May 17, 2020

Security researchers find zero-day vulnerabilities in SCADA systems made by General Electric, Schneider, Siemens and others

(LiveHacking.Com) – Security vulnerability research (and profiteering – see below) company ReVuln has released a video showing a collection of zero-day vulnerabilities in SCADA systems by big name companies such as General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton and Siemens. The profiteering angle is that the company has chosen to sell the vulnerabilities to governments and other paying customers instead of disclosing them to the relevant manufacturers.

In the video ReVuln demonstrated nine “zero-day” SCADA (supervisory control and data acquisition) software vulnerabilities which are all server-side and remotely exploitable. However all product names and version were hidden in the video so it is impossible to tell exactly what products are affected.

Since the vulnerabilities are remotely exploitable, attackers can execute arbitrary code, download files, execute commands, open remote shells or hijack sessions on any system running vulnerable SCADA software. This was confirmed by ReVuln co-founder and security researcher Luigi Auriemma in an email to Computer World: “[Attackers] can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service. They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure.”

A surprising number of SCADA systems are connected to the Internet and are improperly protected. Luigi pointed out that Shodan (a search engine that can be used to discover Internet-accessible industrial control systems) yields “tons of interesting results” about systems that can be exploited remotely using ReVuln’s research.

Even though ReVuln has been contacted by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the U.S. Department of Homeland Security, it won’t reveal the weaknesses. “ICS-CERT has just contacted us some minutes ago requesting more details but we don’t release information,” Auriemma said. Rather the company sees the vulnerabilities as part of their portfolio for their customers.

“The vulnerabilities included in our Zero-day feed remain undisclosed by ReVuln unless either the vulnerability is discovered and reported by a third party or the vendor publicly or privately patches the issue,” says ReVuln on their website. It also mentions that it offers “consulting services for improving and testing the security of ICS and industrial systems.”

SCADA Talked Cancelled at TakeDownCon Dallas 2011 After Pressure From US Government

Dillon Beresford and Brian Meixell cancelled their TakeDownCon Dallas 2011 talk about Supervisory Control and Data Acquisition (SCADA) on Wednesday after a request from U.S. cybersecurity and Siemens representatives.

The planned presentation would have looked at how attackers can penetrate even the most heavily fortified industrial control systems in the world, without the backing of a nation state. They also planned to present a guide to writing industrial grade malware without having direct access to the target hardware.

“We were asked very nicely if we could refrain from providing that information at this time,” Dillon Beresford, an independent security researcher and a security analyst at NSS Labs, told CNET. “I decided on my own that it would be in the best interest of security… to not release the information.”

SCADA exploits have recently taken center stage in the international community with the creation of Stuxnet and its use to delay the proliferation of nuclear weapons. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, something that previously wasn’t really possible.

Stuxnet: The Industrial Sabotage Mystery Deepens

Since its discovery a few months ago, the purpose and intention of the Stuxnet worm has remained shrouded in mystery. This Windows based worm is the first ever malware designed to attack industrial equipment.

Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).

[ad code=6 align=left]

PLCs contain code to control automated industrial systems in manufacturing plants or factories. Programmers use the Siemens’ software from a Windows PC to create code and then upload their code to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.

Since the discovery of Stuxnet, conspiracy theories about its purposes have been rampant and these theories have included nation states, well funded hackers, Israeli spies and Iran’s nuclear program. But Symantec have just revealed ( that the Stuxnet virus only attacks systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran. This is sure to reignite the speculations about its target and origin.

What Stuxnet does is monitor the frequency of these drives and only attacks systems that run between 807Hz and 1210Hz which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short time to 1410Hz and then to 2Hz and then to 1064Hz and thus effects the operation of the connected motors.

Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.

If you work with PLCs and variable-frequency drives over 807Hz please contact Live Hacking as soon as possible as you might be able to shed some light on this increasingly mysterious malware.

Stuxnet Traget U.S. Power Grid System

U.S. Power grid system is based on control system software from Siemens AG. This system has been targeted by Stuxnet malware recently.

According to Computerworld, Stuxnet exploits a Windows flaw to find and steal industrial data from supervisory control and data acquisition (SCADA) systems running Siemens’ Simatic WinCC or PCS 7 software.

SCADA systems are used to control critical equipment at power companies, manufacturing facilities, water treatment plants and nuclear power operations. This malware is the first publicly known malicious software program written specifically to exploit vulnerabilities in a SCADA system.

Furthermore, it was a report in The Wall Street Journal about the cyber-spies from China, Russia and elsewhere who had gained access to the U.S. electrical grid and installed malware tools that could be used to shut down service recently. However, a group of cybersecurity specialist has been deployed from U.S. department of homeland security to study and investigate the U.S. department of energy network after this report.