5G Connectivity and its Impact on Industry 4.0: Maturity and Evolution

Gabriel Álvarez Corrada    12 November, 2020

One of the factors that indicates the maturity of some branches of technology is the incorporation of improvements as this technology evolves, which are different from those considered at the beginning. Thus, for example, the beginning of the evolution of microprocessors was based on gross power and a progressive, and slow, miniaturisation (mainly due to heat generation and cost issues). As the technology matured, other improvements were introduced, such as the use of several cores within the same processor, power segmentation, reduction in consumption, more effort in miniaturisation… This indicator of maturity in the wireless connectivity of the mobile network has been the 5G standard: the commitment to other improvements with an impact above the usual increase in speed typical of each evolution.

However, this post will not analyse the benefits of 5G connectivity. For that we already have some great articles on our blog. In this one we are going to talk about how this maturity impacts on the industry 4.0 environment.

As we discussed in our previous article, in which we spoke about the approach to cyber security in Industry 4.0, in recent years industry has undergone an intense process of transformation that has been called the “fourth industrial revolution” or “Industry 4.0”. This process of digitalisation and development of new technologies seeks to implement improvements such as real time access to data and business intelligence, which will transform the current perspective in which production processes are carried out, moving one step further towards the so-called “Smart Factories”.

Embracing Industry

The new 5G standard proposes improvements in access to and communication between industrial processes, as well as in the creation of new models and use cases. According to ABI Research, these improvements could reduce maintenance costs by 30% and increase overall efficiency by 7%. This is not by chance. As can be seen in the image below, the 5G protocol stands on three basic pillars, which offer solutions to the great challenges and advances that the fourth industrial revolution poses.

Image 1 – The triangle of the 5G in Industry 4.0. (Source: Spanish National 5G Observatory)

What technologies do they apply in each pillar and what do they consist of? Let’s get into it:

  • High bandwidth: eMBB (enhanced Mobile Broadband), which enables high transmission speeds. This means that there are no bottlenecks in the transmission of large amounts of information.
  • Low latency: URLLC (Ultra Reliable Low Latency Communications), which allows for low latency connections of less than 1 millisecond and high reliability, of at least five nines (99.999%), equating in performance to connections previously only attainable through wiring. This is especially relevant in M2M environments, since it minimises the possibility of two machines working in synchronisation being blocked due to latency in the transmission of information or because the connection is not stable.
  • High density: mMTC (massive Machine-Type Communications), which allows a high number of devices to be connected simultaneously. In cases where many devices requiring connection are deployed (e.g. sensors) this technology allows the control of the devices at the same time, without causing disconnections or exclusions of any of them.

What About Security?

The heterogeneity of the OT ecosystem means that classic practices such as fault patching or network segmentation (restricting internet access to some of these segments) sometimes become ineffective or directly impossible in the face of the diversity of proprietary devices and protocols, or simply due to the peculiarities of each industrial process.

In addition, a “Smart Factory” requires communication protocols ready to integrate IT, OT and IoT devices. This implies the implementation of different communication networks, both wired and wireless, each with its own vulnerabilities and security challenges, in an environment (once very isolated) that is not prepared to assume the sudden entry of many devices from other fields.

However, 5G is the enabling technology for this hybridisation that will allow key communications in Industry 4.0 to be unified. The great advantage of this generation, in addition to its adoption by all the areas involved, is security by design as a fundamental point of the standard. Likewise, 5G security not only focuses on individual solutions, but also considers the main risks and environmental threats, analysing the scope of each threat and the cost of its mitigation and remediation.

Some of the most relevant features implemented by 5G are the following:

  • Radio interface: in order to prevent manipulation of user data, adaptive protection of user data integrity has been designed, in addition to end-to-end encryption.
  • User privacy: unlike 4G, user identification information, such as IMSI (International Mobile Subscriber Identity), is not transmitted in plain text, but encrypted on the radio interface.
  • Authentication: the 5G access authentication process is designed to support the Extensible Authentication Protocol (EAP) specified by the IETF, through a new version of the “Authentication and Key Agreement” (AKA) already used in other previous standards.
  • Roaming Security: 5G’s service-based architecture defines the security edge protection proxy to implement E2E (end-to-end) security protection for inter-carrier signalling at the transport and application layers. This prevents third-party operator devices from accessing sensitive data.

Such practices are very important, but even more important is that 5G service providers are committed to maintaining a chain of reliability that strengthens the security embedded in the 5G standard. In this sense, Telefónica declares in its Digital Manifesto that security is primary. Its executive president, José María Álvarez-Pallete, declared regarding the “Clean Network” initiative that “Telefónica is proud to be a company with a clean 5G access route”. Currently, both Telefónica España and O2 (United Kingdom) are totally clean networks, while Telefónica Deutschland (Germany) and Vivo (Brazil) will soon be so. This implies that suppliers throughout the supply chain will be reliable, thus minimising a common problem in the area of cyber security.

To Sum Up…

5G connectivity is the necessary element to lead the “fourth industrial revolution”. It is a strategic, well-planned standard that implements the necessary steps to demonstrate that it is a mature technology that is willing to facilitate that leap that makes the use of the technology transparent to the user. In this way, the paradigm of ubiquity in technology, of which Mark Weiser is the creator, will be fulfilled: “the most entrenched technologies are those that disappear”.

We are on track…

ElevenPaths Radio English #4 – Privacy and Personal Data Protection

ElevenPaths    11 November, 2020

Privacy and personal data protection are two of the greatest concerns today due to the large amount of information leaking out to the media every day. Practically all big companies today have large amounts of personal data on their customers.

In this new episode of ElevenPaths Radio English, our Chief Security Ambassador Carlos Ávila addresses the main doubts about these issues and talks about the major personal data leaks and the changes generated by these breaches. Why aren’t they all public? What have countries done about these scandals?

Fourth episode of ElevenPaths Radio English now available


Discover more episodes of ElevenPaths Radio English:

¿Ransomware in Pandemic or Ransomware Pandemic?

Gabriel Bergel    9 November, 2020

No one imagined what could happen in the field of cyber security during the Covid-19 pandemic. Perhaps some colleagues were visionary, or others were basically guided by the statistics of recent years regarding incidents and security breaches, which have been steadily increasing. I hope everyone understands that no one is free from a cyber incident nowadays.

A Little Bit of History

The beginnings of ransomware do not date back to the 2000s, as most people believe. As early as December 1989, when the first website had not even been created yet, 20,000 5¼″ diskettes were sent from London to companies in the UK and abroad, to subscribers of PC Business World magazine and also to participants at an AIDS conference organised by the World Health Organisation. The sticker on these diskettes read “AIDS Information Introductory Diskette” and claimed they came from the PC Cyborg Corporation. All of this was a deceit: the software encrypted the hard drive of the computers and asked for a ransom. AIDS was also the first ransomware to spread globally, reaching over 90 countries by postal mail.

Now, 31 years later, ransomware has already become an industry, with incredible advances in the field. The Covid-19 pandemic has only accelerated the development of infection campaigns. The numbers and incidents that have occurred during the pandemic are, I would say, unprecedented. Remote working could be one of the causes, as cyber security controls are weaker at home than in the corporate environment, but mainly it has to do with our anxiety and uncertainty, which make us more “prone” to fall for a phishing operation carrying ransomware. However, this increase in numbers in the region has already been evident in several studies since last year:

Ransomware by country. Source: Symantec

The Ransomware Business

Not long ago, ransomware was classified as an incident (DBIR) rather than a breach, because data encryption does not necessarily involve a disclosure of confidentiality. However, that has changed: the business of ransomware is no longer so much about encryption but about making money from the threat of information leakage, and there are cases to back this statement up.

At Elevenpaths, we have been tracking the several ransomware campaigns that exist and shared them with the community through our weekly briefings and cyber security research reports.

I also talked about it a month ago, after giving many interviews about the incident at Banco Estado de Chile, allegedly caused by Sodinokibi, a ransomware whose campaigns we at ElevenPaths had already been following since January this year.

On the other hand, advances in ransomware development are evident. For example, Conti uses 32 CPU threads in parallel during the infection process of a computer. Sergio de los Santos wrote a highly recommended post called “What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You?”, which may be useful to understand what is happening in this new era.

To sum up, the non-profit volunteer hacker initiative called the CTI League (Cyber Threat Intelligence League), a global community of emergency response volunteers who defend and neutralize cyber security threats and vulnerabilities to life-saving sectors related to the current Covid-19 pandemic, should be highlighted for the great work they have done in helping and preventing more health institutions from being affected by these types of cyber attacks.

Just a question: what will be the next level in this battle?

Download our new guide created in partnership with Palo Alto to help you prepare, plan, and respond to Ransomware attacks

Cyber Security Weekly Briefing 31 October – 6 November

ElevenPaths    6 November, 2020

Apple fixes 3 0-day vulnerabilities

Apple, with the launch of the new iOS 14.2 version, has corrected three 0-day vulnerabilities that are reportedly being actively exploited and that affect iPhone, iPad and iPod devices. These bugs were reported to Apple by Google Project Zero’s team of security analysts, who are also credited with the discovery of the recently reported 0-day vulnerabilities in Chrome and Windows.

  • CVE-2020-27930: a remote code execution (RCE) bug caused by a memory corruption flaw when the FontParser library processes a maliciously crafted font.
  • CVE-2020-27932: a 0-day kernel privilege escalation vulnerability that would allow malicious applications to execute arbitrary code with kernel privileges.
  • CVE-2020-27950: would allow malicious applications to access kernel memory due to a memory initialization flaw in the kernel.

It is recommended to upgrade to iOS 14.2 as soon as possible.

Cyberattacks on the industrial sector through remote management systems

In 2018, a phishing campaign aimed at industrial sector entities, especially in manufacturing, was reported, the purpose of which was to spread malware. Recently, from the summer of 2019 until this autumn, a new wave of this campaign has been detected which includes improved attack techniques. As a pretext in the phishing emails, the threat actors use documents that detail equipment configuration, industrial processes, etc., all of which have been stolen from the victim company itself or from one of its collaborators. The distributed malware allows attackers to use remote administration tools, hiding their usage from the user, and even to use them as C2, as is the case with the web interface of the RMS cloud platform. The use of spyware and Mimikatz for credential theft and lateral movement to other systems on the network has also been seen. The ultimate goal is still financial gain.

Active exploitation of the 0-day vulnerability in Windows not yet corrected

Google has disclosed a Windows 0-day vulnerability (CVE-2020-17087), not yet patched, used as part of an exploit chain that also includes a Google Chrome 0-day (CVE-2020-15999), already patched in version 86.0.4240.111. The Chrome 0-day was used to run malicious code inside Chrome, while the Windows 0-day allows a sandbox escape, whereby threat actors could escape Chrome’s secure container and run code on the underlying operating system. The Google Project Zero team notified Microsoft and gave the company seven days to patch the bug before disclosing the vulnerability details and a proof-of-concept exploit. According to Google’s report, the 0-day is a bug in the Windows kernel that can be exploited to elevate the privileges of an attacker’s code, and the vulnerability impacts all Windows versions between Windows 7 and the most recent Windows 10 release. The vulnerability is expected to be patched on November 10, the date of Microsoft’s next Patch Tuesday.

Windows virtual machines new RegretLocker ransomware target

The new ransomware called RegretLocker, discovered in October by MalwareHunterTeam researchers, has the peculiarity of not using a ransom note and of using email for communications instead of a web page on Tor. When encrypting files, RegretLocker appends the extension .mouse to the names of the encrypted files. Although apparently simple, this ransomware has advanced features that are not common in its malware family: it is able to encrypt Windows virtual machines and to close open files in order to encrypt them. When ransomware encrypts files on a computer, it does not usually encrypt very large files such as virtual machine disks, as this slows down the entire encryption process. However, RegretLocker uses the Windows Virtual Storage API (OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath) to encrypt virtual machines. It also uses the Windows Restart Manager API to terminate Windows processes or services that keep a file open during encryption.

Data on 34 million stolen users from 17 companies for sale

According to the specialist technology outlet BleepingComputer, a threat actor has released 34 million user records, claiming that they come from information leaks at 17 different companies. The seller created a thread on a hacker forum on October 28th, detailing the type of information exposed in each of the databases. This information includes emails, passwords in different formats, user names, phone numbers, dates of birth, addresses and other sensitive data. The affected companies belong to a wide range of professional sectors and geographical locations. None of them had reported recent data leaks, and only two have done so after being contacted by the article’s authors: Singapore’s online supermarket RedMart and Thailand’s review site Wongai.

Homeworking and Pandemics: a Practical Analysis on BlueKeep Vulnerability in Spain and Latin America

Andrés Naranjo    5 November, 2020

“It is not the strongest of the species that survives, not the most intelligent that survives. It is the one that is the most adaptable to change”.

Charles Darwin

One of the greatest and most rapid changes in recent human history is this “new normality” caused by the Covid-19 pandemic since it started in March. In this change, most companies had to find a way to maintain their activity at whatever the price, at least as far as possible.

This subject, which is not easy, is critical whenever we talk about technology companies: we see many companies whose previous success and strength have been of no use when facing the current market or financial scenario. They have gone from the greatest of successes (their previous strength) to the most resounding of failures. Failure to adapt to change can mean a death sentence or a long agony: let’s recall the case of Nokia, for example, which at the beginning of the century was comfortably established on the hegemonic throne of mobile telephony, both in terms of production and reputation, and nowadays, after smartphones arrived, is no longer what it used to be.

But going back to March of this year 2020, as we were saying, companies in most countries that have suffered lockdowns had to find the means to maintain their activity. And often these urgent processes never consider the necessary protective measures. To a large extent, this adaptation has meant enabling the possibility of homeworking, which seems here to stay since governments are trying to regulate this type of work. However, as we will show below, this capacity to manage remotely and/or to enable teleworking has meant a greater number of assets exposed to well-known vulnerabilities.

BlueKeep vulnerability

The study presented here is based on the CVE-2019-0708 vulnerability, known as “BlueKeep”. It is a remote code execution vulnerability in Remote Desktop Services (previously known as Terminal Services) that is triggered when an unauthenticated attacker connects to the target system via RDP and sends specially crafted requests. This remote code execution can mean total control and compromise of the system.

The reason for studying this vulnerability in particular is that the RDP protocol enables easy remote access by simply opening port 3389 on the desired machine. But each open port, as we know, is an entry vector, especially when basic system protection measures have not been taken. Likewise, it is not a recent vulnerability (dating from May 2019) and we must also bear in mind that it affects obsolete Microsoft operating systems (XP, Vista, Windows Server 2008) that are not properly updated.

César Farro has collaborated in this study; in May last year he published the first exposure study on “BlueKeep”. Public tools such as masscan and rdpscan, both written by Robert Graham, have been used for this purpose.

BlueKeep Vulnerability Study – May 2019

The methodology for this work has been simple:

  • The IP range for each country has been scanned using public sources where the IPv4 ranges assigned to each country are published, such as Lacnic and RIPE.
  • The tools described above have been used to analyse whether each asset exposed with port 3389 open is vulnerable. It should be noted that the analysis is not conclusive and there are several assets that cannot be diagnosed, which are listed as “unknown”.
  • We establish a comparison between January 2020 and August 2020, to compare the number of assets with the open port and to draw conclusions regarding the level of exposure.
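As an added example (not the study's own tooling), the tallying step of that methodology: it aggregates rdpscan results for two snapshots, keeps one verdict per host, and computes the exposed/vulnerable/unknown figures the study compares. The one-line-per-host format `<ip> - <STATUS> - <reason>` and the sample lines are assumptions constructed for the example.

```python
"""Added example (not the study's own scripts): aggregate rdpscan results
for two snapshots and compute the exposure figures the study compares.
Assumption: rdpscan prints one line per host as '<ip> - <STATUS> - <reason>'
with STATUS in VULNERABLE / SAFE / UNKNOWN; adjust LINE_RE if yours differs."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*"
    r"(?P<status>VULNERABLE|SAFE|UNKNOWN)\s*-\s*(?P<reason>.*)$"
)
# Worst verdict wins when the same host shows up more than once (rescans).
RANK = {"SAFE": 0, "UNKNOWN": 1, "VULNERABLE": 2}


def tally(lines: Iterable[str]) -> Counter:
    """One verdict per IP; lines that are not results (banners, errors) are skipped."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, status = m.group("ip"), m.group("status")
        if ip not in verdicts or RANK[status] > RANK[verdicts[ip]]:
            verdicts[ip] = status
    return Counter(verdicts.values())


def exposure(counts: Counter) -> Dict[str, float]:
    """Exposed = every host that answered on 3389 (the study's denominator)."""
    exposed = sum(counts.values())

    def pct(n: int) -> float:
        return round(100.0 * n / exposed, 1) if exposed else 0.0

    return {
        "exposed": exposed,
        "vulnerable": counts["VULNERABLE"],
        "unknown": counts["UNKNOWN"],
        "vulnerable_pct": pct(counts["VULNERABLE"]),
        "unknown_pct": pct(counts["UNKNOWN"]),
    }


def compare(before: Iterable[str], after: Iterable[str]) -> Dict[str, Optional[float]]:
    """Report both snapshots side by side plus growth of the exposed surface."""
    b, a = exposure(tally(before)), exposure(tally(after))
    growth = round(a["exposed"] / b["exposed"], 2) if b["exposed"] else None
    return {
        "exposed_before": b["exposed"],
        "exposed_after": a["exposed"],
        "exposed_growth": growth,
        "vulnerable_pct_before": b["vulnerable_pct"],
        "vulnerable_pct_after": a["vulnerable_pct"],
        "unknown_pct_before": b["unknown_pct"],
        "unknown_pct_after": a["unknown_pct"],
        "still_vulnerable": a["vulnerable"],
    }


# Constructed sample output (TEST-NET addresses), not real scan data.
JANUARY = """\
rdpscan: starting
203.0.113.1 - SAFE - Target appears patched
203.0.113.2 - VULNERABLE - got appid
203.0.113.3 - SAFE - Target appears patched
203.0.113.4 - UNKNOWN - no connection
203.0.113.5 - SAFE - Target appears patched
""".splitlines()

AUGUST = """\
203.0.113.1 - SAFE - Target appears patched
203.0.113.2 - SAFE - Target appears patched
203.0.113.3 - SAFE - Target appears patched
203.0.113.4 - UNKNOWN - no connection
203.0.113.5 - SAFE - Target appears patched
203.0.113.6 - VULNERABLE - got appid
203.0.113.6 - SAFE - Target appears patched
203.0.113.7 - UNKNOWN - connection refused
203.0.113.8 - SAFE - Target appears patched
203.0.113.9 - UNKNOWN - no connection
203.0.113.10 - SAFE - Target appears patched
not a result line
""".splitlines()

if __name__ == "__main__":
    for key, value in compare(JANUARY, AUGUST).items():
        print(f"{key:>22}: {value}")
```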

Let’s see for example, data in Spain before and after the pandemic:

Taking the percentages as data, we can see a clear evolution:

We can draw the following conclusions for the case of Spain:

  • While the number of assets with port 3389 open has almost doubled, the percentage of assets objectively vulnerable to this flaw has clearly fallen, from 11% to 4% of the exposed assets.
  • 3,745 devices is still a very high number of easily accessible machines vulnerable to a security flaw published more than a year ago.
  • The increase in cases labelled as unknown is mainly due to the correction of query methods from unknown IPs and should be attributed to better configuration, for example by limiting RDP access to certain IPs, which results in more secure access.

You can check all the data for the 12 countries under study in the following table:

In summary

The new normality imposed by the pandemic has forced many companies and agencies to enable remote access resources to maintain their business. But, as with everything that has changed, this must be done while maintaining our security strategy to ensure business continuity.

The use of RDP or other remote access methods must always be planned and executed from security by design so that our adaptation to this change is carried out without putting our entity at risk. As a tip, it is a good idea to have our assets properly listed with their corresponding versions of operating systems and software and/or services running, always keeping an eye out for security updates.

The Smart Train – The key to future sustainable mobility

Patrick Buckley    5 November, 2020

Governments know that a functional and efficient transport system is key to economic growth and social development. Well run transport infrastructure unlocks the productive potential of an economy. Naturally, a more mobile workforce will spend less time commuting and more time working, thus allowing the population to produce a higher level of economic output. 

As governments roll out transport infrastructure projects, they must choose technologies which will stand the test of time. New transport infrastructure must have the capacity to adapt to increased future demand due to growing populations, be efficient and environmentally sustainable. The Smart Train is the answer to all of this! 

The need for Automation In Train Operations – ATO

If you want to go somewhere quickly and happen to be In a global capital, your best bet is usually to take the Metro. These systems are crucial to residents who depend on them to commute and go about their daily lives.

Usually metro systems run frequently and efficiently worldwide, but human error and staff disorganisation or industrial action can lead to rail accidents, delays in services and reductions in frequencies. This is why we need ATO systems.

The arrival of ATO systems (Automation of Train Operation), powered partly by artificial intelligence (AI) technology, removes the need for the train driver and therefore eliminates the costs associated with human error. It is these efficiency gains, however slight, that allow for the necessary increases in service frequency and capacity to adapt to population growth in some of the world’s busiest cities.

ATO technology, in itself, is nothing new. According to the European Parliamentary Research Service (EPRS), in 2018 the world was home to 1,000 km of automated metro lines in 41 cities. Amongst the most well-known ATO systems are the Singapore Mass Rapid Transit Line and the terminal connector at Dubai International Airport (DXB).

Current AI applications within ATO. 

As I write this post in late 2020, the full power of AI in Automatic Train Operations has not been fully realised. At present the main applications of AI across the industry are focussed on administrative processes such as arrival and departure board management, intelligent scheduling (based on demand insights provided by Big Data) and security monitoring systems.

In many cases, AI technology can assist in the process of train acceleration/deceleration as the onboard computer recognises stop locations and speed limits. AI technology can even provide speed optimisation insights. For example, the European Train Control System (ETCS) is an automatic monitoring system that informs train drivers in participating EU networks of speed restrictions and protocols.

A Future Application of AI in Automatic Train Operations – Smart Sensing

Systems are currently being developed to sense imperfections on the railway line and on the train itself. So-called ‘Smart Sensing’ technology will soon be installed inside train wheels to detect material fatigue of infrastructure and predict maintenance needs. This not only allows for enhanced rail safety, but also allows train operators to plan service and infrastructure upgrades in a cost-effective and timely way, making sure that service capacity remains sufficient at all times.

Conclusion

The train is here to stay and the smart train is getting smarter! Governments prioritise rail infrastructure projects due to the long-term sustainability and ability to accommodate the mobility needs of a growing population. Currently, artificial intelligence plays a key role in the running of rail networks mainly in an administrative capacity. Smart sensing of trains and rail networks is the next AI powered industry break through!


ZoomEye: Extending TheTHE With More Plugins

Carlos Ávila    3 November, 2020

Those who follow the developments carried out by the Innovation and Laboratory team will be familiar with our theTHE platform, which specialises in Threat Hunting and IoC analysis and is especially useful for teams and SOCs. Even if this tool does not fit all needs, new plugins can always be developed. If you dare… keep reading!

At ElevenPaths we have developed over 30 plugins that you can use from now on and that are included in the latest version of the platform in our GitHub repository. We also have a more advanced private version for SOCs. In any case, creating a plugin is very easy, let’s see it with a practical example. In this case we will work on a simple plugin that allows us to consult the API of the ZoomEye search service by means of some IP address that we are investigating.

The structure of the project and the files you should create should be as follows:

  1. The first thing is to clone the code repository from the ElevenPaths GitHub: git clone https://github.com/ElevenPaths/thethe
  2. Regarding the structure of the project, it must be taken into account that the tool is “dockerised” and mainly developed in Python3 as a backend. VueJS is used to display the data on the web (frontend) and the data is stored in a MongoDB database. This way, we have:
  • Backend (the-the/thethe_server/server/plugins/): this directory is where the plugins developed in Python for the platform are stored. In the same directory there is a ‘TEMPLATE.py’ file with all the relevant documentation to use as a basis for developing a new plugin.
  • Frontend (the-the/thethe_frontend/src/components/templates/): in this directory you must create a folder with the name of the plugin and inside it generate an index.vue file, where we will develop the part that displays the data through VueJS on the web.

Backend Development

We generate a zoomeye.py file with all the code needed to consume the platform’s API, based on the ZoomEye API service documentation. For the interaction with this API, we use the official ZoomEye SDK:

At the end, the data from the query is stored in the project’s Mongo database. Then the backend basically returns a JSON object from Python to be displayed in the frontend.

Frontend Development

A folder is created with the name of the plugin, in this case zoomeye, and inside it an index.vue file must be generated, where the part that displays the data through VueJS on the web is developed. The data shown come from the file developed in the backend.

We Try the Plugin

We hope that this mini-guide will encourage many more people to create plugins that will contribute to the project and the community. In fact, you can not only use third-party APIs, but also create your own scripts that consume your own services, as we have done with our DIARIO and Tacyt platforms. We will continue developing the tool and, in the same way, we hope that the diverse experiences of the community and their comments will help to enrich it.

Cybersecurity Weekly Briefing October 24-30

ElevenPaths    30 October, 2020

Critical vulnerability in Hewlett Packard Enterprise SSMC

Hewlett Packard Enterprise has fixed a critical authentication bypass vulnerability (CVE-2020-7197, CVSS 10) affecting its StoreServ Management Console (SSMC) storage management software. HPE SSMC is present in the HPE Primera and HPE 3PAR StoreServ storage platforms. The flaw has been classified by the company as highly critical because it is easily exploitable, does not require user interaction and can be exploited by an unprivileged attacker. In addition, HPE has corrected 64 vulnerabilities affecting HPE Intelligent Management Center (iMC). HPE strongly recommends updating SSMC to version 3.7.1.1 or higher.

More details: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbst04045en_us

KashmirBlack Botnet attacks content management systems

Imperva security researchers, after analysing the KashmirBlack botnet, have discovered that it is infecting thousands of websites by attacking their content management systems (CMS). KashmirBlack controls hundreds of bots, each of which communicates with the C&C to receive new targets and perform brute-force attacks, install backdoors and expand the size of the network. According to the researchers, the main objective of this botnet is to infect websites and then use their servers to mine cryptocurrencies or redirect legitimate traffic to spam sites, among other things. To spread, KashmirBlack looks for websites running vulnerable versions of CMSs such as WordPress, Magento or Joomla and uses known exploits for those bugs.

All the info: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/

TrickBot extends its activity to Linux devices

On October 12th, Microsoft reported that a conglomerate of technology companies had participated in a joint action to eliminate the TrickBot botnet. Days later, the Redmond company published that 94% of the infrastructure had been eliminated, but warned that the threat actors behind the botnet would reactivate its operations. As a result, the Netscout research team has shared new findings explaining how TrickBot’s authors have ported parts of their code to Linux in order to extend their reach to more victims. To do so, they are using a TrickBot backdoor called Anchor, discovered in late 2019 by Cybereason researchers, which is now being used on Linux devices to communicate with their Command & Control. Anchor stands out for using the DNS protocol to communicate with C2 servers in a stealthy way: each part of the communication with the C2 follows a sequence of 3 different DNS queries, the last one being in charge of sending commands to the bot to execute a payload. According to the researchers, these characteristics show great complexity in Anchor’s C2 communication, and in addition, the payloads the bot can execute reflect a constant capacity for innovation, as evidenced by its move to Linux.

More: https://www.netscout.com/blog/asert/dropping-anchor
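The stealthy DNS channel described above is the kind of traffic a defender would want to triage in DNS query logs. The following is an added example, not code from Netscout or from the original post: it scores each client/apex-domain pair on the volume of long, high-entropy subdomain labels and counts bursts of three closely spaced queries, the pattern the post attributes to Anchor. The log format, the thresholds, the domain names and the log lines are all constructed here; Anchor's real query format is not given on the page, so this is a generic DNS-tunnelling heuristic, not a signature.

```python
"""Triage DNS query logs for stealthy DNS-based C2 traffic (defender example)."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname>".
# These are not real Anchor samples; example-c2.test is a placeholder apex.
SAMPLE_LOG = """\
1603900001 10.0.0.5 www.example.com
1603900002 10.0.0.7 a9f3k2m8q1z7x4c6v0b2n5m7.example-c2.test
1603900003 10.0.0.7 7h2j4k6l8p0q1w3e5r7t9y1u.example-c2.test
1603900004 10.0.0.7 z1x3c5v7b9n2m4a6s8d0f2g4.example-c2.test
1603900005 10.0.0.5 mail.example.com
1603900010 10.0.0.7 q2w4e6r8t0y1u3i5o7p9a1s3.example-c2.test
1603900011 10.0.0.7 d4f6g8h0j2k4l6z8x0c2v4b6.example-c2.test
1603900012 10.0.0.7 n8m0a2s4d6f8g0h2j4k6l8p0.example-c2.test
1603900020 10.0.0.5 cdn.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def apex(qname):
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(qname.split(".")[-2:])


def count_bursts(timestamps, size=3, window=5):
    """Count non-overlapping runs of `size` queries issued within `window` seconds."""
    ts, bursts, i = sorted(timestamps), 0, 0
    while i + size <= len(ts):
        if ts[i + size - 1] - ts[i] <= window:
            bursts, i = bursts + 1, i + size
        else:
            i += 1
    return bursts


def score_clients(log_text, min_queries=4, min_entropy=3.5, min_len=16):
    """Return {(client, apex): stats} for pairs whose queries look like a covert channel."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "times": []})
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        st = stats[(client, apex(qname))]
        st["queries"] += 1
        sub = qname[: -len(apex(qname)) - 1]  # everything below the apex
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            st["suspicious"] += 1
            st["times"].append(int(ts))
    flagged = {k: v for k, v in stats.items() if v["suspicious"] >= min_queries}
    for v in flagged.values():
        v["bursts"] = count_bursts(v["times"])  # three-query sequences, as in the post
    return flagged
```

Run `score_clients(SAMPLE_LOG)` to see only the 10.0.0.7 client flagged, with six suspicious queries grouped into two three-query bursts, while the ordinary example.com lookups stay below the thresholds.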

Attempts to exploit a recent critical bug in Oracle WebLogic

On October 20th, Oracle published its security bulletin correcting a critical bug in Oracle WebLogic Server that allows remote code execution without authentication, CVE-2020-14882 (CVSS 9.8). Shortly after exploit code for this vulnerability was made public, the SANS Institute detected attacks against its honeypots attempting to exploit this bug. In these actions, the threat actors only verified whether the system was vulnerable. Applying the corresponding patches is therefore strongly recommended to correct this vulnerability, which affects the following versions of Oracle WebLogic Server: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0. The attacks came from 4 IP addresses – 114.243.211[.]18 (China Unicom), 139.162.33[.]228 (Linode, USA), 185.225.19[.]240 (MivoCloud, Moldova) and 84.17.37[.]239 (DataCamp Ltd, Hong Kong) – and, according to SANS, the exploit they used was based on the technical details of a Vietnamese blog post published on Wednesday by security researcher @testanull.

Info: https://isc.sans.edu/diary/26734

Malware campaigns lead to ransomware infection

FireEye security researchers have published a compilation of new campaigns from malware families that act as droppers and end in a ransomware infection. One notable characteristic is their speed of action, since the threat actors carry out their attack within the first 24 hours of the initial compromise. It should also be noted that the different malware used, such as Kegtap/Beerbot, Singlemalt/Stillbot and Winekey/Corkbot, shares the same Command & Control infrastructure. The operators of these campaigns have so far targeted individuals from organisations in different sectors and geographical locations. The entry vector for these campaigns is the sending of malicious emails that imitate generic corporate communications and provide links to documents hosted on Google Docs, which in turn contain a new URL from which the malware is downloaded. Once this is executed on the initial victim's host, the operators use payloads such as PowerTrick and/or Cobalt Strike to carry out network and host reconnaissance. In this way they get to know the affected organisation internally and facilitate lateral movement, escalate privileges and, in some cases, download and execute ransomware such as Ryuk.

More: https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

Telefónica, Gradiant and Incibe Improve Companies’ Cyber Security

ElevenPaths    30 October, 2020
  • The agreement boosts knowledge transfer to the private sector
  • TEGRA continues on the path to consolidate Galicia’s position as a major player in the European field of cyber security

Telefónica, Gradiant and the Spanish National Cyber Security Institute (Incibe) will facilitate the transfer of knowledge in cyber security to Galician companies. In addition, they will promote the retention of specialised cyber security talent and raise awareness of the need for digital security in Galician society. This was set out in the agreement that the three institutions have signed this week and which will be developed through TEGRA, the cyber security centre that ElevenPaths, Telefónica’s cyber security company, and Gradiant created in 2018 – which emerged from the joint research unit IRMÁS – to develop products and services that improve the security of companies’ information.

The agreement setting out the objectives of the three institutions was signed this week by ElevenPaths CEO Pedro Pablo Pérez García, Gradiant CEO Luis Pérez Freire and Incibe CEO Rosa Díaz Moles. The activities to be developed include the preparation of a biennial research report with the aim of transferring knowledge to the business world, the realization of STEM conferences to foster vocations for science studies, especially aimed at girls in Galicia or the realization of conferences to promote entrepreneurship in cyber security.

“This agreement reinforces Incibe’s commitment to protecting citizens and companies, promoting talent, R+D and the cyber security industry in Spain. We are committed to supporting the attraction of innovative talent related to TEGRA’s specialisation and to promoting this initiative on the cyber security R+D map”, says Rosa Díaz Moles, CEO of Incibe.

Renewing the Alliance in Cyber Security

Telefónica and Gradiant have renewed their alliance in the joint development of R+D projects and applications linked to the improvement of cyber security. Through the IRMÁS Mixed Research Unit, which is supported by the Xunta de Galicia, both entities consolidate their position to place Galicia as a relevant agent in the field of cyber security. A new period now begins with IRMÁS 2.0, in which TEGRA will maintain its leadership position (with Telefónica and Gradiant at the forefront) and where work will be carried out in three essential areas for business cyber security: information protection, protection against digital fraud and cyber intelligence.

The agreement was signed in person and virtually

The consolidation of TEGRA will serve as a driving force and a pole of job creation in this emerging sector, allowing confidence in current information systems to increase. “This consolidation means securing a pole of innovation in cyber security in Galicia that provides us with international projection in technologies that are essential pillars for companies to carry out their digital transition with all the guarantees” states Luis Pérez Freire, CEO of Gradiant.

Pedro Pablo Pérez García, CEO of ElevenPaths, adds that “the success of TEGRA as a model of innovation centre in cyber security specialised in information protection has served as a mirror for the launch of other specialised centres such as C4IN (Industry/OT security) in León and SOTH (IoT security and regulatory compliance) in Valencia”. Likewise, “the acceleration of digitalisation by organisations due to the current situation requires products and services that mitigate the risks of greater exposure of corporate information. TEGRA, with its specialisation in the protection of information, creates technologies that make it possible to keep that balance”. The mixed research unit in cyber security IRMÁS 2.0, which will give continuity to the work initiated by TEGRA, is supported by the Axencia Galega de Innovación and is co-financed by the European Union Operational Programme ERDF 2014-2020, which aims to promote technological development, innovation and quality research.

Press Release

Waste Management in a Smart City – The Smart Bin

Patrick Buckley    30 October, 2020

In today’s post, I will share with you how Waste Management is set to be revolutionised by Big Data and IoT (Internet of Things) technology.

The Social Importance of Waste Management

Waste management is increasingly becoming a priority for governments around the world. As populations continue to grow exponentially, urban areas become increasingly over-crowded and levels of public litter inevitably increase.

It is estimated by the UK based consultancy MapleCroft that 2.3 billion tons of waste is produced every year globally. This is expected to increase to 3.4 billion tons by 2050. It is therefore important that we become aware of waste patterns in order to optimise management strategies and sustainably manage populations.

The Smart Bin 

IoT connected devices and Big Data technology are set to play a critical role in the future of waste management. Currently, the most well-known example of Smart Waste Management infrastructure is the Smart Bin. The Smart Bin is a connected device, equipped with IoT powered sensors which monitor bin usage and encourage sustainable waste management.

Route Optimisation 

As urban environments and populations continue to grow, public space littering and bin overflow continues to be an issue which plagues cities around the world.

By monitoring bin overflow through the use of sensors, the Smart Bin sends signals to monitoring systems operated by local councils and waste management companies. This means that bin collection routes can be organised to optimise bin capacity and ultimately reduce the level of street litter.

Other benefits of informed route planning include reduced fuel costs for waste management companies and decreased working hours for employees.

This technology has already been rolled out in many cities such as Singapore, Dubai and Hong Kong. In most cases, this technology is developed by private sector companies such as Sensoneo.

Encouraging Recycling

Smart Bin technology can also be used to inform members of the public of the importance of recycling. Sensors which detect human contact initiate information displays prompting pedestrians to recycle correctly. Further to this, by collecting data on how many times bins are emptied, households and councils can become better informed on waste, allowing for a greater understanding of how one may be able to cut waste output and contribute towards sustainable outcomes.

As we become increasingly socially aware of the importance of recycling and cutting down on food waste, households will increasingly value the insights that a Smart Bin in the home will provide. Equally, there is potential for governments and councils to use this insight to monitor recycling habits and apply pressure to those who refuse to recycle through, for example, government-imposed restrictions or fines.

Unlocking the Power of Data Analytics in Waste Management

As we start to see the Smart Bin concept being rolled out in towns and cities worldwide, waste-management data will become increasingly influential to local councils and governments.

The possibilities for this data to be used for social good are never-ending. For example, governments could target specific geographic areas or social cohorts with educational campaigns regarding the importance of recycling. Councils will be able to more accurately predict waste levels on a national scale and respond accordingly with infrastructure upgrades.

When this data is combined on a global scale, the global community will be able to track recycling habits and progress towards a future of sustainable waste management.

Conclusion

There is great potential for the Smart Bin to revolutionise the way in which we manage our waste on a global scale. IoT and Big Data technology is already advanced enough to provide valuable insights to local councils and governments. This technology is already being rolled out in public spaces around the world. There is great potential for smart waste-management systems to provide further insights, especially if they are incorporated into the domestic waste-management market.

To keep up to date with Telefónica’s Internet of Things area, visit our web site or follow us on Twitter, LinkedIn and YouTube.