could allow an attacker to read and modify device configurations and obtain project files from affected devices. Siemens recommends applying defense-in-depth concepts, including the protection concept outlined in the system manual. CISA also recommends a series of measures to mitigate the vulnerability.
CISA has published an advisory on a stack-based buffer overflow vulnerability in Advantech WebAccess Node. Versions 8.4.4 and prior are affected. Successful exploitation of this vulnerability could crash the application being accessed; a buffer overflow condition may allow remote code execution. Advantech has released a patch to address the reported vulnerability. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.
Microsoft has released its monthly update to address vulnerabilities in its software. For this month, Microsoft has released security updates for Microsoft Windows, Microsoft Edge (EdgeHTML and Chromium-based in IE Mode), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, HoloLens, Adobe Flash Player, Apps for Android, Windows App Store, System Center, and Android Center.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) advised that the CERT Coordination Center (CERT/CC) has released information on a vulnerability – CVE-2020-12695 – affecting versions of the Universal Plug and Play (UPnP) protocol released before April 17, 2020. The UPnP protocol allows networked devices to discover and connect with each other. A remote attacker could exploit this vulnerability to cause a distributed denial-of-service condition.
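CVE-2020-12695 arises because affected UPnP devices accept the CALLBACK header of an eventing SUBSCRIBE request without checking that the URL points back into the local network, so the device can be directed to send its NOTIFY traffic to an arbitrary host. The example below is added here as a defender-side check and is not code from CERT/CC, CISA, or any UPnP stack: it parses a constructed SUBSCRIBE request and flags callback URLs that fall outside an assumed local subnet, which is the kind of rule a network monitor or the device's own subscription handler should apply.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a UPnP eventing SUBSCRIBE request. The CALLBACK header
# lists one or more <URL> entries the device will later send NOTIFY messages to.
# The second URL points outside the LAN, which is the pattern of concern.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.10:80/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)

# Assumption: the device serves this LAN; in practice derive it from the interface
# the request arrived on.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_callbacks(request):
    """Return every URL from the CALLBACK header of a SUBSCRIBE request, or [] if
    the request is not a SUBSCRIBE or carries no CALLBACK header."""
    head = request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            # Entries are angle-bracket delimited: <url1><url2>...
            body = value.strip().strip("<>")
            return [u.strip() for u in body.split("><") if u.strip()]
    return []


def is_local_callback(url, local_nets):
    """True only when the URL host is a literal IP address inside one of local_nets.
    Hostnames are treated as suspect: resolution could be steered elsewhere."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in local_nets)


def flag_external_callbacks(request, local_nets=LOCAL_NETS):
    """Callback URLs a device should refuse (or a monitor should alert on)."""
    return [u for u in parse_callbacks(request) if not is_local_callback(u, local_nets)]


if __name__ == "__main__":
    for url in flag_external_callbacks(SAMPLE_SUBSCRIBE):
        print("external UPnP callback target:", url)
```

The same rule covers the mitigation CERT/CC's guidance implies for the device side: reject subscriptions whose callback is not on the local segment, and, at the perimeter, do not expose UPnP eventing ports to the Internet at all.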
According to an article from Threatpost, BEC attacks in general represent a small portion of the total “email attack pie,” constituting just five percent of this activity overall. And yet they disproportionately represent the greatest financial risk, having led to $26 billion in losses for organizations and individuals over the past three years according to the FBI’s Internet Crime Complaint Center (IC3). Unfortunately, losses from water and wastewater utilities are included in those figures, with WaterISAC continuing to receive reports of these attacks affecting the sector.