SecurityWeek reports that a critical vulnerability in Siemens programmable logic controllers allows the extraction of a global private key, which threat actors could then leverage to attack PLCs.
The flaw, tracked as CVE-2022-38465, was identified by Claroty researchers, who recovered the private key by first exploiting another bug, CVE-2020-15782, to gain direct memory access; with the key in hand, they demonstrated full control of the PLC and man-in-the-middle attacks on its communications. Siemens confirmed the findings, noting that the vulnerability stems from inadequate protection of cryptographic keys and that, because the same private key is shared across the product line, a single extracted key can be used to attack every device in it. "Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing," said Siemens, which has already announced fixes for the flaw. Although Siemens has introduced unique passwords and TLS 1.3 protection for communications, the company noted that applying firmware updates alone is insufficient. "In addition, the hardware configuration in the TIA Portal project (V17 or later) must also be updated to the corresponding CPU version and downloaded to the PLC," the company added.
The massive collection of personal and bodily data required by the metaverse poses a significant data privacy risk, one that can only be addressed through substantial efforts from both technology providers and lawmakers, according to The Record, a news site run by cybersecurity firm Recorded Future.
California-based software development firm Retool has attributed the late-August compromise of 27 client accounts, all belonging to cryptocurrency organizations, to the new cloud sync functionality in Google Authenticator, according to BleepingComputer.
California lawmakers have approved the Delete Act, the first legislation in the U.S. to establish a single, centralized mechanism through which consumers can request that all registered data brokers delete their personal information, CyberScoop reports.