ICS & IoT Security News

9 Feb 2018
Russian Nuclear Scientists Arrested for 'Bitcoin Mining Plot'
Russia - Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining cryptocurrency. According to media reports, the suspects tried to use one of Russia's most powerful supercomputers to mine Bitcoin. The supercomputer was deliberately kept off the internet to prevent intrusion, and the attempt to connect it triggered an alert in the nuclear centre's security department. The suspects were handed over to the Federal Security Service (FSB), the Russian news service Mash says. This is the second report of high-value computing or control-system resources being diverted to cryptocurrency mining, after the European water utility case reported below (SITREP 34); in that case, however, the miner was malware rather than the deliberate act of an insider.

[More: bbc.com | thehackernews.com | theverge.com ]

8 Feb 2018
Cisco Aware of Attacks Exploiting Critical Firewall Flaw
US - Cisco informed customers on Wednesday that it has become aware of attacks attempting to exploit a recently patched vulnerability (CVE-2018-0101) in the company's Adaptive Security Appliance (ASA) software. The flaw affects almost all products running ASA software. Cisco first notified customers of the availability of fixes on January 29 (SITREP 32); that advisory initially attributed the security hole to the webvpn feature alone, but Cisco later found that more than a dozen other features were affected as well. The company released new patches this week after identifying new attack vectors and determining that the original fix was incomplete, so administrators who patched against the January advisory should confirm they are running the updated fixed releases.

[More: securityweek.com | bleepingcomputer.com | tools.cisco.com | nvd.nist.gov (CVE-2018-0101) ]

7 Feb 2018
European Sewage Plant Hit by Cryptocurrency Mining Malware
Europe - The attack is the first public discovery of an unauthorized cryptocurrency miner impacting industrial control systems (ICS) or SCADA (supervisory control and data acquisition) servers. Security firm Radiflow, which made the discovery, determined that the mining software had been on the water utility's network for approximately three weeks before it was detected. The malware was probably installed after someone used a browser on one of the servers to visit a website they should not have. The servers were running Windows XP and CIMPLICITY SCADA software from GE Digital. The miner's CPU and network load slows the HMI's response when operators are monitoring time-sensitive changes on the ICS network, and the unexpected outbound connections from a server that should have no business on the internet were what eventually gave it away.
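Both the Russian supercomputer case and this one were ultimately visible as the same signal: a host that by policy should never talk to the internet initiating outbound connections. The following script is an added example (not code from Radiflow, the utility or the original report) of that detection run over constructed firewall log lines. The key=value log format, host names, addresses and the isolated-host list are all assumptions for illustration; the destination addresses are RFC 5737 documentation ranges standing in for public addresses, which is why "external" is defined as anything outside the RFC 1918 prefixes rather than via Python's is_global (which treats documentation ranges as non-global).

```python
"""Flag internet-bound connections from hosts that are supposed to be isolated.

Added example with constructed data: the log format, host names and addresses
below are illustrative assumptions, not data from the incidents described above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Hosts that by policy must never initiate connections to the internet, e.g. a
# SCADA/HMI server or an air-gapped compute cluster head node (assumed names).
ISOLATED_HOSTS = {
    "10.20.1.15": "hmi-01 (CIMPLICITY server)",
    "10.20.1.16": "hmi-02",
    "10.50.0.2": "hpc-headnode",
}

# Anything outside these prefixes is treated as external. Defined explicitly
# rather than via ipaddress.is_global so the RFC 5737 documentation addresses
# used in the sample log count as "internet" destinations.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed firewall/netflow export in a simple key=value format.
SAMPLE_LOG = """\
ts=2018-02-01T09:12:03Z src=10.20.1.15 dst=10.20.1.3 dport=502 proto=tcp action=allow
ts=2018-02-01T09:12:07Z src=10.20.1.15 dst=203.0.113.44 dport=443 proto=tcp action=allow
ts=2018-02-01T09:12:09Z src=10.20.1.15 dst=198.51.100.9 dport=3333 proto=tcp action=allow
ts=2018-02-01T09:13:00Z src=10.20.1.16 dst=10.20.1.3 dport=502 proto=tcp action=allow
ts=2018-02-01T09:15:41Z src=10.50.0.2 dst=192.0.2.77 dport=80 proto=tcp action=deny
ts=2018-02-01T09:16:02Z src=10.20.9.9 dst=203.0.113.44 dport=443 proto=tcp action=allow
"""

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    dst: str
    dport: int
    action: str


def is_external(addr: str) -> bool:
    """True if addr lies outside every internal prefix."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def detect_egress(log_text: str) -> List[Finding]:
    """Return every connection attempt from an isolated host to an external address.

    Denied attempts are reported too: the attempt itself is the policy violation,
    which is exactly what alerted the Russian facility's security department.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        src, dst = fields.get("src"), fields.get("dst")
        if src not in ISOLATED_HOSTS or dst is None or not is_external(dst):
            continue
        findings.append(Finding(
            ts=fields.get("ts", "?"), src=src, host=ISOLATED_HOSTS[src], dst=dst,
            dport=int(fields.get("dport", 0)), action=fields.get("action", "?"),
        ))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count violations per isolated host, for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_egress(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} ({f.src}) -> {f.dst}:{f.dport} [{f.action}]")
    print(summarize(hits))
```

Run against the constructed log, the HMI server is flagged twice (an HTTPS connection and one to port 3333) and the compute head node once for a denied HTTP attempt; the engineering workstation 10.20.9.9 reaching the same external address is ignored because it is not on the isolated list. In practice the isolated-host list comes from the asset inventory and the log from the OT/IT boundary firewall, and any hit at all should page someone.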

[More: eweek.com | securityweek.com | theregister.co.uk ]

6 Feb 2018
Windows 10 Ransomware Protection Bypassed
Spain - Controlled Folder Access (CFA) in Windows 10, which Microsoft promoted as a reliable anti-ransomware measure when it shipped as part of Windows Defender Exploit Guard in October 2017, can be bypassed with booby-trapped Office files, according to a security researcher based in Spain. CFA only allows whitelisted applications to write to protected folders, and Office applications are whitelisted automatically. According to the researcher, a ransomware developer could therefore bypass the feature with simple scripts delivered through OLE objects embedded in Office files, since the writes are performed by a trusted Office process. Microsoft was informed of the findings and confirmed that it would resolve the issue "through an improvement to the Controlled Folder Access functionality." However, the company does not appear to regard the bug as a security vulnerability, "because Defender Exploit Guard isn't meant to be a security boundary."
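Because the described bypass rides on Office's whitelisted status, the practical defence is not to trust the Office process but to triage what a document carries before it is opened. The script below is an added example (not code from the researcher or from Microsoft) that inventories embedded OLE objects and VBA projects in an OOXML .docx package. It relies only on the public package layout: embedded objects live under word/embeddings/ and are referenced from .rels files with the oleObject or package relationship type, a macro project is word/vbaProject.bin with its own relationship type, and OLE2 compound files start with the D0 CF 11 E0 A1 B1 1A E1 signature. The sample document is constructed in memory; its stand-in payload is just that signature plus padding, not a real object.

```python
"""Inventory embedded OLE objects and VBA projects in an OOXML .docx package.

Added example: the document is constructed in memory below. Only the OOXML part
names, relationship types and the OLE2 signature are real; nothing here comes
from the researcher's files.
"""
import io
import xml.etree.ElementTree as ET  # for genuinely untrusted input prefer defusedxml
import zipfile
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPES = {
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
}
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file signature


def scan_docx(data: bytes) -> Dict[str, object]:
    """Report every embedded part, OLE relationship and macro project the package declares."""
    report: Dict[str, object] = {
        "embedded_parts": [], "cfb_parts": [], "ole_relationships": [], "vba_project": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                report["embedded_parts"].append(name)
                if zf.read(name)[:8] == CFB_MAGIC:  # an actual OLE2 container, not e.g. an image
                    report["cfb_parts"].append(name)
            elif name.lower() == "word/vbaproject.bin":
                report["vba_project"] = True
            elif name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    rtype, target = rel.get("Type", ""), rel.get("Target", "")
                    if rtype in OLE_REL_TYPES:
                        report["ole_relationships"].append((name, target))
                    elif rtype == VBA_REL_TYPE:
                        report["vba_project"] = True
    return report


def needs_review(report: Dict[str, object]) -> bool:
    """Policy hook: embedded objects or macros mean the file should not be trusted
    merely because a whitelisted Office process will be the one touching disk."""
    return bool(report["embedded_parts"] or report["ole_relationships"] or report["vba_project"])


# Minimal constructed package parts (enough for the scanner, not a full Word file).
_CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
_ROOT_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)
_DOCUMENT = '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'


def build_sample_docx(embed_ole: bool) -> bytes:
    """Constructed .docx; with embed_ole=True it carries one embedded OLE part."""
    rels: List[str] = []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _ROOT_RELS)
        zf.writestr("word/document.xml", _DOCUMENT)
        if embed_ole:
            rels.append('<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>')
            # Stand-in payload: OLE2 signature plus zero padding, not a real object.
            zf.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
        zf.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        rep = scan_docx(build_sample_docx(flag))
        print(f"embed_ole={flag}: needs_review={needs_review(rep)} {rep}")
```

The clean sample produces an empty report; the one with an embedded object is flagged both by its part name and by the relationship that points at it, and the signature check confirms the part is an OLE2 container. A mail gateway or file-share scanner applying this check would quarantine or strip such documents rather than rely on CFA to contain whatever the embedded object does once Word has opened it.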

[More: bleepingcomputer.com | techrepublic.com | securityweek.com ]

1 Feb 2018
Flaws in Popular Gas Station Software Exposed for Abuse
Israel - The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments and steal card numbers, or reach backend networks to take control of surveillance cameras and other systems connected to a gas station's or convenience store's network. An attacker could also simply alter fuel prices and steal petrol. The vulnerable system, the SiteOmat automation software, belongs to an Israeli company named Orpak Systems, which makes fuel-management software. Besides finding a large number of vulnerable Orpak gas station systems connected to the internet, the researchers also found a user manual on Orpak's website that contained the default password. According to the researchers, this would allow remote attackers to bypass the password protection on the front end of the system and access any Orpak gas station, whether or not the owner had changed the default password. In an unrelated case, a hacker was arrested in Russia for manipulating electronic gas pumps to con customers into paying for more fuel than was actually pumped into their tanks (SITREP 32).

[More: motherboard.vice.com | scmagazine.com | trendmicro.com ]

30 Jan 2018
ICS-CERT Updated Alert for ICS product Vendors Affected by Meltdown & Spectre
US - The following product vendors have reported that they support products using affected CPUs and have issued customer notifications with recommendations for users (NCCIC will update the list as additional vendors release notifications): ABB; Abbott; Becton, Dickinson and Company; Emerson; General Electric; Johnson & Johnson; Medtronic; OSIsoft; Philips; Rockwell Automation; Schneider Electric; Siemens; Smiths Medical. See also SITREP 31.

Separately, HIMA has released its own advisory on Meltdown and Spectre for its safety controllers.

[More: ICS-ALERT-18-011-01C ]

29 Jan 2018
Cisco Patches Critical Vulnerability in ASA Devices & Software
US - Cisco announced Monday a critical vulnerability in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software that allows an unauthenticated, remote attacker to execute code or cause a system reload.

Several security appliances using ASA software are affected, including 3000 Series Industrial Security Appliances (ISA), ASA 5500 security appliances and firewalls, ASA services modules for Catalyst 6500 series switches and 7600 series routers, ASA cloud firewalls, ASAv virtual appliances, and various Firepower devices. Cisco has released fixes for each of the affected ASA releases, except for ones that are no longer supported.

[More:  cyberscoop.com | securityweek.com | threatpost.com ]

28 Jan 2018
Malwarebytes Pushes Buggy Security Updates
US - Last Saturday Malwarebytes pushed out a protection update that consumed excessive memory and CPU resources and turned off web protection.

Although a new update package was pushed out within about an hour, it did not fix the problem. Even after rebooting, some users reported that their systems locked up as soon as the Malwarebytes Service process started and began consuming large amounts of RAM. Malwarebytes then pushed out a second update to address the memory leak.

[More: csoonline.com | securityaffairs.co | securityweek.com ]


25 Jan 2018
Critical Vulnerability in China-based Nari's PCS-9611 Allows Remote Read/Write Access
China - Kirill Nesterov and Alexey Osipov of Kaspersky Lab reported a vulnerability (CVSS v3 9.8) in the Nari PCS-9611 relay, a control and monitoring unit used mainly in the energy sector and throughout Asia, that is remotely exploitable and requires a low skill level to exploit. The improper input validation vulnerability affects a service within the software and may allow a remote attacker to arbitrarily read or access system resources and affect the availability of the system.

All versions of the PCS-9611 relay are affected.

ICS-CERT reached out to China-based Nari and CNCERT but has not received a response.

[More: isssource.com | ics-cert (ICSA-18-025-01) | twitter.com ]

Trainings & Events

Special Discount of USD200 available for REDCONSA's Partners. Please email to advisors@redconsa.sg for more information.

REDCONSA Digital Publications

Latest Research Papers & Technical Instruction for ICS Against NotPetya Wiper Malware on Unpatched Windows Systems

Copyright © 2018 REDCON Security Advisors, All rights reserved.

Our mailing address is:
ADVISORS@REDCONSA.SG