September 18, 2014

Security researchers find zero-day vulnerabilities in SCADA systems made by General Electric, Schneider, Siemens and others

(LiveHacking.Com) – Security vulnerability research (and profiteering – see below) company ReVuln has released a video showing a collection of zero-day vulnerabilities in SCADA systems by big name companies such as General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton and Siemens. The profiteering angle is that the company has chosen to sell the vulnerabilities to governments and other paying customers instead of disclosing them to the relevant manufacturers.

In the video, ReVuln demonstrated nine “zero-day” SCADA (supervisory control and data acquisition) software vulnerabilities, all of which are server-side and remotely exploitable. However, all product names and versions were hidden in the video, so it is impossible to tell exactly which products are affected.

Since the vulnerabilities are remotely exploitable, attackers can execute arbitrary code, download files, execute commands, open remote shells or hijack sessions on any system running vulnerable SCADA software. This was confirmed by ReVuln co-founder and security researcher Luigi Auriemma in an email to Computer World: “[Attackers] can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service. They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure.”

A surprising number of SCADA systems are connected to the Internet and are improperly protected. Luigi pointed out that Shodan (a search engine that can be used to discover Internet-accessible industrial control systems) yields “tons of interesting results” about systems that can be exploited remotely using ReVuln’s research.

Even though ReVuln has been contacted by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the U.S. Department of Homeland Security, it won’t reveal the weaknesses. “ICS-CERT has just contacted us some minutes ago requesting more details but we don’t release information,” Auriemma said. Rather, the company sees the vulnerabilities as part of its portfolio for its customers.

“The vulnerabilities included in our Zero-day feed remain undisclosed by ReVuln unless either the vulnerability is discovered and reported by a third party or the vendor publicly or privately patches the issue,” says ReVuln on their website. It also mentions that it offers “consulting services for improving and testing the security of ICS and industrial systems.”

Kaspersky Lab developing secure OS for industrial control systems

(LiveHacking.Com) – In a blog post for Kaspersky Lab, Eugene Kaspersky has confirmed that the security company is working on a new, secure operating system on top of which industrial control systems (ICS) can be installed. The aim is to provide a secure environment that incorporates all the latest security technologies available and is built to tackle the realities of 21st century cyber-attacks.

The motivation behind such an ambitious project is the inevitable future of mass cyber-attacks on nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems. Until a few years ago, cyber-attacks were limited to web servers and email servers; however, that has changed, and now the very infrastructure that controls our countries is open to attack.

Industrial IT systems are different from office systems and Internet-facing servers for three very important reasons:

  1. The system must always be running. If a web server is under attack, the worst-case scenario is that the server is shut down until everything can be resolved. You can’t do that with the control system running a nuclear power station!
  2. Because of the “always on” nature of the systems, performing software upgrades is difficult and often undesired by those running the systems.
  3. Traditionally, the ICS manufacturers have been less willing to provide updates to existing control systems.

The result is that when an exploit is found in the control system, fixing it can be very hard.

The fact that the majority of control systems aren’t connected to the Internet could lull us into a false sense of security: how could a hacker possibly get to the system if it isn’t connected to anything? Unfortunately, the reality is quite different. Kaspersky gives the following example from twelve years ago:

An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council (in Australia) carried out 46 (!) attacks on its control system, which caused the pumps to stop working or work not as they should have. No one could understand what was happening, since the communication channels inside the system had been breached and the information traveling along them distorted. Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!

And this was long before the rise of cyber espionage malware like Stuxnet, Duqu, Flame, miniflame and Gauss.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” wrote Kaspersky.

However, such a huge project would still not guarantee sufficiently stable operation of systems. The alternative is to create a secure operating system, one onto which ICS can be installed. To do this, Kaspersky Lab is developing a highly tailored operating system for a specific narrow task. It is not, as Kaspersky put it, “for playing Half-Life on, editing your vacation videos, or blathering on social media.”

Also the company is working on methods of writing software which, by design, won’t be able to carry out any behind-the-scenes, undeclared activity.

“It’s a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can’t reveal many details of the project now because of the confidentiality of such cooperation. And we don’t want to talk about some stuff so competitors won’t jump on our ideas and nick the know-how. And then there are some details that will remain for certain customers’ eyes only forever, to ward off cyber-terrorist abuses,” added Kaspersky.

More details about the system, its requirements and background to its development can be read here.

Was There a Cyber Attack at Water Plant in Illinois?

(LiveHacking.Com) – There has been lots of discussion about an alleged cyber attack on a water plant in Illinois. The story broke last week when Illinois officials said they were investigating the report of a water pump failure. Then Joe Weiss, a managing partner for Applied Control Solutions, revealed details of a cyber attack. Joe stated in his blog that the SCADA software vendor was hacked and customer usernames and passwords stolen and that during the attack the SCADA system was powered on and off repeatedly and so burned out a water pump. The golden proof, according to Joe, was that the IP address of the attacker was traced back to Russia.

Now, the FBI and the US Department of Homeland Security (DHS) are crying foul. According to an email sent to members of the Industrial Control Systems Joint Working Group, detailed analysis has found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

Cover up? Media hype? Paranoia?

The email from the FBI and DHS slams down the rumors hard saying:

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.  Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

They do admit that there was an incident where a hacker claimed to have accessed an industrial control system responsible for water supply in the city of South Houston. The hacker posted a series of images allegedly obtained from the system. The FBI is still investigating this incident.

But is this the end? Probably not. According to Brian Krebs, Weiss has a report, which he is refusing to publish, which states that:

“An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia.”

And that

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

So the internal report says yes, definitely a cyber attack but the FBI say no… Who will you believe?

Zero-day Flaws Discovered in Various SCADA Systems

(LiveHacking.Com) – Security researcher Luigi Auriemma has revealed details of several zero-day vulnerabilities in various Supervisory Control and Data Acquisition (SCADA) products from several different vendors.

SCADA vulnerabilities have recently been of interest due to the creation of Stuxnet and its use to delay the proliferation of nuclear weapons. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, something that previously wasn’t really possible.

The vulnerabilities are as follows, including links to the advisories written by Luigi:

  • Multiple vulnerabilities in Cogent DataHub 7.1.1.63: adv – adv – adv – adv
  • Stack overflow in DAQFactory 5.85 build 1853: adv
  • Multiple vulnerabilities in Progea Movicon / PowerHMI 11.2.1085: adv – adv – adv
  • Directory traversal in Carel PlantVisor 2.4.4: adv
  • Heap overflow in Rockwell RSLogix 19 (FactoryTalk RnaUtility.dll): adv
  • Multiple vulnerabilities in Measuresoft ScadaPro 4.0.0: adv
  • Denial of Service in Beckhoff TwinCAT 2.11.0.2004: adv

This is the second set of disclosures by this researcher this year. In March, he disclosed similar vulnerabilities in SCADA products from Siemens, Iconics, 7-Technologies and Datac. His disclosures prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities.

SCADA Talk Cancelled at TakeDownCon Dallas 2011 After Pressure From US Government

Dillon Beresford and Brian Meixell cancelled their TakeDownCon Dallas 2011 talk about Supervisory Control and Data Acquisition (SCADA) on Wednesday after a request from U.S. cybersecurity and Siemens representatives.

The planned presentation would have looked at how attackers can penetrate even the most heavily fortified industrial control systems in the world, without the backing of a nation state. They also planned to present a guide to writing industrial grade malware without having direct access to the target hardware.

“We were asked very nicely if we could refrain from providing that information at this time,” Dillon Beresford, an independent security researcher and a security analyst at NSS Labs, told CNET. “I decided on my own that it would be in the best interest of security… to not release the information.”

SCADA exploits have recently taken center stage in the international community with the creation of Stuxnet and its use to delay the proliferation of nuclear weapons. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, something that previously wasn’t really possible.