
SCADA alerts/vulns...


27 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 24 March 2011 - 02:55 PM

FYI...

SCADA alerts/vulns posted...
- https://www.computer...ernment_warning
March 23, 2011 - "... U.S. CERT's Industrial Control Systems Cyber Emergency Response Team issued four alerts* on Monday..."
* What's New...: http://www.us-cert.g...ontrol_systems/
(All PDF files)

- http://www.us-cert.g...stems/ics-cert/

- http://www.informati...cleID=229400160
March 23, 2011

:!: :ph34r:

Edited by AplusWebMaster, 24 March 2011 - 08:02 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 12 May 2011 - 07:40 AM

FYI...

SCADA Alerts - ICONICS, Advantech, Samsung...
- http://www.us-cert.g...stems/ics-cert/
11 May 2011
• ICS-CERT Advisory ICSA-11-131-01 - ICONICS GENESIS32 and BizViz ActiveX Stack Overflow - "... stack overflow vulnerability affecting ICONICS GENESIS32 and BizViz products"
• ICS-CERT Alert ICS-ALERT-11-131-01 - Advantech Studio ISSymbol ActiveX Control Buffer Overflow Vulnerabilities - "... multiple buffer overflow vulnerabilities in Advantech ISSymbol ActiveX Control and Advantech Studio"
9 May 2011
• ICS-CERT Alert ICS-ALERT-11-129-01 - Samsung Data Management Server Root Access

- http://iconics.com/certs

- http://support.advan...rt/default.aspx

- http://www.samsung.com/us/support/
___

- http://isc.sans.edu/...l?storyid=10873
Last Updated: 2011-05-12 13:03:43 UTC

:ph34r: :!:

Edited by AplusWebMaster, 12 May 2011 - 10:28 AM.


#3 AplusWebMaster

Posted 25 May 2011 - 05:06 AM

FYI...

SCADA/Siemens vuln detail remains in fog...
- http://www.csoonline...a-security-talk
May 23, 2011 - "After a presentation on SCADA (supervisory control and data acquisition) system exploits was pulled at the last minute from the TakeDownCon conference, accusations began to swirl that NSS Labs, the company that helped fund the research, had been told by the Department of Homeland Security (DHS) to pull the talk that would have exposed existing flaws in certain Siemens systems used to control critical infrastructure... Vik Phatak, chief technology officer at NSS Labs. "Siemens found out, near the last minute, that the mitigation they had planned didn't work. It could be bypassed," Phatak says. According to Phatak, DHS pointed to a broad context of risks should the talk go forward without proper mitigation. Following that, NSS Labs independently chose to postpone the talk... Siemens and DHS ICS CERT are expected to release advisories and fixes for the vulnerabilities within the week, Phatak said..."
* http://www.takedownc...m/?page_id=1148
"Synopsis: Traditional perimeter network security is not a sufficient enough means on its own to defend against dynamic threats to applications already residing on enterprise systems and accessible over the Internet. Web-accessed databases are especially susceptible..."

- http://www.reuters.c...428619720110524
May 24, 2011

- http://www.us-cert.g...stems/ics-cert/

:scratchhead: :question:

Edited by AplusWebMaster, 25 May 2011 - 05:28 AM.


#4 AplusWebMaster

Posted 11 June 2011 - 06:50 AM

FYI...

ICS-Siemens patches released...
- https://www.computer...found_by_hacker
June 10, 2011 - "Siemens has fixed bugs in its Simatic S7 industrial computer systems, used to control machines on factory floors, power stations and chemical plants. The patches*, released Friday, mark Siemens' first response to a high-profile computer security incident since the Stuxnet worm, which was discovered a year ago circulating on computer networks in Iran. Siemens fixed a pair of flaws in the S7-1200 controller, acknowledging that one could be leveraged to take control of the system using what's known as a replay attack. A second flaw, in a Web server that ships with the device, could give attackers a way to crash the system. However, the attacker would have to first find a way onto the victim's network before launching these attacks..."
* http://support.autom...932&caller=view
Patch: http://support.autom...41886031/133100

- http://www.us-cert.g...stems/ics-cert/
ICS-ALERT-11-161-01 Siemens S7-1200 PLC - Fri, 10 June 2011 - "... Siemens has released a Siemens Security Advisory and patch for the Siemens S7-1200 PLCs."
* http://www.us-cert.g...T-11-161-01.pdf

- http://www.securityt....com/id/1025671
June 16 2011

- http://www.theinquir...aknesses-remain
Jun 13 2011 - "... there is a firmware update available for its S7-1200 programmable logic controller (PLC)... However, the United States Computer Emergency Readiness Team (US-CERT) claimed that the security patch only addresses "a portion" of the flaws*, although it confirmed the effectiveness of the patches and was working with Beresford and Siemens on other problems..."

:!:

Edited by AplusWebMaster, 18 June 2011 - 05:18 AM.


#5 AplusWebMaster

Posted 17 June 2011 - 07:47 AM

FYI...

ClearSCADA vuln - updates available
- http://secunia.com/advisories/44955/
Release Date: 2011-06-16
Criticality level: Moderately critical
Impact: Cross Site Scripting, System access
Where: From local network
Solution: Update to a fixed version. Please see the CERT advisory for more information.
US-CERT: http://www.us-cert.g...-10-314-01A.pdf

> http://www.us-cert.g...stems/ics-cert/

- http://www.securityt....com/id/1025672
- http://www.securityt....com/id/1025673
Jun 16 2011

- http://secunia.com/advisories/44990/
- http://secunia.com/advisories/45033/
Release Date: 2011-06-20
___

- http://www.reuters.c...E75G0CV20110617
Jun 16, 2011 - "... Sunway's products, widely used in China, are also deployed to a lesser extent in other countries including the United States... Beresford (NSS Labs) has worked with Sunway, Chinese authorities and the DHS to fix the bugs he found. Sunway has developed software patches to plug the holes..."

:!:

Edited by AplusWebMaster, 20 June 2011 - 06:44 AM.


#6 AplusWebMaster

Posted 07 July 2011 - 11:38 AM

FYI...

ICS-Cert Alert 11-186-01 - Siemens...
- http://www.us-cert.g...stems/ics-cert/
5 July 2011 - "ICS-ALERT-11-186-01 'Password Protection Vulnerability in Siemens SIMATIC Controllers S7-200, S7-300, S7-400 and S7-1200' - This ALERT warns that replay attack vulnerabilities affecting the S7-1200 also are verified to affect the SIMATIC S7-200, S7-300, and S7-400 PLCs"
(PDF file)

CSSP Recommended Practices
- http://www.us-cert.g..._Practices.html

Potential Password Security Weakness in SIMATIC Controllers
- http://support.autom...iew/en/51401544
2011-07-05

> http://www.h-online....le-1275226.html
7 July 2011
___

- http://secunia.com/advisories/45164/
Release Date: 2011-07-08
Impact: Exposure of sensitive information
Where: From local network
Operating System: Siemens SIMATIC S7-200, SIMATIC S7-300, SIMATIC S7-400
Solution: Restrict access to trusted hosts only.

Also see:
- http://secunia.com/advisories/44961/
Last Update: 2011-07-08

- http://www.securityt....com/id/1025751
Jul 7 2011
> http://support.autom...&objid=50182361
2011-05-10

:!:

Edited by AplusWebMaster, 08 July 2011 - 07:45 AM.


#7 AplusWebMaster

Posted 12 August 2011 - 04:54 AM

FYI...

Siemens SIMATIC S7-300 PLCs advisory
- http://www.securityt....com/id/1025912
Aug 10 2011
Version(s): S7-300
Description: A vulnerability was reported in Siemens SIMATIC S7-300 PLCs...
S7-400 PLCs are not affected... vendor's advisory is available at:
- http://support.autom...333&caller=view

Also see: https://www.us-cert....stems/ics-cert/
ICS-CERT advisory "ICSA-11-223-01 - Siemens SIMATIC PLCs Reported Issues Summary"

:ph34r:

#8 AplusWebMaster

Posted 01 September 2011 - 11:07 AM

FYI...

ICS-CERT SCADA Alerts update ...
> https://www.us-cert....stems/ics-cert/

ICS-ALERT-11-238-01A - Sunway ForceControl SCADA SEH (PDF)
- http://www.us-cert.g...-11-238-01A.pdf
31 Aug

Cyber Security for Industrial Control Systems... $4.1 Billion
- http://www.pikeresea...billion-by-2018
August 23, 2011

Siemens vuln - update available
- https://secunia.com/advisories/45770/
Release Date: 2011-09-01
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Siemens SIMATIC WinCC Flexible 2005, Flexible 2007, Flexible 2008
Solution: Apply patches... see vendor's advisory
Original Advisory: Siemens:
http://support.autom...&objid=50182361
2011-05-10
ICS-CERT: http://www.us-cert.g...A-11-175-02.pdf
July 1, 2011

> https://www.us-cert....rt/archive.html
See: ICS-CERT Advisory "ICSA-11-175-02 - Siemens WinCC Exploitable Crashes"

:ph34r: :ph34r:

#9 AplusWebMaster

Posted 06 September 2011 - 06:48 AM

FYI...

ClearSCADA vuln - updates available
- http://www.securityt....com/id/1026009
Sep 5 2011
Impact: User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2005, 2007, 2009, 2010 R1.0
Description: A vulnerability was reported in ClearSCADA. A remote user can access diagnostic functions on the target system...
Solution: The vendor has issued a fix (2010 R1.1).
Vendor URL: http://www.clearscada.com/
> http://resourcecente...SCADA 2010 R1.1

ICS-CERT SCADA Alerts update ...
> https://www.us-cert....stems/ics-cert/

- https://www.us-cert....A-11-173-01.pdf
Aug 25, 2011

:!: :ph34r:

#10 AplusWebMaster

Posted 19 September 2011 - 08:46 AM

FYI...

0-day SCADA systems flaws...
- https://www.computer...n_SCADA_systems
September 16, 2011 - "... disclosure prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities. The most recent flaws discovered... affect SCADA products from six vendors, including Rockwell Automation, Cogent Datahub, Measuresoft and Progea. Several of the flaws could enable remote execution attacks and denial-of-service attacks against the vulnerable systems... The disclosures prompted US-CERT's Industrial Control Systems Cyber Emergency Response Team* to issue advisories about the flaws..."
* http://www.us-cert.g...stems/ics-cert/

:ph34r: :!: :ph34r:

#11 AplusWebMaster

Posted 19 October 2011 - 05:41 AM

FYI...

Stuxnet2 - follow-up for SCADA systems - "DuQu"
- https://isc.sans.edu...l?storyid=11836
Last Updated: 2011-10-19 01:36:37 UTC - "... Symantec, McAfee and F-Secure*, to name a few security vendors, released information about what they are calling "DuQu"... because this malware creates some files on the user's temp folder, that starts with ~DQXXX.tmp (where the XXX can be any number)... There are several common aspects between DuQu and Stuxnet that leads to the conclusion that they were written by the same group. While the original Stuxnet was focused on Industrial systems, aka SCADA, this DuQu malware is mostly used on a recon process, and being used as an advanced RAT (Remote Administration Tool)... DuQu received commands via an encrypted config file, and seems to download a password stealer that is able to record several behaviors from user and machine and send to a Command and Control IP in India. Like some of the components of the original Stuxnet, this one was also able to decrypt and extract additional components embedded into other PE files... like Stuxnet, some components had a VALID digital signature..."
* http://www.f-secure....s/00002255.html

- https://www.us-cert....-11-291-01A.pdf
October 19, 2011
___

Duqu Q&A
- http://www.securewor...h/threats/duqu/
October 26, 2011
___

- http://www.malwareci...lware-1186.html
Oct 24, 2011

- http://blogs.cisco.c...e-next-stuxnet/
Mary Landesman | October 22, 2011 - "... Duqu is a trojan and is not self-propagating. Conversely, Stuxnet employed a very sophisticated system of self-propagation, including the use of the following exploits, four of which were zero-days at the time of discovery:
Windows Shell .LNK Vulnerability (MS10-046)
Print Spooler Vulnerability (MS10-061)
RPC Handling Vulnerability (MS08-067)
Windows Task Scheduler Vulnerability (MS10-092)
Win32k.sys Keyboard Layout Vulnerability (MS10-071) ...
Duqu appears to be part of a targeted attack designed to gain intelligence on sensitive systems. Targeted attacks, by nature, are not widespread. Thus far, Duqu has been detected at only a small number of companies, mainly in Europe..."
- http://tools.cisco.c...x?alertId=24425

- http://www.f-secure....s/00002257.html
October 21, 2011

:ph34r: :ph34r:

Edited by AplusWebMaster, 28 October 2011 - 12:44 PM.


#12 AplusWebMaster

Posted 30 October 2011 - 07:09 AM

FYI...

India "Duqu" server components confiscated
- http://www.reuters.c...E79R1G020111028
Oct 28, 2011 - "Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat. Two workers at a web-hosting company called Web Werks told Reuters that officials from India's Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu... The equipment seized from Web Werks, a privately held company in Mumbai with about 200 employees, might hold valuable data to help investigators determine who built Duqu and how it can be used... An official in India's Department of Information Technology who investigates cyber attacks also declined to discuss the matter..."
___

- http://www.us-cert.g...-11-291-01D.pdf
October 26, 2011 - "... determined after additional analysis that neither industrial control systems (ICSs) nor vendors/manufacturers were targeted by Duqu. In addition, as of October 21, 2011, there have been few infections, and there is no evidence based on current code analysis that Duqu presents a specific threat to ICSs. However, organizations should still remain vigilant against this and other sophisticated malware. ICS-CERT also recommends that the ICS community update intrusion prevention systems (IPSs) and antivirus systems to detect Duqu and other new threats. ICS-CERT will continue to analyze the malware, monitor the threat landscape, and report additional information as appropriate..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 30 October 2011 - 01:52 PM.


#13 AplusWebMaster

Posted 18 November 2011 - 09:55 AM

FYI...

Hacks destroy water utility pump
- http://www.theregist...utility_hacked/
17 November 2011 - "Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery... the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer's customers. The unknown attackers used IP addresses that originated in Russia... bare-bones details of the hack*..."
* http://community.con...
___

- http://www.wired.com...ater-pump/all/1
November 18, 2011

- http://www.cnn.com/2...tion/index.html
November 18, 2011

:question: https://www.us-cert....stems/ics-cert/

:grrr: :ph34r:

Edited by AplusWebMaster, 18 November 2011 - 08:16 PM.


#14 AplusWebMaster

Posted 23 November 2011 - 08:07 AM

FYI...

No evidence of a cyber intrusion in SCADA
- https://krebsonsecur...r-station-hack/
November 22, 2011 - "... in an email dispatch sent to state, local and industry officials late today, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that after detailed analysis, DHS and the FBI “have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.” The ICS-CERT continued:
“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available”..."

- http://h-online.com/-1383976
23 November 2011
___

SCADA hacks published on Pastebin
- https://isc.sans.edu...l?storyid=12088
Last Updated: 2011-11-23 15:50:30 UTC
___

- http://www.chron.com...tem-2277795.php
November 19, 2011 - "A hacker identified only as "pr0f" posted diagrams of the South Houston sewer system online to show how easy it is to infiltrate the system. South Houston Mayor Joe Soto said Saturday that no harm was done to the sewer system, and the control system known as Supervisory Control and Data Acquisition has been taken offline. "The plant runs automatically anyway," said Soto, who said he found out Friday about the hacking. "We just disconnected the SCADA system. That takes us off being online, where someone could change some of the operations on their own." The Department of Homeland Security and FBI are responding to the incident and will be investigating, Soto said..."

:blink:

Edited by AplusWebMaster, 24 November 2011 - 11:01 PM.


#15 AplusWebMaster

Posted 01 December 2011 - 04:20 AM

FYI...

FBI: 3 cities - SCADA networks compromised ...
- https://www.infoseci...A-Networks.html
November 30, 2011 - "Michael Welch, deputy assistant director of the FBI's Cyber Division, revealed that three U.S. cities recently experienced significant network intrusion events by unnamed attackers by way of poorly secured supervisory control and data acquisition (SCADA) networks... SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city," Welch said. The intrusions were characterized by Welch as "sort of a tease to law enforcement and the local city administration, saying 'I’m here, what are you going to do about it.' Essentially it was an ego trip for the hacker..." While Welch downplayed the intrusion, he was candid about the potential for mayhem had the attacker's intentions been more malicious..."

- http://www.informati...scada-fbi.thtml
29 November 2011

:!: :blink:

Edited by AplusWebMaster, 06 December 2011 - 06:53 AM.


#16 AplusWebMaster

Posted 14 December 2011 - 05:51 AM

FYI...

> https://www.us-cert....stems/ics-cert/

ICS-ALERT-11-346-01 SCHNEIDER ELECTRIC QUANTUM* ETHERNET MODULE - MULTIPLE VULNERABILITIES
- http://www.us-cert.g...T-11-346-01.pdf
December 12, 2011 - "... Multiple hardcoded credentials... enable access to the following services:
• Telnet port – May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• Windriver Debug port - Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• FTP service – May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords.
ICS-CERT is currently coordinating with Schneider Electric to develop mitigations. Additional information regarding the impact and mitigations will be issued as it becomes available..."
* http://products.schn...ms/quantum-plc/

- https://secunia.com/advisories/47019/
Release Date: 2011-12-14
Criticality level: Moderately critical
Impact: Security Bypass
Where: From local network
Solution Status: Unpatched
Operating System: Schneider Electric M340 Series Modules, Premium Series Modules, Quantum Series Modules, STB DIO Series Modules ...
... see the ICS-CERT's advisory for a list of affected products and versions.
Solution: Restrict access to trusted hosts only.
___

- http://h-online.com/-1395141
14 December 2011

:!: :ph34r:

Edited by AplusWebMaster, 15 December 2011 - 06:12 AM.


#17 AplusWebMaster

Posted 03 January 2012 - 03:02 PM

FYI...

Cyber threat to Power Grid ...
- http://www.forbes.co...estors-at-risk/
12/27/2011 - "The electric-utility industry’s concerns about cyber security has escalated sufficiently for several investor-owned utilities to include cyber-attacks as a material risk factor in recent filings with the U.S. Securities and Exchange Commission... the grid’s vulnerabilities to hackers are expanding... This grim conclusion is among the many grim findings of a major new study on the “Future of the Electric Grid*” by researchers at [MIT]."
Linked from: https://www.us-cert....systems/#tabs-4

* http://web.mit.edu/m...ion_Privacy.pdf
Pg. 2 of 38 - "... Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce attack vectors — paths that attackers can use to gain access to computer systems or other communicating equipment — that increase the risk of intentional and accidental communications disruptions. As the North American Electric Reliability Corporation (NERC) notes, these disruptions can result in a range of failures, including loss of control over grid devices, loss of communications between grid entities or control centers, or blackouts..."

:ph34r:

#18 AplusWebMaster

Posted 23 January 2012 - 06:45 AM

FYI...

> https://www.us-cert....stems/ics-cert/

Multiple PLC vulns- Major ICS vendors...
- https://www.us-cert....T-12-020-01.pdf
Jan. 20, 2011 - "... Project Basecamp team of researchers during Digital Bond’s SCADA Security Scientific Symposium (S4) on January 19, 2012, without coordination with either the vendors or ICS-CERT... findings include multiple zero-day vulnerabilities for several leading industrial control system (ICS) hardware Programmable Logic Controllers (PLCs). Major affected vendors include GE, Koyo, Rockwell, Schneider (Modicon), and Schweitzer. Exploit code was also released for the GE vulnerabilities. The affected PLCs are used to control functions in critical infrastructure in the chemical, energy, water, nuclear, and critical manufacturing sectors..."

Proof-of-concept exploits - multiple vulnerabilities in SCADA products demonstrated...
- https://www.computer...control_systems
January 20, 2012

- http://h-online.com/-1418921
23 January 2012
___

GE Energy - https://secunia.com/advisories/47632/
Release Date: 2012-01-20
Criticality level: Moderately critical
Impact: Exposure of sensitive information, System access
Where: From local network...

Koyo - https://secunia.com/advisories/47735/
Release Date: 2012-01-23
Impact: Cross Site Scripting, DoS
Where: From remote

Rockwell - https://secunia.com/advisories/47737/
Release Date: 2012-01-23
Criticality level: Moderately critical
Impact: DoS, System access, Exposure of system information
Where: From local network...

Schneider - https://secunia.com/advisories/47723/
Release Date: 2012-01-23
Impact: Cross Site Scripting, DoS
Where: From remote

Schweitzer - https://secunia.com/advisories/47739/
Release Date: 2012-01-23
Impact: DoS
Where: From local network...

:ph34r: :ph34r:

Edited by AplusWebMaster, 23 January 2012 - 09:02 AM.


#19 AplusWebMaster

Posted 25 January 2012 - 11:44 AM

FYI...

- https://www.us-cert....stems/ics-cert/
News Feed: 10K Reasons To Worry About Critical Infrastructure*
Tue, 24 Jan - "A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the Internet and found that many could be open to easy hack attacks, due to lax security practices."
* http://www.wired.com...systems-online/

:ph34r: :blink:

#20 AplusWebMaster

Posted 09 March 2012 - 01:09 PM

FYI...

SCADA exploits released...
- http://atlas.arbor.n...index#797484922
Severity: Elevated Severity
Published: Thursday, March 08, 2012 20:33
Security holes in selected SCADA software released to public causes outcry and increases risks along with awareness.
Analysis: It is strongly suggested that organizations running SCADA software affected by the Metasploit modules
- http://www.digitalbo...sploit-modules/
... ensure that those systems are protected or at least segregated appropriately from the Internet and internet networks in order to reduce attack surface. While the code release is controversial, the vulnerabilities at hand are a reminder that SCADA and industrial control systems suffer from some serious security issues that need further attention.
Source: http://go.bloomberg....r-the-bad-guys/
Mar 6, 2012

:( :blink: :ph34r:

#21 AplusWebMaster

Posted 30 April 2012 - 08:02 AM

FYI...

SCADA alert: Rugged Operating System (ROS) vuln
- http://www.kb.cert.org/vuls/id/889195
Last revised: 30 Apr 2012
Overview: RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password...
Workarounds: ROS users can disable the rsh service and set the number of allowed telnet connections to 0...
> http://www.ruggedcom...-security-page/
"... In the next few weeks, RuggedCom will be releasing new versions of ROS firmware that removes the undocumented factory account..."

- http://web.nvd.nist....d=CVE-2012-1803 - 8.5 (HIGH)
Last revised: 04/30/2012

> http://www.wired.com...-W.-Clarke1.jpg

- https://www.us-cert....-12-116-01A.pdf

US-CERT Recent Vulnerability Notes
- http://www.kb.cert.org/vuls

:!: :ph34r: :ph34r:

Edited by AplusWebMaster, 01 May 2012 - 02:33 PM.


#22 AplusWebMaster

Posted 08 May 2012 - 11:54 AM

FYI...

- https://www.us-cert....stems/ics-cert/

Spear-phish targeted at nat-gas-pipeline companies...
- https://www.us-cert....tor_Apr2012.pdf
Apr 2012 ICS newsletter- "In March, ICS-CERT identified an active series of cyber intrusions targeting natural gas pipeline sector companies. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign with spear-phishing activity dating back to as early as December 2011. Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. ICS-CERT has issued an alert (and two updates) to the US-CERT Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators..."
___

Alert: Major cyber attack aimed at natural gas pipeline companies
- http://atlas.arbor.net/briefs/
Severity: High Severity
Published: Monday, May 07, 2012 20:08
Natural gas pipeline infrastructure has been under focused cyber-attack since at least December 2011.
Analysis: The attack technique here is "spear phishing" - highly specific e-mail sent to targets of value, who open malicious documents or malicious links and then allow attackers inside the network. The attackers then move laterally until they find the resources and data they are after. The attacks are mentioned in the public document http://www.us-cert.g...tor_Apr2012.pdf
Source: Alert: http://www.csmonitor...eline-companies

Edited by AplusWebMaster, 09 May 2012 - 04:31 AM.

#23 AplusWebMaster
Posted 11 August 2012 - 05:46 PM

FYI...

> https://www.us-cert....stems/ics-cert/

Gauss - Information-Stealing Malware
JSAR-12-222-01— Joint Security Awareness Report
- https://www.us-cert....R-12-222-01.pdf
August 9, 2012 - "... According to Kaspersky, information is collected by Gauss using various modules and has the following functionality:
• injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• collecting information about the computer’s network connections,
• collecting information about processes and folders,
• collecting information about BIOS and CMOS RAM,
• collecting information about local, network and removable drives,
• infecting removable media drives with an information-stealing module in order to steal information from other computers,
• installing the custom “Palida Narrow” font (purpose unknown),
• ensuring the entire toolkit’s loading and operation, and
• interacting with the command and control server, sending the information collected to it, and downloading additional modules.
a. http://www.securelis...al_Distribution
... Kaspersky’s analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568), the same vulnerability exploited by Stuxnet. According to the report, the USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.
MITIGATION: At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical..."
___

Font installed with Gauss trojan...
- http://h-online.com/-1666328
13 August 2012

Online detection of Gauss
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
August 13, 2012
Kaspersky Lab offers an on-line mechanism to detect the font installed by the Gauss spying malware.
Analysis: Users that have Palida Narrow, an unusual font installed on their system should investigate why it is there. It may have been installed by the Gauss malware. At this time, there is no other known explanation why the font would be installed.
Source: http://www.securelis...ection_of_Gauss

Edited by AplusWebMaster, 15 August 2012 - 03:20 PM.
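The Arbor brief above says the only check currently available for Gauss is the presence of the "Palida Narrow" font. Kaspersky's page does that from a browser; the script below is an added example (not Kaspersky's or ICS-CERT's code) of the same check run on the host itself, by enumerating the per-machine and per-user Fonts registry keys and the %WINDIR%\Fonts directory and matching the names against an indicator list. The registry entries and file names in `SAMPLE_ENTRIES` are constructed so the matching logic can be exercised on any OS; the live enumeration only runs on Windows.

```python
"""Host-side check for the "Palida Narrow" font that the Gauss toolkit installs.

Added example, not code from the reports quoted above. The indicator list and
SAMPLE_ENTRIES are constructed for the demo.
"""
import os
import sys

# Indicator from the quoted reports: Gauss installs a font named "Palida Narrow".
FONT_INDICATORS = ("palida",)

REGISTRY_FONT_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"),
)


def find_font_indicators(entries, indicators=FONT_INDICATORS):
    """Return the entries whose font name or file name contains an indicator.

    `entries` is an iterable of (source, font_name, font_file) triples, where
    source is the registry hive or directory the entry came from. Matching is
    case-insensitive and covers both the display name and the file name.
    """
    hits = []
    for source, name, filename in entries:
        haystack = f"{name} {filename}".lower()
        if any(ind in haystack for ind in indicators):
            hits.append((source, name, filename))
    return hits


def collect_installed_fonts():
    """Enumerate fonts from the registry and the Fonts directory (Windows only)."""
    entries = []
    try:
        import winreg  # only present on Windows
    except ImportError:
        return entries
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive_name, subkey in REGISTRY_FONT_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries.append((hive_name, name, str(value)))
                    index += 1
        except OSError:  # key missing (HKCU has no Fonts key on older systems)
            continue
    fonts_dir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Fonts")
    if os.path.isdir(fonts_dir):
        for filename in os.listdir(fonts_dir):
            entries.append((fonts_dir, "", filename))
    return entries


# Constructed sample of what the registry enumeration returns; the Palida
# entry is the indicator, the other two are ordinary Windows fonts.
SAMPLE_ENTRIES = [
    ("HKLM", "Arial (TrueType)", "arial.ttf"),
    ("HKLM", "Palida Narrow (TrueType)", "palida.ttf"),
    ("HKCU", "Segoe UI (TrueType)", "segoeui.ttf"),
]

if __name__ == "__main__":
    live = collect_installed_fonts() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hit in find_font_indicators(live):
        print("indicator font present:", hit)
```

A hit is a reason to image the machine and look at the USB and browser-injection behaviour the JSAR lists, not proof by itself; the Arbor brief is careful to say only that no benign explanation for the font is known.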

#24 AplusWebMaster
Posted 06 September 2012 - 05:45 AM

FYI...

- https://www.us-cert....stems/ics-cert/

Automated Toolkits named in massive DDoS attacks against U.S. Banks
- https://threatpost.c...us-banks-100212
Oct 2, 2012
___

ICS-CERT Advisory "ICSA-12-243-01 - GarrettCom - Use of Hard-Coded Password"
- https://www.us-cert....A-12-243-01.pdf
Aug 30, 2012 - "This Advisory details a privilege-escalation vulnerability in the GarrettCom Magnum MNS-6K Management Software application via the use of a hard-coded password."

- http://h-online.com/-1701193
5 Sep 2012 - "... GarrettCom fixed the problem on 18 May 2012, but did not document that the updated software* had fixed the flaw in the release notes**. The ICS-CERT advisory is the first public notification of the problem."
* http://www.garrettco...ownloads_6k.htm

** PDF: http://www.garrettco...dl/6k440_rn.pdf
___

JSAR-12-241-01 - Shamoon/DistTrack Malware
- https://www.us-cert....R-12-241-01.pdf
Aug 29, 2012 - "This JSAR details "Shamoon," an information-stealing malware that also includes a destructive module."

> http://www.symantec....ttacks-continue
3 Sep 2012

Edited by AplusWebMaster, 04 October 2012 - 08:11 AM.
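The RuggedCom note quoted earlier on this page ("undocumented factory account") and the GarrettCom advisory in this post describe the same class of flaw: a credential compiled into the product that authenticates no matter what the administrator configured. The following is an added illustration of that pattern beside its fixed form. It is not code from either vendor; the account name `svc_factory`, its password, the user names, roles and hashes are all hypothetical.

```python
"""Undocumented factory account in a device login routine, beside the fix.

Added illustration of the vulnerability class in the RuggedCom and GarrettCom
advisories. Every credential and user record here is hypothetical.
"""
import hashlib
import hmac
import os

# --- vulnerable pattern -------------------------------------------------
# Hypothetical backdoor: a second code path accepts a constant credential that
# never appears in the configured user database and cannot be disabled.
FACTORY_USER = "svc_factory"      # hypothetical
FACTORY_PASS = "TestPass!2012"     # hypothetical


def login_vulnerable(user_db, username, password):
    """Return the role for a successful login, or None. Checks the factory account first."""
    if username == FACTORY_USER and password == FACTORY_PASS:
        return "admin"                   # undocumented; no config setting removes it
    record = user_db.get(username)
    if record is None:
        return None
    if record["password"] == password:   # plaintext store, plain == compare
        return record["role"]
    return None


# --- hardened pattern ---------------------------------------------------
def make_record(password, role, iterations=100_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations, "role": role}


def login_hardened(user_db, username, password):
    """Only accounts present in the configured database can authenticate."""
    record = user_db.get(username)
    if record is None:
        # Run the KDF anyway so unknown and known user names cost the same time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, 100_000)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):
        return record["role"]
    return None


# --- constructed configuration ------------------------------------------
# The operator configured exactly one account; nothing else should get in.
VULN_DB = {"operator": {"password": "op-secret", "role": "operator"}}
HARD_DB = {"operator": make_record("op-secret", "operator")}


def demo():
    """Same four logins against both routines; only the factory one differs."""
    return {
        "vuln_factory": login_vulnerable(VULN_DB, FACTORY_USER, FACTORY_PASS),
        "vuln_operator": login_vulnerable(VULN_DB, "operator", "op-secret"),
        "hard_factory": login_hardened(HARD_DB, FACTORY_USER, FACTORY_PASS),
        "hard_operator": login_hardened(HARD_DB, "operator", "op-secret"),
        "hard_wrong": login_hardened(HARD_DB, "operator", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a real device the fix is the vendor's firmware release without the account, which is why the h-online piece faults GarrettCom for shipping it silently: an operator who does not know the fix exists will not deploy it. What the operator can do in the meantime is alert on any successful login to a user name that is absent from the configured database, since that is the one thing a backdoor of this shape cannot avoid producing.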

#25 AplusWebMaster
Posted 26 October 2012 - 01:43 PM

FYI...

- https://www.us-cert....stems/ics-cert/

ICS-CERT ALERT - Increasing Threat to Industrial Control Systems
- https://www.us-cert....-12-046-01A.pdf
Oct 25, 2012 - "ICS-CERT is monitoring and responding to a combination of threat elements that increase the risk of control systems attacks. These elements include Internet accessible industrial control system (ICS) configurations, vulnerability and exploit tool releases for ICS devices, and increased interest and activity by hacktivist groups and others..."

> https://krebsonsecur...ontrol-systems/
Oct 26, 2012
___

- http://www.h-online....iew=zoom;zoom=1
30 Oct 2012

Edited by AplusWebMaster, 30 October 2012 - 09:46 PM.

#26 AplusWebMaster
Posted 25 January 2013 - 06:32 AM

FYI...

ICS-ALERT - Siemens PLC
- http://h-online.com/-1790903
24 Jan 2013 - "... Python script has been developed by security experts Alexander Timorin and Dmitry Sklyarov, both members of the SCADA StrangeLove research group. The tool uses a brute force attack to crack passwords for Siemens SIMATIC S7 programmable logic controllers. It does not, however, try out the passwords on the controller itself; instead it does so offline using recorded network traffic containing authentication events... control systems should not be accessible via the internet, they should be protected behind a firewall and should be isolated from company networks. Remote access should require a secure method such as VPN..."
- http://www.us-cert.g...T-13-016-02.pdf
Jan 16, 2013 - "ICS-CERT is aware of a public report of an offline brute-force password tool with proof-of-concept (PoC) exploit code targeting Siemens S7 programmable logic controllers. According to this report, a password can be obtained by offline password brute forcing the challenge-response data extracted from TCP/IP traffic file..."
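The alert's point is that the brute force happens offline: once one authentication exchange has been sniffed, every guess is checked against the recorded challenge and response on the attacker's machine, so the PLC's lockout, logging and latency never come into play. The script below is an added example of that attack shape, not the SCADA StrangeLove tool. The keyed-hash scheme it uses (response = HMAC-SHA1 keyed with SHA1(password) over a 20-byte challenge) is an assumption chosen for illustration and is not claimed to be the Siemens S7 scheme; the captured exchange, the password and the wordlist are all constructed.

```python
"""Offline brute force of a captured challenge/response exchange.

Added example. The authentication scheme below is an assumed, illustrative
construction, not the S7 protocol; capture, password and wordlist are
constructed. The attack works the same way for any scheme in which the only
secret the responder holds is the password.
"""
import hashlib
import hmac


def compute_response(password: str, challenge: bytes) -> bytes:
    """Assumed scheme: HMAC-SHA1 over the challenge, keyed with SHA1(password)."""
    key = hashlib.sha1(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha1).digest()


def brute_force(challenge: bytes, response: bytes, wordlist):
    """Try each candidate offline; return (password, attempts) or (None, attempts).

    No network traffic, no lockout counter, no log entry on the controller:
    the guess rate is bounded only by the attacker's CPU.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hmac.compare_digest(compute_response(candidate, challenge), response):
            return candidate, attempts
    return None, attempts


# Constructed "capture": what a sniffer extracts from one authentication
# exchange, the 20-byte challenge the PLC sent and the client's response.
CAPTURED_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f001122334")
TRUE_PASSWORD = "s7pass01"                      # constructed
CAPTURED_RESPONSE = compute_response(TRUE_PASSWORD, CAPTURED_CHALLENGE)

# Constructed wordlist standing in for a real one (vendor defaults plus a
# dictionary); the true password sits a few entries in.
WORDLIST = ["admin", "1234", "siemens", "password", "s7pass01", "plc2013"]


def demo():
    return brute_force(CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)


if __name__ == "__main__":
    found, tried = demo()
    print(f"recovered password: {found!r} after {tried} offline attempts")
```

The mitigation the h-online article lists (no internet exposure, firewall, VPN for remote access) is what keeps the exchange off a network an attacker can sniff. Once an exchange has been captured there is nothing left to rate-limit; changing the password is the only remediation, and the same capture is available to anyone who taps the control network, including an IDS sensor, so the pcap archives themselves deserve the same protection as the password.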

#27 AplusWebMaster
Posted 29 September 2013 - 08:53 AM

FYI...

- https://www.us-cert....stems/ics-cert/

Watering-Hole Attacks Target Energy Sector
- https://ics-cert.us-...t-Energy-Sector
09/20/2013 - "... Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack* targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host."
* http://blogs.cisco.c...-energy-sector/
"... Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host. Observed watering-hole style domains containing the malicious iframe... the largest percent of visitors were expectedly from the financial and energy sectors – an audience concentration that is also consistent with the nature of watering-hole style attacks.
> http://blogs.cisco.c...ds/topvert.jpeg
... Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit..."

- https://web.nvd.nist...d=CVE-2013-1347 - 9.3 (HIGH)
Last revised: 05/16/2013
- https://web.nvd.nist...d=CVE-2013-1690 - 9.3 (HIGH)
Last revised: 08/22/2013
- https://web.nvd.nist...d=CVE-2012-1723 - 10.0 (HIGH)
Last revised: 08/22/2013
___

- http://atlas.arbor.net/briefs/
Oil, Energy Watering Hole Attacks Could Be Tied to DOL Attacks*
High Severity
September 20, 2013 21:24
Targeted attacks towards the oil and energy sector continue. Legitimate sites were compromised and used in a "watering hole" campaign which was used to focus the target audience and compromise their systems with a Remote Access Trojan (RAT).
Analysis: ... a Firefox exploit was used in this campaign... The Poison Ivy RAT was used here, and while it is easily available, its continued use in various attack campaigns suggests that better monitoring processes should be implemented in order to detect its network and host fingerprints... Targeted attacks will certainly continue, and as defenses increase, the attackers' tactics and procedures will evolve. Defenders must be vigilant in protecting their assets..."
* http://www.darkreadi...endly=this-page

- http://www.infosecur...tacks/1009.aspx
9/23/2013 - "... The probability of success is significantly higher for watering hole attacks since the attacker has used the tracking service’s data to confirm that traffic to the site is both allowed and frequent. When a user visits the site, the malicious code redirects the user’s browser to a malicious site so the user’s machine can be assessed for vulnerabilities. The trap is sprung... The user’s computer is assessed for the right set of vulnerabilities and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user’s access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they’ve gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening."
Edited by AplusWebMaster, 29 September 2013 - 10:34 AM.
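The Cisco and Infosecurity passages above describe the mechanics: a sector site the target audience already visits is made to carry an iframe or redirect, the visitor's browser is sent to a second compromised host, and that host profiles and exploits it. In a web proxy log this shows up as a request whose Referer is the trusted site and whose destination is a host the organisation otherwise never contacts. Below is an added detection example over such a log (not Cisco, Arbor or ICS-CERT code). The log lines, host names and the watchlist of sector sites are all constructed; the rarity threshold is the one knob, since a CDN referenced by the same site is also a third-party host but is fetched by everyone.

```python
"""Hunt for watering-hole redirect chains in web-proxy logs.

Added example. Log lines, host names and WATCHED_REFERERS are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: sector sites this organisation's users are expected to visit.
WATCHED_REFERERS = {"energy-news.example", "pipeline-association.example"}

# Constructed proxy log, space separated: time client url referer status
SAMPLE_LOG = """\
09:01:02 10.1.1.20 http://energy-news.example/ - 200
09:01:03 10.1.1.20 http://energy-news.example/js/site.js http://energy-news.example/ 200
09:01:03 10.1.1.20 http://cdn-static.example/lib.js http://energy-news.example/ 200
09:01:04 10.1.1.20 http://rdr-host.example/g.php http://energy-news.example/ 302
09:01:05 10.1.1.20 http://payload-host.example/x.jar http://rdr-host.example/g.php 200
09:15:10 10.1.1.21 http://energy-news.example/ - 200
09:15:11 10.1.1.21 http://cdn-static.example/lib.js http://energy-news.example/ 200
10:02:00 10.1.1.22 http://cdn-static.example/lib.js http://pipeline-association.example/ 200
"""


def parse(log_text):
    """Split each line into a dict with the request host and Referer host."""
    rows = []
    for line in log_text.splitlines():
        ts, client, url, referer, status = line.split()
        rows.append({
            "ts": ts,
            "client": client,
            "status": int(status),
            "url": url,
            "host": urlsplit(url).hostname,
            "referer_host": urlsplit(referer).hostname if referer != "-" else None,
        })
    return rows


def find_redirect_chains(rows, max_clients=1):
    """Flag requests that leave a watched site for a host seen by few clients.

    `max_clients` is the rarity threshold: a third-party host fetched by many
    clients (CDN, analytics) is normal background; one fetched by a single
    client straight off a sector site is the shape of an injected iframe.
    For each flagged request the function also walks one hop further and
    reports whatever the same client fetched with that host as Referer, so the
    exploit/malware host behind the redirector is listed too.
    """
    clients_per_host = defaultdict(set)
    for r in rows:
        clients_per_host[r["host"]].add(r["client"])

    flagged = []
    for r in rows:
        ref = r["referer_host"]
        if (ref in WATCHED_REFERERS and r["host"] != ref
                and len(clients_per_host[r["host"]]) <= max_clients):
            flagged.append(r)
            for nxt in rows:
                if nxt["client"] == r["client"] and nxt["referer_host"] == r["host"]:
                    flagged.append(nxt)
    return flagged


def demo():
    return [(r["client"], r["host"]) for r in find_redirect_chains(parse(SAMPLE_LOG))]


if __name__ == "__main__":
    for client, host in demo():
        print(f"{client} -> {host}")
```

The output names the redirector and the host it handed the client to, which is the pair the Cisco post says the campaign was built from; the CDN fetched by all three clients is not reported. Raising `max_clients` trades false negatives for false positives once a compromised site has been live long enough for several people to hit it.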

#28 AplusWebMaster
Posted 26 June 2014 - 09:40 AM

FYI...

- https://ics-cert.us-cert.gov/

ICS-ALERT-14-176-02A - ICS Focused Malware
- https://ics-cert.us-...LERT-14-176-02A
Last revised: July 01, 2014 (Update A) - "... follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-176-02 ICS Focused Malware that was published June 25, 2014 on the ICS-CERT web site, and includes information previously published to the US-CERT secure portal... These include phishing emails, redirects to compromised web sites and most recently, trojanized update installers on at least 3 industrial control systems (ICS) vendor web sites, in what are referred to as watering hole-style attacks... Based on information ICS-CERT has obtained from Symantec* and F-Secure**, the software installers for these vendors were infected with malware known as the Havex Trojan..."
June 25, 2014 - "... NCCIC/ICS-CERT is aware of reports of malware targeting industrial control systems (ICSs) that are being distributed via compromised ICS vendor web sites. The ICS vendor web sites were reportedly found to have their products’ downloadable software installer -infected- with a backdoor Trojan known as the Havex Trojan. Customers of these vendors that visited a compromised site, downloaded, and installed the trojanized software could be compromised. This could allow attackers access to their networks including those that operate critical infrastructure. In addition, ICS-CERT is conducting analysis to determine possible linkages between this activity and previous watering-hole compromises and malware campaigns...
* http://www.symantec....sabotage-threat

- http://www.symantec....y_Suppliers.pdf
July 2, 2014 - pg 17:
Trojan.Karagany
• 91.203.6.71   : https://www.virustot...71/information/
• 93.171.216.118: https://www.virustot...18/information/
• 93.188.161.235: https://www.virustot...35/information/

** http://www.f-secure....s/00002718.html

- https://ics-cert.us-.../ICSA-14-178-01
June 30, 2014 | Last revised: July 01, 2014
___

- http://atlas.arbor.n...ndex#-203181723
Elevated Severity
26 Jun 2014
The Havex RAT (Remote Access Trojan) has previously been profiled due to its use in targeted attacks against industry sectors. Recently, the malware has been used to “trojanize” software available for download from legitimate ICS/SCADA vendor websites.
Analysis: This is most likely accomplished by exploiting vulnerabilities in the software running the websites. [ http://www.f-secure....s/00002718.html ] The group behind the malware has been identified by security company CrowdStrike as “Energetic Bear”. [ http://www.crowdstri...Report_2013.pdf ] ICS/SCADA systems, which are known to be brittle and vulnerable, are frequently targeted by attackers. Those in the critical infrastructure sector would benefit from a continuous review of the network traffic and host activity associated with any SCADA/ICS system. In particular, information on the Havex malware and the group behind these attacks should be reviewed.

Edited by AplusWebMaster, 17 September 2014 - 02:29 PM.
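Two checks follow from the Havex alert above: an installer pulled from a vendor site has to be verified against a hash obtained somewhere other than that site (the site is exactly what was compromised), and outbound connection logs should be swept for the Trojan.Karagany addresses the post lists from the Symantec report. The script below is an added example of both; it is not ICS-CERT, Symantec or F-Secure code. The installer bytes, the "published" hash and the flow log lines are constructed, and the log format is an assumption; the three IP addresses are the ones quoted in the post.

```python
"""Installer hash verification and C2 indicator sweep for the Havex case.

Added example. Installer bytes, the published hash and SAMPLE_FLOWS are
constructed; the C2 addresses are the ones quoted in the post from the
Symantec report.
"""
import hashlib
import ipaddress

# Trojan.Karagany addresses quoted in the post (Symantec report, p. 17).
KARAGANY_C2 = {"91.203.6.71", "93.171.216.118", "93.188.161.235"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_matches(data: bytes, published_sha256: str) -> bool:
    """True only if the download hashes to the out-of-band published value.

    The value must come from a channel the attacker did not control: a signed
    release note, a support e-mail, a hash printed in documentation shipped
    with the hardware. A hash scraped from the same download page proves
    nothing once that page has been replaced.
    """
    return sha256_hex(data) == published_sha256.strip().lower()


# Constructed "installers": the genuine build and a copy with bytes appended,
# the simplest form a trojanized installer can take. (Real trojanized builds
# are rebuilt wrappers, but any change at all breaks the hash the same way.)
GENUINE_INSTALLER = b"MZ" + b"\x90" * 64 + b"vendor setup v4.4"
PUBLISHED_SHA256 = sha256_hex(GENUINE_INSTALLER)   # stands in for the vendor's note
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00dropper"


def find_c2_contacts(log_lines, indicators=KARAGANY_C2):
    """Return (src, dst, dst_port) for each flow whose destination is an indicator.

    Assumed line shape (constructed for the demo): 'src_ip dst_ip dst_port proto'.
    Malformed lines are skipped so one bad record does not abort the sweep.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        src, dst, port = parts[0], parts[1], parts[2]
        try:
            ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if dst in indicators:
            hits.append((src, dst, port))
    return hits


# Constructed flow records; non-indicator destinations use RFC 5737 test ranges.
SAMPLE_FLOWS = [
    "10.20.30.5 93.171.216.118 443 tcp",
    "10.20.30.5 198.51.100.10 443 tcp",
    "10.20.31.7 91.203.6.71 80 tcp",
    "malformed line",
    "10.20.30.9 203.0.113.5 53 udp",
]


def demo():
    return {
        "genuine_ok": installer_matches(GENUINE_INSTALLER, PUBLISHED_SHA256),
        "trojanized_ok": installer_matches(TROJANIZED_INSTALLER, PUBLISHED_SHA256),
        "c2_hits": find_c2_contacts(SAMPLE_FLOWS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A hit in the flow sweep identifies a host to image, not the vendor software to blame; the ICS-CERT update says three vendor sites were involved, so the installer check should be run on anything downloaded in that window, whether or not the host has contacted a listed address.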
