Infosec in brief It's that time of year again – NordPass has released its annual list of the most common passwords. And while it seems some of you took last year's criticism to heart, most of you arguably swapped bad for worse.
Password manager vendor NordPass, which is well aware of the poor quality of most passwords, reported that last year's top password flop – "password" – fell to number seven, but the previous leaders remain in the top spots.
"123456" ranked the most common across the globe, followed by "admin," the oh-so-secure "12345678," and its cousin "123456789." Strings of consecutive digits starting with the number one, from four to ten characters long, were all high on the list, as was UNKNOWN, which really stood out from the pack – most passwords NordPass ranked could be cracked in under a second, but UNKNOWN would take a full 17 minutes.
If you want to get regional about things, NordPass customers in the US seem more likely to use generic passwords, with only one truly unique one – "shitbird" – in the top 20. UK residents prefer to show their team pride, with "liverpool," "arsenal," "chelsea," and the more generic "football" all in the top 20, along with "cheese" and "dragon."
According to NordPass, streaming platforms seem to be relegated to the bottom of the password priority list for most users, who choose noticeably poorer passwords for them than for the other credential categories it catalogs.
As we apparently need to remind you every year, longer passwords are always better, as are ones that combine upper- and lower-case characters with numbers and symbols. For best results, use a password generator that can give you a long, random string that's harder to guess than 123456 – or even UNKNOWN, for that matter.
And for the love of your IT team's sanity, don't reuse passwords. Get yourself a good password manager, too – be it NordPass or some other one. Just use something. Please.
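An added example, not part of the article and not NordPass's own tooling, to put numbers on the advice above: it scores the passwords the article names against a constructed denylist and a character-pool model, and shows why a long lower-case string beats a short one with every character class mixed in. The guess rate of 1e10 per second, the denylist (only the entries named above, not NordPass's full ranking) and the 80-bit acceptance threshold are assumptions of this example.

```python
"""Added example, not part of the article or NordPass's own tooling.

It shows why the list's leaders fall in well under a second while a
generated password does not, and why length buys more than mixing
character classes. Assumptions (ours, not the article's): an attacker
guessing at 1e10 guesses per second against an unsalted fast hash, and a
small constructed denylist standing in for the full NordPass ranking.
"""
import math
import secrets
import string

# Constructed denylist: only the entries the article names, not the full
# NordPass top-200 list.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "password", "shitbird",
    "liverpool", "arsenal", "chelsea", "football", "cheese", "dragon",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate


def charset_size(pw: str) -> int:
    """Size of the smallest standard pool that covers pw's characters.
    Characters outside the four standard pools add nothing."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    return size


def entropy_bits(pw: str) -> float:
    """Guessing entropy in bits. A denylisted password gets only the
    entropy of the list itself, whatever its length or character mix."""
    if pw.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    if not pw or charset_size(pw) == 0:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the assumed rate."""
    return 2 ** entropy_bits(pw) / rate


def generate_password(length: int = 20) -> str:
    """CSPRNG-backed random string: secrets.choice, never random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable(pw: str, min_bits: float = 80.0) -> bool:
    """Policy check: not denylisted and at least min_bits of guessing entropy."""
    return pw.lower() not in COMMON_PASSWORDS and entropy_bits(pw) >= min_bits


if __name__ == "__main__":
    for candidate in ["123456", "UNKNOWN", "Tr0ub4d&", "abcdefghijklmnop",
                      generate_password()]:
        print(f"{candidate:24s} {entropy_bits(candidate):6.1f} bits  "
              f"{brute_force_seconds(candidate):12.3g} s  "
              f"acceptable={is_acceptable(candidate)}")
```

Two things the table makes visible: "Tr0ub4d&" uses all four character classes but, at eight characters, sits at 94^8 guesses, several million times fewer than the sixteen-character lower-case "abcdefghijklmnop" at 26^16, and a denylisted password scores the same whatever its length, because the attacker tries the list before any brute force. The model is deliberately crude (no dictionary or pattern rules beyond the denylist), so it over-estimates real strings like "abcdefghijklmnop"; its job is to show the shape of the trade-off, not to replace a proper strength estimator.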
Critical vulnerabilities: A sticky week for Siemens
Remember the quintet of Juniper firewall vulnerabilities we reported in September that, individually, were all fairly low risk but combined into a CVSS 9.8 that gave attackers the ability to remotely execute code on vulnerable devices? Well, now they're being exploited in the wild, says CISA. Get patching.
The CVSS 9.8 vulnerability in SysAid helpdesk software we reported earlier this month has also been added to CISA's Known Exploited Vulnerabilities catalog (in the same update as the Juniper ones), so be sure those patches are installed, too.
Otherwise, most of the big vulnerabilities of the week were covered in this month's Patch Tuesday roundup, but companies running lots of Siemens products had better still pay attention to this list of ones we didn't include:
- CVSS 10.0 – Multiple CVEs: The firmware in several Red Lion Sixnet Remote Terminal Units fails to challenge TCP/IP traffic for authentication, enabling RCE attacks.
- CVSS 9.8 – Multiple CVEs: All versions of Siemens COMOS software contain 16 vulnerabilities that could allow RCE, DoS, data infiltration, and access control violations.
- CVSS 9.8 – Multiple CVEs: Siemens SIPROTEC 4 7SJ66 control and monitoring devices running software prior to v4.41 are vulnerable to a series of exploits that could cause DoS, RCE, etc.
- CVSS 9.8 – Multiple CVEs: Siemens SINEC PNI software prior to v2.0, used to initialize Siemens devices on a network, improperly validates input and is vulnerable to an out-of-bounds write.
- CVSS 9.8 – Multiple CVEs: Siemens SIMATIC MV500 optical reader software versions prior to v3.3.5 are at risk of DoS, RCE, and privilege escalation due to a series of vulnerabilities.
- CVSS 9.1 – Multiple CVEs: Several versions of Siemens Desigo CC software are vulnerable to heap-based buffer overflows and a buffer over-read, enabling RCE attacks and DoS.
- CVSS 9.1 – Multiple CVEs: Several series of Siemens Scalance switches running software prior to version 4.5 are vulnerable to a bunch of exploits that could give an attacker near-total control over devices.
- CVSS 8.4 – CVE-2022-47522: Siemens Scalance W700-series WAPs improperly validate input, allowing attackers to hijack sessions and disclose information.
- CVSS 8.1 – Multiple CVEs: Siemens Ruggedcom APE1808 devices improperly validate input and are vulnerable to SQL injection attacks.
- CVSS 8.0 – Multiple CVEs: Siemens SIMATIC PCS neo versions prior to 4.1 are riddled with vulnerabilities that can lead to an attacker generating privileged tokens, running SQL statements, and the like.
FCC cracks down on SIM swap, port-out scams with new rules
The US Federal Communications Commission has enacted rules to combat the growing security risks of Subscriber Identity Module (SIM) swapping and port-out fraud.
In a report and order [PDF] adopted Wednesday, the FCC said it would begin requiring wireless providers to "use secure methods of authenticating customers prior to performing SIM changes and number ports" – one method of which would entail notifying customers through some other channel of a SIM change or port-out request. Telcos will also be required to give customers the option to block SIM swaps and ports on their accounts, and to notify all customers that such protections exist.
Wireless providers will also have to have processes for responding to failed authentication attempts (so be sure you don't forget that account PIN), make it easier for customers to report SIM and port-out fraud, and keep records of all SIM change requests and the methods they use to authenticate users.
New ransomware targets vulnerability you should have patched years ago
CISA, the FBI and the Multi-State Information Sharing and Analysis Center are warning that a new(ish) ransomware strain known as Rhysida is active, persistent and relying on some existing vulnerabilities to break into weak networks.
Rhysida, first spotted in May, mostly targets the education, healthcare, manufacturing, IT and government sectors – critical ones, in other words – and once in a network lives off the land and double-extorts victims.
As is often the case, the criminals behind Rhysida aren't turning to cutting-edge, zero-day vulnerabilities to compromise networks. They're attacking opportunistically and relying on old exploits like ZeroLogon – a vulnerability in Microsoft's Netlogon discovered and patched in 2020. If you haven't patched that yet, first things first: Why? Second, get it done.
Along with targeting very well-known vulnerabilities, Rhysida's controllers are leveraging other external-facing remote services, particularly VPN access points at organizations not using MFA by default. Phishing is also being used to trick victims into installing the malicious kit. ®
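"Get it done" for ZeroLogon means more than installing the 2020 update: a domain controller only blocks the vulnerable Netlogon connections once enforcement mode is on. The triage below is an added example, not code from the CISA/FBI/MS-ISAC advisory or from Microsoft. It relies on two facts: after the August 2020 update the NETLOGON source logs System event 5829 when a DC still allows a vulnerable Netlogon secure-channel connection, 5830/5831 when it allows one only because of a group-policy exception, and 5827/5828 when it denies one; and Security event 4742 ("A computer account was changed") with subject ANONYMOUS LOGON matches the machine-account password reset the exploit performs. The record layout and hostnames are constructed simplifications of what wevtutil or Get-WinEvent would export, and the severity labels are this example's choice.

```python
"""Added example, not taken from the CISA/FBI/MS-ISAC advisory or from
Microsoft. It triages domain-controller event records to answer the
question the article asks: is ZeroLogon (CVE-2020-1472) actually closed?

Facts relied on: since the August 2020 update, the NETLOGON source logs
Event ID 5829 when a DC *allows* a vulnerable Netlogon secure-channel
connection, 5830/5831 when it allows one only because of a group-policy
exception, and 5827/5828 when it denies one. Security event 4742 with
subject ANONYMOUS LOGON matches the password reset the exploit performs.
The record layout below is a constructed simplification of a real export.
"""
from dataclasses import dataclass

# Constructed sample records; not real log output.
SAMPLE_EVENTS = [
    {"id": 5829, "source": "NETLOGON", "host": "DC01",
     "data": {"account": "WS-FINANCE-07$", "client": "10.0.3.41"}},
    {"id": 5827, "source": "NETLOGON", "host": "DC01",
     "data": {"account": "OLD-NAS$", "client": "10.0.9.8"}},
    {"id": 5830, "source": "NETLOGON", "host": "DC01",
     "data": {"account": "LEGACY-PRINT$", "client": "10.0.5.2"}},
    {"id": 4742, "source": "Microsoft-Windows-Security-Auditing", "host": "DC01",
     "data": {"subject": "ANONYMOUS LOGON", "target": "DC01$"}},
    {"id": 4742, "source": "Microsoft-Windows-Security-Auditing", "host": "DC01",
     "data": {"subject": "CORP\\svc-join", "target": "WS-HR-12$"}},
    {"id": 4624, "source": "Microsoft-Windows-Security-Auditing", "host": "DC01",
     "data": {"subject": "CORP\\alice", "logon_type": "3"}},
]


@dataclass
class Finding:
    severity: str
    host: str
    event_id: int
    message: str


def triage(events: list[dict]) -> list[Finding]:
    """One Finding per event that says something about ZeroLogon exposure."""
    findings: list[Finding] = []
    for ev in events:
        eid, host, d = ev["id"], ev["host"], ev.get("data", {})
        if ev["source"] == "NETLOGON":
            who = f"{d.get('account')} from {d.get('client')}"
            if eid == 5829:
                # The DC accepted a connection the patch is meant to refuse:
                # enforcement mode is not on.
                findings.append(Finding("HIGH", host, eid,
                    f"vulnerable Netlogon channel ALLOWED for {who}: enforcement mode is off"))
            elif eid in (5830, 5831):
                findings.append(Finding("MEDIUM", host, eid,
                    f"vulnerable Netlogon channel allowed by policy exception for {who}"))
            elif eid in (5827, 5828):
                findings.append(Finding("INFO", host, eid,
                    f"vulnerable Netlogon channel denied for {who}"))
        elif eid == 4742:
            subject = d.get("subject", "").upper()
            target = d.get("target", "")
            # A machine account (name ends in $) changed by an anonymous
            # principal is the footprint of the exploit's password reset.
            if subject == "ANONYMOUS LOGON" and target.endswith("$"):
                findings.append(Finding("CRITICAL", host, eid,
                    f"machine account {target} changed by ANONYMOUS LOGON: "
                    "consistent with ZeroLogon exploitation"))
    return findings


def enforcement_in_place(events: list[dict]) -> bool:
    """True only if no DC in the sample still allows vulnerable connections."""
    return not any(e["source"] == "NETLOGON" and e["id"] == 5829 for e in events)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:8s}] {f.host} {f.event_id}: {f.message}")
    print("enforcement in place:", enforcement_in_place(SAMPLE_EVENTS))
```

Run against a real export, a single 5829 is the answer to "have you patched that yet?": the update is installed (the event does not exist before it) but the DC is still accepting the connections the exploit needs. The 5827/5828 denials are the healthy state, and any 5830/5831 is a policy exception that deserves a documented owner, since it reopens the hole for that one account.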