
Hackers are hijacking smart building access systems to launch DDoS attacks

February 3, 2020

Image: Nortek Security & Control, LLC

Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall.

The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control (NSC).

Linear eMerge E3 devices [1, 2, 3] fall in the hardware category of “access control systems.” They are installed in corporate headquarters, factories, or industrial parks. Their primary purpose is to control what doors and rooms employees and visitors can access based on their credentials (access codes) or smart cards.

In May 2019, researchers from Applied Risk, a cyber-security firm specialized in industrial security services, disclosed details about ten vulnerabilities impacting NSC Linear eMerge E3 devices.

NSC Linear eMerge E3 devices

Despite the fact that six of the ten vulnerabilities had a vulnerability severity (CVSSv3) score of 9.8 or 10 out of a maximum of 10, NSC failed to provide patches, according to an Applied Risk security advisory.

Applied Risk later released proof-of-concept exploit code in November.

CVE-2019-7256 exploitation

Now, in a report published last week, SonicWall researchers say that hackers are scanning the internet for exposed NSC Linear eMerge E3 devices and using one of the ten vulnerabilities.

The vulnerability they are using is CVE-2019-7256. Applied Risk described this vulnerability as a command injection flaw. It is one of the two that received a severity score of 10/10, meaning it can be exploited remotely, even by low-skilled attackers without any advanced technical knowledge.

“This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges,” SonicWall said in a security alert published last week. “A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request.”

Hackers are using CVE-2019-7256 to take over devices, download & install malware, and then launch DDoS attacks on other targets.

The first of these attacks began on January 9 this year. They were spotted by intelligence firm Bad Packets and have continued in a steady stream ever since.

CVE-2019-7256 is actively being exploited by DDoS botnet operators.

This unauthenticated remote command injection vulnerability affects Linear eMerge E3 access control systems running firmware versions 1.00-06 and older. https://t.co/5VQbJshH6l #threatintel

— Bad Packets Report (@bad_packets) January 10, 2020

“Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most [attacks being] observed in U.S.,” SonicWall said.

The attack surface isn’t too large, though. SonicWall reports that only “2,375 Internet-accessible eMerge devices are listed by the Shodan search engine.”

This number is far lower than the millions of security cameras and home routers that are also available online. However, the small number of vulnerable devices has not dissuaded attackers so far, and exploitation attempts are likely to continue.

IoT devices used as entry points

But while having your smart building door system launch DDoS attacks on Steam or the PlayStation Network is one issue, a bigger threat is that these vulnerable systems can also be used as entry points into an organization’s internal networks.

In August last year, Microsoft reported that it observed a Russian state-sponsored hacking crew using Internet of Things (IoT) smart devices as launching points for other attacks on corporate networks.

The Russian hackers tried to exploit a VOIP phone, an office printer, and a video decoder, Microsoft said, but the NSC Linear eMerge E3 devices are just as attractive targets, primarily due to the high severity of the ten security bugs disclosed last year.

System administrators managing networks where NSC Linear eMerge E3 devices are installed are advised to take these systems off the internet, or at least limit access to these devices using a firewall or VPN.
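One way to act on that advice, as an added example that is not part of the original article: a small Python audit that reads a device inventory, flags eMerge E3 units whose firmware falls in the range Bad Packets reported as affected (1.00-06 and older), and ranks units with a non-internal management address first. The inventory columns, host names, the firmware string pattern and the RFC 1918-only definition of "internal" are assumptions.

```python
import csv
import io
import ipaddress
import re

# Last firmware in the affected range reported above: "1.00-06 and older".
LAST_AFFECTED = (1, 0, 6)
# Address space treated as internal (assumption: RFC 1918 ranges only).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory export; names, columns and addresses are made up.
SAMPLE = """name,mgmt_ip,firmware
hq-lobby,203.0.113.10,1.00-06
plant-gate,10.20.0.5,1.00-05
annex-door,198.51.100.7,1.00-07
lab-door,192.168.1.9,unknown
"""

def parse_firmware(text):
    """Return (major, minor, build) for strings shaped like '1.00-06', else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(row):
    """Rate one inventory row by firmware range and address exposure."""
    version = parse_firmware(row["firmware"])
    addr = ipaddress.ip_address(row["mgmt_ip"])
    internal = any(addr in net for net in INTERNAL)
    if version is None:
        status = "unknown"        # unparseable firmware is handled like affected
    elif version <= LAST_AFFECTED:
        status = "affected"
    else:
        status = "not_listed"     # outside the reported range, not proven fixed
    at_risk = status != "not_listed"
    if at_risk:
        priority = "high" if internal else "critical"
    else:
        priority = "low" if internal else "review"
    return {"name": row["name"], "status": status, "priority": priority}

def audit(csv_text):
    """Classify every device in a CSV inventory export."""
    return [classify(r) for r in csv.DictReader(io.StringIO(csv_text))]

if __name__ == "__main__":
    for result in audit(SAMPLE):
        print(result)
```

A non-internal address only means the device may be reachable from outside; confirm against firewall rules before closing a "review" or "critical" item.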


Credit: Zdnet
