ICS & IoT Security News

30 Jan 2018
ICS-CERT Updated Alert for ICS Product Vendors Affected by Meltdown & Spectre
US - The following product vendors have reported that they support products that use affected CPUs and have issued customer notifications with recommendations for users (NCCIC will update the list of vendors that have released customer notifications as additional information becomes available): ABB, Abbott, Becton, Dickinson and Company, Emerson, General Electric, Johnson and Johnson, Medtronic, OSIsoft, Philips, Rockwell Automation, Schneider Electric, Siemens, Smiths Medical. Also See SITREP 31

Separately, HIMA has released its own advisory on Meltdown and Spectre, which can be downloaded here

[More: ICS-ALERT-18-011-01C ]

29 Jan 2018
Cisco Patches Critical Vulnerability in ASA Devices & Software
US - Cisco announced Monday a critical vulnerability in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software that allows an unauthenticated, remote attacker to execute code or cause a system reload.

Several security appliances using ASA software are affected, including 3000 Series Industrial Security Appliances (ISA), ASA 5500 security appliances and firewalls, ASA services modules for Catalyst 6500 series switches and 7600 series routers, ASA cloud firewalls, ASAv virtual appliances, and various Firepower devices. Cisco has released fixes for each of the affected ASA releases, except for ones that are no longer supported.

[More: cyberscoop.com | securityweek.com | threatpost.com ]

28 Jan 2018
Malwarebytes Pushes Buggy Security Updates
US - Malwarebytes pushed out a protection update last Saturday that consumed excessive memory and CPU resources and turned off web protection.

Unfortunately, even though a new update package was pushed out in about an hour, it did not fix the problem. Even after rebooting their computers, some users reported that their systems locked up as soon as the Malwarebytes Service process started, as it ate large amounts of RAM. Malwarebytes pushed out a second update to address the memory leak issue.

[More: csoonline.com | securityaffairs.co | securityweek.com ]
25 Jan 2018
Critical Vulnerability in China-based Nari's PCS-9611 Allows Remote Read/Write Abilities
China - Kirill Nesterov and Alexey Osipov from Kaspersky Lab reported a remotely exploitable vulnerability (CVSS v3 9.8) that requires a low skill level to exploit in the Nari PCS-9611 relay, a control and monitoring unit used mainly in the energy sector and throughout Asia. An improper input validation vulnerability has been identified in a service within the software that may allow a remote attacker to arbitrarily read or access system resources and affect the availability of the system.

All versions of the PCS-9611 relay, a control and monitoring unit, are affected.

ICS-CERT reached out to China-based Nari and CNCERT but has not received a response.

[More: isssource.com | ics-cert (ICSA-18-025-01) | twitter.com ]

25 Jan 2018
Maersk Reinstalled 50,000 Computers in Under 10 Days After NotPetya Attack
Denmark - The world's largest container shipping company, A.P. Møller-Maersk, said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017. These new details came to light while Jim Hagemann Snabe, Chairman of A.P. Møller-Maersk, participated in a panel on securing the future of cyberspace at the World Economic Forum held in Davos, Switzerland. "Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT.

"It's almost impossible to even imagine. And we actually overcame that problem with human resilience," Snabe said. "We only had a 20% drop in volume, so we managed 80% of that volume manually. [...] Customers were great contributors to overcoming that."

[More: bleepingcomputer.com | theinquirer.net | youtube.com ]

25 Jan 2018
Tel Aviv-Based Railway Cybersecurity Startup Cylus Raises $4.7 Million in Seed Round
Israel - Cylus, an Israel-based startup that specializes in railway cybersecurity solutions, emerged from stealth mode with $4.7 million in seed funding. Investors include Tel Aviv-based venture capital firm Magma Venture Partners General Partner Ltd., the Israel branch of Vertex Venture Capital, Tokyo-based SBI Holdings Inc. and Israeli cybersecurity entrepreneur Zohar Zisapel. Cylus is a pioneer in protecting railway and metro systems from a growing number of cyber-threats. Researchers have warned on several occasions in the past years that modern railway systems are vulnerable to cyber-attacks, and the rail industry has been targeted by both cyber criminals and state-sponsored cyber-spies.

[More: securityweek.com | railnews.in | calcalistech.com ]

21 Jan 2018
Hacker Infects Gas Pumps with Code to Cheat Customers
Russia - The Russian Federal Security Service (FSB) arrested hacker Denis Zayev in Stavropol on charges that he created several software programs designed to swindle gas customers. The software, which was found only at gas stations located predominantly in the south of Russia, manipulates electronic gas pumps to con customers into paying for more fuel than was actually pumped into their tanks. Not only did the pumps display false data, but so did cash registers and back-end systems, cloaking sales data tied to the sale of a station's illicit surplus gasoline.
[More: threatpost.com | rosbalt.ru | securityaffairs.co ]

16 Jan 2018
Researchers Offer a 'VirusTotal for ICS'
US - S4x18 CONFERENCE, Miami - A team of researchers plans to release an open source online tool for capturing and vetting industrial control system (ICS) malware samples that operates as a sandbox with honeypot features. David Atch, vice president of research for CyberX, outlined details of the free, Web-based sandbox tool he and his team initially developed for research purposes. "It's like a VirusTotal for ICS," he explained in an interview.
[More: darkreading.com ]

16 Jan 2018
Trisis Has Mistakenly Been Released on the Open Internet
Germany - The source code of Trisis, an ICS malware targeting Schneider Electric's Triconex Safety Systems, has been available for nearly anyone to copy since Dec. 22. Schneider Electric mistakenly posted a sensitive computer file related to Trisis, Library.zip, to VirusTotal for scanning, three sources familiar with the matter told CyberScoop. Library.zip holds the backbone of a dangerous malware framework known as "Trisis" or "Triton," according to research by U.S. cybersecurity companies Dragos Inc. and FireEye. The upload to VirusTotal, a public malware repository, provided the remaining puzzle piece needed for someone to reconstruct Trisis from publicly available artifacts. Shortly after posting to VirusTotal, Schneider Electric received a request from a third party to take the file down, and promptly complied with that request. See related SITREP 26.
[More: cyberscoop.com | github.com ]

Copyright © 2018 REDCON Security Advisors, All rights reserved.