November 24, 2020

Malware Protection

Public ICS Disclosures – Week of 10-17-20

We have one new vendor disclosure this week for products from HMS. We also have three vendor updates for products from Rockwell and Schneider (2). We also have news of a possible cyberattack on Softing, a control system vendor.

HMS Advisory

HMS published an advisory discussing the BLURtooth vulnerability. HMS reports that none of their products are affected by this vulnerability.

NOTE: The BLURtooth vulnerability is a currently unpatched vulnerability in some implementations of the Bluetooth standard that allows attacker-in-the-middle exploits. I expect that we will be seeing more vendor communications about this vulnerability in the coming weeks, especially from medical device manufacturers where the use of Bluetooth is more common.

Rockwell Update

Rockwell published an update for their advisory on OSIsoft PI System vulnerabilities that was originally published on May 12th, 2020. The new information includes new version information for vulnerability mitigation.

Schneider Updates

Schneider published an update for their Ripple20 advisory. The new information includes:

• Adding remediation for “EGX150/Link150 Ethernet Gateway”, “Acti9 PowerTag Link / HD”, “Acti9 Smartlink SI D”, and “Acti9 Smartlink SI B”, and

• Adding PowerLogic EGX100 to affected products list.

Schneider published an update for their APC by Schneider Electric Network Management Cards advisory that was originally published on June 23rd, 2020 and most recently updated on September 1st, 2020. The new information includes updated overview section, available remediations and affected products tables (some affected products were moved from the above advisory to this one).

Vendor News

When I checked the Softing advisory web page today an interesting popup appeared. It said:

“IMPORTANT NOTE:

“Softing AG fell victim to targeted cyber attacks through no fault of its own. Unknown perpetrators have invaded the internal networks. In order to avoid possible damage to the IT infrastructure, we have severely restricted the external communication options.

“For urgent inquiries we are still available to our customers under the following contact details:

“Softing Industrial Automation: +49 15119489547”

A brief Google® search reveals no news items about this attack.

As always with an attack on a control system vendor, we have to be concerned about the potential product security problems that could arise from the compromise of the system. Access to product source code could allow for easier vulnerability detection by the attacker or even possible modification of that source code to insert vulnerabilities. Access to vendor web site code could allow for the establishment of drive-by code. None of the above is a given, but it does provide an area for potential concern, particularly if the company is not completely forthcoming about the extent of the attack. Hopefully we are just early in the news cycle on this attack and more information will become publicly available in the coming days.