Latest Hacking News

Outpost24 researchers find major flaws in Sauter SCADA systems

Flaws in Sauter’s moduWEB Vision SCADA product can be exploited by remote attackers to take full control of the product. The flaws were identified by researchers at vulnerability management company Outpost24.

Sauter is a Switzerland-based company that specializes in building automation and system integration products. moduWEB Vision is a web-based visualization solution designed to allow users to operate and monitor building technologies remotely.

One of the flaws is that, while Sauter instructs users to change the password of the administrator account, the product also ships with other default accounts that are not covered in the vendor’s documentation, which leaves them open to attackers.

An attacker who logs in with one of these accounts can reset the system to its default configuration, change the configuration or disable devices, and modify all passwords.

Attackers do not need to crack the password hash to access the admin account; they can use the hash directly to authenticate to the system.

The research team also found that some passwords are transmitted in clear text (CVE-2015-7915) when the password field is populated while the “keep me logged in” feature is enabled, although this feature is only enabled in newer versions of the SCADA system.

In addition, an attacker can leverage a persistent cross-site scripting vulnerability in the user and event management panels to elevate privileges and execute commands on behalf of an administrator.

Installations of the product are exposed to the internet, which makes them easy to locate because the product runs on a web server that returns distinctive header information.

The vendor has released firmware version 1.6.0 to address the issues, but Outpost24 maintains that some of the vulnerabilities remain unpatched.

The vulnerabilities were reported to the company in April of last year.

5,200 affected after unauthorized access of Neiman Marcus Group's websites

Neiman Marcus Group (NMG) has reported unauthorized access to online customer accounts on its websites Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP.

According to the public notice released by the company on Jan. 29, 2016, approximately 5,200 accounts have been affected. The compromised information includes usernames, passwords, names, mailing addresses, phone numbers, the last four digits of payment cards, and purchase histories.

No sensitive information such as Social Security numbers, dates of birth, financial account numbers, or PINs is visible through the online accounts.

The websites were breached on or around Dec. 26, 2015, when an unauthorized individual gained access by using automated attacks to try various login and password combinations. As a result, the hacker was able to make purchases on approximately 70 of these accounts.

The company's senior vice president, Lindy Rawlinson, said in a letter to customers that the company's fraud team “has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase.”

The company has taken steps to limit the ability of the threat actors to access customer accounts, and has initiated a comprehensive response and investigation to understand the scope of the incident.

The company has also asked its customers to change their passwords on all NMG websites and on any other site that uses the same username and password combination.
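The NMG incident describes automated login attempts across many accounts, with a small number of successes. The following is an added example, not part of the original article or NMG's own tooling, of the kind of detection a defender would run over web login logs to catch such credential stuffing: it flags a source IP that tries many distinct usernames in a short window with a high failure rate, and lists the accounts that nevertheless logged in successfully during that burst (the ones whose passwords should be reset). The log line format, the window size and the thresholds are assumptions, and the sample log lines are constructed for the example.

```python
"""Credential-stuffing detector over web login logs (added example; log format assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The "ts ip= user= result=" format is an assumption
# made for this example, not the format of any real NMG system.
SAMPLE_LOG = """\
2015-12-26T03:14:07Z ip=203.0.113.5 user=alice result=FAIL
2015-12-26T03:14:08Z ip=203.0.113.5 user=bob result=FAIL
2015-12-26T03:14:09Z ip=203.0.113.5 user=carol result=FAIL
2015-12-26T03:14:10Z ip=203.0.113.5 user=dave result=OK
2015-12-26T03:14:11Z ip=203.0.113.5 user=erin result=FAIL
2015-12-26T03:14:12Z ip=203.0.113.5 user=frank result=FAIL
2015-12-26T03:14:13Z ip=203.0.113.5 user=grace result=OK
2015-12-26T03:20:00Z ip=198.51.100.7 user=alice result=FAIL
2015-12-26T03:20:30Z ip=198.51.100.7 user=alice result=OK
2015-12-26T04:00:00Z ip=192.0.2.9 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: {"users_tried", "failures", "compromised"}} for every source IP that,
    inside one sliding window, attempted at least `min_users` distinct usernames with a
    failure ratio of at least `min_fail_ratio`. "compromised" lists the usernames that
    logged in successfully from that IP during the flagged window.
    Thresholds are assumed values for the example, not tuned production settings."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e[2] for e in window_evs}
            fails = sum(1 for e in window_evs if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(window_evs) >= min_fail_ratio:
                # Keep the widest window seen for this IP so the report covers the whole burst.
                if ip not in findings or len(users) > findings[ip]["users_tried"]:
                    findings[ip] = {
                        "users_tried": len(users),
                        "failures": fails,
                        "compromised": sorted({e[2] for e in window_evs if e[3] == "OK"}),
                    }
    return findings


def accounts_to_reset(findings):
    """Union of all accounts that authenticated successfully inside a stuffing burst."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['users_tried']} usernames, {info['failures']} failures, "
              f"successful logins: {info['compromised']}")
    print("force password reset for:", accounts_to_reset(found))
```

In the constructed sample, 203.0.113.5 is flagged (seven usernames in six seconds, five failures) and the two accounts that succeeded during that burst are reported for reset, while the single user retrying their own password from 198.51.100.7 is not flagged. In production the same logic would run on a stream rather than a full buffer, and the thresholds would be tuned against the site's normal login mix.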

Flaw in Westermo Industrial Switches puts customer devices at risk

The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed last week that Westermo Ethernet industrial switches use secure sockets layer (SSL) private keys that are hardcoded and shared across devices.

Westermo, a Sweden-based company, is a supplier of high-quality data communications equipment designed for harsh industrial applications. The firm’s solutions are used across the world in sectors such as transport, water, energy supply, mining and petrochemicals.

ICS-CERT found that, because the same SSL keys are shared, malicious actors can intercept and decrypt communications via a man-in-the-middle (MitM) attack and leverage the information to gain unauthorized access to a vulnerable device.

Even a low-skilled attacker can exploit this flaw if they manage to carry out a successful MitM attack against devices running versions 4.18 and earlier of WeOS, the operating system that powers Westermo’s hardware platforms.

The affected products are Falcon, Wolverine, Lynx, Viper and RedFox.

The company is working on a permanent fix, an automated key-change function that will be included in WeOS 4.19; in the meantime the vendor has released an update that allows users to replace the problematic certificate through the web interface of the affected devices.

Meanwhile, users have been advised to update WeOS to the latest version and to upload a custom certificate by following the vendor’s instructions.

Westermo has also advised its customers to avoid self-signed certificates and to either disable web access to the devices entirely or restrict it to secure networks.

BlackEnergy malware behind power outages in Ukraine

The advanced persistent threat (APT) actor that has recently targeted Ukraine has started delivering BlackEnergy malware using specially crafted Word documents with embedded macros.

BlackEnergy malware, which is believed to be operated by multiple groups, has adopted sophisticated tools, and its operators have been targeting energy and ICS/SCADA companies across the world. Recently they have been seen targeting Ukraine's critical infrastructure.

In December, a BlackEnergy malware attack resulted in a power failure in the Ivano-Frankivsk region. Alongside BlackEnergy on the affected systems, investigators found the KillDisk plugin, which is designed to delete data and render systems inoperable. Researchers believe that the malware together with other plugins, rather than the malware alone, was responsible for the power outages.

Cys Centrum, a Ukrainian security firm, reported that the attackers used PowerPoint presentations to deliver the malware. Usually the threat actors embedded macros in Excel spreadsheets to deliver the Trojan to targeted systems.

More recently, Kaspersky Lab reported that the attackers used specially crafted Microsoft Word documents: they attached malicious code to Word documents and sent them via email to potential victims.

The document was crafted so that when it was uploaded to an online scanner, very few security scanners flagged it as a threat, so it passed through security systems with ease.

When the document is opened by the user, it warns them that macros have been disabled for security reasons and that they have to enable them; once macros are enabled, an executable file named "vba_macr.exe" is created and installed on the system.

Security firm SentinelOne even concluded that internal actors may have played a role in helping the BlackEnergy attackers, especially in operations aimed at SCADA systems.

“The only two options then to carry out the attack is – target a victim’s machine that was not patched, or get an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network. At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor,” SentinelOne said in its report.

Udi Shamir, Chief Security Officer at SentinelOne, told SecurityWeek that a new attack targeting a Ukrainian power facility was detected very recently, but that the company does not yet have the complete details.
