Colonial Pipeline faces nearly $1m fine one year after ransomware attack

Plus: Unpatched DNS bug puts IoT devices at risk, SolarWinds hackers set up new digs, and a CEO faces hard time for massive mining fraud


In Brief Colonial Pipeline is facing an almost $1 million fine for control room management failures after the US Department of Transportation alleged they contributed to the nation's fuel disruption in the wake of the 2021 ransomware attack.

On Thursday, the department's Pipeline and Hazardous Materials Safety Administration issued a Notice of Probable Violation and Proposed Compliance Order to the fuel-pipeline operator, which suggests multiple violations of federal safety regulations. The proposed civil penalties total $986,400.

Following the agency's inspection of Colonial Pipeline's control room management procedures and records, it said the company was in "probable violation" of several pipeline safety rules, including a seeming failure to adequately plan and prepare for manual shutdown and restart of its pipeline system. 

This, it alleges, contributed to the East Coast fuel shortage when the pipeline remained out of service for five days following the May 2021 attack. Fights broke out at US gas stations as supplies of fuel were delayed in some areas by the incident.

The operators of the Colonial Pipeline – which stretches 5,500 miles between Texas and New York, and can carry up to 3 million barrels of fuel per day – reportedly ended up paying $5 million to regain access to their systems.

Unpatched DNS bug puts IoT devices at risk

An unpatched bug in a popular C programming language library for IoT devices makes them vulnerable to DNS cache-poisoning attacks, according to Nozomi Networks.

The vulnerability, tracked as ICS-VU-638779, VU#473698, affected the domain name system implementation of all versions of uClibc and uClibc-ng, the operational technology security company said.

However, the library maintainer wasn't able to fix the problem, so there's no patch, wrote security researchers Giannis Tsaraias and Andrea Palanca.

"For this reason, we are not disclosing the details of the devices on which we were able to reproduce the vulnerability," they added.

The security researchers discovered the flaw when they were reviewing domain name system (DNS) requests performed by IoT devices that use the C standard libraries. The libraries generate these requests, and each one to DNS includes a parameter called a transaction ID – a unique number in each DNS response and corresponding request.

"It is vital that these two parameters are as unpredictable as possible, because if they are not, a poisoning attack could be possible," they explained. 

The flaw is caused by the transaction IDs being too predictable, and that may allow miscreants to perform DNS poisoning attacks against a target device. 

"Given that the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server," Tsaraias and Palanca wrote. 

CEO charged in $62m crypto mining scam

The US Justice Department has filed charges against the CEO of Mining Capital Coin (MCC) for allegedly orchestrating a $62 million global investment fraud scheme. He now faces 45 years behind bars.

According to the indictment, 44-year-old Luiz Capuci Jr of Florida misled investors about his cryptocurrency mining and investment program. Capuci allegedly sold them on Mining Capital Coin's "international network" of mining machines that he claimed could generate "substantial" profits — if investors handed over their money to mine for more cryptocurrency. 

MCC also boasted its own cryptocurrency, Capital Coin, which Capuci is said to have claimed was "stabilized by revenue from the biggest cryptocurrency mining operation in the world." 

According to the feds, all of this was a massive scam. Instead of generating returns for his investors, Capuci diverted the funds to his own cryptocurrency wallets.

He has been charged with conspiracy to commit wire fraud, securities fraud and international money laundering. If convicted of all counts, he faces a maximum total penalty of 45 years in prison. 

SolarWinds perps set up new digs

Nobelium, the Kremlin-backed cybercrime gang behind the SolarWinds attack, has set up new command-and-control infrastructure, likely in a move to jump back into the cyber-espionage game, according to researchers at Recorded Future.

This group of miscreants, also known as APT29 and Cozy Bear, breached nesarly 100 US government and private-sector networks in 2020 after exploiting SolarWinds' Orion software. 

The threat intel company said it has been tracking the gang's rise since mid-2021, and has observed the crime ring using its same old tools and tricks: same network infrastructure, its favorite unique Cobalt Strike variations, typosquatted domains and related misuse of brands across multiple industry verticals, especially in the news and tech industries.

Using email addresses or websites that look like a legitimate organization's domain makes it easier to conduct successful phishing campaigns and redirect victims to malicious websites. 

"This tactic has also been reported recently in open sources in connection with intrusions targeting entities in Ukraine, likely in support of Russia's invasion of the country," the security researchers noted.

Nomelium carries out the dirty work for Russia's Foreign Intelligence Service (SVR). While Putin's Main Intelligence Directorate (GRU) focuses on military operations, the SVR focuses on political intelligence, Recorded Future explained.  

Avast, AVG bugs put "dozens of millions" at risk

Two high-severity flaws in Avast and AVG security products — Avast acquired AVG in 2016 — went undiscovered for years, putting "dozens of millions" of users at risk, according to SentinelOne researchers who discovered the bugs.

The vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, allow attackers to escalate privileges, execute code in kernel mode and take complete control of the device. 

SentinelOne bug hunters reported the flaws to Avast in December 2021, and Avast fixed the holes in early February. While most users automatically received the patched version 22.1, customers using air-gapped or on-premises versions need to apply the patch ASAP.

Neither company is aware of any in-the-wild exploits yet.

"Avast is an active participant in the coordinated vulnerability disclosure process, and we appreciate that SentinelOne has worked with us and provided a detailed analysis of the vulnerabilities identified," an Avast spokesperson told The Register.

"We recommend our Avast and AVG users constantly update their software to the latest version to be protected. Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program." 

The two similar flaws affect an anti-rootkit driver that both products use. Both are vulnerable functions in socket connection handlers in the kernel driver aswArPot.sys. And both functions double fetch the length field from a user-controlled pointer, allowing an attacker to modify the length variable.

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," SentinelOne security researcher Kasif Dekel wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities." ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022