Warning of attacks on Hikvision, Rockwell Automation and Apple products

The US IT security authority CISA warns of current attacks on Hikvision, Rockwell Automation and Apple products.


The top IT security authority in the United States, CISA, warns of currently observed attacks on Hikvision, Rockwell Automation, and Apple products. The exploited vulnerabilities are, in part, almost a decade old.

In the warning message, CISA writes that attacks on a vulnerability in Hikvision surveillance cameras, for example, have been observed. These are authentication deficiencies, allowing unauthorized individuals to escalate their privileges and gain access to sensitive information (CVE-2017-7921, CVSS [3.0] 10.0, risk “critical”). Updates from Hikvision have been available since 2017, patching the vulnerabilities.

The CISA warning about Hikvision apparently has a current geopolitical background. As Check Point Research writes in an article, suspected Iranian actors have been massively scanning IP address spaces in countries such as Israel, Qatar, and the United Arab Emirates since the end of February. They are searching for cameras affected by four vulnerabilities, including CVE-2017-7921. Security researchers suspect that Iran wants to misuse the camera images for propaganda and target identification purposes. The Financial Times outlined a similar approach by the CIA and Mossad in the deadly attack on Iranian leader Ali Khamenei.

Criminals are also exploiting vulnerabilities in Rockwell Automation Logix controllers. Unauthenticated attackers on the network can bypass the login and access Logix controllers. With additional tools, they can manipulate the configuration or the code running on the machines and thus inject malicious code – here too, remediation guidance on how IT admins can close the gaps in the products has been available since 2021. The tricky part is that while Rockwell advises installing updates, these alone are not sufficient to close the vulnerability. CISA names further countermeasures that admins must take to avert the danger posed by the vulnerability (CVE-2021-22681, CVSS 9.8, risk “critical”).

Several older security vulnerabilities in various Apple products are also under attack. They allow attackers to inject and execute malicious code from the network. CISA names the vulnerabilities without explaining them in detail: CVE-2021-30952 (CVSS 8.8, risk “high”), CVE-2023-41974 (CVSS 7.8, risk “high”), and CVE-2023-43000 (CVSS 8.8, risk “high”). The first is closed by tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, as well as watchOS 8.3; the second by iOS 17 and iPadOS 17; and the last by macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, and Safari 16.6.


CISA only reports on attacked software. The authority does not elaborate on the extent of the attacks or how they specifically proceed. Therefore, there are no tips for admins on how to recognize indicators of compromise (IOC). Just on Wednesday this week, CISA warned of attacks on vulnerabilities in VMware Aria Operations.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.