News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected

Topic: SCADA alerts/vulns...
« Reply #15 on: December 01, 2011, 02:25:05 »
AplusWebMaster (Global Moderator)

FYI...

FBI: 3 cities - SCADA networks compromised ...
- https://www.infosecisland.com/blogview/18450-FBI-Three-Cities-Compromised-via-SCADA-Networks.html
November 30, 2011 - "Michael Welch, deputy assistant director of the FBI's Cyber Division, revealed that three U.S. cities recently experienced significant network intrusion events by unnamed attackers by way of poorly secured supervisory control and data acquisition (SCADA) networks... SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city," Welch said. The intrusions were characterized by Welch as "sort of a tease to law enforcement and the local city administration, saying 'I’m here, what are you going to do about it.' Essentially it was an ego trip for the hacker..." While Welch downplayed the intrusion, he was candid about the potential for mayhem had the attacker's intentions been more malicious..."

- http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml
29 November 2011

« Last Edit: December 06, 2011, 04:56:20 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #16 on: December 14, 2011, 03:50:41 »
AplusWebMaster (Global Moderator)

FYI...

> https://www.us-cert.gov/control_systems/ics-cert/

ICS-ALERT-11-346-01 SCHNEIDER ELECTRIC QUANTUM* ETHERNET MODULE - MULTIPLE VULNERABILITIES
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf
December 12, 2011 - "... Multiple hardcoded credentials... enable access to the following services:
• Telnet port – May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• Windriver Debug port – Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• FTP service – May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords.
ICS-CERT is currently coordinating with Schneider Electric to develop mitigations. Additional information regarding the impact and mitigations will be issued as it becomes available..."
* http://products.schneider-electric.us/products-services/products/plcs-pac-and-distributed-io/industrial-process-infrastructure-and-oems/quantum-plc/

- https://secunia.com/advisories/47019/
Release Date: 2011-12-14
Criticality level: Moderately critical
Impact: Security Bypass
Where: From local network
Solution Status: Unpatched
Operating System: Schneider Electric M340 Series Modules, Premium Series Modules, Quantum Series Modules, STB DIO Series Modules ...
... see the ICS-CERT's advisory for a list of affected products and versions.
Solution: Restrict access to trusted hosts only.
___

- http://h-online.com/-1395141
14 December 2011

« Last Edit: December 15, 2011, 04:13:53 by AplusWebMaster »
« Reply #17 on: January 03, 2012, 13:06:21 »
AplusWebMaster (Global Moderator)

FYI...

Cyber threat to Power Grid ...
- http://www.forbes.com/sites/williampentland/2011/12/27/cyber-threat-to-power-grid-puts-utility-investors-at-risk/
12/27/2011 - "The electric-utility industry’s concerns about cyber security has escalated sufficiently for several investor-owned utilities to include cyber-attacks as a material risk factor in recent filings with the U.S. Securities and Exchange Commission... the grid’s vulnerabilities to hackers are expanding... This grim conclusion is among the many grim findings of a major new study on the “Future of the Electric Grid*” by researchers at [MIT]."
Linked from: https://www.us-cert.gov/control_systems/#tabs-4

* http://web.mit.edu/mitei/research/studies/documents/electric-grid-2011/Electric_Grid_9_Data_Communications_Cybersecurity_Information_Privacy.pdf
Pg. 2 of 38 - "... Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce attack vectors — paths that attackers can use to gain access to computer systems or other communicating equipment — that increase the risk of intentional and accidental communications disruptions. As the North American Electric Reliability Corporation (NERC) notes, these disruptions can result in a range of failures, including loss of control over grid devices, loss of communications between grid entities or control centers, or blackouts..."

« Reply #18 on: January 23, 2012, 04:51:13 »
AplusWebMaster (Global Moderator)

FYI...

> https://www.us-cert.gov/control_systems/ics-cert/

Multiple PLC vulns - Major ICS vendors...
- https://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-01.pdf
Jan. 20, 2011 - "... Project Basecamp team of researchers during Digital Bond’s SCADA Security Scientific Symposium (S4) on January 19, 2012, without coordination with either the vendors or ICS-CERT... findings include multiple zero-day vulnerabilities for several leading industrial control system (ICS) hardware Programmable Logic Controllers (PLCs). Major affected vendors include GE, Koyo, Rockwell, Schneider (Modicon), and Schweitzer. Exploit code was also released for the GE vulnerabilities. The affected PLCs are used to control functions in critical infrastructure in the chemical, energy, water, nuclear, and critical manufacturing sectors..."

Proof-of-concept exploits - multiple vulnerabilities in SCADA products demonstrated...
- https://www.computerworld.com/s/article/9223592/Researchers_expose_flaws_in_popular_industrial_control_systems
January 20, 2012

- http://h-online.com/-1418921
23 January 2012
___

GE Energy - https://secunia.com/advisories/47632/
Release Date: 2012-01-20
Criticality level: Moderately critical
Impact: Exposure of sensitive information, System access
Where: From local network...

Koyo - https://secunia.com/advisories/47735/
Release Date: 2012-01-23
Impact: Cross Site Scripting, DoS
Where: From remote

Rockwell - https://secunia.com/advisories/47737/
Release Date: 2012-01-23
Criticality level: Moderately critical
Impact: DoS, System access, Exposure of system information
Where: From local network...

Schneider - https://secunia.com/advisories/47723/
Release Date: 2012-01-23
Impact: Cross Site Scripting, DoS
Where: From remote

Schweitzer - https://secunia.com/advisories/47739/
Release Date: 2012-01-23
Impact: DoS
Where: From local network...

« Last Edit: January 23, 2012, 07:03:33 by AplusWebMaster »
« Reply #19 on: January 25, 2012, 09:41:43 »
AplusWebMaster (Global Moderator)

FYI...

- https://www.us-cert.gov/control_systems/ics-cert/
News Feed: 10K Reasons To Worry About Critical Infrastructure*
Tue, 24 Jan - "A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the Internet and found that many could be open to easy hack attacks, due to lax security practices."
* http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/

« Reply #20 on: March 09, 2012, 09:40:20 »
AplusWebMaster (Global Moderator)

FYI...

SCADA exploits released...
- http://atlas.arbor.net/briefs/index#797484922
Severity: Elevated Severity
Published: Thursday, March 08, 2012 20:33
Security holes in selected SCADA software released to public causes outcry and increases risks along with awareness.
Analysis: It is strongly suggested that organizations running SCADA software affected by the Metasploit modules
- http://www.digitalbond.com/tools/basecamp/metasploit-modules/
... ensure that those systems are protected or at least segregated appropriately from the Internet and internet networks in order to reduce attack surface. While the code release is controversial, the vulnerabilities at hand are a reminder that SCADA and industrial control systems suffer from some serious security issues that need further attention.
Source: http://go.bloomberg.com/tech-blog/2012-03-06-hacker-group-unveils-critical-attack-accused-of-drawing-a-road-map-for-the-bad-guys/
Mar 6, 2012

« Reply #21 on: April 30, 2012, 06:06:33 »
AplusWebMaster (Global Moderator)

FYI...

SCADA alert: Rugged Operating System (ROS) vuln
- http://www.kb.cert.org/vuls/id/889195
Last revised: 30 Apr 2012
Overview: RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password....
Workarounds: ROS users can disable the rsh service and set the number of allowed telnet connections to 0...
> http://www.ruggedcom.com/productbulletin/ros-security-page/
"... In the next few weeks, RuggedCom will be releasing new versions of ROS firmware that removes the undocumented factory account..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1803 - 8.5 (HIGH)
Last revised: 04/30/2012

> http://www.wired.com/images_blogs/threatlevel/2012/04/RCOM-Devices_Justin-W.-Clarke1.jpg

- https://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01A.pdf

US-CERT Recent Vulnerability Notes
- http://www.kb.cert.org/vuls

« Last Edit: May 01, 2012, 12:34:17 by AplusWebMaster »
« Reply #22 on: May 08, 2012, 09:51:02 »
AplusWebMaster (Global Moderator)

FYI...

- https://www.us-cert.gov/control_systems/ics-cert/

Spear-phish targeted at nat-gas-pipeline companies...
- https://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf
Apr 2012 ICS newsletter - "In March, ICS-CERT identified an active series of cyber intrusions targeting natural gas pipeline sector companies. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign with spear-phishing activity dating back to as early as December 2011. Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. ICS-CERT has issued an alert (and two updates) to the US-CERT Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators..."
___

Alert: Major cyber attack aimed at natural gas pipeline companies
- http://atlas.arbor.net/briefs/
Severity: High Severity
Published: Monday, May 07, 2012 20:08
Natural gas pipeline infrastructure has been under focused cyber-attack since at least December 2011.
Analysis: The attack technique here is "spear phishing" - highly specific e-mail sent to targets of value, who open malicious documents or malicious links and then allow attackers inside the network. The attackers then move laterally until they find the resources and data they are after. The attacks are mentioned in the public document http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf
Source: Alert: http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural-gas-pipeline-companies

« Last Edit: May 09, 2012, 02:35:29 by AplusWebMaster »
« Reply #23 on: August 11, 2012, 15:48:27 »
AplusWebMaster (Global Moderator)

FYI...

> https://www.us-cert.gov/control_systems/ics-cert/

Gauss - Information-Stealing Malware
JSAR-12-222-01 - Joint Security Awareness Report
- https://www.us-cert.gov/control_systems/pdf/JSAR-12-222-01.pdf
August 9, 2012 - "... According to Kaspersky, information is collected by Gauss using various modules and has the following functionality:
• injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• collecting information about the computer’s network connections,
• collecting information about processes and folders,
• collecting information about BIOS and CMOS RAM,
• collecting information about local, network and removable drives,
• infecting removable media drives with an information-stealing module in order to steal information from other computers,
• installing the custom “Palida Narrow” font (purpose unknown),
• ensuring the entire toolkit’s loading and operation, and
• interacting with the command and control server, sending the information collected to it, and downloading additional modules.
a. http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution
... Kaspersky’s analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568b), the same vulnerability exploited by Stuxnet. According to the report, the USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.
MITIGATION: At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical..."
___

Font installed with Gauss trojan...
- http://h-online.com/-1666328
13 August 2012

Online detection of Gauss
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
August 13, 2012
Kaspersky Lab offers an on-line mechanism to detect the font installed by the Gauss spying malware.
Analysis: Users that have Palida Narrow, an unusual font installed on their system should investigate why it is there. It may have been installed by the Gauss malware. At this time, there is no other known explanation why the font would be installed.
Source: http://www.securelist.com/en/blog/724/Online_detection_of_Gauss

« Last Edit: August 15, 2012, 13:23:15 by AplusWebMaster »
« Reply #24 on: September 06, 2012, 03:43:33 »
AplusWebMaster (Global Moderator)

FYI...

- https://www.us-cert.gov/control_systems/ics-cert/

Automated Toolkits named in massive DDoS attacks against U.S. Banks
- https://threatpost.com/en_us/blogs/automated-toolkits-named-massive-ddos-attacks-against-us-banks-100212
Oct 2, 2012
___

ICS-CERT Advisory "ICSA-12-243-01 - GarrettCom - Use of Hard-Coded Password"
- https://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf
Aug 30, 2012 - "This Advisory details a privilege-escalation vulnerability in the GarrettCom Magnum MNS-6K Management Software application via the use of a hard-coded password."

- http://h-online.com/-1701193
5 Sep 2012 - "... GarrettCom fixed the problem on 18 May 2012, but did not document that the updated software* had fixed the flaw in the release notes**. The ICS-CERT advisory is the first public notification of the problem."
* http://www.garrettcom.com/techsupport/sw_downloads_6k.htm

** PDF: http://www.garrettcom.com/techsupport/6k_dl/6k440_rn.pdf
___

JSAR-12-241-01 - Shamoon/DistTrack Malware
- https://www.us-cert.gov/control_systems/pdf/JSAR-12-241-01.pdf
Aug 29, 2012 - "This JSAR details "Shamoon," an information-stealing malware that also includes a destructive module."

> http://www.symantec.com/connect/blogs/shamoon-attacks-continue
3 Sep 2012

« Last Edit: October 04, 2012, 06:09:22 by AplusWebMaster »
« Reply #25 on: October 26, 2012, 11:41:25 »
AplusWebMaster (Global Moderator)

FYI...

- https://www.us-cert.gov/control_systems/ics-cert/

ICS-CERT ALERT - Increasing Threat to Industrial Control Systems
- https://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-046-01A.pdf
Oct 25, 2012 - "ICS-CERT is monitoring and responding to a combination of threat elements that increase the risk of control systems attacks. These elements include Internet accessible industrial control system (ICS) configurations, vulnerability and exploit tool releases for ICS devices, and increased interest and activity by hacktivist groups and others..."

> https://krebsonsecurity.com/2012/10/dhs-warns-of-hacktivist-threat-against-industrial-control-systems/
Oct 26, 2012
___

- http://www.h-online.com/security/news/item/ICS-CERT-warns-of-increasing-threat-to-industrial-control-systems-1739808.html?view=zoom;zoom=1
30 Oct 2012

« Last Edit: October 30, 2012, 19:48:30 by AplusWebMaster »
« Reply #26 on: January 25, 2013, 04:34:52 »
AplusWebMaster (Global Moderator)

FYI...

ICS-ALERT - Siemens PLC
- http://h-online.com/-1790903
24 Jan 2013 - "... Python script has been developed by security experts Alexander Timorin and Dmitry Sklyarov, both members of the SCADA StrangeLove research group. The tool uses a brute force attack to crack passwords for Siemens SIMATIC S7 programmable logic controllers. It does not, however, try out the passwords on the controller itself; instead it does so offline using recorded network traffic containing authentication events... control systems should not be accessible via the internet, they should be protected behind a firewall and should be isolated from company networks. Remote access should require a secure method such as VPN..."
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-13-016-02.pdf
Jan 16, 2013 - "ICS-CERT is aware of a public report of an offline brute-force password tool with proof-of-concept (PoC) exploit code targeting Siemens S7 programmable logic controllers. According to this report, a password can be obtained by offline password brute forcing the challenge-response data extracted from TCP/IP traffic file..."
