Weekly CyberTip: The Importance of Asset Inventory
Maintaining a detailed and current digital asset inventory is a key foundational element of your cybersecurity program. Having a complete view of your digital fleet supports organized patch management, streamlines incident response, puts you in a stronger compliance posture, and helps facilitate risk analysis when major software vulnerabilities are announced.
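As an added illustration of how an inventory pays off when an advisory is announced (example code written for this page, not part of the CyberTip or any vendor's tooling): the script below matches a vendor advisory's affected-model list against a CMDB-style inventory export and sorts the hits into "patch", "no fix published" and "firmware unknown" buckets, grouped by owner for notification. The inventory rows, the vendor name `ExampleNet`, the model names, the firmware versions and the advisory entries are all constructed placeholders, not real products or advisories.

```python
"""Triage a vendor vulnerability advisory against a digital asset inventory.

Added example, not code from the newsletter. Every value below (inventory
rows, vendor, models, firmware versions, advisory) is a constructed
placeholder.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed inventory export in the CSV shape many CMDB tools produce.
# Note the deliberately blank firmware field on A-0006: real inventories
# are rarely complete, and a triage script must not silently skip such rows.
INVENTORY_CSV = """asset_id,hostname,vendor,model,firmware,owner,location
A-0001,core-sw-01,ExampleNet,SW-A100,2.4.1,netops,HQ
A-0002,floor2-sw-03,ExampleNet,SW-A100,3.0.0,netops,HQ
A-0003,lab-sw-01,ExampleNet,SW-B200,1.9.7,research,Lab
A-0004,wh-sw-02,ExampleNet,SW-C300,1.2.0,logistics,Warehouse
A-0005,print-srv-01,OtherCo,PS-10,5.1,facilities,HQ
A-0006,floor3-sw-01,ExampleNet,SW-A100,,netops,HQ
"""

# Constructed advisory: affected models mapped to the firmware that fixes
# each one. None records that the vendor has not published a fix.
ADVISORY = {
    "vendor": "ExampleNet",
    "fixed_firmware": {
        "SW-A100": "3.0.0",
        "SW-B200": "2.0.0",
        "SW-C300": None,
    },
}


@dataclass
class Finding:
    asset_id: str
    hostname: str
    owner: str
    model: str
    firmware: str
    action: str


def parse_inventory(text: str) -> list[dict]:
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def version_tuple(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only: '2.4.1' -> (2, 4, 1). Raises on junk."""
    return tuple(int(p) for p in v.strip().split("."))


def triage(inventory: list[dict], advisory: dict) -> list[Finding]:
    """Return one Finding per asset that needs attention under the advisory."""
    findings: list[Finding] = []
    for row in inventory:
        if row["vendor"] != advisory["vendor"]:
            continue
        if row["model"] not in advisory["fixed_firmware"]:
            continue  # same vendor, but this model is not listed as affected
        fixed = advisory["fixed_firmware"][row["model"]]
        if fixed is None:
            action = "no fix published: isolate or apply compensating controls"
        else:
            try:
                current = version_tuple(row["firmware"])
            except ValueError:
                action = "firmware unknown: verify manually"
            else:
                if current >= version_tuple(fixed):
                    continue  # already at or above the fixed release
                action = f"patch to {fixed}"
        findings.append(Finding(row["asset_id"], row["hostname"], row["owner"],
                                row["model"], row["firmware"], action))
    return findings


def by_owner(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected asset IDs by owning team, for notification."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.owner, []).append(f.asset_id)
    return grouped


if __name__ == "__main__":
    results = triage(parse_inventory(INVENTORY_CSV), ADVISORY)
    for f in results:
        print(f"{f.asset_id} {f.hostname:<14} {f.model:<8} fw={f.firmware or '?':<6} {f.action}")
    print("owners to notify:", by_owner(results))
```

The unknown-firmware branch is the part worth copying: an asset with a missing or unparseable version is reported for manual verification rather than dropped, because a triage that quietly ignores incomplete records undercounts exposure.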
Family of Bluetooth vulnerabilities could affect billions of devices
Researchers from the Singapore University of Technology and Design have published a study revealing a family of Bluetooth security vulnerabilities that could affect billions of devices.
Nicknamed “BrakTooth”, the vulnerabilities are not inherent flaws in Bluetooth per se but are mainly caused by manufacturers’ non-compliance with the Bluetooth core specifications and protocols when implementing so-called “system-on-a-chip” (SoC) circuits. The study, which analyzed 13 Bluetooth devices from 11 different vendors, revealed a total of 16 new vulnerabilities. A total of 20 Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to track the flaws, with an additional four CVEs awaiting input from Intel and Qualcomm. A minimum of 1400 different devices are affected, with many observers expecting more to be discovered. The list of devices involved includes laptops and desktops from Dell (OptiPlex, Alienware), Microsoft Surface tablets (Go 2, Pro 7, Book 3), and smartphones (e.g., Xiaomi Pocophone F1, OPPO Reno 5G).
The researchers have informed all vendors about the vulnerabilities and have delayed publishing full technical details on the flaws until October, to allow enough time for fixes to be implemented. Many vendors have already provided patches, but a handful have indicated that fixes may not be made available. The researchers have established a website at https://www.braktooth.com that provides more information on the study and the status of available fixes for the bugs.
While the footprint of the vulnerabilities is large, the risk is somewhat mitigated by the complexity of exploiting the flaws. Of the 16 BrakTooth vulnerabilities, CVE-2021-28139 is thought to present the greatest risk because it could potentially allow arbitrary code execution on a compromised device. The risks presented by the other vulnerabilities include denial of service by crashing the device firmware, or creating operating conditions that prevent Bluetooth communications from working at all.
Bluetooth technology appears in a wide variety of home and work devices, including smartphones, laptops and desktops, audio devices, peripherals like printers, mice, and keyboards, and a wide range of industrial IoT devices. Users are encouraged to review the list of potentially affected devices regularly for the status of patch availability.
Gatineau, QC transit system suffers cyber attack
The Société de transport de l’Outaouais (STO) – the transit authority serving Gatineau, Quebec – suffered a cyber attack late on September 3. While the STO website is silent on the incident, a French-only bulletin posted on STO’s Facebook and Twitter accounts confirms the attack, praising the “vigilance of the operations team” and the “expertise of the IT team” for getting control of the situation quickly.
Bus services were not affected by the attack, though some online resources (including the STO website for a brief period, online transit card purchases, online trip planning, and para-transit service bookings) remain offline.
STO’s analysts have been working through the weekend to take “the necessary measures to secure the computer environment and to determine the nature and extent of the attack as well as restore [their] systems.” STO has committed to providing further details as the situation progresses.
Netgear issues urgent patch advisory for 20 smart switches
On September 3, networking manufacturer Netgear issued a bulletin advising of the release of firmware updates for 20 of its smart network switches. Aside from listing the models affected and the new recommended patch levels, the advisory contained no information about the nature of the vulnerabilities. Netgear, however, “strongly recommends that you download the latest firmware as soon as possible.”
Details of the bugs come instead from the researcher who discovered them: Google IT security engineer Gynvael Coldwind has posted an analysis on his personal blog.
The first vulnerability, coded PSV-2021-0140 and nicknamed “Demon’s Cries”, involves an authentication bypass that could allow an attacker to change the admin password, resulting in full compromise of the device. A prerequisite for exploiting this bug is that the Netgear Smart Control Center (SCC) feature must be active; default switch configurations have it turned off.
The second, coded PSV-2021-0144 and nicknamed “Draconian Fear”, involves authentication hijacking that could allow an attacker with the same IP address as the switch to take over administration of the device.
The third vulnerability, coded as PSV-2021-0145 and nicknamed “Seventh Inferno”, will be documented by Coldwind on September 13, according to the blog.
ICYMI: Proofpoint and Ponemon release Cost of Phishing report
Research firm Ponemon and email security provider Proofpoint have jointly issued the latest update to their “Cost of Phishing” report series. First conducted in 2015, the study reveals the significant and growing costs of phishing to organizations of all sizes.
The study group consisted of 591 IT professionals, 56% of whom represented companies with fewer than 1000 employees. The report illustrates the significant increase in phishing attacks – and the costs that go with them – as companies have shifted to more remote or hybrid work. The different “flavours” of email threats are discussed, ranging from malware and credential attacks to business email compromise (BEC), ransomware, and fund misdirection.
Key findings in the report include:
+ The cost of phishing has more than tripled since 2015, with the average annual cost rising from $3.8 million (all figures USD) in 2015 to $14.8 million so far in 2021.
+ Documentation and pre-incident planning represent the least time-consuming tasks, while cleaning and repairing infected systems and conducting forensic investigations can be the most time-consuming.
+ Lost employee productivity represents a significant component of the cost of phishing, rising from an average of $1.8 million in 2015 to $3.2 million in 2021.
+ The cost of resolving malware infections doubled, with the average total cost rising from $338,098 in 2015 to $807,506 in 2021.