October 16, 2019

Iran Unplugs Oil Export Terminal Computers After Virus Found

(LiveHacking.Com) – Iran has been forced to disconnect some of the computers at its Kharg Island oil processing terminal because of malware. The as yet unidentified virus was found inside the control systems of Kharg Island – Iran’s main oil terminal, which handles the vast majority of Iran’s crude oil exports. The National Iranian Oil Company (NIOC) said that although it disconnected some computers from the Internet to stop the malware spreading further, the terminal remained operational.

According to the semi-official Mehr news agency, the virus affected computers at Iran’s Oil Ministry and at its national oil company. As a precaution, computers that control some of Iran’s other oil facilities have also been disconnected from the Internet. Mehr also reports that the Iranian authorities have set up a crisis unit which is working to neutralize what they are calling an “attack.”

It looks as if the disruption to Iran’s oil production has been minimal, unlike the international sanctions which, according to Reuters, are forcing the country to use more than half of its supertanker fleet to store crude at sea in the Gulf. The only tangible effect seems to be that the Iranian oil ministry and national oil company websites went offline. This could be due to the mass unplugging of systems, or it could be a direct result of the virus; that remains to be seen. According to the BBC, the Ministry website was back in action on Monday but the oil company site has remained unreachable. The BBC added that an Iranian oil ministry spokesperson was quoted as saying that data about users of the sites had been stolen as a result of the attack.

Pundits are already starting to make comparisons with the Stuxnet computer worm, which hit Iran’s nuclear facilities in 2009 and 2010. Stuxnet specifically targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software, used to control and monitor industrial processes, and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers); it is estimated to have destroyed about a fifth of Iran’s nuclear centrifuges in an attempt to delay Iran’s nuclear program. In 2010 William J. Lynn, U.S. Deputy Secretary of Defense, wrote that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.”

Same Platform Used to Create Stuxnet, Duqu and Other Yet Unknown Malware

(LiveHacking.Com) – Researchers from Kaspersky Lab have discovered that Stuxnet and Duqu were created on the same platform, one which may have been developed long before the Stuxnet scandal of 2011. Known as “Tilded” because of its common use of files whose names start with the tilde symbol (~), the platform is used by a single team to create modular malware that can be adapted to specific targets.

Kaspersky Lab came to this conclusion by analyzing the drivers used to infect systems with Duqu and Stuxnet. More worrying is that one of the driver files was compiled in January 2008 and that seven types of drivers with similar characteristics exist in the wild.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

This leads to the conclusion that Duqu and Stuxnet are separate projects created on a single platform – Tilded. It appears that Tilded was developed around the end of 2007 and the beginning of 2008. In 2010 the platform was developed further to avoid detection by antivirus solutions. There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown.

The full version of the report of Alexander Gostev and Igor Sumenkov is available at Securelist.

Microsoft Releases Security Advisory And ‘Fix it’ to Combat Duqu

(LiveHacking.Com) – It was revealed a couple of days ago that the new Duqu malware (which many see as related to the infamous Stuxnet trojan) spreads via a zero-day vulnerability in the Windows kernel. Microsoft has now issued a security advisory and a “Fix it” workaround.

Microsoft has revealed in the advisory that the problem lies in Windows’ TrueType font parsing engine. An attacker who exploits this vulnerability can run their own code in kernel mode and then proceed unhindered to install programs, modify data, or create new accounts.

The vulnerability is in every supported version of Windows, including the desktop versions (XP, Vista and Windows 7) and the server variants (Windows Server 2003 and Windows Server 2008). It affects both 32-bit and 64-bit systems.

The vulnerability can be exploited in multiple ways, including by supplying documents, or convincing users to visit a web page, that embed specially crafted TrueType fonts. The vulnerability is caused by a Windows kernel-mode driver failing to properly handle the TrueType font type.

A temporary workaround is to block access to t2embed.dll. Blocking access to this DLL does not correct the underlying issue, but it will help block known attack vectors until Microsoft issues a security update.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for users to install, Microsoft has released a Fix it that allows one-click installation of the workaround and gives enterprises an easy way to deploy it.
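Added example, not from the advisory or this article: a PowerShell check that reports whether the t2embed.dll block described above is in place on a host. It assumes the block was applied as an explicit Deny ACE for the Everyone principal (SID S-1-1-0), the form the advisory’s cacls-based workaround takes, and on 64-bit Windows it also checks the 32-bit copy under SysWOW64.

```powershell
# Added example: audit whether access to t2embed.dll is blocked on this host.
# Assumption: the block was applied as a Deny ACE for Everyone (S-1-1-0),
# which is what the advisory's cacls-based workaround produces.
function Test-T2EmbedBlock {
    [CmdletBinding()]
    param()

    $everyoneSid = 'S-1-1-0'
    $paths = @(Join-Path $env:windir 'System32\t2embed.dll')
    # 64-bit Windows also ships a 32-bit copy that has to be blocked as well.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += Join-Path $env:windir 'SysWOW64\t2embed.dll'
    }

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Blocked = $false }
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        # Compare by SID so the check works regardless of display language.
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
        }
        [pscustomobject]@{
            Path    = $path
            Present = $true
            Blocked = [bool]$deny
        }
    }
}

# One row per DLL location; the host is covered only when every copy that
# is present shows Blocked = True.
Test-T2EmbedBlock | Format-Table -AutoSize
```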

No fix for November’s Patch Tuesday

Microsoft has said that a fix for this vulnerability will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Duqu Spreads Using Windows Zero Day Vulnerability

(LiveHacking.Com) – It has been discovered that the new Duqu trojan (which is thought to be related to Stuxnet) infects PCs by exploiting a zero-day Windows kernel vulnerability via a specially crafted Microsoft Word file.

Duqu, which was spotted in the wild a little under two weeks ago, has parts that are nearly identical to those of Stuxnet, but the payload carried by the worm is not intended to sabotage industrial control systems; instead it provides general remote access for a remote command-and-control (C&C) server.

Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.

It is important to underline that the vulnerability used by Duqu is in Windows itself and not Word. This means that this flaw could be exploited through other delivery mechanisms.

“We are working diligently to address this issue and will release a security update for customers,” Microsoft said on Tuesday in a short Twitter statement.

Exploitation of zero-day vulnerabilities in Windows by malware is not that common. Microsoft’s recent Security Intelligence Report (SIR) showed that none of the malware infections cleaned by the MSRT (Malicious Software Removal Tool) used zero-day exploits.

Duqu, Son of Stuxnet, Targets European Industrial Control Systems

(LiveHacking.Com) – Details are emerging about a new worm which seems to be based on Stuxnet, the worm that was allegedly used by either Israel or the USA to attack Iran’s nuclear research.

According to Symantec the new worm, which has been dubbed Duqu because it creates files with the prefix “~DQ”, has parts that are nearly identical to those of Stuxnet, but with a completely different purpose.

Duqu shares a large proportion of its code with Stuxnet, but the payload carried by the worm is not intended to sabotage an industrial control system; instead it provides general remote access for a remote command-and-control (C&C) server. This shows that the writers of Duqu have access to the Stuxnet source code and not just its binaries.

Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.

It is possible that this is a precursor to a future Stuxnet-like attack:

The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

This does now call into question the almost universal belief that Stuxnet was written by either Israel or the USA, since either of those two countries launching some kind of cyber attack on European companies is almost unthinkable given the political damage that would be done.

Zero-day Flaws Discovered in Various SCADA Systems

(LiveHacking.Com) – Security researcher, Luigi Auriemma, has revealed details of several zero-day vulnerabilities in various Supervisory Control and Data Acquisition (SCADA) products from several different vendors.

SCADA vulnerabilities have recently been of interest due to the creation of Stuxnet and its use to delay the proliferation of nuclear weapons. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, something that previously wasn’t really possible.

The vulnerabilities, each covered by one or more advisories written by Luigi, are as follows:

  • Multiple vulnerabilities in Cogent DataHub
  • Stack overflow in DAQFactory 5.85 build 1853
  • Multiple vulnerabilities in Progea Movicon / PowerHMI 11.2.1085
  • Directory traversal in Carel PlantVisor 2.4.4
  • Heap overflow in Rockwell RSLogix 19 (FactoryTalk RnaUtility.dll)
  • Multiple vulnerabilities in Measuresoft ScadaPro 4.0.0
  • Denial of Service in Beckhoff TwinCAT

This is the second set of disclosures by this researcher this year. In March, he disclosed similar vulnerabilities in SCADA products from Siemens, Iconics, 7-Technologies and Datac. His disclosures prompted the US Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities.

US Government Warns (Again) that Stuxnet Variants Could Target Critical US Systems

(LiveHacking.Com) – It was this time last year that the world first heard about Stuxnet, the computer worm that launched the first successful cyberattack on infrastructure facilities – namely Iran’s nuclear programme. In a US House of Representatives committee hearing, Roberta Stempfley and Sean P. McGurk from the DHS’s Office of Cyber Security and Communications revealed that the US Government is concerned that cyber-terrorists could use variants of Stuxnet to attack other installations that use programmable control systems.

Their comments echo testimony given in March of this year to a Homeland Security House Subcommittee by Deputy Under Secretary Philip Reitinger.

According to both testimonies (which are word for word the same) “copies of the Stuxnet code, in various different iterations, have been publicly available for some time now.” As a result “the Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems.”

ICS-CERT and the NCCIC remain vigilant and continue analysis and mitigation efforts of any derivative malware.

SCADA Talk Cancelled at TakeDownCon Dallas 2011 After Pressure From US Government

Dillon Beresford and Brian Meixell cancelled their TakeDownCon Dallas 2011 talk about Supervisory Control and Data Acquisition (SCADA) on Wednesday after a request from U.S. cybersecurity and Siemens representatives.

The planned presentation would have looked at how attackers can penetrate even the most heavily fortified industrial control systems in the world, without the backing of a nation state. They also planned to present a guide to writing industrial grade malware without having direct access to the target hardware.

“We were asked very nicely if we could refrain from providing that information at this time,” Dillon Beresford, an independent security researcher and a security analyst at NSS Labs, told CNET. “I decided on my own that it would be in the best interest of security… to not release the information.”

SCADA exploits have recently taken center stage in the international community with the creation of Stuxnet and its use to delay the proliferation of nuclear weapons. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, something that previously wasn’t really possible.

Update: Stars Worm Probably Just Political Bluff

It is now a couple of days since Iran claimed it was under another cyber attack, but so far it has not offered any proof or given security experts any information about the worm. Simple fingerprint information about the worm would immediately validate Iran’s claims and also allow security experts to see if examples of the worm have been found in the West.

Investigations by Live Hacking have revealed that inside Iran there is little or no information about this worm, and even Iran’s Computer Emergency Response Team has no knowledge of the attack.

Since Stuxnet also infected PCs outside Iran, it is impossible that the new Stars worm has remained only inside the borders of this Middle Eastern country. When (and if) Iran publishes more data on the worm it can be analysed thoroughly. If they don’t publish any more information, this will just be seen as another attempt at political misdirection.

First Stuxnet, Now Stars – New Worm Attacks Iran

Gholam-Reza Jalali, the director of Iran’s Passive Defense Organization, has announced that the organization has detected a new worm called Stars which is designed to spy on Iran’s government systems. Jalali did not reveal what facilities the worm targeted or when it was first detected.

These new revelations come in the wake of Stuxnet, the first ever malware designed to attack industrial equipment. Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers). It is reported that such equipment is used by Iran at its Natanz nuclear facility.

Last week Jalali accused Siemens of helping the U.S. and Israel create the Stuxnet worm saying they should “explain why and how it provided the enemies with the information about the codes of the SCADA software and [so] prepared the ground for a cyber attack.”

Could Stars be just an “ordinary” Windows worm which Iran has mistaken for a cyber attack? Every day security experts find thousands of new malware samples, many of which are designed for spying on victims’ computers.