(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


A surprisingly large number of critical infrastructure participants—including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers—rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage.

Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory control and data acquisition system belonging to one of the world's biggest chemical companies sent a page containing a complete "stack dump" of one of its devices.

Other unencrypted alerts sent by or to "several nuclear plants scattered among different states" included:


 

(Image caption: We're also mad you're connected to the Internet, toaster et al. Credit: Disney)

Welcome to the Internet of Evil Things. The attack that disrupted much of the Internet on October 21 is still being teased apart by investigators, but evidence thus far points to multiple "botnets" of Internet-connected gadgets being responsible for blocking access to the Domain Name Service (DNS) infrastructure at DNS provider Dyn. Most of these botnets—coordinated armies of compromised devices that sent malicious network traffic to their targets—were controlled by Mirai, a self-spreading malware for Internet of Things (IoT) devices.

In a blog post on the attack, Dyn reported that "tens of millions" of devices were involved in the attack.

But other systems not matching the signature of Mirai were also involved in the coordinated attack on Dyn. "We believe that there might be one or more additional botnets involved in these attacks," Dale Drew, CSO of Level 3 Communications, told Ars. "This could mean that they are 'renting' several different botnets to launch an attack against a specific victim, in which multiple other sites have been impacted."


 
Joomla! Core CVE-2016-8869 Remote Privilege Escalation Vulnerability
 
Cloudera Manager CVE-2016-4949 Information Disclosure Vulnerability
 
Cloudera HUE CVE-2016-4947 User Enumeration Vulnerability
 
Cloudera HUE CVE-2016-4946 HTML Injection Vulnerability
 
QEMU 'fw_cfg_write()' Function Remote Code Execution Vulnerability
 
QEMU CVE-2016-2392 Null Pointer Dereference Denial of Service Vulnerability
 
QEMU 'ne2000.c' CVE-2016-2841 Denial of Service Vulnerability
 
Qemu 'rng-random.c' Denial of Service Vulnerability
 
 
Adobe Flash Player CVE-2016-6992 Type Confusion Remote Code Execution Vulnerability
 
Adobe Flash Player CVE-2016-4286 Unspecified Security Bypass Vulnerability
 
Adobe Flash Player APSB16-32 Multiple Unspecified Memory Corruption Vulnerabilities
 
CVE-2016-6804 Apache OpenOffice Windows Installer Untrusted Search Path
 
Adobe Acrobat and Reader APSB16-33 Use-After-Free Multiple Remote Code Execution Vulnerabilities
 
Quagga CVE-2016-1245 Buffer Overflow Vulnerability
 
WordPress e-search Plugin 'date_select.php' Cross Site Scripting Vulnerability
 
systemd CVE-2016-7796 Local Denial of Service Vulnerability
 
AlienVault USM/OSSIM CVE-2016-8583 Multiple Cross Site Scripting Vulnerabilities
 
Multiple AlienVault Products 'widgets/data/gauge.php' SQL Injection Vulnerability
 
Alienvault OSSIM/USM CVE-2016-8581 HTML Injection Vulnerability
 
QEMU '/hw/net/mipsnet.c' Remote Buffer Overflow Vulnerability
 
QEMU 'block/iscsi.c' Heap Based Buffer Overflow Vulnerability
 
QEMU CVE-2016-4037 Denial of Service Vulnerability
 
QEMU CVE-2016-4441 Remote Code Execution Vulnerability
 
wincvs-2.0.2.4 Privilege Escalation
 
Foreman CVE-2016-8613 HTML Injection Vulnerability
 

In my last diary[1], I gave an example of an uncommon spam message. But attackers always have new ideas for delivering their malicious content to us. Here are two new examples. October being Cyber Security Awareness Month[2], more examples are always welcome.

The first one was delivered as an NDR message (Non-Delivery Receipt):

From: Bounced mail
To: [email protected]
Subject: Mail System Error - Returned Mail
Date: Fri, 21 Oct 2016 22:08:23 +0530
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: [email protected]
[...]: UNKNOWN
X-Loop: handlermail

Your message was not delivered due to the following reason(s):

Your message could not be delivered because the destination server was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 1 days:
Server 32.80.249.78 is not responding.

The following recipients could not receive this message:

Please reply to [email protected] if you feel this message to be in error.

Attached to this mail was a malicious ZIP file with a .pif file inside.

The second example uses a SharePoint lure. The link points to hxxp://thekchencholing.org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations, and people could be lured by this kind of message.
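Two tells in this lure can be checked automatically: a well-known brand name sitting in the URL path rather than in the host, and a base64-looking wreply parameter. The Python below is an added example written for this page, not the diary author's code; the URL and the wreply value are constructed stand-ins for the real ones, and the brand list is an assumption.

```python
import re
from base64 import b64decode
from urllib.parse import urlparse, parse_qs

# Assumption: brands that commonly appear in phishing lures. A host is only
# "legitimate" if it ends with one of these; the name showing up in the path
# (as in the diary's lure) is the suspicious case.
BRAND_DOMAINS = ("sharepoint.com", "microsoft.com")

# Constructed sample modelled on the diary's lure (not the real URL); the
# hxxp scheme is the defanged form used in the diary text.
SAMPLE_URL = ("hxxp://compromised-site.invalid/.https/www/sharepoint.com/sites/"
              "shareddocument/SitePages/Home.aspx/index.php"
              "?wreply=dmljdGltQGV4YW1wbGUuY29tDQ==")


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def brand_in_path(url):
    """Return brand domains that appear in the path/query but not in the host."""
    parts = urlparse(refang(url))
    host = parts.hostname or ""
    rest = (parts.path + "?" + parts.query).lower()
    hits = []
    for brand in BRAND_DOMAINS:
        host_is_brand = host == brand or host.endswith("." + brand)
        if brand in rest and not host_is_brand:
            hits.append(brand)
    return hits


def decode_wreply(url):
    """Decode a base64 'wreply' parameter, tolerating missing '=' padding.

    Returns None when the parameter is absent or is not valid base64, so the
    caller can treat 'undecodable' as a separate signal from 'not present'.
    """
    query = parse_qs(urlparse(refang(url)).query)
    value = query.get("wreply", [None])[0]
    if not value:
        return None
    try:
        raw = b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", "replace").strip()
```

Running brand_in_path on the constructed URL flags "sharepoint.com" because the host is unrelated to it, while a genuine tenant host such as contoso.sharepoint.com is not flagged.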

Most spam campaigns are easy to detect, but some messages, when properly crafted, may easily lure the victim. We are never far from an unfortunate click. Stay safe!

[1]https://isc.sans.edu/forums/diary/Spam+Delivered+via+ICS+Files/21611/
[2]https://www.dhs.gov/national-cyber-security-awareness-month

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

