April 17, 2014

Four-star General under investigation for leaking details of Stuxnet attack

(LiveHacking.Com) – New reports suggest that the FBI has started a new investigation into the public leak about the Stuxnet worm. According to NBC, a retired four-star US Marine general, who had a close relationship with President Barack Obama, is under investigation for leaking details of the cyber-attack.

Gen. James Cartwright, the former vice chairman of the Joint Chiefs of Staff, has been told he is under investigation for allegedly disclosing details of the USA’s cyber-attack on Iran’s nuclear facilities. The original FBI investigation looked into possible White House sources; the agency has now turned its investigation towards possible military leaks, including Cartwright.

When the worm first escaped the confines of Iran’s Natanz plant and started infecting computers across the globe, the origin and purpose of the malware were unclear. Over time more and more details of the worm’s activity were analysed, and finally, thanks to an internal leak in the US Government, it was confirmed (but not publicly) that the National Security Agency had developed Stuxnet in tandem with the Israelis.

According to the New York Times report on 1 July, 2012, Stuxnet was created under a project known as “Operation Olympic Games” as part of an American and Israeli effort to undermine Iran’s nuclear program.

Stuxnet was designed to destroy the centrifuges used in Iran’s uranium enrichment program and targeted Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes at the Natanz enrichment facilities.

Chevron claimed it also had trouble with Stuxnet, once it had gone global, as it too uses SCADA-based systems. However, Chevron says none of its equipment was damaged.

There are likely to be other cases of Stuxnet infections in industrial plants across the U.S. and mainland Europe that have gone unreported for reasons of security or to avoid embarrassment.

Has Iran been fighting off a fresh Stuxnet attack?

(LiveHacking.Com) – There is some confusion about recent malware activity in Iran. A story broke in the last few days saying that a power plant and other industries in southern Iran had been targeted by Stuxnet but that the cyber attack had been successfully rebuffed and prevented from spreading. The story was carried by many of the world’s news agencies, including the BBC and Agence France-Presse.

The original story comes from the Iranian Students News Agency (ISNA), which reported that cyberattackers had struck industrial infrastructure in the southern province of Hormuzgan. In it, Ali Akbar Akhavan is quoted as saying that a virus had penetrated some manufacturing industries in Hormuzgan province, but that with the help of skilled hackers it had been repelled. Akhavan is quoted as saying that the malware was “Stuxnet-like”, but he did not expand on what that meant.

Once the story was being widely reported, Iran issued a correction. “At a press conference we announced readiness to confront cyber attacks against Hormuzgan installations, which was mistakenly reported by the agencies as a cyber attack having been foiled,” Ali Akbar Akhavan said. However, ISNA is sticking with its original story and has published MP3 files which it claims contain Akhavan’s initial remarks.

The state of Iran’s industrial and IT infrastructure has been a topic of much discussion ever since the original Stuxnet worm was allegedly used to hamper Iran’s nuclear enrichment efforts in 2010. Since then Iran has had various malware troubles, including reports of a piece of malware called Narilam which attacked Iranian business databases, and a malware incident in which Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal.

Symantec says new worm attacking Iranian businesses – Iran says no, it isn’t true

(LiveHacking.Com) – Symantec is reporting that it has detected a new piece of malware called Narilam which is attacking business databases in Iran. Naturally, the existence of a worm that attacks the Middle East, and Iran specifically, has drawn parallels with other well-documented cyber-attacks on Iran, including Stuxnet, Duqu and Flame.

According to Symantec, Narilam is designed to cause chaos by targeting and modifying corporate databases. It does this by connecting to Microsoft SQL databases via OLEDB (Object Linking and Embedding, Database) and hunting for SQL databases with three distinct names: alim, maliran and shahd. It then replaces certain items in the database (including the columns Asnad.LastNo, Asnad.FirstNo and refcheck.amount) with random values.

However, the Iranian national CERT, “Maher”, says that after its initial investigations there seems to be some misunderstanding about the malware. First, it isn’t new malware but old! Iran reckons it has been around since 2010, but under a different name. Secondly, the malware is not a major threat, nor is it a sophisticated piece of malware. Thirdly, the malware isn’t that widespread, and it is only able to corrupt the database of a particular accounting package for small businesses.

Maher’s advice is not to panic: only the customers who use that particular accounting software need to make sure they have good backups and that they scan their systems regularly with a decent antivirus product.

So who is right? It is difficult to tell. Malware which targets a very specific software product made and predominantly used in Iran is very suspect, especially in light of other cyber attacks like Stuxnet. At the same time, if it is old and contains no functionality to steal information from infected systems, then its impact will certainly be limited.

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US-headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department, said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought it was designed by a nation state with the intention of targeting Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet, and it appears that the worm got onto its network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world, and potentially the Stuxnet malware could have destroyed other equipment across the globe. Just like a real-world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”

Kaspersky Lab developing secure OS for industrial control systems

(LiveHacking.Com) – In a blog post for Kaspersky Lab, Eugene Kaspersky has confirmed that the security company is working on a new, secure operating system on top of which industrial control systems (ICS) can be installed. The aim is to provide a secure environment that incorporates all the latest security technologies available and is built to tackle the realities of 21st-century cyber-attacks.

The motivation behind such an ambitious project is the inevitable future of mass cyber-attacks on nuclear power stations, energy supply and transportation control facilities, and financial and telecommunications systems. Until a few years ago cyber attacks were limited to web servers and email servers; that has changed, and now the very infrastructure that controls our countries is open to attack.

Industrial IT systems are different from office systems and internet-facing servers for three very important reasons:

  1. The system must always be running. If a web server is under attack, the worst-case scenario is that the server is shut down until everything can be resolved. You can’t do that with the control system running a nuclear power station!
  2. Because of the “always on” nature of the systems, performing software upgrades is difficult and often undesired by those running the systems.
  3. Traditionally, ICS manufacturers have been less willing to provide updates to existing control systems.

The result is that when an exploit is found in the control system, fixing it can be very hard.

The fact that the majority of control systems aren’t connected to the Internet could lull us into a false sense of security: how could a hacker possibly get to the system if it isn’t connected to anything? Unfortunately, the reality is quite different. Kaspersky gives the following example from twelve years ago:

An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council (in Australia) carried out 46 (!) attacks on its control system, which caused the pumps to stop working or work not as they should have. No one could understand what was happening, since the communication channels inside the system had been breached and the information traveling along them distorted. Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!

And this was long before the rise of cyber-espionage malware like Stuxnet, Duqu, Flame, miniFlame and Gauss.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” wrote Kaspersky.

However, such a huge effort would still not guarantee sufficiently stable operation of systems. The alternative is to create a secure operating system, one onto which ICS can be installed. To do this, Kaspersky Lab are developing a highly tailored operating system for a specific, narrow task. It is not, as Kaspersky put it, “for playing Half-Life on, editing your vacation videos, or blathering on social media.”

The company is also working on methods of writing software which, by design, won’t be able to carry out any behind-the-scenes, undeclared activity.

“It’s a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can’t reveal many details of the project now because of the confidentiality of such cooperation. And we don’t want to talk about some stuff so competitors won’t jump on our ideas and nick the know-how. And then there are some details that will remain for certain customers’ eyes only forever, to ward off cyber-terrorist abuses,” added Kaspersky.

More details about the system, its requirements and background to its development can be read here.

miniFlame: New malware found that is linked with Flame, Stuxnet, Duqu and Gauss

(LiveHacking.Com) – Kaspersky Lab has found a new piece of malware that is linked with the various nation-state cyber-espionage malware families including Stuxnet, Duqu, Flame and Gauss. Although found all over the world, these malware attacks have specifically targeted the Middle East. Previous analysis of the Flame malware led Kaspersky Lab to conclude that there was some form of collaboration between the groups that developed Flame, Stuxnet and Duqu. Further research prompted the discovery of the previously unknown malware called Gauss, which uses a modular structure resembling that of Flame, has a similar code base and uses the same system for communicating with its C&C servers. That made up the whole family: Flame, Stuxnet, Duqu and Gauss.

Now Kaspersky Lab has discovered miniFlame. This new malware is based on the Flame platform and can be operated as part of Flame, but it can also be run independently, without the main Flame modules installed.

“The SPE malware, is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” wrote GReAT (Kaspersky Lab’s Global Research and Analysis Team).

Kaspersky Lab have also discovered that miniFlame can be used together with Gauss. It had been assumed that Flame and Gauss were parallel but separate projects, as they did not have any common modules or common C&C servers. The fact that miniFlame works with both of these malware projects proves that they come from the same authors.

Like the others in the family, miniFlame is targeting the Middle East. Flame attacks were found mainly in Iran and Sudan, while Gauss was mostly present in Lebanon. miniFlame does not have a clear geographical bias, but there are reports from Lebanon, Palestine, Iran, Kuwait and Qatar.

Kaspersky Lab have a full technical paper on miniFlame here.

Why does Gauss install Palida Narrow font?

Source: Securelist

(LiveHacking.Com) – In the ongoing saga, which started with Stuxnet and continued with Duqu and Flame, Gauss is seen by many as malware which, like its predecessors, is state sponsored. It was discovered during the ITU’s investigation into Flame and is thought to have been created in mid-2011 and deployed for the first time in August-September of the same year.

The major difference between Gauss and its cousins is that Gauss is a banking Trojan, designed to steal login details for customers of Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal. Kaspersky Lab have gone as far as to say “This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component.”

It has now been discovered that computers infected with Gauss all have a previously unknown font, known as “Palida Narrow”, installed on them. Security researchers have linked Duqu to Gauss, due to some similar characteristics, and have wondered whether Gauss uses the same font-rendering vulnerability as Duqu. However, Kaspersky has checked the font for such malicious code and found nothing: “But of course, anything is possible”.

However, the new font can be used as a marker for the presence of the malware, and to this end the Cryptography Laboratory at the Technical University of Budapest has created a web page to test for Palida Narrow and hence for Gauss.
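The same marker can be checked locally on a Windows host by an administrator or incident responder. The script below is an added example, not code from LiveHacking.Com or from the Budapest test page; it assumes the standard Windows font registry key and Fonts directory, and simply matches on the name “Palida”, reporting a structured result for fleet-wide collection.

```powershell
# Added example: look for the "Palida Narrow" font that Gauss installs.
# Presence of the font is an indicator that warrants investigation, not proof of infection.

function Test-PalidaNarrowFont {
    [CmdletBinding()]
    param(
        # Standard registry location where installed fonts are registered
        [string]$FontRegistryKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts',
        # Standard system font directory
        [string]$FontDirectory = (Join-Path $env:windir 'Fonts')
    )

    $findings = @()

    # 1. Registry: installed fonts appear as value names such as "<Font name> (TrueType)"
    if (Test-Path $FontRegistryKey) {
        $fontKey = Get-ItemProperty -Path $FontRegistryKey
        foreach ($prop in $fontKey.PSObject.Properties) {
            if ($prop.Name -like '*Palida*') {
                $findings += [pscustomobject]@{
                    Source = 'Registry'
                    Name   = $prop.Name
                    Value  = $prop.Value      # file name the registry entry points to
                }
            }
        }
    }

    # 2. Disk: font files in the Fonts directory whose name mentions Palida
    if (Test-Path $FontDirectory) {
        Get-ChildItem -Path $FontDirectory -File -Filter '*palida*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Source = 'File'
                    Name   = $_.Name
                    Value  = $_.FullName
                }
            }
    }

    # 3. Font families actually visible to applications via the .NET drawing stack
    Add-Type -AssemblyName System.Drawing
    $families = (New-Object System.Drawing.Text.InstalledFontCollection).Families |
        Where-Object { $_.Name -like '*Palida*' }
    foreach ($family in $families) {
        $findings += [pscustomobject]@{ Source = 'FontCollection'; Name = $family.Name; Value = '' }
    }

    # One record per host, suitable for export to CSV or a SIEM
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Detected     = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

Test-PalidaNarrowFont
```

A positive result should be followed by a full malware scan and triage of the host rather than simply deleting the font.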


Iran Releases Flamer Malware Removal Tool

(LiveHacking.Com) – Iran’s Computer Emergency Response Team (CERTCC) has released a tool which can detect and remove the Flame worm, which is being described as “the most sophisticated cyber weapon yet unleashed”. This is the first time a tool has been released to tackle the malware, which according to a report from CrySyS Lab was first spotted in Europe in 2007. According to the BBC, the detection and clean-up tool was written in early May, and Iran’s National Computer Emergency Response Team is now ready to distribute it to organisations at risk of infection.

The Flame malware is sophisticated and is designed for surveillance, with the ability to record audio and keystrokes and even to work with Bluetooth devices. It also has a modular design which allows its creators to upload new functionality to the malware on a victim’s machine. As well as being modular in design, Flame also appears to detect which anti-virus software is installed on a target machine and then disguise itself as a file type that traditionally isn’t scanned for viruses or malware.

According to Kaspersky, 189 infections have been reported in Iran, compared to 98 in Israel/Palestine and 32 in Sudan. Reports are coming in that Syria, Lebanon, Saudi Arabia and Egypt have also been hit.

Back in April, Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal due to malware. At the time the malware was unknown, but it is now believed to have been Flame. The National Iranian Oil Company (NIOC) disconnected some of its computers from the Internet to stop any further spread of the malware; however, the terminal remained operational.

An analysis by Symantec says that “the complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.”


Flame Malware Designed for Cyber Espionage

A new piece of malware called “Flame” has been uncovered by Kaspersky Lab and is thought to be part of a well-organized, state-run cyber espionage operation affecting Iran, Israel and other Middle Eastern countries. Because the new malware seems to attack computers mainly in the Middle East, and because of the specific software vulnerabilities exploited, analysts are saying that although Flame differs from Duqu and Stuxnet, it belongs to the same family.

“The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet” wrote Kaspersky Lab in a statement.

According to the Iranian CERTCC, the file naming conventions, propagation methods, complexity level and precise targeting indicate that Flame is a close relation of Stuxnet. However, one important difference is that Flame is modularised. Once a machine has been infected, the operators can upload new modules to increase Flame’s functionality. So far 20 modules have been found, but it is expected that researchers will find more.

Flame can perform a number of complex operations including network sniffing, making screenshots, recording audio, logging keyboard strokes, and so on. All this data is sent to the operators via command-and-control servers.

According to Reuters, it is possible that Flame has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign. Further details can be found in Kaspersky Lab’s Flame FAQ.

Stuxnet Worm was Planted by Double Agent

(LiveHacking.Com) – Industrial Safety and Security Source is reporting that the Stuxnet virus was planted by an Iranian double agent via a memory stick. The Stuxnet malware is widely believed to have caused damage to Iran’s nuclear program by breaking the motors on 1,000 centrifuges at the Natanz uranium enrichment facility.

ISS Source is quoting U.S. intelligence officials who say that the saboteur was probably a member of an Iranian dissident group, as using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “‘Iranian double agents’ would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi, said an unspecified number of “nuclear spies” had been arrested in connection with the Stuxnet virus.

The report says that these agents were probably members of the militant Iranian opposition movement Mujahideen-e Khalq (MEK) which, according to Vince Cannistraro, former head of the CIA’s Counterterrorism, is being used by Israel’s Mossad intelligence service, from whom they receive training and finance.