ICS & IoT Security News

8 Feb 2018
Cisco Aware of Attacks Exploiting Critical Firewall Flaw
US - Cisco informed customers on Wednesday that it has become aware of malicious attacks attempting to exploit a recently patched vulnerability affecting the company’s Adaptive Security Appliance (ASA) software. The flaw affects almost all products running ASA software. Cisco had first notified customers about the availability of fixes on January 29 (see SITREP32); the original advisory said the security hole was related to the webvpn feature. Cisco later discovered that more than a dozen other features were affected as well. The company released new patches this week after identifying new attack vectors and determining that the original fix had been incomplete.

[More: securityweek.com | bleepingcomputer.com | tools.cisco.com | nvd.nist.gov (CVE-2018-0101) ]

7 Feb 2018
European Sewage Plant Hit by Cryptocurrency Mining Malware
Europe - The attack is the first public discovery of an unauthorized cryptocurrency miner affecting industrial control systems (ICS) or SCADA (supervisory control and data acquisition) servers. Security firm Radiflow, which made the discovery, has determined that the cryptocurrency mining software was on the water utility's network for approximately three weeks before it was detected. The malware was probably installed after someone used a browser on a server to visit a website they shouldn't have. The servers were running Windows XP and CIMPLICITY SCADA software from GE Digital. The malware slows the HMI's response when monitoring time-sensitive changes on an ICS network.

[More: eweek.com | securityweek.com | theregister.co.uk ]

6 Feb 2018
Windows 10 Ransomware Protection Bypassed
Spain - Controlled Folder Access (CFA) in Windows 10, which Microsoft promoted as a reliable anti-ransomware measure under Windows Defender Exploit Guard in October 2017, can be easily bypassed with the use of 'boobytrapped' Office files, according to work from a security researcher based in Spain. According to the researcher, a ransomware developer could easily bypass Microsoft's CFA anti-ransomware feature by adding simple scripts that bypass CFA via OLE objects inside Office files, which are automatically whitelisted. Microsoft was informed about the findings, and the company confirmed that it would resolve the issue “through an improvement to the Controlled Folder Access functionality.” However, it appears that the tech giant doesn’t see the bug as a security vulnerability, “because Defender Exploit Guard isn't meant to be a security boundary.”

[More: bleepingcomputer.com | techrepublic.com | securityweek.com ]

1 Feb 2018
Flaws in Popular Gas Station Software Exposed for Abuse
Israel - The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers, or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store's network. An attacker could also simply alter fuel prices and steal petrol. The vulnerable system, SiteOmat automation software, belongs to an Israeli company named Orpak Systems, which makes fuel-management software. Besides discovering a great number of vulnerable Orpak gas station systems connected to the Internet, the researchers also found a user manual on Orpak's website that contained the default password. This would allow remote hackers to bypass the password protection on the front end of the system and access any Orpak gas station, whether or not the owner had changed the default password. In an unrelated case, a hacker was arrested in Russia for manipulating electronic gas pumps to con customers into paying for more fuel than was actually pumped into their tanks (see SITREP32).

[More: motherboard.vice.com | scmagazine.com | trendmicro.com ]

30 Jan 2018
ICS-CERT Updated Alert for ICS Product Vendors Affected by Meltdown & Spectre
US - The following product vendors have reported that they support products that use affected CPUs and have issued customer notifications with recommendations for users (NCCIC will update the list of vendors that have released customer notifications as additional information becomes available): ABB, Abbott, Becton, Dickinson and Company, Emerson, General Electric, Johnson and Johnson, Medtronic, OSIsoft, Philips, Rockwell Automation, Schneider Electric, Siemens, Smiths Medical. (See also SITREP 31.)

Separately, HIMA has released its own advisory on Meltdown and Spectre, which is available for download.

[More: ICS-ALERT-18-011-01C ]

29 Jan 2018
Cisco Patches Critical Vulnerability in ASA Devices & Software
US - Cisco announced Monday a critical vulnerability in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software that allows an unauthenticated, remote attacker to execute code or cause a system reload.

Several security appliances using ASA software are affected, including 3000 Series Industrial Security Appliances (ISA), ASA 5500 security appliances and firewalls, ASA services modules for Catalyst 6500 series switches and 7600 series routers, ASA cloud firewalls, ASAv virtual appliances, and various Firepower devices. Cisco has released fixes for each of the affected ASA releases, except for ones that are no longer supported.

[More: cyberscoop.com | securityweek.com | threatpost.com ]

28 Jan 2018
Malwarebytes Pushes Buggy Security Updates
US - Malwarebytes pushed out a protection update last Saturday that gobbled up memory and CPU resources and turned off web protection.

Unfortunately, even though a new update package was pushed out in about an hour, it did not fix the problem. Even after rebooting their computers, some users reported that their systems locked up as soon as the Malwarebytes Service process started, as it ate large amounts of RAM. Malwarebytes pushed out a second update to address the memory leak issue.

[More: csoonline.com | securityaffairs.co | securityweek.com ]
25 Jan 2018
Critical Vulnerability in China-based Nari’s PCS-9611 Allows Remote Read/Write Abilities
China - Kirill Nesterov and Alexey Osipov from Kaspersky Lab reported a vulnerability (CVSS v3 9.8) in the Nari PCS-9611 relay, a control and monitoring unit used mainly in the energy sector and throughout Asia; the flaw is remotely exploitable and requires a low skill level to exploit. An improper input validation vulnerability has been identified that affects a service within the software and may allow a remote attacker to arbitrarily read/access system resources and affect the availability of the system.

All versions of the PCS-9611 relay, a control and monitoring unit, are affected.

ICS-CERT reached out to China-based Nari and CNCERT but has not received a response.

[More: isssource.com | ics-cert (ICSA-18-025-01) | twitter.com ]

25 Jan 2018
Maersk Reinstalled 50,000 Computers in Under 10 Days After NotPetya Attack
Denmark - The world's largest container shipping company, A.P. Møller-Maersk, said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017. These new details came to light while Jim Hagemann Snabe, Chairman of A.P. Møller-Maersk, participated in a panel on securing the future of cyberspace at the World Economic Forum held in Davos, Switzerland. "Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT.

"It's almost impossible to even imagine. And we actually overcame that problem with human resilience," Snabe said. "We only had a 20% drop in volume, so we managed 80% of that volume manually. [...] Customers were great contributors to overcoming that."

[More: bleepingcomputer.com | theinquirer.net | youtube.com ]

Trainings & Events

A special discount of USD 200 is available for REDCONSA's partners. Please email advisors@redconsa.sg for more information.

REDCONSA Digital Publications

Latest Research Papers & Technical Instruction for ICS Against NotPetya Wiper Malware on Unpatched Windows Systems

Related Video Demonstrations on Mitigation Procedures

Last Line Of Defense Against NotPetya Wiper On Unpatched Windows Systems (Win 7 & 2008)

Last Line Of Defense Against NotPetya Wiper On Unpatched Windows Systems (Win XP & 2003)

Copyright © 2018 REDCON Security Advisors, All rights reserved.