(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

An overview of Crash Override/Industroyer, including the four international specifications it uses to communicate with electric grid devices all over the world. (credit: Eset)

Last December, hackers with suspected ties to Russia caused a power outage in Ukraine in a deliberate attempt to leave households without electricity during what's typically one of the coldest months of the year. Now, the advanced malware that triggered the power failure has been found in the wild. This discovery is prompting concerns that the attack tools could be repurposed or reused in new sabotage operations, possibly by unrelated hacking groups.

"Crash Override," as security firm Dragos has named the tool platform, is the first known malware framework designed to attack electric grid systems. Dragos researchers said it was used successfully in a December 17 hack on an electric transmission substation in Kiev that may have been a dress rehearsal. While the Kiev outage lasted only a few hours, several features of the malware that weren't turned on in the December hack have the potential to cause disruptions that persist for as long as a week. Crash Override is a completely new platform, far more advanced than the general-purpose tools the same group used to attack Ukraine's power grid in December 2015.

What makes Crash Override so sophisticated is its ability to use the same arcane technical protocols that individual electric grid systems rely on to communicate with one another. As such, the malware is more notable for its mastery of the industrial processes used by global grid operators than its robust code. Its fluency in the low-level grid languages allowed it to instruct Ukrainian devices to de-energize and re-energize substation lines, a capability not seen in the attack a year earlier that used a much cruder set of tools and techniques. The concern is that "Industroyer"—the other name given to the malware—can be used against a broad range of electric systems around the world.


 
VMware vSphere Data Protection CVE-2017-4914 Command Execution Vulnerability
 

If you would like to practice memory forensics using Volatility but you don't like command line tools and you hate to remember plugins, then VolUtility is your friend.

VolUtility [1] is a web frontend for the Volatility framework.

Installation

In this diary, I will install VolUtility on the Linux SIFT [2] workstation.

  1. Update your SIFT workstation and install Django:

     $ sudo apt-get update

  2. Install MongoDB:

     In this diary I am not going to discuss how to install MongoDB; for further details about

  3. Install the Volatility framework:

     $ git clone https://github.com/volatilityfoundation/volatility
     $ cd volatility
     $ sudo python setup.py install

  4. Clone VolUtility:

     $ git clone https://github.com/kevthehermit/VolUtility

Configuration

In this diary I am going to use the default config file volutility.conf.sample.

$ ./manage.py runserver 0.0.0.0:8000

Enter a name for the session and the location of the memory image; for the profile you can either specify it or choose autodetect, then click on the submit button.

You have to wait a few minutes until it finishes processing the image; once finished, the status will change to Complete.

To examine the image, click on the session name; in this diary it is SANS ISC.

Now let

And you can of course filter your results using tools such as MS Excel.
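As an added example that is not part of the diary, here is a small POSIX shell wrapper for the install and start-up steps above: it checks the prerequisites first, makes the clones safe to re-run, and binds Django's runserver to 127.0.0.1 rather than 0.0.0.0, because runserver is a development server and the UI exposes the contents of every memory image it has processed. INSTALL_ROOT, BIND_ADDR and the function names are assumptions of this example, not part of VolUtility.

```shell
#!/bin/sh
# Added example (not the diary's own steps): clone Volatility and VolUtility on a
# SIFT-style host and start the UI on loopback only, so the web front end and the
# memory images it indexes are not reachable over the network. INSTALL_ROOT,
# BIND_ADDR and the function names are this example's assumptions.
set -eu
INSTALL_ROOT="${INSTALL_ROOT:-${HOME:-/tmp}/tools}"   # assumption: where the repos go
BIND_ADDR="${BIND_ADDR:-127.0.0.1:8000}"              # loopback, instead of 0.0.0.0

# Return 0 if a command is on PATH, 1 otherwise.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Check the prerequisites the diary relies on; report each missing one on
# stderr and return 1 if anything is missing, 0 otherwise.
check_prereqs() {
    missing=0
    for tool in git python mongod; do
        if ! have_cmd "$tool"; then
            echo "missing prerequisite: $tool" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Clone a repository only if it is not already present, so re-runs are harmless.
clone_if_absent() {
    url="$1"; dest="$2"
    if [ -d "$dest/.git" ]; then
        echo "already cloned: $dest"
    else
        git clone "$url" "$dest"
    fi
}

# Steps 3 and 4 of the diary: Volatility from source, then the VolUtility checkout.
install_volutility() {
    check_prereqs
    mkdir -p "$INSTALL_ROOT"
    clone_if_absent https://github.com/volatilityfoundation/volatility "$INSTALL_ROOT/volatility"
    (cd "$INSTALL_ROOT/volatility" && sudo python setup.py install)
    clone_if_absent https://github.com/kevthehermit/VolUtility "$INSTALL_ROOT/VolUtility"
}

# Start Django's development server, bound to the loopback address only.
start_volutility() {
    cd "$INSTALL_ROOT/VolUtility" && ./manage.py runserver "$BIND_ADDR"
}
```

Run `install_volutility` once, then `start_volutility`; to reach the UI from another machine, put a proper reverse proxy with authentication in front instead of changing BIND_ADDR back to 0.0.0.0.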

    _______________________________________________________

    [1] https://github.com/kevthehermit/VolUtility/wiki

    [2] https://digital-forensics.sans.org/community/downloads


 
GStreamer Bad Plug-ins CVE-2016-9813 NULL pointer Dereference Remote Denial of Service Vulnerability
 
GStreamer Bad Plug-ins CVE-2016-9447 Buffer Overflow Vulnerability
 
PHP 'main/php_ini.c' Denial of Service Vulnerability
 
D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability
 
VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability
 
Evolution Script CMS v5.3 - Cross Site Scripting Vulnerability
 
Zenbership 1.0.8 CMS - Multiple SQL Injection Vulnerabilities
 
[SECURITY] [DSA 3876-1] otrs2 security update
 
[security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities
 
[SECURITY] [DSA 3877-1] tor security update
 
[security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Server using Samba, Multiple Remote Vulnerabilities
 
[SECURITY] [DSA 3875-1] libmwaw security update
 