
SCADA alerts/vulns...


28 replies to this topic

#16 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 December 2011 - 04:21 AM

FYI...

FBI: 3 cities - SCADA networks compromised ...
- https://www.infoseci...A-Networks.html
November 30, 2011 - "Michael Welch, deputy assistant director of the FBI's Cyber Division, revealed that three U.S. cities recently experienced significant network intrusion events by unnamed attackers by way of poorly secured supervisory control and data acquisition (SCADA) networks... SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city," Welch said. The intrusions were characterized by Welch as "sort of a tease to law enforcement and the local city administration, saying 'I’m here, what are you going to do about it.' Essentially it was an ego trip for the hacker..." While Welch downplayed the intrusion, he was candid about the potential for mayhem had the attacker's intentions been more malicious..."

- http://www.informati...scada-fbi.thtml
29 November 2011

:ph34r: :blink:

Edited by AplusWebMaster, 06 December 2011 - 06:55 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#17 AplusWebMaster


Posted 14 December 2011 - 05:53 AM

FYI...

> https://www.us-cert....stems/ics-cert/

ICS-ALERT-11-346-01 SCHNEIDER ELECTRIC QUANTUM* ETHERNET MODULE - MULTIPLE VULNERABILITIES
- http://www.us-cert.g...T-11-346-01.pdf
December 12, 2011 - "... Multiple hardcoded credentials... enable access to the following services:
• Telnet port – May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• Windriver Debug port - Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• FTP service – May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords.
ICS-CERT is currently coordinating with Schneider Electric to develop mitigations. Additional information regarding the impact and mitigations will be issued as it becomes available..."
* http://products.schn...ms/quantum-plc/

- https://secunia.com/advisories/47019/
Release Date: 2011-12-14
Criticality level: Moderately critical
Impact: Security Bypass
Where: From local network
Solution Status: Unpatched
Operating System: Schneider Electric M340 Series Modules, Premium Series Modules, Quantum Series Modules, STB DIO Series Modules ...
... see the ICS-CERT's advisory for a list of affected products and versions.
Solution: Restrict access to trusted hosts only.
___

- http://h-online.com/-1395141
14 December 2011

:ph34r: :ph34r:

Edited by AplusWebMaster, 15 December 2011 - 06:11 AM.



#18 AplusWebMaster


Posted 03 January 2012 - 03:04 PM

FYI...

Cyber threat to Power Grid ...
- http://www.forbes.co...estors-at-risk/
12/27/2011 - "The electric-utility industry’s concerns about cyber security have escalated sufficiently for several investor-owned utilities to include cyber-attacks as a material risk factor in recent filings with the U.S. Securities and Exchange Commission... the grid’s vulnerabilities to hackers are expanding... This grim conclusion is among the many grim findings of a major new study on the “Future of the Electric Grid*” by researchers at [MIT]."
Linked from: https://www.us-cert....systems/#tabs-4

* http://web.mit.edu/m...ion_Privacy.pdf
Pg. 2 of 38 - "... Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce attack vectors — paths that attackers can use to gain access to computer systems or other communicating equipment — that increase the risk of intentional and accidental communications disruptions. As the North American Electric Reliability Corporation (NERC) notes, these disruptions can result in a range of failures, including loss of control over grid devices, loss of communications between grid entities or control centers, or blackouts..."

:ph34r:



#19 AplusWebMaster


Posted 23 January 2012 - 06:48 AM

FYI...

> https://www.us-cert....stems/ics-cert/

Multiple PLC vulns - Major ICS vendors...
- https://www.us-cert....T-12-020-01.pdf
Jan. 20, 2011 - "... Project Basecamp team of researchers during Digital Bond’s SCADA Security Scientific Symposium (S4) on January 19, 2012, without coordination with either the vendors or ICS-CERT... findings include multiple zero-day vulnerabilities for several leading industrial control system (ICS) hardware Programmable Logic Controllers (PLCs). Major affected vendors include GE, Koyo, Rockwell, Schneider (Modicon), and Schweitzer. Exploit code was also released for the GE vulnerabilities. The affected PLCs are used to control functions in critical infrastructure in the chemical, energy, water, nuclear, and critical manufacturing sectors..."

Proof-of-concept exploits - multiple vulnerabilities in SCADA products demonstrated...
- https://www.computer...control_systems
January 20, 2012

- http://h-online.com/-1418921
23 January 2012
___

GE Energy - https://secunia.com/advisories/47632/
Release Date: 2012-01-20
Criticality level: Moderately critical
Impact: Exposure of sensitive information, System access
Where: From local network...

Koyo - https://secunia.com/advisories/47735/
Release Date: 2012-01-23
Impact: Cross Site Scripting, DoS
Where: From remote

Rockwell - https://secunia.com/advisories/47737/
Release Date: 2012-01-23
Criticality level: Moderately critical
Impact: DoS, System access, Exposure of system information
Where: From local network...

Schneider - https://secunia.com/advisories/47723/
Release Date: 2012-01-23
Impact: Cross Site Scripting, DoS
Where: From remote

Schweitzer - https://secunia.com/advisories/47739/
Release Date: 2012-01-23
Impact: DoS
Where: From local network...

:ph34r: :ph34r:

Edited by AplusWebMaster, 23 January 2012 - 09:02 AM.



#20 AplusWebMaster


Posted 25 January 2012 - 11:46 AM

FYI...

- https://www.us-cert....stems/ics-cert/
News Feed: 10K Reasons To Worry About Critical Infrastructure*
Tue, 24 Jan - "A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the Internet and found that many could be open to easy hack attacks, due to lax security practices."
* http://www.wired.com...systems-online/

:ph34r: :blink:



#21 AplusWebMaster


Posted 09 March 2012 - 01:11 PM

FYI...

SCADA exploits released...
- http://atlas.arbor.n...index#797484922
Severity: Elevated Severity
Published: Thursday, March 08, 2012 20:33
Security holes in selected SCADA software released to public causes outcry and increases risks along with awareness.
Analysis: It is strongly suggested that organizations running SCADA software affected by the Metasploit modules
- http://www.digitalbo...sploit-modules/
... ensure that those systems are protected or at least segregated appropriately from the Internet and internet networks in order to reduce attack surface. While the code release is controversial, the vulnerabilities at hand are a reminder that SCADA and industrial control systems suffer from some serious security issues that need further attention.
Source: http://go.bloomberg....r-the-bad-guys/
Mar 6, 2012

:( :ph34r: :blink:



#22 AplusWebMaster


Posted 30 April 2012 - 08:03 AM

FYI...

SCADA alert: Rugged Operating System (ROS) vuln
- http://www.kb.cert.org/vuls/id/889195
Last revised: 30 Apr 2012
Overview: RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password....
Workarounds: ROS users can disable the rsh service and set the number of allowed telnet connections to 0...
> http://www.ruggedcom...-security-page/
"... In the next few weeks, RuggedCom will be releasing new versions of ROS firmware that removes the undocumented factory account..."

- http://web.nvd.nist....d=CVE-2012-1803 - 8.5 (HIGH)
Last revised: 04/30/2012

> http://www.wired.com...-W.-Clarke1.jpg

- https://www.us-cert....-12-116-01A.pdf

US-CERT Recent Vulnerability Notes
- http://www.kb.cert.org/vuls

:ph34r: :ph34r:

Edited by AplusWebMaster, 01 May 2012 - 02:32 PM.



#23 AplusWebMaster


Posted 08 May 2012 - 11:56 AM

FYI...

- https://www.us-cert....stems/ics-cert/

Spear-phish targeted at nat-gas-pipeline companies...
- https://www.us-cert....tor_Apr2012.pdf
Apr 2012 ICS newsletter- "In March, ICS-CERT identified an active series of cyber intrusions targeting natural gas pipeline sector companies. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign with spear-phishing activity dating back to as early as December 2011. Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. ICS-CERT has issued an alert (and two updates) to the US-CERT Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators..."
___

Alert: Major cyber attack aimed at natural gas pipeline companies
- http://atlas.arbor.net/briefs/
Severity: High Severity
Published: Monday, May 07, 2012 20:08
Natural gas pipeline infrastructure has been under focused cyber-attack since at least December 2011.
Analysis: The attack technique here is "spear phishing" - highly specific e-mail sent to targets of value, who open malicious documents or malicious links and then allow attackers inside the network. The attackers then move laterally until they find the resources and data they are after. The attacks are mentioned in the public document http://www.us-cert.g...tor_Apr2012.pdf
Source: Alert: http://www.csmonitor...eline-companies

:ph34r: <_<

Edited by AplusWebMaster, 09 May 2012 - 04:32 AM.



#24 AplusWebMaster


Posted 11 August 2012 - 05:50 PM

FYI...

> https://www.us-cert....stems/ics-cert/

Gauss - Information-Stealing Malware
JSAR-12-222-01 - Joint Security Awareness Report
- https://www.us-cert....R-12-222-01.pdf
August 9, 2012 - "... According to Kaspersky, information is collected by Gauss using various modules and has the following functionality:
• injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• collecting information about the computer’s network connections,
• collecting information about processes and folders,
• collecting information about BIOS and CMOS RAM,
• collecting information about local, network and removable drives,
• infecting removable media drives with an information-stealing module in order to steal information from other computers,
• installing the custom “Palida Narrow” font (purpose unknown),
• ensuring the entire toolkit’s loading and operation, and
• interacting with the command and control server, sending the information collected to it, and downloading additional modules.
a. http://www.securelis...al_Distribution
... Kaspersky’s analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568b), the same vulnerability exploited by Stuxnet. According to the report, the USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.
MITIGATION: At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical..."
___

Font installed with Gauss trojan...
- http://h-online.com/-1666328
13 August 2012

Online detection of Gauss
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
August 13, 2012
Kaspersky Lab offers an on-line mechanism to detect the font installed by the Gauss spying malware.
Analysis: Users that have Palida Narrow, an unusual font installed on their system should investigate why it is there. It may have been installed by the Gauss malware. At this time, there is no other known explanation why the font would be installed.
Source: http://www.securelis...ection_of_Gauss

:ph34r: :ph34r:

Edited by AplusWebMaster, 15 August 2012 - 03:21 PM.


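The Kaspersky detection quoted above boils down to one host-level indicator: the presence of the unusual "Palida Narrow" font. The following is an added example (not code from the post, ICS-CERT or Kaspersky) of a defender-side sweep for that indicator on a Windows host. It reads the real `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` registry key, where value names carry a type suffix such as "Arial (TrueType)", and normalises names before matching; the indicator list itself is an assumption limited to the one font name the post mentions.

```python
"""Sweep a Windows host for the "Palida Narrow" font associated with the
Gauss malware (indicator quoted in the post above). Added example; not the
original post's, ICS-CERT's or Kaspersky's code."""
import re
import sys
from typing import Iterable, List

# Only the font name named in the post is listed here (assumption: no other
# Gauss font indicators are known to this script). Names are compared case-folded.
GAUSS_FONT_INDICATORS = ("palida narrow",)

# Windows records installed fonts under this key; value names look like
# "Arial (TrueType)" and the data is the font file name.
FONTS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"

# Registry value names end with a type suffix that is not part of the face name.
_SUFFIX = re.compile(r"\s*\((TrueType|OpenType|VGA res|All res)\)\s*$", re.IGNORECASE)


def normalize_font_name(name: str) -> str:
    """Drop the registry type suffix and case-fold: 'Palida Narrow (TrueType)' -> 'palida narrow'."""
    return _SUFFIX.sub("", name).strip().casefold()


def find_indicator_fonts(installed: Iterable[str]) -> List[str]:
    """Return the original registry names of installed fonts that match an indicator."""
    return [raw for raw in installed if normalize_font_name(raw) in GAUSS_FONT_INDICATORS]


def collect_installed_fonts() -> List[str]:
    """Enumerate font value names from the Windows Fonts registry key.
    On a non-Windows host there is nothing to check, so an empty list is returned."""
    names: List[str] = []
    if sys.platform != "win32":
        return names
    import winreg  # Windows-only standard library module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FONTS_KEY) as key:
            value_count = winreg.QueryInfoKey(key)[1]
            for index in range(value_count):
                value_name, _data, _type = winreg.EnumValue(key, index)
                names.append(value_name)
    except OSError:
        # Key unreadable (permissions or unusual build): report nothing rather than fail.
        pass
    return names


if __name__ == "__main__":
    found = find_indicator_fonts(collect_installed_fonts())
    if found:
        print("Investigate: Gauss-associated font present:", ", ".join(found))
    else:
        print("No Gauss-associated font found in the Fonts registry key.")
```

A hit is a reason to investigate, not proof of infection: the post's own source notes only that no benign explanation for the font was known at the time. Run the script with an account that can read HKLM, and treat the single-name indicator list as a starting point to be extended from current threat intelligence.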

#25 AplusWebMaster


Posted 06 September 2012 - 05:46 AM

FYI...

- https://www.us-cert....stems/ics-cert/

Automated Toolkits named in massive DDoS attacks against U.S. Banks
- https://threatpost.c...us-banks-100212
Oct 2, 2012
___

ICS-CERT Advisory "ICSA-12-243-01 - GarrettCom - Use of Hard-Coded Password"
- https://www.us-cert....A-12-243-01.pdf
Aug 30, 2012 - "This Advisory details a privilege-escalation vulnerability in the GarrettCom Magnum MNS-6K Management Software application via the use of a hard-coded password."

- http://h-online.com/-1701193
5 Sep 2012 - "... GarrettCom fixed the problem on 18 May 2012, but did not document that the updated software* had fixed the flaw in the release notes**. The ICS-CERT advisory is the first public notification of the problem."
* http://www.garrettco...ownloads_6k.htm

** PDF: http://www.garrettco...dl/6k440_rn.pdf
___

JSAR-12-241-01 - Shamoon/DistTrack Malware
- https://www.us-cert....R-12-241-01.pdf
Aug 29, 2012 - "This JSAR details "Shamoon," an information-stealing malware that also includes a destructive module."

> http://www.symantec....ttacks-continue
3 Sep 2012

:ph34r: :ph34r:

Edited by AplusWebMaster, 04 October 2012 - 08:12 AM.




#26 AplusWebMaster


Posted 26 October 2012 - 01:45 PM

FYI...

- https://www.us-cert....stems/ics-cert/

ICS-CERT ALERT - Increasing Threat to Industrial Control Systems
- https://www.us-cert....-12-046-01A.pdf
Oct 25, 2012 - "ICS-CERT is monitoring and responding to a combination of threat elements that increase the risk of control systems attacks. These elements include Internet accessible industrial control system (ICS) configurations, vulnerability and exploit tool releases for ICS devices, and increased interest and activity by hacktivist groups and others..."

> https://krebsonsecur...ontrol-systems/
Oct 26, 2012
___

- http://www.h-online....iew=zoom;zoom=1
30 Oct 2012

:( :ph34r:

Edited by AplusWebMaster, 30 October 2012 - 09:47 PM.



#27 AplusWebMaster


Posted 25 January 2013 - 06:36 AM

FYI...

ICS-ALERT - Siemens PLC
- http://h-online.com/-1790903
24 Jan 2013 - "... Python script has been developed by security experts Alexander Timorin and Dmitry Sklyarov, both members of the SCADA StrangeLove research group. The tool uses a brute force attack to crack passwords for Siemens SIMATIC S7 programmable logic controllers. It does not, however, try out the passwords on the controller itself; instead it does so offline using recorded network traffic containing authentication events... control systems should not be accessible via the internet, they should be protected behind a firewall and should be isolated from company networks. Remote access should require a secure method such as VPN..."
- http://www.us-cert.g...T-13-016-02.pdf
Jan 16, 2013 - "ICS-CERT is aware of a public report of an offline brute-force password tool with proof-of-concept (PoC) exploit code targeting Siemens S7 programmable logic controllers. According to this report, a password can be obtained by offline password brute forcing the challenge-response data extracted from TCP/IP traffic file..."

:ph34r: :ph34r:



#28 AplusWebMaster


Posted 29 September 2013 - 08:58 AM

FYI...

- https://www.us-cert....stems/ics-cert/

Watering-Hole Attacks Target Energy Sector
- https://ics-cert.us-...t-Energy-Sector
09/20/2013 - "... Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack* targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host."
* http://blogs.cisco.c...-energy-sector/
"... Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host. Observed watering-hole style domains containing the malicious iframe... the largest percent of visitors were expectedly from the financial and energy sectors – an audience concentration that is also consistent with the nature of watering-hole style attacks.
> http://blogs.cisco.c...ds/topvert.jpeg
... Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit..."

- https://web.nvd.nist...d=CVE-2013-1347 - 9.3 (HIGH)
Last revised: 05/16/2013
- https://web.nvd.nist...d=CVE-2013-1690 - 9.3 (HIGH)
Last revised: 08/22/2013
- https://web.nvd.nist...d=CVE-2012-1723 - 10.0 (HIGH)
Last revised: 08/22/2013
___

- http://atlas.arbor.net/briefs/
Oil, Energy Watering Hole Attacks Could Be Tied to DOL Attacks*
High Severity
September 20, 2013 21:24
Targeted attacks towards the oil and energy sector continue. Legitimate sites were compromised and used in a "watering hole" campaign which was used to focus the target audience and compromise their systems with a Remote Access Trojan (RAT).
Analysis: ... a Firefox exploit was used in this campaign... The Poison Ivy RAT was used here, and while it is easily available, its continued use in various attack campaigns suggests that better monitoring processes should be implemented in order to detect its network and host fingerprints... Targeted attacks will certainly continue, and as defenses increase, the attackers' tactics and procedures will evolve. Defenders must be vigilant in protecting their assets..."
* http://www.darkreadi...endly=this-page

- http://www.infosecur...tacks/1009.aspx
9/23/2013 - "... The probability of success is significantly higher for watering hole attacks since the attacker has used the tracking service’s data to confirm that traffic to the site is both allowed and frequent. When a user visits the site, the malicious code redirects the user’s browser to a malicious site so the user’s machine can be assessed for vulnerabilities. The trap is sprung... The user’s computer is assessed for the right set of vulnerabilities and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user’s access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they’ve gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening."

:ph34r: :ph34r:

Edited by AplusWebMaster, 29 September 2013 - 10:32 AM.



#29 AplusWebMaster


Posted 26 June 2014 - 09:42 AM

FYI...

- https://ics-cert.us-cert.gov/

ICS-ALERT-14-176-02A - ICS Focused Malware
- https://ics-cert.us-...LERT-14-176-02A
Last revised: July 01, 2014 (Update A) - "... follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-176-02 ICS Focused Malware that was published June 25, 2014 on the ICS-CERT web site, and includes information previously published to the US-CERT secure portal... These include phishing emails, redirects to compromised web sites and most recently, trojanized update installers on at least 3 industrial control systems (ICS) vendor web sites, in what are referred to as watering hole-style attacks... Based on information ICS-CERT has obtained from Symantec* and F-Secure**, the software installers for these vendors were infected with malware known as the Havex Trojan..."
June 25, 2014 - "... NCCIC/ICS-CERT is aware of reports of malware targeting industrial control systems (ICSs) that are being distributed via compromised ICS vendor web sites. The ICS vendor web sites were reportedly found to have their products’ downloadable software installer -infected- with a backdoor Trojan known as the Havex Trojan. Customers of these vendors that visited a compromised site, downloaded, and installed the trojanized software could be compromised. This could allow attackers access to their networks including those that operate critical infrastructure. In addition, ICS-CERT is conducting analysis to determine possible linkages between this activity and previous watering-hole compromises and malware campaigns...
* http://www.symantec....sabotage-threat

- http://www.symantec....y_Suppliers.pdf
July 2, 2014 - pg 17:
Trojan.Karagany
• 91.203.6.71   : https://www.virustot...71/information/
• 93.171.216.118: https://www.virustot...18/information/
• 93.188.161.235: https://www.virustot...35/information/

** http://www.f-secure....s/00002718.html

- https://ics-cert.us-.../ICSA-14-178-01
June 30, 2014 | Last revised: July 01, 2014
___

- http://atlas.arbor.n...ndex#-203181723
Elevated Severity
26 Jun 2014
The Havex RAT (Remote Access Trojan) has previously been profiled due to its use in targeted attacks against industry sectors. Recently, the malware has been used to “trojanize” software available for download from legitimate ICS/SCADA vendor websites.
Analysis: This is most likely accomplished by exploiting vulnerabilities in the software running the websites. [ http://www.f-secure....s/00002718.html ] The group behind the malware has been identified by security company CrowdStrike as “Energetic Bear”. [ http://www.crowdstri...Report_2013.pdf ] ICS/SCADA systems, which are known to be brittle and vulnerable, are frequently targeted by attackers. Those in the critical infrastructure sector would benefit from a continuous review of the network traffic and host activity associated with any SCADA/ICS system. In particular, information on the Havex malware and the group behind these attacks should be reviewed.
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 17 September 2014 - 02:28 PM.


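The Havex post above gives defenders two concrete handles: three Trojan.Karagany command-and-control addresses from the Symantec report, and the fact that the infection vector was a trojanized installer fetched from a vendor site. The block below is an added example (not the post's, ICS-CERT's, Symantec's or any vendor's code) that sweeps firewall log lines for those addresses and checks a downloaded installer against a vendor-published SHA-256. The key=value log format and the sample lines are constructed for the example; the expected hash is a placeholder to be obtained from the vendor out of band, and the three IPs are 2014-era indicators that should be refreshed from current threat intelligence.

```python
"""Sweep firewall/proxy logs for the Havex / Trojan.Karagany C2 addresses
reproduced in the post above, and verify an ICS installer download against a
vendor-published SHA-256. Added example; constructed log format and sample data."""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The three addresses listed in the post (Symantec, July 2014). Historical
# indicators: refresh from current threat intelligence before relying on them.
HAVEX_C2_IPS = frozenset(
    ipaddress.ip_address(ip)
    for ip in ("91.203.6.71", "93.171.216.118", "93.188.161.235")
)

# Constructed sample lines in a simple key=value firewall format (not real logs).
SAMPLE_LOG = """\
2014-06-26T10:12:03Z fw01 ACCEPT src=10.0.5.23 dst=93.171.216.118 proto=tcp dport=443
2014-06-26T10:12:09Z fw01 ACCEPT src=10.0.5.41 dst=198.51.100.7 proto=udp dport=53
2014-06-26T10:13:44Z fw01 ACCEPT src=10.0.7.2 dst=91.203.6.71 proto=tcp dport=80
2014-06-26T10:14:01Z fw01 DROP src=10.0.7.2 dst=not-an-ip proto=tcp dport=80
"""

_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None if the line is not in the expected shape."""
    m = _LINE.match(line)
    return m.groupdict() if m else None


def match_c2_indicators(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for each line whose dst is a known C2 address.
    Unparseable lines and malformed addresses are skipped rather than aborting the sweep."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # e.g. a hostname or garbage in the dst field
        if dst in HAVEX_C2_IPS:
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the installer bytes as downloaded."""
    return hashlib.sha256(data).hexdigest()


def installer_matches(data: bytes, expected_sha256: str) -> bool:
    """True if the download hashes to the vendor-published SHA-256.
    expected_sha256 is a placeholder here; obtain it from the vendor through a
    channel other than the download page, since that page is what gets trojanized."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


if __name__ == "__main__":
    for ts, src, dst in match_c2_indicators(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: known Havex/Karagany C2, investigate host {src}")
    installer = b"constructed installer bytes"  # stand-in for a downloaded file
    print("installer verified:", installer_matches(installer, sha256_hex(installer)))
```

The internal source address of each hit is the host to pull for analysis; a single connection to a listed address from an engineering workstation is worth more attention than the same from a general-purpose desktop. For the installer check, the point is where the expected hash comes from: a value scraped from the same compromised vendor page proves nothing, which is why the function treats it as an externally supplied parameter.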