News & Updates

Findings of the MIMICS project conducted by the Dragos Threat Operations Center show that malware posing as a Siemens PLC application is targeting ICS worldwide.

After the disclosure of the Stuxnet case, the security industry started looking at ICS malware with increasing attention. Malware that infects an industrial control system could cause serious damage and endanger human lives.

Ben Miller, Director of the Dragos Threat Operations Center, conducted interesting research based on data regarding ICS incidents collected over the last 13+ years.

The project studied modern industrial control systems (MIMICS) using entirely public datasets.

“In this project the Dragos, Inc. team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files being uploaded to encourage a more nuanced discussion around security in the modern ICS.” explains Dragos CEO, Robert M. Lee. 

Miller discovered ~30k samples of infected ICS files and installers dating back to 2003. The most dangerous threats are fast-spreading malware families such as Sivis, Ramnit, and Virut.

The experts confirmed that infections of ICSs are not rare, while highlighting that there are only three publicly showcased pieces of ICS-tailored malware: Stuxnet, Havex, and BlackEnergy2. There have been rumors of a couple of other ICS-tailored malware families used in active campaigns, some of them studied by researchers at IronGate.

One of the most interesting findings of the MIMICS research is that multiple variants of the same malware, disguised as software for Siemens programmable logic controllers (PLCs), have been detected 10 times over the last 4 years. The last time this specific ICS malware was discovered was early March.

“Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware.” continues Lee. “Upon our inspection, we found variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.”


Researchers encourage asset owners and operators to implement simple best practices such as network security monitoring to protect their environments; software supply chain validation alone, for example, can drastically reduce a concerning attack vector.

“The last finding we had was driven by the hypothesis that many of the IT security teams and security technologies that are not used to ICS environments may be flagging legitimate ICS software as malicious where it could be inappropriately placed in public databases.” concludes the report.


Pierluigi Paganini

(Security Affairs – ICSs, malware)

 

The post Malware posing as Siemens PLC application is targeting ICS worldwide appeared first on Security Affairs.

Source: Security affairs

New Horizons’ high-resolution farewell to Pluto. (credit: NASA/Johns Hopkins University APL/Southwest Research Institute)

Even though all of the New Horizons spacecraft data taken during its 2015 flyby of Pluto has been downloaded to Earth for months, scientists are still piecing it all together. Now two scientists, Tod Lauer and Alex Parker, have processed some of the New Horizons data to produce a stunning look back at the dwarf planet.

This departure shot was constructed from a mosaic of six black-and-white images captured by New Horizons’ Long Range Reconnaissance Imager as the spacecraft moved away from Pluto. Color has been added from a lower resolution Ralph/Multispectral Visible Imaging Camera. At the time the pictures were taken, New Horizons was only about 200,000km away from Pluto, or about 3.5 hours after the closest approach on July 14, 2015. The resolution of the images stitched together is about 1km per pixel.

In this composite photo, Pluto is illuminated from behind by the Sun, almost as if the world is producing an annular eclipse for New Horizons. The image showcases a beautiful blue “haze” which, according to planetary scientists, is smog produced by sunlight interacting with methane and other molecules in Pluto’s atmosphere. These larger molecules scatter blue sunlight.


Source: http://feeds.arstechnica.com/arstechnica/index/

The European model shows the formation of a subtropical cyclone next Tuesday in the Atlantic Ocean. (credit: Weather Bell)

Just one hurricane has ever formed in the northern Atlantic Ocean, Caribbean Sea, or the Gulf of Mexico in the month of March—a time when the oceans are still cold from the winter months in the northern hemisphere. This occurred in 1908 with an unnamed hurricane that, according to the Atlantic Hurricane database, reached sustained winds of 100mph and caused damage in the Caribbean islands.

As the 1908 cyclone formed long before the National Hurricane Center existed, there has never been a “named” storm in March. That could change next week, as an area of low pressure may develop several hundred miles to the east of Florida, in the Atlantic Ocean. This storm system is unlikely to be a major threat to landmasses, with the possible exception of Bermuda. Due to the rarity of March cyclones, however, it would garner significant attention.

Any cyclone that forms next week would almost certainly be classified as a “subtropical storm” (the Miami-based National Hurricane Center began naming subtropical storms, in addition to tropical storms, in 2002). It would originate from a mass of cold air that recently moved off of the United States, eastward, into the subtropical area of the Atlantic Ocean. Unlike “tropical” storms, subtropical storms have cold air at their centers and generate energy from the interaction of cold and warm air masses. (By contrast, a tropical cyclone derives energy from latent heat, as water vapor evaporates from the ocean’s surface and condenses into liquid water).


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: 8th Summit)

Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at cardboard.arstechnica.com—and let us know what you think.

You’re just an ordinary 1930s inhabitant of the ordinary town of Arkham, Massachusetts—a plain New England place where nothing unusual ever happens. Well, except for that one infestation of hood-wearing cultists hoping to usher an angry Elder God into our world. Or that little problem with the Dark Young of Shub-Niggurath. Or those 17th-century witches who don’t seem to be quite dead yet. Or that matter of the snake god Yig.

When occult trouble threatens, Miskatonic University’s aging librarian, Professor Henry Armitage—the kind of man who runs a “restricted section” featuring books like the human-skin-covered Necronomicon—beckons you to his office. In his kindly way, he asks if you would be so good as to poke around Arkham, ask some questions, visit a few locations—in other words, clear this whole mystery up. Of course, it’s probably nothing…


Source: http://feeds.arstechnica.com/arstechnica/index/

Gift cards have once again caused quite a headache for retailers, as cybercriminals are using a botnet to break into and steal cash from money-loaded gift cards issued by major retailers around the globe.

Dubbed GiftGhostBot, the new botnet specialized in gift card fraud is an advanced persistent bot (APB) that has been spotted in the wild by cyber security firm Distil Networks.


Source: http://feeds.feedburner.com/TheHackersNews

Open-world video games bear the impossible promise—offering compelling, enjoyable open-endedness and freedom within the constraints of what is, by necessity of the medium, an extremely limited set of possible actions. These games provide a list of (predominantly violent) verbs that’s minuscule in comparison to the options you would face in identical real-life situations. Yet, we can’t get enough of them.

In spite of their many obvious failings or limitations, we’ve been losing ourselves within open worlds for some 30-odd years. Today, nearly every big release is set in an open world. We delight in their unspoken possibility and shrug at their quirks.

Those quirks, by the way, are not merely a consequence of current technology. The oddities of modern open-world games have origins in the games that came before. We’re not talking about just the earlier Grand Theft Autos—even the first GTA built on the foundations set by more than a decade of prior open-world games.


Source: http://feeds.arstechnica.com/arstechnica/index/

The recently patched CVE-2017-0022 Windows Zero-Day vulnerability has been exploited by threat actors behind the AdGholas malvertising campaign and Neutrino EK since July 2016.

Microsoft has fixed several security flaws with the March 2017 Patch Tuesday updates. According to security experts at Trend Micro, the list of fixed vulnerabilities includes three flaws that had been exploited in the wild since last summer.

One of the vulnerabilities is an XML Core Services information disclosure flaw, tracked as CVE-2017-0022, that attackers can exploit by tricking victims into clicking on a specially crafted link.

“An information vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website.”

The flaw was discovered during a joint investigation conducted by security researchers at Trend Micro and Proofpoint, and it was reported to Microsoft in September 2016.

Who exploited the CVE-2017-0022 flaw?

According to the security researchers at Trend Micro, the zero-day vulnerability has been exploited in the AdGholas malvertising campaign since July 2016. The exploit code of the flaw was added to the Neutrino exploit kit in September 2016.

The threat actor behind the AdGholas malvertising campaign was notable for its use of steganography, its careful targeting despite the massive volume of malicious ads and impressions it served, and its ability to evade detection by researchers.

Initially the attackers leveraged the CVE-2016-3298 and CVE-2016-3351 flaws to avoid detection; now the experts at Trend Micro speculate that they used the CVE-2017-0022 flaw for the same purpose.

“This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. CVE-2017-0022 likely replaced the similar CVE-2016-3298 and CVE-2016-3351 vulnerabilities from the same campaign, which were addressed by previous patches.” reads the analysis published by TrendMicro.


“An attacker exploiting CVE-2017-0022 could use phishing attacks to lure potential targets to malicious websites. Successful exploitation of this vulnerability could allow a cybercriminal access to information on the files found in the user’s system.” explained the experts from TrendMicro. “In particular, the attacker would be able to detect if the system is using specific security solutions—especially ones that analyze malware.”

Trend Micro has published a detailed analysis of the CVE-2017-0022 flaw and of the attack chain that exploits it in a malvertising campaign leveraging the Neutrino exploit kit.


Pierluigi Paganini

(Security Affairs – CVE-2017-0022, AdGholas malvertising campaign)

The post CVE-2017-0022 Windows Zero-Day flaw used by AdGholas hackers and it was included in Neutrino EK appeared first on Security Affairs.

Source: Security affairs

(credit: Goseteufel)

In the German state of North Rhine-Westphalia, a coal mine will close in 2018. Aging coal infrastructure, low wholesale power prices, and a move away from the highly polluting power source all make renewable energy the political darling of the day.

But that doesn’t mean the Prosper-Haniel coal mine will be shutting down completely. According to Bloomberg, North Rhine-Westphalia State Governor Hannelore Kraft recently confirmed that a project to turn the coal mine into pumped storage will move forward after mining activities have stopped.

Pumped storage has been used for decades, but placing a pumped storage scheme at a retired mine is somewhat new. Here’s how it works: when electricity is plentiful and cheap—say, on a windy day when the Sun is shining and solar panels and wind turbines are working at their maximum—a pumped storage facility pumps water from a lower reservoir up to an upper reservoir. When electricity is scarce, the facility can release the water back down to the lower reservoir through a turbine, creating renewable hydroelectric power.


Source: http://feeds.arstechnica.com/arstechnica/index/

Security researchers at MalwareBytes have uncovered a spearphishing campaign that targeted Saudi Arabia Government organizations.

Security experts at MalwareBytes have spotted a new spear phishing campaign that is targeting Saudi Arabia governmental organizations.

According to the experts, the campaign has already targeted about a dozen Saudi agencies. Attackers used weaponized Word documents and tricked victims into opening them and enabling macros.

The document is written in Arabic; if the victim opens it, the machine is infected and the phishing document is sent on to the victim’s contacts via their Outlook inbox.

The malicious payload is embedded in the macro as Base64 code; the macro uses the certutil utility to decode it into a PE file, which is then executed.

The binary dropped on the infected machine is coded in .NET and its code is encrypted but not obfuscated. The malware was designed to steal information from the victims and upload it to a remote server.

“Decrypting it we can see the main payload (neuro_client.exe renamed to Firefox-x86-ui.exe here) and two helper DLLs” reads the analysis published by MalwareBytes.


The malicious code gains persistence via the Task Scheduler.

MalwareBytes is still monitoring the campaign and plans to provide further information in the future.

I suggest reading the analysis that also includes the IoCs.
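The chain described above (Office macro, certutil decoding a Base64 blob into a PE, execution of the dropped file, persistence via a scheduled task) lends itself to a simple process-lineage detection. The following Python is an added example, not code from MalwareBytes or from this post; the event lines are constructed, the pipe-delimited "parent|image|command line" format is assumed, and the rule names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not taken from the MalwareBytes report).
# Format assumed here: parent_image|image|command_line, one event per line.
SAMPLE_EVENTS = r"""
explorer.exe|WINWORD.EXE|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docm
WINWORD.EXE|certutil.exe|certutil -decode C:\Users\u\AppData\Local\Temp\blob.txt C:\Users\u\AppData\Local\Temp\Firefox-x86-ui.exe
WINWORD.EXE|Firefox-x86-ui.exe|C:\Users\u\AppData\Local\Temp\Firefox-x86-ui.exe
Firefox-x86-ui.exe|schtasks.exe|schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Local\Temp\Firefox-x86-ui.exe
explorer.exe|certutil.exe|certutil -verify C:\certs\corp.cer
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# certutil [-f] -decode <input> <output>; group 2 is the decoded output path
DECODE_RE = re.compile(r"certutil(?:\.exe)?\s+(?:-f\s+)?-decode\s+(\S+)\s+(\S+)", re.I)

def parse_events(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        events.append({"parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) findings for the decode -> execute -> persist chain."""
    findings = []
    dropped = set()  # output paths written by certutil -decode, tracked across events
    for e in events:
        cmd = e["cmd"].lower()
        m = DECODE_RE.search(cmd)
        if m:
            out = m.group(2)
            dropped.add(out)
            if e["parent"] in OFFICE_APPS:          # macro-spawned decoder
                findings.append(("office_spawned_certutil_decode", out))
            if out.endswith((".exe", ".dll", ".scr")):  # decoding straight to a PE
                findings.append(("certutil_decode_to_pe", out))
            continue
        # the decoded file is executed ...
        if any(cmd.startswith(p) for p in dropped):
            findings.append(("decoded_payload_executed", cmd.split()[0]))
        # ... or registered as a scheduled task for persistence
        if e["image"] == "schtasks.exe" and "/create" in cmd and any(p in cmd for p in dropped):
            findings.append(("scheduled_task_for_decoded_payload", e["parent"]))
    return findings
```

The benign `certutil -verify` event at the end produces no finding, which is the point of keying on `-decode` plus the Office parent and PE output rather than on certutil alone.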


Pierluigi Paganini

(Security Affairs – Saudi Arabia Government, spear phishing)

 

The post Spear phishing campaign targeted Saudi Arabia Government organizations appeared first on Security Affairs.

Source: Security affairs

Sam Machkovech

The Nintendo Switch may not have a full-blown Virtual Console collection yet, but its eShop has a few emulated classics already. This week, fans finally noticed that its current, small slate of ’80s and ’90s games had a surprise tucked inside ever since the system’s launch: a vertical orientation option.

The only classic games available for purchase on the Switch’s eShop come from the Neo-Geo system, and this week’s launch of Neo Turf Masters should have gone by as a minor blip. This title wasn’t a major Neo-Geo hit, nor a rare curio. But for whatever reason, this game, as opposed to the other Neo-Geo games launched thus far, got someone to post video of the emulator’s “display settings menu.”


Source: http://feeds.arstechnica.com/arstechnica/index/