Cybersecurity

The NCCIC has released an advisory on improper authentication and cross-site scripting vulnerabilities in ControlByWeb X-320M. Versions 1.05 and prior are affected. Successful exploitation of these vulnerabilities may allow arbitrary code execution and could cause the device being accessed to require a physical factory reset to restore the device to an operational state. ControlByWeb has released a firmware update to address the vulnerabilities found on the X-320M. The NCCIC also advises on a series of mitigating measures for this vulnerability.

An upward trend has been recorded with business email compromise (BEC) scams where fraudsters trick human resource departments into changing an employee's direct deposit information to divert paychecks into an account they control. In a typical BEC scam, the fraudster sends an email to an employee authorized to make wire transfers and deceives them into sending the money into an unauthorized account. The underlying principle remains the same, only this time the victim could be anyone in the company.

Oracle has released its Critical Patch Update for January 2019 to address 284 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The NCCIC encourages users and administrators to review the Oracle January 2019 Critical Patch Update and apply the necessary updates.

NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) and the Water Information Sharing and Analysis Center (WaterISAC) launched a new security partnership aimed at enhancing cross-sector coordination and taking advantage of the interdependencies of the electricity and water industries.