Software development

26Dec, 2023

MySQL Servers, Docker Hosts Infected With DDoS Malware

Attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed denial-of-service (DDoS) attacks, according to a warning from researchers at the AhnLab Security Emergency Response Center.

According to AhnLab, attacks targeting MySQL on Windows have increased in frequency with vulnerable MySQL servers infected with ‘Ddostf’, a DDoS-capable botnet of Chinese origin that has been around since at least 2016.

Malicious attackers, AhnLab warns, scan the internet for publicly-accessible MySQL servers using the TCP port 3306, and then attempt to compromise them either using weak credentials or exploiting known vulnerabilities.

The attackers then upload a malicious DLL as a UDF (User-Defined Function) library, which allows them to execute commands on the infected system and to deploy and execute the Ddostf malware.

Targeting both Linux and Windows environments, Ddostf achieves persistence and then collects system information and sends it to the command-and-control (C&C) server. It then waits for commands to launch DDoS attacks such as SYN, UDP, and HTTP GET/POST floods.

“Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” AhnLab explained.

The malware appears to be designed solely for launching DDoS attacks and the researchers believe the threat actor is operating a DDoS-for-hire service.

OracleIV DDoS-capable malware

Separately, Cado Security is warning in a new report that Docker hosts are being targeted with the OracleIV DDoS-capable malware, via the Docker Engine API, an HTTP API served by Docker Engine.

Attackers are scanning for publicly-exposed instances of the Docker Engine API to deploy a malicious container that hosts Python malware compiled as an ELF executable.

According to Cado, the accidentally exposed Docker Engine API instances have been a popular target for attackers in recent years, especially for deploying cryptocurrency miners. “Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further,” the company said.

Cado said it observed attackers making HTTP POST requests to retrieve a malicious image from Dockerhub and spawn a container from it. The malicious Docker image, Cado says, has over 3,000 pulls and appears to be updated regularly.

Baked within the image, OracleIV supports commands for UDP, UDP_PPS, SSL, SYN, HTTP/GET, and SLOW flood attacks, although some of the functions are not working.

Resource : https://www.securityweek.com/mysql-servers-docker-hosts-infected-with-ddos-malware/

18Dec, 2023

MongoDB Suffers Security Breach, Exposing Customer Data

MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

16Dec, 2023

New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now

Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances.

The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

“Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks,” security researcher Oskar Zeino-Mahmalat said.

“Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.”

Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.

A brief description of the flaws is given below –

CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
CVE-2023-42326 (CVSS score: 8.8) – A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim’s web browser.

As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim’s permissions.

“Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack,” Zeino-Mahmalat said.

Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.

The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code’s built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Resource : https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.html

6Dec, 2023

15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.

“More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes,” Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. “More than 6,000 repositories were vulnerable to repojacking due to account deletion.”

Collectively, these repositories account for no less than 800,000 Go module-versions.

Repojacking, a portmanteau of “repository” and “hijacking,” is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.

Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to ensure that they still own their previous name as placeholders to prevent such abuse.

Modules written in the Go programming language are particularly susceptible to repojacking, as unlike other package manager solutions such as npm or PyPI, they are decentralized due to the fact that they get published to version control platforms like GitHub or Bitbucket.

“Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module’s details,” Baines said. “An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev.”

To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners’ accounts being renamed or deleted.

But VulnCheck noted that this protection isn’t helpful when it comes to Go modules as they are cached by the module mirror, thereby obviating the need for interacting with or cloning a repository. In other words, there could be popular Go-based module repositories that have been cloned less than 100 times, resulting in a bypass of sorts.

“Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on,” Baines said. “A third-party can’t reasonably register 15,000 GitHub accounts. Until then, it’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from.”

The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, that could be potentially exploited to stage supply chain, training data poisoning, and model theft attacks.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Resource : https://thehackernews.com/2023/12/15000-go-module-repositories-on-github.html?&web_view=true

24Nov, 2023

Introducing Bambdas

You’ve might have heard of Lambdas. But have you heard of Bambdas? They’re a unique new way to customize Burp Suite directly from the UI, using only small snippets of Java.

Changing the face of Burp Suite

The introduction of Bambdas exposes some of the core “behind the scenes” functionality of Burp Suite for the very first time. In essence, as the feature is rolled out across various tools within Burp Suite, you’ll be able to customize Burp to make it work in exactly the way that you want it to.

The possibilities contained within the Bambdas functionality are theoretically endless. As the feature develops, we believe it’ll enable you to replace the age-old frustrated cry of “Why can’t Burp do this?” with a shiny new phrase. “I wonder if I can create a Bambda to make this work the way I need it to?”.

How to work with Bambdas

The first Bambda we’ve introduced enables you to write custom filters for the Proxy HTTP history. To help you get to grips with the unique potential of this functionality, we’ve created some examples to showcase some interesting request and response filters you might want to try.

Find requests with a specific cookie value

//Find requests with a specific cookie value if (requestResponse.request().hasParameter("foo", HttpParameterType.COOKIE)) { var cookieValue = requestResponse .request() .parameter("foo", HttpParameterType.COOKIE) .value(); return cookieValue.contains("1337"); } return false;

Find JSON responses with wrong Content-Type

//Find JSON respones with wrong Content-Type //The content is probably json but the content type is not application/json var contentType = requestResponse.response().headerValue("Content-Type"); if (contentType != null && !contentType.contains("application/json")) { String body = requestResponse.response().bodyToString().trim(); return body.startsWith( "{" ) || body.startsWith( "[" ); } return false;

Find role within JWT claims

//Find role within JWT claims var body = requestResponse.response().bodyToString().trim(); if (requestResponse.response().hasHeader("authorization")) { var authValue = requestResponse.response().headerValue("authorization"); if (authValue.startsWith("Bearer ey")) { var tokens = authValue.split("\\."); if (tokens.length == 3) { var decodedClaims = utilities().base64Utils().decode(tokens[1], Base64DecodingOptions.URL).toString(); return decodedClaims.toLowerCase().contains("role"); } } } return false;

Some helpful Bambdas code snippets

Once you’re comfortable with the basics of how Bambdas work, there are a few tricks you might want to utilize to help you get even more value from the functionality. If you’re using something a lot, and want to save yourself some time, you can assign it to a variable. For example:var request = requestResponse.request();

If you want to check if a parameter exists, and if it’s value is present, you can request it by name and check it for null instead:var cookie = request.parameter("foo", HttpParameterType.COOKIE);

So that you can see how these code snippets can be applied, we’ve recreated the first example on finding requests with a specific cookie value.

Hear from the developers of Bambdas

Sean from the development team is here to introduce you to Bambdas, a unique new way to customize Burp Suite on the fly with small snippets of Java. You’ll learn what a Bambda is, why we’ve built them into Burp Suite, and see a couple of examples of how Bambdas work.

Resource : https://portswigger.net/blog/introducing-bambdas

10Nov, 2023

New BlazeStealer Malware in PyPI Targets Developers

A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. These packages masquerade as harmless obfuscation tools but contain a malware called BlazeStealer, reported Checkmarx.

Diving into details

The campaign started in January 2023 and includes eight packages – Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood.
The BlazeStealer malware can execute a number of malicious actions on the infected host, including harvesting sensitive information such as passwords and screenshots, executing arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus.
The malware runs a Discord bot to facilitate communication between the threat actor and the infected system.
Most downloads originated from the U.S., China, and Russia, followed by Ireland, Hong Kong, Croatia, France, and Spain.

Related incidents

Phylum uncovered a set of npm modules—puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow–that can stealthily deliver a next-stage malware.
In October, Checkmarx observed a sophisticated attacker deploying malicious packages in PyPi and npm, accumulating nearly 75,000 downloads. The campaign was launched in April.

The bottom line

Open-source software provides a rich environment for germinating new ideas, but it also requires a healthy dose of skepticism. Developers must stay alert and thoroughly assess the reliability and safety of packages before incorporating them into their work.

Resource : https://cyware.com/news/new-blazestealer-malware-in-pypi-targets-developers-666fe1bd

10Nov, 2023

GitHub Enhances Security Capabilities With AI

Microsoft-owned code hosting platform GitHub today announced the public preview of three AI-powered features in GitHub Advanced Security.

Available for GitHub Enterprise Cloud and Enterprise Server customers, Advanced Security provides a series of features to help maintain and improve the quality of code. Some of these features, such as Dependabot, are also available for public repositories.

In a push for proactive security, GitHub has released tens of new capabilities to Advanced Security over the past year, and is now adding AI into the mix, “to revolutionize how developers build secure applications from the get-go”.

In addition to code scanning, the platform now offers an ‘autofix’ capability, where AI-generated fixes will be delivered for CodeQL, JavaScript, and TypeScript alerts in developers’ pull requests, enabling them to address issues immediately.

“These are not just any fixes, but precise, actionable suggestions that will allow you to quickly understand what the vulnerability is and how to remediate it. You can instantly commit these fixes to your code, helping you resolve issues faster and preventing new vulnerabilities from creeping into your codebases,” GitHub says.

The platform is also leveraging the latest LLMs to identify leaked passwords with lower false positives. The capability is offered as part of secret scanning, currently in limited public beta.

GitHub’s secret scanning program has 180 partners and provides more than 225 patterns for scanning, and is now leveraging AI to make it easier for code maintainers to create custom patterns to detect secrets unique to their organizations.

“Through this form-based experience, all you have to do is answer a few simple questions to auto-generate custom patterns in the form of regular expressions. This new feature enables you to execute dry runs in real time to ensure proper scanning before saving the newly created pattern,” GitHub explains.

Additionally, the platform has updated the security overview dashboard to provide security managers and administrators with access to an analysis of their security alerts and a better view of their security posture, based on risks, remediation, and prevention.

“We’re thrilled to harness the power of AI to improve the relevance of alerts, speed up remediation, and improve the administrative experience—with the ultimate goal of making your teams happier and more productive, and your code more secure,” GitHub says.

A spike in generative AI repositories

Also today, GitHub released a new iteration of its Octoverse report, revealing that an increasing number of developers are building open source generative AI projects, which have made it to “the top 10 most popular open source projects by contributor count in 2023”.

The number of generative AI projects on GitHub in the first half of 2023 more than doubled compared to the entire 2022, and developers have progressed from research to using pre-trained models and APIs to create generative AI-powered applications.

Building on top of foundation models, such as ChatGPT, developers leverage LLMs to create APIs, assistants, bots, mobile applications, and plugins, laying the groundwork for mainstream adoption.

“With almost all developers (92%) using or experimenting with AI coding tools, we expect open source developers to drive the next wave of AI innovation on GitHub,” the platform says.

The top 20 open source generative AI projects on GitHub are owned by individuals, but the platform expects organizations to start using pre-trained AI models too, as more developers become accustomed to them.

In terms of contributions to generative AI projects, GitHub has observed a 148% year-over-year growth, with the US, India, and Japan leading the trend, and Hong Kong, the UK, and Brazil following.

“As more and more developers gain familiarity with building generative AI-powered applications, we expect a growing talent pool to bolster businesses that seek to develop their own AI-powered products and services,” GitHub notes.

Today, the platform also announced the adoption of LLMs for GitHub Copilot, the AI developer tool that has more than one million paid users. In December, the tool’s users will have access to Copilot Chat, which leverages LLMs to help developers identify errors, debug code, and more.

“Copilot Chat will be generally available in December 2023 as part of your existing GitHub Copilot subscription, for organizations and individuals. This offering is also available at no cost to verified teachers, students, and maintainers of popular open source projects,” GitHub announced today.

Resource : https://www.securityweek.com/github-enhances-security-capabilities-with-ai/?web_view=true

8Nov, 2023

Performance Development: Unlock Your Team’s Potential

SHRM defines performance management as “the process of maintaining or improving employee job performance through the use of performance assessment tools, coaching, and counseling as well as providing continuous feedback.”

But far too many organizations stop at the first part — performance assessment — and miss the opportunity to actually improve employee performance. Only about one in four employees strongly agree that their manager provides meaningful feedback to them or that the feedback they receive helps them do better work. And only 21% of employees strongly agree that their performance is managed in a way that motivates them to do outstanding work.

Best-in-class organizations are integrating continuous feedback and development to enable more effective performance management. This approach is often referred to as performance development — think of it as the place where performance management meets career development — and it can be a great way to unlock your team members’ full potential.

The benefits of performance development

Performance development goes beyond traditional employee reviews to focus on fostering continuous growth, skills enhancement, and career progression.

Investing in a more robust approach to performance management has many benefits, including:

Building emerging skill sets. Skills sets for jobs have changed by around 25% since 2015 — and this number is expected to grow to 65% by 2030. Effective performance management can help your team members identify and learn the in-demand and emerging skills they need to be successful in their current roles — and in their future ones.
Increasing employee engagement. Performance development demonstrates the direct connection between feedback and career growth, motivating employees to go above and beyond at work. In fact, Gallup found that development is a top driver of employee engagement.
Reducing turnover. Continuous feedback and development shows your organization’s commitment to an employee’s long-term success, making your team members more likely to stay. The Josh Bersin Company found that organizations that offer ongoing skill development to their employees are 7.2x more likely to retain and engage their employees than those that don’t.
Improving business outcomes. Upskilling, engaging, and retaining talented team members through effective performance development practices can make a tremendous impact on your organization’s success. Companies that facilitate career development are 4x more likely to innovate effectively and 2.6x more likely to exceed financial targets.

Building a performance management program that encourages career development

Effective performance management is more than an annual event — it’s an ongoing process of goal setting, employee development, performance evaluation, and rewards. Each should be discussed regularly to nurture an engaged, motivated, and highly skilled workforce.

Align on goals and performance expectations

Just 50% of employees clearly understand what’s expected of them at work and only 21% strongly agree they have performance metrics that are within their control. Ambiguity and uncertainty around job expectations can hinder performance and negatively impact engagement.

Discussing goals and expectations with each of your team members is a critical step toward effective performance management. Employees should understand how their success is being measured and feel empowered to accomplish their goals.

Begin discussions on goal setting during your employee onboarding process by reviewing the job description, organizational goals, and your team member’s expected impact. Work together to build achievable short- and long-term goals, revisiting them during check-ins and performance reviews to gauge progress and make adjustments.

Employees whose managers involve them in goal setting are 3.6x more likely than other employees to be engaged, making this a worthwhile step in your performance management process.

Build and maintain employee development plans

Every employee has opportunities to learn and develop — and most want to. More than four out of five employees (83%) say that improving their skills is one of their top priorities.

Hold regular conversations with your team members to learn about each person’s professional growth goals, career aspirations, and skills they’d like to master. Then find the intersection of your team member’s development goals and your business needs to create a personalized performance development plan for each employee.

Performance development should go beyond addressing areas for improvement to also include honing strengths, learning emerging skills, and reskilling. Employees’ top motivation to learn is progress toward career goals, so it’s crucial to get your team members’ feedback and buy-in around their development plan to ensure alignment.

Update development plans as your team members acquire new skills and identify additional opportunities for professional growth. The most effective development plans are flexible to accommodate evolving needs and interests.

Provide continuous feedback

Only 21% of U.S. employees strongly agree they have received meaningful feedback in the last week, with nearly half saying they receive feedback a few times a year or less. In other words, most employees don’t get enough performance feedback to understand what they’re doing well or when they need a course correction.

Effective performance development requires that feedback be given consistently so employees have the guidance they need to be successful in their roles. Things you can do to make sure this happens include:

Initiate casual conversations. Let employees know when you see commendable efforts or teachable moments in their day-to-day work. Frequent feedback lets your team members know how you feel about their current performance and guides their development. Record the feedback in your performance management system so it can be referenced during future performance discussions.
Plan regular check-ins. Schedule regular one-on-one meetings to discuss progress toward goals, challenges, and development needs. These informal check-ins are a great opportunity to go in-depth on performance development discussions so you can make necessary adjustments to employee goals and development plans.
Conduct regular performance evaluations. Plan comprehensive performance reviews at regular intervals to assess your employee’s overall performance and goal attainment. If you do performance development well, employees shouldn’t be hearing any feedback for the first time during the review process.

Reward your team members for professional development

Rewarding your team members for professional development acknowledges their effort and demonstrates the value your organization places on learning and growth. It can also help you retain employees: Compensation and career progression are among the top reasons for turnover.

Offer raises and promotions as appropriate to reward your team members for developing their skill sets and gaining new experiences. This is particularly important if your employee’s new competencies or responsibilities qualify them for a higher pay grade or job level according to your compensation strategy.

Final thoughts: Effective performance management is an ongoing process

Gone are the days where an annual review is considered sufficient to manage employee performance. Modern teams encourage ongoing performance development to help employees achieve professional growth and meet evolving organizational goals. This approach can help you unlock your team’s full potential and drive your company’s success.

Resource : https://www.linkedin.com/business/talent/blog/learning-and-development/performance-development

3Nov, 2023

Lendlease, Google end development deals for San Francisco Bay Area projects

Nov 3 (Reuters) – Lendlease Group (LLC.AX) and Alphabet’s (GOOGL.O) Google reached a mutual agreement to end development services deals for four master-planned districts in the San Francisco Bay Area, the Australian developer said on Friday.

“The decision to end these agreements followed a comprehensive review by Google of its real estate investments, and a determination by both organisations that the existing agreements are no longer mutually beneficial given current market conditions,” Lendlease said.

Google did not immediately reply to Reuters’ request for comment.

Lendlease in 2019 bagged the contract from Google to develop $15 billion worth of residential and retail space in Sunnyvale, San Jose and Mountain View.

Under the project, Leandlease was to develop up to 15 million square feet of residential, retail and hospitality space and associated amenities, and Google would develop office space.

California’s commercial real estate market is one of the hardest hit globally as remote working has reduced the demand for office space amid declining property values and higher debt servicing costs on the back of rising rates.

In June, Unibail-Rodamco-Westfield (URW.PA), owner of one of the biggest shopping centers in the city decided to walk away after 20 years, hurt by declining sales, occupancy and foot traffic.

Earlier this year, Lendlease also paused its 47-storey Hayes Point project in central San Francisco, its largest investment in the Americas, looking to line up tenants or find a co-investor.

Lendlease said it will remove the San Francisco Bay project, which was expected to commence construction in fiscal 2026, from its development pipeline.

“While market expectations for the project had deflated over the past ~12-18 months, the change is negative for medium term (FY26-28) earnings,” analysts at UBS said.

Lendlease retained its forecast for fiscal 2024, with core operating return on equity at the lower end of its 8%-10% range.

Resource : https://www.reuters.com/world/us/lendlease-google-end-development-agreements-san-francisco-bay-area-projects-2023-11-03/

30Oct, 2023

New Project Analyzes and Catalogs Vendor Support for Secure PLC Coding

ATLANTA – SECURITYWEEK 2023 ICS CYBERSECURITY CONFERENCE – A new project aims to make it easier for PLC programmers to implement secure coding practices by analyzing and cataloging useful files and functions from each PLC vendor.

The new project was presented on Tuesday at SecurityWeek’s ICS Cybersecurity Conference in Atlanta by David Formby, CEO and CTO of Fortiphyd Logic, a company that specializes in endpoint detection for programmable logic controllers (PLCs) and virtual industrial control systems (ICS) security training labs.

The project builds on the ‘Top 20 Secure PLC Coding Practices’, whose goal is to provide PLC programmers with guidelines for improving security.

Some of these practices apply to all PLCs, regardless of vendor. This includes modularizing code, leaving operational logic directly in the PLC, assigning registers by function, using correlation and input plausibility checks, monitoring PLC uptime, trapping false negatives/positives, restricting third-party data interfaces, defining a safe start state in case of a restart, and validating timers, paired input/output, and indirections.

However, some secure PLC coding practices are different for each vendor and it can be difficult to identify relevant documentation. The goal of the Fortiphyd Logic project is to provide the information needed for vendor-specific practices in an easy-to-digest format.

The information is provided in a table format and includes the product name and model, whether required functionality is supported, and the file or function that enables access to the required data.

One secure PLC coding recommendation whose implementation is different for each vendor involves tracking the device’s operating mode. PLCs can have various modes, such as ‘run’, ‘program’, ‘test’ and ‘debug’. It’s easier for an attacker to hack a PLC that is not in ‘run’ mode, which is why it’s important that PLCs are not left in ‘program’, ‘test’ and ‘debug’ modes. In addition, mode changes should be monitored in order to detect a potential attack.

However, monitoring mode changes is done differently for each PLC, Formby pointed out. For instance, in the case of Rockwell Automation PLCs, the data can be obtained through the ‘GSV(ControllerDevice.Status)’ instruction or from a status file, while in the case of Siemens PLCs this can be achieved using the ‘GET_DIAG’ function.

Another vendor-specific secure PLC coding practice involves monitoring flags that indicate various errors and faults, which can be triggered by malicious attacks. However, PLCs from each vendor have different errors and faults and there are different ways of reading them, Formby explained.

Attackers targeting PLCs can make changes to the PLC logic and some controllers have checksums that enable users to detect changes in logic. Monitoring checksums can be useful for detecting attacks, but different vendors have different functions for achieving this and in some cases checksum monitoring is not supported at all.

Other examples of vendor-specific PLC secure coding practices covered by Fortiphyd Logic’s new project include monitoring cycle times, hard stops, and memory usage, as well as the detection of unused software.

For the time being, the new project, hosted on GitHub, only provides information for products made by Schneider Electric, Siemens and Rockwell Automation, but information will be added for other vendors as well, with the goal being to cover all PLC vendors. Anyone can contribute to the project.

Fortiphyd Logic has also created a custom module for the top 20 secure PLC coding practices for CISA’s Cyber Security Evaluation Tool (CSET), which provides a series of requirement questionnaires to help organizations assess their security posture.

Resource : https://www.securityweek.com/new-project-analyzes-and-catalogs-vendor-support-for-secure-plc-coding/?web_view=true