Google researchers say they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. From a report: Variston IT bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices.

According to a report from Google's Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven't yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.

wiredmikey writes: The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers. A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation. Privately owned ICS security firm Dragos issued a separate notice documenting what is now the seventh known industrial control system (ICS)-specific malware. "[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment," the company said.

Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA. From a report: The attacks -- which had been previously unreported -- took place in March, July, and August and hit facilities in Nevada, Maine, and California, respectively. The attacks led to the threat actors encrypting files, and in one case, even corrupting a computer used to control the SCADA industrial equipment deployed inside the treatment plant. The three new incidents were listed as examples of what could happen when water treatment facilities ignore and fail to secure their computer networks.

An anonymous reader quotes a report from Ars Technica: The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported. The computer intrusion happened last Friday in Oldsmar, a Florida city of about 15,000 that's roughly 15 miles northwest of Tampa. After gaining remote access to a computer that controlled equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide -- a caustic chemical better known as lye -- by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.

According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA -- short for "supervisory control and data acquisition" -- system. What's more, the computer had no firewall installed and used a password that was shared among employees for remotely logging into city systems with the TeamViewer application. [...] The revelations illustrate the lack of security rigor found inside many critical infrastructure environments. In January, Microsoft ended support for Windows 7, a move that ended security updates for the operating system. Windows 7 also provides fewer security protections than Windows 10. The lack of a firewall and a password that was the same for each employee are also signs that the department's security regimen wasn't as tight as it could have been.

darthcamaro writes: Apparently YouTube isn't the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via an cryptojacking attack that was undetected for three weeks. eWeek reports: "At this point, Radiflow's (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow's CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems." Radiflow doesn't know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco's Talos research group revealed that some of the top un-authorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems. From a report: SCADA vendor Wonderware admitted that Redmond's Meltdown patch made its Historian product wobble. "Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC," an advisory on Wonderware's support site explains. Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont.

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.
Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.

An anonymous reader quotes CyberScoop: The FBI has been briefing private sector companies on intelligence claiming to show that the Moscow-based cybersecurity company Kaspersky Lab is an unacceptable threat to national security, current and former senior U.S. officials familiar with the matter tell CyberScoop... The FBI's goal is to have U.S. firms push Kaspersky out of their systems as soon as possible or refrain from using them in new products or other efforts, the current and former officials say.

The FBI's counterintelligence section has been giving briefings since beginning of the year on a priority basis, prioritizing companies in the energy sector and those that use industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. In light of successive cyberattacks against the electric grid in Ukraine, the FBI has focused on this sector due to the critical infrastructure designation assigned to it by the Department of Homeland Security... The U.S. government's actions come as Russia is engaged in its own push to stamp American tech giants like Microsoft out of that country's systems.
Meanwhile Bloomberg Businessweek claims to have seen emails which "show that Kaspersky Lab has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted" -- and that Kaspersky Lab "confirmed the emails are authentic."

Kaspersky Lab told ZDNet they have not confirmed the emails' authenticity. A representative for Kaspersky Lab says that the company does not have "inappropriate" ties with any government, adding that "the company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime."

A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday. From the report: When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine. Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters. "The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion," Ukrenergo said.

Joseph Cox, reporting for Motherboard: After details emerged of Stuxnet, arguably the world's first digital weapon, there were concerns that other hackers would copy its techniques. Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Although the copycat malware -- dubbed IRONGATE by cybersecurity company FireEye -- only works in a simulated environment it, like Stuxnet, replaces certain types of files, and was seemingly written to target a specific control system configuration. [...] IRONGATE works within a simulated Siemens environment called PLCSIM, used for testing programs before they are pushed out into the field. Like Stuxnet, IRONGATE replaces a Dynamic Link Library (DLL), a small collection of code that can be used by different programs at the same time, with a malicious one of its own. IRONGATE's DLL records five seconds of traffic from the Siemens' system to the user interface, and replays it over again, potentially tricking whoever is monitoring the system into thinking everything is fine, while the malware might manipulate something else in the background.Dark Reading's coverage on this is also worth a read.

An anonymous reader writes: Verizon's RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times. The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design, and the payments app contained an INI file with the administrative password for the central router, from where the hackers reached the water treatment SCADA equipment. Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.

snydeq writes: Stuffing bits in databases is boring, InfoWorld's Peter Wayner writes, so why not program everything around you? "The barrier between bits and atoms is disappearing, with programmers no longer confined to the virtual realm, in part thanks to the Internet of things becoming more real. Now we can do more than write ones and zeros to a disk: We can actually write code that tells a machine how to extrude, cut, bend, or morph atoms," Wayner writes in a survey of programming languages. "Rapidly developing domains such as autonomous cars, smart homes, intelligent office spaces, and mass customization require programmers to be savvy about how changes in data structures can lead to changes in objects. If the term "object-oriented programming" weren't already taken, it would be perfect."

itwbennett writes: Researchers from Rapid7 have discovered a vulnerability in serial-to-IP gateway devices from Advantech that would allow the Internet-connected industrial devices to be accessible to anyone, with no password. In October, the Taiwanese firm patched the firmware in some of these devices to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers. But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world.

chicksdaddy writes: The world's governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don't make an adversary's job easier." iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge valuable information to adversaries like organization charts or lists of employees — valuable sources of information for would-be attackers, says McBride. That kind of slip-up have aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran's uranium enrichment operation – what an expert once described as "intel to die for."

An anonymous reader writes: A project called 'Gridstrike' found that free and publicly available information can be used to determine the most critical electric substations in the US, which if attacked, could result in a nationwide blackout. Researchers from iSIGHT Partners used a combination of publicly available transmission substation information, maps, Google Earth, and grid congestion documentation, and drew correlations among the substations that serve the top ten cities in the US. They ID'ed 15 substations that if attacked and knocked offline would result in a nationwide blackout, they say. Their research took the spin of whether a homegrown terror group with little funding could get this crucial information. The study was inspired by the 2013 Federal Energy Regulatory Commission (FERC) study in 2013 that found that attacks on just nine electric substations in the U.S. could cause a blackout across the entire grid.

jmulvey writes: Think your SCADA systems are outdated? Environmental monitoring at 19 Grand Rapids Public Schools are still controlled by a Commodore Amiga. Programmed by a High School student in the 1980s, the system has been running 24/7 for decades. A replacement has been budgeted by the school system, estimated cost: Between $1.5 and 2 million. How much is your old Commodore Amiga worth?

An anonymous reader writes: Millions of smart meters, solar panels, and other grid-based devices rely on the Open smart grid protocol for communication and control — it's similar to SCADA's role for industrial systems. But new research shows that its creators made the common mistake of rolling their own encryption, and doing a poor job of it. The researchers believe this threatens the entire system. They say, "This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever." Security analyst Adam Crain added, "Protocol designers should stick to known good algorithms or even the 'NIST-approved' short list. In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials."

An anonymous reader writes: A recently released report (PDF) by the U.S. Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). The report found that while the "FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment [...] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems."

New submitter PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.

An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.