Cyber Research

Cyber News

Cyber Info


June, 2016

In this issue

* Irongate ICS Malware Steals From Stuxnet Playbook

* Iranian and Saudi hackers wage virtual war

* SWIFT threatens to give insecure banks a slap if they don't shape up

* No hacking required: Israeli researchers show how to steal data through PC components

* Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net.


Irongate ICS Malware Steals From Stuxnet Playbook

June 2, 2016

New malware that targets industrial control systems called Irongate was found by researchers who say the discovery should serve as another wakeup call to the security industry to shore up its detection capabilities around ICS and SCADA threats.

Irongate, which shares some of the same attributes as the lethal Stuxnet malware, was found by researchers at FireEye Labs Advanced Reverse Engineering which published its findings today. FireEye said the malware does not currently pose a threat because it was designed with the single purpose of running within Siemens simulated control system environments. But researchers say the malware has gone undetected for years, collecting dust in Google’s VirusTotal database.

“Our ability as an industry to understand and detect threats is improving, but it’s not sufficient as evidenced by an example such as this,” said Rob Caldwell, manager of FireEye Labs Advanced Reverse Engineering. “We need to get better at understanding what the threats are to industrial control systems and how to detect them to better defend against them.”

Irongate’s key attributes include its ability to perpetrate a man-in-the-middle attack against process input and output, along with attacking process operator software within industrial simulations, according to FireEye. An Irongate-compromised system could give attackers the ability to alter industrial controls unbeknownst to the system operator. Those types of techniques have been used in the past to sabotage everything from power grids to logic controllers in nuclear centrifuges.

Researchers stumbled onto the malware on VirusTotal in late 2015 while researching droppers compiled with PyInstaller. That’s when FireEye researchers spotted the Irongate sample and noticed a close relationship to SCADA (supervisory control and data acquisition) applications and other industrial control system malware. Investigating the malware further, FireEye researchers noticed that Irongate was submitted to VirusTotal in 2012 and since then had gone undetected.

A technical analysis of the malware revealed a man-in-the-middle attack designed specifically for a custom-compiled user application in a Siemens Step 7 PLC simulation environment. FireEye researchers also found the introduction of a malicious DLL capable of masking malicious behavior of the malware. That DLL had the ability to record five seconds of “normal” traffic from a simulated PLC (programmable logic controller). An attacker could then replay the “normal” traffic to conceal the fact they were sending hardcoded data back to the simulated hardware unnoticed, FireEye said.
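The masking step described above (record a short clip of genuine PLC traffic, then loop it back to the operator while something else is sent to the process) has a simple defensive counterpart: genuine sensor readings carry noise and never repeat exactly, so a process-history stream in which the same block of values recurs back-to-back is worth an alert. The example below is added here and is neither FireEye's analysis code nor anything from Irongate; the tag trace, the 10 Hz polling rate and the 5-second clip length are constructed assumptions, and the detector generalizes the idea by scanning a range of candidate clip lengths rather than assuming five seconds.

```python
"""Detecting a replayed 'normal' window in a process-value stream.

Added example (not FireEye's or Irongate's code): models the masking trick
(record a clip of real traffic, loop it back to the operator) and a detector
for it. Every reading below is constructed; nothing here is real PLC data.
"""
import random

SAMPLE_RATE_HZ = 10          # assumed polling rate of the simulated PLC tag
REPLAY_SECONDS = 5           # the clip length the article describes


def make_trace(seconds=30, seed=7):
    """Constructed tag history: a level reading around 50.0 with sensor noise."""
    rng = random.Random(seed)
    return [round(50.0 + rng.gauss(0.0, 0.3), 2)
            for _ in range(seconds * SAMPLE_RATE_HZ)]


def inject_replay(trace, start, seconds=REPLAY_SECONDS, repeats=3):
    """Model the masking: the clip recorded at `start` is looped `repeats` times
    over what the operator sees, hiding whatever is really sent to the process."""
    n = seconds * SAMPLE_RATE_HZ
    clip = trace[start:start + n]
    masked = list(trace)
    for r in range(repeats):
        masked[start + r * n:start + (r + 1) * n] = clip
    return masked


def _blocks_match(a, b, tol):
    return len(a) == len(b) and all(abs(x - y) <= tol for x, y in zip(a, b))


def detect_replay(trace, period_samples, min_repeats=2, tol=1e-9, min_spread=0.05):
    """Return (start_index, repeats) for the first position where a block of
    `period_samples` readings is repeated back-to-back at least `min_repeats`
    times, or None. Blocks flatter than `min_spread` are skipped: a genuinely
    idle signal repeats trivially and is a different anomaly (a stuck sensor)."""
    n = period_samples
    for i in range(0, len(trace) - n * min_repeats + 1):
        block = trace[i:i + n]
        if max(block) - min(block) < min_spread:
            continue
        reps = 1
        while (i + (reps + 1) * n <= len(trace)
               and _blocks_match(block, trace[i + reps * n:i + (reps + 1) * n], tol)):
            reps += 1
        if reps >= min_repeats:
            return i, reps
    return None


def scan_for_replay(trace, min_seconds=1, max_seconds=10):
    """Try every candidate clip length in the range; real sensor noise never
    repeats exactly, so any hit is worth an alert. Returns (period_s, start, reps)."""
    for period_s in range(min_seconds, max_seconds + 1):
        hit = detect_replay(trace, period_s * SAMPLE_RATE_HZ)
        if hit:
            return (period_s,) + hit
    return None


if __name__ == "__main__":
    clean = make_trace()
    masked = inject_replay(clean, start=100)
    print("clean trace:", scan_for_replay(clean))    # None
    print("masked trace:", scan_for_replay(masked))  # (5, 100, 3)
```

The `min_spread` guard matters in practice: a tag that genuinely sits at a constant value would otherwise trip the detector on every poll, and that condition (a stuck or disconnected sensor) deserves its own, separate alert rather than a replay alert.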

But Irongate really surprised research analysts when they discovered the malware designed for industrial control systems began to act more like conventional malware. When Irongate was introduced to a VMware or Cuckoo Sandbox environment via a dropper, the malware attempted to avoid detection by staying dormant and not running. “While Stuxnet is orders of magnitude technically more advanced, Irongate borrows some similar traits,” said Sean McBride, senior threat intelligence analyst with FireEye.

Similarities between the two include being written for attacks against a specific control system. The two also share the ability to evade discovery by detecting the presence of antivirus software (in the case of Stuxnet) and VMs (for Irongate). Compared to just a handful of other industrial control system malware – such as BlackEnergy, Havex, and Stuxnet – Irongate remains toothless because it was created for the sole purpose of the Siemens simulated control system environment. So then, who created Irongate, put it on VirusTotal and why?

FireEye has three theories as to the origins of Irongate. One, a malicious actor was trying to entice someone to use and port the code from within the simulated Siemens control system environment to a real world deployment. Or, an attacker was testing Irongate in the simulated environment for use in a live environment and submitted it to VirusTotal to verify it couldn’t be detected. Lastly, FireEye said it strongly suspects it may have been a security researcher who abandoned their code on VirusTotal.

“There needs to be a lot more effort as an industry to find ICS threats,” said Dan Scali, senior manager at FireEye. “We have generally not seen a lot of progress since Stuxnet to address the issues that Irongate brings up. The concern is as the capability to do these types of attacks gets easier over time we need to bolster our defenses as a counterweight.”

More info https://threatpost.com/irongate-ics-malware-steals-from-stuxnet-playbook/118416/

Iranian and Saudi hackers wage virtual war

June 3, 2016


Video produced by Marcus Thompson

Tensions between Saudi Arabia and Iran have increased since the execution of Shia cleric Sheikh Nimr al-Nimr.

BBC Persian correspondent Siavash Ardalan and BBC Arabic correspondent Hanan Razek explain the politics of these two nations.

Read more at http://www.bbc.com/news/world-middle-east-35229325

SWIFT threatens to give insecure banks a slap if they don't shape up

June 3, 2016

Network also says it will impose 'baseline' security standards

The SWIFT global payments system has announced it plans to suspend banks with weaker cyber defences until they improve their security.

The threatened sanction follows a run of attacks on international banks over recent weeks, including the $81m mega-heist at the Bangladeshi Central Bank.

These cyber-heists relied on hackers using malware infecting bank terminals to obtain login credentials for the SWIFT messaging system, allowing crooks to send fraudulent transfer orders.

In response, SWIFT said it will "expand" its use of two-factor authentication as well as mandating “baseline” security standards, which financial institutions will be assisted in meeting.

SWIFT’s customer security programme will clearly define an operational and security baseline that customers must meet to protect the processing and handling of their SWIFT transactions. SWIFT will also continue to enhance its own products and services to provide customers with additional protection and detection mechanisms, and in turn help customers to meet these baselines.

Richard Brown, director of EMEA channels & alliances at DDoS mitigation vendor Arbor Networks, welcomed the tougher line and called for an increase in collaboration between international banks.

“This announcement from Swift will hopefully force banks to take even further steps to proactively assess and improve their security posture,” Brown said. “The financial services industry is one of the best at sharing threat intelligence and organisations such as CERT-UK are promoting this across different verticals. This style of collaborative approach against cybercriminals will be far more effective than each individual organisation fighting their own battle.”

Banks are already among the most heavily regulated organisations, thanks to regulations such as PCI and Sarbanes–Oxley. Brown reckons there’s still room for improvement.

“The news that Swift will not work with any banks with sub-standard security standards will be welcomed by the public, but also worry many financial institutions,” Brown said. “Banks are an attractive target for cybercriminals because of the money and valuable data they hold. Just this week we saw the Federal Reserve announce it has been hacked more than 50 times in the past five years, so it is clearly losing the battle against cybercriminals.”

David Kennerley, director of threat research at cybersecurity firm Webroot, added: “The monetary gains from financial cybercrime can be incredibly high. I hope this development represents a new chapter for Swift, understanding that good security posture of their payment ecosystem is reliant on more than just a ‘secure’ application. It’s also essential that the network and devices where the systems reside are as secure as possible – with users trained to spot and report anomalies as quickly as possible while following a well-defined set of security practices.”


SWIFT has consistently blamed affected banks for security breaches.

“SWIFT’s network, software and services have not been compromised; each case occurred after a customer suffered a series of security breaches within their locally managed infrastructure,” SWIFT said in its latest statement.

More Info http://www.theregister.co.uk/2016/06/03/swift_threatens_insecure_bank_suspensions/



No hacking required: Israeli researchers show how to steal data through PC components

June 2, 2016

A team of computer science researchers from the Israel Institute of Technology (a.k.a the Technion) developed a series of side-channel-attacks that can steal encryption keys by monitoring acoustic, electric, and electromagnetic signals generated by a PC.

Researchers claimed to have carried out the attacks on several public-key encryption schemes and digital-signature schemes using inexpensive and readily available equipment, according to a research paper contributed to the Association for Computing Machinery, a professional association. The attacks are unlikely and difficult to pull off, but possible, industry experts said.

In one attack, researchers were able to steal encryption keys by monitoring the acoustics of the “coil whine”, the vibrations caused by electronic components inside a PC as the voltages and currents passing through them fluctuate. The coil whine leaks keys during cryptographic operations because the noise is correlated with the ongoing computation, revealing which applications are running and what data is being processed, according to the paper.

“By recording such noise while a target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be extracted within one hour for a high-grade 4,096-bit RSA key,” researchers said in the paper.

The attack can be carried out from as far as 10 meters away using a parabolic microphone or from 30cm away through a plain mobile phone placed next to the computer.

In another attack, researchers were able to steal RSA and ElGamal keys after measuring how the electric potential energy of a laptop’s chassis fluctuates. This can be done directly through a plain wire connected to a conductive part of the laptop, or indirectly through any cable with a conductive shield attached to a port on the laptop, researchers said in the post.

An attacker could also steal RSA and ElGamal keys by monitoring the electromagnetic field radiated by the computer using a suitable electromagnetic probe antenna or even a plain consumer-grade AM radio receiver, researchers said.

Hardware countermeasures can be taken to defend against these attacks, such as sound-absorbing enclosures against the acoustic attacks, Faraday cages against the electromagnetic attacks, and insulating enclosures against the chassis and touch attacks. However, the researchers admitted that these countermeasures are expensive and cumbersome.

Software countermeasures include the use of algorithms and other software implementations that are designed so that leakage through the given channel will not convey useful information, researchers said.
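What "designed so that leakage through the given channel will not convey useful information" means in code is easiest to see on modular exponentiation, the operation at the heart of RSA and ElGamal: a naive square-and-multiply performs an extra multiplication only for 1 bits of the secret exponent, so any channel that distinguishes the two operations (acoustic, electric or electromagnetic) observes the exponent directly, whereas a Montgomery ladder performs the same multiply-then-square pair for every bit. The example below is added here and is not code from the Technion paper; it instruments a toy exponentiation so the operation sequence can be inspected, and includes the check a reviewer would apply: if the exponent can be read back from the operation log, the implementation fails the countermeasure. The `trace`, `bits_from_trace` and `leaks_exponent` names are this example's own. It only makes the operation sequence uniform; Python's big-integer arithmetic is not itself constant-time, so this is a model of the countermeasure, not a production implementation.

```python
"""Key-dependent operation sequences are what acoustic and EM side channels pick up.

Added example (not from the Technion paper): a toy modular exponentiation
instrumented to log which operation runs at each step, comparing a naive
square-and-multiply (log depends on the exponent bits) against a Montgomery
ladder (log is identical for every exponent of the same bit length).
Toy parameters only; Python integer arithmetic is not constant-time.
"""


def square_and_multiply(base, exp, mod, trace):
    """Naive left-to-right exponentiation: a multiply happens only on 1 bits."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result


def montgomery_ladder(base, exp, mod, trace):
    """Both branches do one multiply and one square, so the operation sequence
    an observer sees does not change with the exponent bits."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        else:
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        trace.append("M")
        trace.append("S")
    return r0


def trace_of(func, base, exp, mod):
    """Run one exponentiation and return (value, list of observed operations)."""
    trace = []
    value = func(base, exp, mod, trace)
    return value, trace


def bits_from_trace(trace):
    """Reviewer's check for the naive variant: every 'S' starts a new bit and an
    'M' immediately after it marks that bit as 1. If this reproduces the exponent,
    the operation sequence leaks the key."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits:
            bits[-1] = "1"
    return "".join(bits)


def leaks_exponent(func, base, mod, exponents):
    """True if exponents of equal bit length produce different operation traces,
    i.e. the sequence carries information about the secret."""
    traces = {tuple(trace_of(func, base, e, mod)[1]) for e in exponents}
    return len(traces) > 1


if __name__ == "__main__":
    # Constructed toy values: base 3, exponent 13 (binary 1101), modulus 1000.
    for name, func in (("square-and-multiply", square_and_multiply),
                       ("montgomery ladder", montgomery_ladder)):
        value, ops = trace_of(func, 3, 13, 1000)
        print(f"{name}: 3^13 mod 1000 = {value}, ops = {''.join(ops)}")
        print("  exponent readable from trace:", bits_from_trace(ops) == bin(13)[2:])
        print("  trace varies with exponent:", leaks_exponent(func, 3, 1000, [13, 9, 11]))
```

Both functions compute the same result; the difference is only in what an observer of the operation sequence learns, which is exactly the property the paper's software countermeasure targets. A real implementation additionally needs constant-time multiplication and blinding of the ciphertext and exponent, which this toy does not provide.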

The average person doesn’t have to worry about these kinds of attacks and most users can safely ignore the risks they present, Trend Micro Vice President of Cloud Research Mark Nunnikhoven told SCMagazine.com via emailed comments.

“The manner in which hardware processes data has always exposed some vulnerabilities,” he said. “There are things that manufacturers can do to reduce these possibilities, and they should protect their products when the solutions (increased insulation, shielding, etc.) are reasonable…that’s just good, secure design.”

Nunnikhoven said nevertheless that the attacks are real and can be carried out, but require specialized equipment and knowledge, and require the attacker and their equipment to be physically near the system in question for an extended period of time.

“Unlike average cybercrime campaigns and hacks, these attacks simply don’t scale and aren’t worth the attacker’s investment,” he said.

Nunnikhoven did say the attacks could be worth the investment for an attacker targeting governments and sensitive industries, and that these entities should invest in countermeasures such as cable isolation and physically securing systems in their data centres.

Read more: https://cybernewsgroup.co.uk/no-hacking-required-israeli-researchers-show-how-to-steal-data-through-pc-components/



Latest Cyber Security News

Individuals at Risk

Cyber Danger

FBI Alert: Extortion E-mail Schemes Tied to Recent High-Profile data thefts: The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via e-mail related to recent high-profile data thefts. The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions. The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200. IC3, June 1, 2016

Researcher shows updaters installed on PCs from top 5 OEMs provide inadequate cybersecurity protection: The next time you’re in the market for a new Windows computer, consider this: if it comes from one of the top five manufacturers, it’s vulnerable to man-in-the-middle attacks that allow hackers to install malware. [See below news article re Lenovo PCs] ars technica, June 1, 2016

Cyber Defense

Bing offers improved warnings for possible malware and phishing sites: Microsoft has added new features for users of its Bing search engine, warning them if sites in their search results could be possible malware or phishing locations. WindowsCentral, June 3, 2016

Lenovo tells users to uninstall vulnerable Accelerator app in response to OEM PC security flaws: In the wake of Duo Security’s report on the critical vulnerabilities sported by Original Equipment Manufacturer (OEM) updaters loaded on popular laptop and desktop computers, Lenovo has advised users to uninstall its Accelerator Application. HelpNetSecurity, June 3, 2016

Reminder: Use different passwords for different sites & change passwords periodically: Less than two weeks after more than 177 million LinkedIn user passwords surfaced, security researchers have discovered three more breaches involving MySpace, Tumblr, and dating website Fling that all told bring the total number of compromised accounts to more than 642 million. ars technica, May 31, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

FireEye CTO advises business to pay attention to the information security management basics: Instead of preventing further attacks, FireEye’s CTO of emerging technologies Josh Goldfarb says many organisations are just cleaning up infected devices, allowing them to undergo the same compromise again. ZDNet, June 3, 2016

When Technology Evolves, So Does Risk: The potential of our newest, most innovative technologies could be life-changing. So could the cyber attacks that take advantage of gaps in security. Zurich Insurance. The Atlantic, 2016

Cyber Crime

Dropbox Smeared in Week of Megabreaches: Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr. KrebsOnSecurity, June 2, 2016

Cyber Defense

BYOD Security: How To Shift Device Control & Grant Users More Choice: Information Technology departments too often have rigid policies circumvented by end users seeking convenience. At the same time, many employees have flexible work environments and more choice for how and where they work. This dichotomy leads to unchecked behaviors where users can bypass traditional security measures by using unsanctioned or unapproved applications, accessing insecure Wi-Fi networks, or choosing to store important data and files on their personal devices. It’s a growing security problem, seemingly, without a foreseeable resolution. DarkReading, June 3, 2016

Web Developers: Update WordPress to Patch Zero Day in WP Mobile Detector Plugin: A WordPress plugin was patched Thursday night, close to a week after reports began to surface of public attacks against a zero-day vulnerability. ThreatPost, June 3, 2016

IT organizations advised to update NTP to patch vulnerabilities exploited in recent DDoS attacks: The network time protocol, at the center of a number of high-profile DDoS attacks in 2014, was updated on Thursday to ntp-4.2.8p8. The latest version includes patches for five vulnerabilities, including one rated high-severity. ThreatPost, June 3, 2016

Cyber Warning

Updated CryptXXX Ransomware becomes more dangerous as it now steals credentials: CryptXXX ransomware has received a major overhaul by its authors, putting it on the fast track to unseat Locky as top moneymaker for criminals. ThreatPost, June 3, 2015

Cyber Security in Society

Cyber Privacy

Now you can Google yourself into better privacy and data protection: Want to find out everything Google knows about you? Well, you can just Google yourself! NakedSecurity, June 3, 2016

NFL Players’ Medical Information Stolen from theft of unencrypted laptop: The theft of a backpack holding a laptop computer and paper documents containing medical information on perhaps thousands of National Football League players serves as a lesson in the importance of properly safeguarding health information, even for entities falling outside of HIPAA’s reach. BankInfoSecurity, June 2, 2016

Cyber Attack

TeamViewer strengthens cybersecurity; denies breach; claims users use same passwords on other sites: TeamViewer is whacking anti-hacker protections into its remote-desktop tool – as its customers continue to report having their PCs and Macs remotely hijacked by criminals. TheRegister, June 3, 2016

Cyber Underworld

Ransomware-as-a-Service business model emerges in Russia; cybercriminals easily earn $90,000 / yr: Ransomware as a business is maturing and nowhere is that better illustrated than in Russia, according to Flashpoint researchers. The security firm released two reports on Thursday, one on a burgeoning ransomware-as-a-service business model (PDF) in Russia and the second on new developments in Russian ransomware kingpins targeting hospitals (PDF). ThreatPost, June 3, 2016

Malware developers reuse computer code from GitHub to develop new & more dangerous exploits: Android malware developers are misusing techniques unearthed in GitHub projects to bypass security measures introduced in the latest versions of the mobile OS. HelpNetSecurity, June 3, 2016

Got $90,000? A Windows 0-Day Could Be Yours: How much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows? That price probably depends on the power of the exploit and what the market will bear at the time, but here’s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft’s current security defenses is USD $90,000. KrebsOnSecurity, May 31, 2016

US National Cyber Security

Iranian and Saudi hackers wage virtual war: Saudi and Iranian hackers are waging war on each other, amid rising tensions between their countries. BBC, June 3, 2016

Chinese hackers target Taiwan political party to spy on website visitors: The website of a major political party in Taiwan has been targeted by Chinese hackers looking to spy on its visitors. CNN, June 1, 2016

Cyber Law

SEC appoints first-ever cybersecurity policy senior advisor to strengthen cyber risk mechanisms: The Securities and Exchange Commission has appointed Christopher Hetner, a cybersecurity lead under SEC’s Office of Compliance Inspections and Examinations, as senior adviser on cybersecurity policy to SEC Chair Mary Jo White. ExecutiveGov, June 3, 2016

Financial Cyber Security

SWIFT plans to suspend banks with inadequate information security management practices: The SWIFT global payments system has announced it plans to suspend banks with weaker cyber defences until they improve their security. The Register, June 3, 2016

Fed records show dozens of cybersecurity breaches: The U.S. Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage,” according to Fed records. Reuters, June 1, 2016

Critical Infrastructure

Irongate ICS Malware Resembling Stuxnet Goes Undetected 5 Years: New malware that targets industrial control systems called Irongate was found by researchers who say the discovery should serve as another wakeup call to the security industry to shore up its detection capabilities around ICS and SCADA threats. Irongate, which shares some of the same attributes as the lethal Stuxnet malware, was found by researchers at FireEye Labs Advanced Reverse Engineering which published its findings today. ThreatPost, June 3, 2016

Internet of Things

CMU Researchers Offer 6 Suggestions For Driving Safely With Onboard Devices: Computing in cars today has become a standard item. When buying a new car people expect Bluetooth, Wi-Fi and advanced navigation systems. They also expect to connect aftermarket onboard devices through the vehicle’s OBD-II port that do everything from usage-based insurance to tracking the overall energy management of the vehicle. DarkReading, June 3, 2016

Cyber Sunshine

Russian Police Bust Alleged Bank Malware Gang Suspected of stealing $25 Million in last 5 years: Russian authorities have arrested about 50 people in connection with an ongoing investigation into a hacker group that’s suspected of unleashing malware-enabled hack attacks against customers of major Russian financial institutions. BankInfoSecurity, June 2, 2016

Secure the Village

Guidance Software CEO urges greater focus on education; cybersecurity neighborhood watch, pt 2: Last week, I had the chance to sit down with Patrick Dennis, CEO of Guidance Software, during Enfuse Conference 2016. Earlier this week, I discussed Dennis’s thoughts about the jurisdiction of cybersecurity events. Today, we get his view on how we should approach cybercrime’s law enforcement jurisdiction. ITBusiness Edge, June 2, 2016

Guidance Software CEO urges greater focus on education; cybersecurity neighborhood watch, pt 1: Last week, I had the chance to sit down with Patrick Dennis, CEO of Guidance Software, during Enfuse Conference 2017. The bulk of our conversation revolved around a topic that Dennis considers very important yet under-discussed – the relationship of private versus public sectors, particularly when it comes to the jurisdiction of security events. ITBusinessEdge, May 31, 2016

Cyber Miscellany

Google takes down Chrome extension targeting Jews: Google has taken down a Chrome extension that targeted prominent Jews in media and politics. CNN, June 3, 2016






The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net