Posts Tagged ‘vulnerabilities’

Exploitation of vulnerabilities in computer systems can always have negative effects, such as loss of availability, productivity, data or other compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems (ICS) can, in rare circumstances, have potentially devastating physical world implications such as loss of life and environmental impact.

A number of vulnerabilities have been discovered by NSS researchers and validated on the Siemens Simatic S7-1200 PLC. Other Siemens device models have yet to be tested. There is the possibility that PLCs from other vendors are similarly affected. Currently, these vulnerabilities could enable an attacker to control an affected S7-1200 PLC.

In the course of the NSS Labs research, significant vulnerabilities in industrial control systems have been identified, responsibly disclosed and validated by the affected parties. Due to the serious impact these issues could have on industrial systems worldwide, further details will be withheld until effective remediation measures have been released by the affected vendor(s) and validated by NSS researchers.

The vulnerabilities discovered, if exploited by an attacker, would enable the attacker to gain full control of the system and perform actions such as:

  • Start and stop the CPU
  • Arbitrarily control devices connected to the PLC
  • Arbitrarily reprogram the PLC and read and write memory contents
  • Cause arbitrary (false) data to be returned to logging and management stations
  • Hijack control of the PLC from an administrator
  • Bypass security controls

“The most effective remediation will be based upon accepted best practices and specific knowledge of the operating environment. Given the implications of the problem, a true air-gap separation between ICS and internet-connected corporate networks should be enforced wherever possible. In many cases, the operator may not be fully aware of the connectivity an attacker may be able to gain. An exposure assessment is recommended in such cases,” the report suggests.

IBM has released results from its annual X-Force 2010 Trend and Risk Report, highlighting that public and private organizations around the world faced increasingly sophisticated, customized IT security threats in 2010. According to the report, India was the top country for phishing email origination in 2010 at 15.5 percent, followed by Russia at 10.4 percent. Spam volume in India grew continuously from spring 2009 to autumn 2010. The report highlights that the U.S., India, Brazil, and Vietnam were the top four spam-sending countries, accounting for nearly one third of worldwide spam.

Based on the intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150,000 security events per second during every day of 2010, key observations from the IBM X-Force Research team included:

More than 8,000 new vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.

  • The historically high growth in spam volume leveled off by the end of 2010. This indicates that spammers may be seeing less value from increasing the volume of spam, and instead are focused on making sure it is bypassing filters.
  • While overall there were significantly fewer phishing attacks relative to previous years, “spear phishing,” a more targeted attack technique, grew in importance in 2010. This further indicates that cyber criminals have become more focused on quality of attacks, rather than quantity.
  • India, along with the USA, Brazil, Vietnam, and Russia, was among the top five countries for spam origination in 2010.
  • As end user adoption of smartphones and other mobile devices increased, IT security departments have struggled to determine the right way to bring these devices safely into corporate networks. Although attacks against the latest generation of mobile devices were not yet widely prevalent in 2010, IBM X-Force data showed a rise in vulnerability disclosures and exploits that target these devices.

“From Stuxnet to Zeus botnets to mobile exploits, a widening variety of attack methodologies is popping up each day,” said Pradeep Nair, Director, IBM Software Group, IBM ISA. “The numerous, high profile targeted attacks in 2010 shed light on a crop of highly sophisticated cyber criminals, who may be well-funded and operating with knowledge of security vulnerabilities that no one else has. Staying ahead of these growing threats and designing software and services that are secure from the start has never been more critical. We have seen significant increase in interest from clients in India to enhance the reliability of their security infrastructure.”

The report also discusses the security trends and best practices for the emerging technologies of mobile devices and cloud computing.

Cloud Computing — The report highlighted a shift in perception about cloud security as adoption continued to evolve and knowledge around this emerging technology increased.

Mobile Devices — Organizations are increasingly concerned about the security implications of personal mobile devices used by employees. Organizations must ensure control of their data regardless of where it is, including employee-owned or business-issued smartphones.

Additional trends highlighted in the report included:

The new, sophisticated face of cyber crime — From a security standpoint, 2010 is most remembered as a year marked by some of the most high profile, targeted attacks that the industry has ever witnessed.

A couple of days ago, Trend Micro reported an attack that appeared to be targeted and that involved email messages sent through a Webmail service. Upon further investigation, Trend Micro was able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

“The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines,” Karl Dominguez, Trend Micro’s Threat Response Engineer said in a blog post.

The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

“The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field,” Dominguez opined.

The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user’s email messages to a certain email address. The email message forwarding, however, will only work during the session wherein the script was executed and will stop once the user logs off.

The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the said bug.

Dominguez said, “We analyzed the embedded crafted code before the actual email message’s content and discovered that once Hotmail’s filtering mechanism works on the code, it ironically helps inject a character into the CSS parameters to convert the script into two separate lines for further rendering in the Web browser’s CSS engine. This allows the cybercriminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail login session.”

Microsoft has already acknowledged the presence of the vulnerability and has released a security update to address the issue.
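The root cause described above is a general failure class: a sanitizer that rewrites untrusted CSS can itself assemble a token that a single pass never saw. The following added example (not Trend Micro's or Microsoft's code, and not the actual Hotmail filter) uses a constructed toy filter for the legacy `expression(` CSS token to show how a defender tests for this: check that the sanitizer is idempotent, and prefer re-running to a fixed point or rejecting outright over single-pass rewriting.

```python
import re

# Constructed illustration of the bug class, not Hotmail's real filter.
# The dangerous token is the legacy IE CSS scripting hook "expression(".
DANGEROUS = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_filter(css: str) -> str:
    """Single-pass removal: a rewriting sanitizer that is not idempotent.
    Deleting one occurrence can splice the surrounding text into a new
    occurrence, so the filter 'helps' build the very token it removes."""
    return DANGEROUS.sub("", css)


def fixpoint_filter(css: str, max_rounds: int = 10) -> str:
    """Re-run the rewrite until the output stops changing, so no token can
    emerge from the filter's own edits. Bail out if it fails to converge."""
    for _ in range(max_rounds):
        cleaned = DANGEROUS.sub("", css)
        if cleaned == css:
            return cleaned
        css = cleaned
    raise ValueError("sanitizer did not converge; reject the input")


def reject_filter(css: str) -> str:
    """Refuse rather than rewrite: the safest policy when the renderer's
    parsing of partially edited CSS is not fully understood."""
    if DANGEROUS.search(css):
        raise ValueError("dangerous CSS token present")
    return css


def is_idempotent(sanitizer, sample: str) -> bool:
    """Property every safe sanitizer must satisfy: one pass == two passes."""
    once = sanitizer(sample)
    return sanitizer(once) == once


def output_is_clean(sanitizer, sample: str) -> bool:
    """Does the dangerous token survive (or appear) after one pass?"""
    return DANGEROUS.search(sanitizer(sample)) is None


# Constructed test input: the token is split so that removing the inner
# copy joins the outer halves into a fresh "expression(".
SAMPLE = "width: expresexpression(sion(alert(1))"
```

Running `is_idempotent` and `output_is_clean` over a corpus of such split-token samples is a cheap regression test to add wherever a filter edits content instead of rejecting it.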