Your password hygiene remains atrocious, says NordPass
ALSO: FCC cracks down on SIM-swap scams, old ZeroLogon targeted by new ransomware, and critical vulnerabilities
Infosec in brief It's that time of year again – NordPass has released its annual list of the most common passwords. And while it seems some of you took last year's chiding to heart, most of you arguably swapped bad for worse.
Password manager vendor NordPass, which is well aware of the poor quality of passwords, reported that last year's top password flop – "password" – fell to number seven, but previous leaders remain in the top spots.
"123456" ranked the most popular across the globe, followed by "admin," the oh-so secure "12345678," and its cousin "123456789." Strings of sequential numbers starting with the number one from four to ten characters were generally high on the list, as was UNKNOWN, which actually stood out from the group - most passwords NordPass ranked could be cracked in under a second, but UNKNOWN would require a full 17 minutes.
If you want to get local about things, NordPass customers in the US seem more likley to use generic passwords, with only one truly unique one – "shitbird" – in the top 20. UK residents prefer to show their team pride, with "liverpool," "arsenal," "chelsea," and the more-generic "football" all in the top 20, along with "cheese" and "dragon."
According to NordPass, streaming platforms seem to be relegated to the bottom of the password priority list for most users, with users adopting particularly poor passwords compared to other credential categories it catalogs.
As we seemingly need to remind you every year, longer passwords are always better, as are ones that combine upper and lower-case characters with numbers and symbols. For best results, use a password generator that can give you a long, random string that's harder to guess than 123456 – or even UNKNOWN, for that matter.
And for the love of your IT team's sanity, don't reuse passwords. Get yourself a good password manager, too – be it NordPass or some other one. Just use something. Please.
Critical vulnerabilities: A sticky week for Siemens
Remember the quintet of Juniper firewall vulnerabilities we reported in September that, individually, were all quite low risk but combined into a CVSS 9.8 that gave attackers the ability to remotely execute code on vulnerable devices? Well, now they're being exploited in the wild, says CISA. Get patching.
The CVSS 9.8 vulnerability in SysAid helpdesk software we reported earlier this month has also been added to CISA's known exploited vulnerabilities database (in the same alert as the Juniper ones), so be sure those patches are installed, too.
Otherwise, most of the big vulnerabilities of the week were covered in this month's Patch Tuesday roundup, but companies running lots of Siemens products better still pay attention to this list of ones we didn't include:
- CVSS 10.0 – Multiple CVEs: The firmware in several Red Lion Sixnet Remote Terminal Units are failing to challenge TCP/IP traffic, enabling RCE attacks.
- CVSS 9.8 – Multiple CVEs: All versions of Siemens COMOS software contain 16 vulnerabilities that could allow RCE, DoS, data infiltration, and access control violations.
- CVSS 9.8 – Multiple CVEs: Siemens SIPROTEC 4 7SJ66 control and monitoring devices running software prior to v4.41 are vulnerable to a series of exploits that could cause DoS, RCE, etc.
- CVSS 9.8 – Multiple CVEs: Siemens SINEC PNI software prior to v2.0, used to initialized Siemens devices on a network, is improperly validating input and vulnerable to OOB write.
- CVSS 9.8 – Multiple CVEs: Siemens SIMATIC MV500 optical reader software versions prior to v3.3.5 are at risk for DoS, RCE, and privilege escalation thanks to a series of vulnerabilties.
- CVSS 9.1 – Multiple CVEs: Several versions of Siemens Desigo CC software are vulnerable to heap-based buffer overflows and buffer over-read, enabling RCE attacks and DoS.
- CVSS 9.1 – Multiple CVEs: Several series of Siemens Scalance switches running software prior to version 4.5 are vulnerable to a bunch of exploits that could give an attacker near total control over devices.
- CVSS 8.4 – CVE-2022-47522: Siemens Scalance W700-series WAPs are improperly validating input, allowing attackers to steal sessions and disclose information.
- CVSS 8.1 – Multiple CVEs: Siemens Ruggedcom APE1808 devices are improperly validating input and are vulnerable to SQL injection attacks.
- CVSS 8.0 – Multiple CVEs: Siemens SIMATIC PCS neo versions prior to 4.1 are rife with vulnerabilities that can lead to an attacker generating privileged tokens, executing SQL statements, and the like.
FCC cracks down on SIM swap, port-out scams with new rules
The US Federal Communications Commission has enacted rules to combat the growing security risks of Subscriber Information Module (SIM) swapping and port-out fraud.
In a report and order [PDF] adopted Wednesday, the FCC declared it would begin requiring wireless providers to "use secure methods of authenticating customers prior to performing SIM changes and number ports" – one method of which would entail notifying customers in some other manner of a SIM change or port-out request. Telcos will also be required to give customers the option to block SIM swaps and ports on their accounts, and provide notice to all customers of such protections.
Wireless providers will also have to adopt processes for responding to failed authentication requests (so be sure you don't forget that account PIN), make it easier for customers to report SIM and port-out fraud, and require providers to keep records of all SIM change requests and the methods they use to authenticate users.
New ransomware targets vulnerability you should have patched years ago
CISA, the FBI and the Multi-State Information Sharing and Analysis Center are warning that a new(ish) ransomware strain known as Rhysida is active, persistent and relying on some well-established vulnerabilities to break into weak networks.
Rhysida, first spotted in May, mostly targets the education, healthcare, manufacturing, IT and government sectors – critical ones, in other words – and once in a network lives off the land and double-extorts victims.
As is often the case, the criminals behind Rhysida aren't turning to cutting edge, zero-day vulnerabilities to compromise networks. They're attacking opportunistically and relying on old exploits like ZeroLogon – a vulnerability in Microsoft's Netlogon discovered and patched in 2020. If you haven't patched that yet, first things first: Why? Second, get it done.
Along with targeting very well known vulnerabilities, Rhysida's controllers are leveraging other external-facing remote services, particularly VPN access points at organizations not using MFA by default. Phishing is also being used to trick victims into installing the malicious kit. ®