North Korean Hackers Targeting Three Sectors
ship loading plans are 'easily hackable'
working with Homeland Security hacked into Boeing 757
US military social media spying archive left wide open in AWS S3
Latest Cyber Security News
about the Cyber
Security News update
The Cyber News Update is an
activity of the Cyber Research Center - Industrial Control Systems and
intended to reach out to all Cyber Security Professionals interested in
industrial / critical infrastructure threats, protection &
resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net
Malware Takes Aim at Financial Services, Aerospace and
Since last year, North Korean
hackers have been targeting businesses in the financial services,
aerospace and telecommunications sectors by exploiting a remote
administration tool, or RAT, according to an alert issued Tuesday by the United States Computer Emergency Response Team,
part of the Department of Homeland Security.
According to the alert, the FBI and DHS
identified internet protocol addresses and other indicators of compromise
associated with the RAT, commonly known as FALLCHILL, used by the North
Korean government. Federal authorities have labeled North Korean
government malicious cyber activities as Hidden Cobra.
"The FBI has high confidence that Hidden
Cobra actors are using the IP addresses to maintain a presence on victims'
networks and to further network exploitation," the alert says.
Lazarus Group Ties
While Hidden Cobra is not a widely known
moniker, the group is believed to be the same as the Lazarus Group, which
is suspected of being responsible for some of the more notorious
cyberattacks in recent years. That includes attacks targeting the SWIFT
financial messaging system and Sony Pictures as well as the WannaCry ransomware campaign.
"Lazarus is not just another APT [advanced
persistent threat] actor," a Kaspersky Lab report concludes.
"The scale of Lazarus operations is shocking. It has been on a
growth spike since 2011."
To help companies defend against FALLCHILL, the
government is distributing the IP addresses to help toughen network
defenses and reduce exposure to any North Korean government malicious
FALLCHILL typically infects a system as a file
dropped by other Hidden Cobra malware or as a file downloaded unknowingly
by users when visiting sites compromised by Hidden Cobra actors,
according to the alert.
The malware is the primary component of a
command-and-control infrastructure that uses multiple proxies to
obfuscate network traffic between Hidden Cobra actors and a victim's
system. The alert, citing trusted third-party reporting, notes that
communication flows from the victim's system to Hidden Cobra actors using
a series of proxies as shown in the figure below.
FALLCHILL uses fake transport layer security
communications, encoding the data with RC4 encryption using a specific
key. The malware collects basic systems information and transmits that
data to command-and-control servers.
The alert provides network signatures and
host-based rules that can be used to detect malicious activity associated
with North Korean hackers. "Although created using a comprehensive
vetting process, the possibility of false positives always remains,"
the alert cautions. "These signatures and rules should be used to
supplement analysis and should not be used as a sole source of
attributing this activity to Hidden Cobra actors."
More info https://www.bankinfosecurity.com/us-cert-north-korean-hackers-targeting-three-sectors-a-10457
November 20, 2017
Security researchers have warned that it might be possible to destabilise a container ship by manipulating the
vessel stowage plan or "Bay Plan".
The issue stems from the absence of security in BAPLIE EDIFACT, a
messaging system used to create ship loading and container stowage plans
– for example which locations are occupied and which are empty – from the
numerous electronic messages exchanged between shipping lines, port
authorities, terminals and ships.
The messaging standard is developed and maintained by the Shipping
Message Development Group (SMDG).
Criminals less interested in destabilising ships than in stealing
goods by rerouting containers would instead use "COPRAR / COPARN /
CODECO / COARRI" messages. These deal with messaging between shipping
lines and terminals in both directions.
Evidence suggests that ship and terminal messaging systems have
been abused at times in order to either conceal or re-route drugs or
steal valuables. "We believe this was done using front end GUIs in
port rather than manipulating the data itself," according to Ken
Munro, a security researcher at Pen Test Partners.
BAPLIE messages, once their syntax is understood, might
potentially be manipulated to change the destinations of cargo, money and
more. Pen Test Partners was more interested in message subsets that are
found in "LIN" line items about contents and handling for individual
Most straightforwardly it's possible to manipulate container
weight and thus the ship's balance.
A potential hacker would simply search the message for VGM
(Verified Gross Mass). The trailing value is the weight, so changing this
value to make it either lighter or heavier would mean that the vessel
load-planning software would place the container in the wrong place for
stability. "Some ports may intercept the wrong weight at a
weighbridge or possibly at the crane, but overloading containers to save
on shipping cost is already a significant issue in some regions,"
Researchers explained that it might be possible, using similar
trickery, to place a mislabelled heavy
container at the top of the stack, moving the centre
of gravity too high. For example, it's possible to set the handling for
"load third tier on deck", so high up, out of the hold.
Manipulating the weight distribution is an issue because the ship becomes
more and more unstable if heavy goods are loaded higher up in the stack.
Certain attributes can be set for a container to flag that it
needs special handling. Manipulating the message opens the door to all
sorts of mischief.
For example, the status for an aggregation of explosive materials
could be changed to a batch of regular liquids. Alternatively a
potential hacker could modify the flashpoint of a flammable vapour.
Refrigerated containers need special handling, as they need to be
located in certain bays that have power supplies. A particular code
states that the container is a "reefer", so the load plan
software will assign it to a powered bay.
Mischief-makers could change the designation of a batch of goods
that need refrigeration to signify normal handling or
(more subtly) that the refrigeration unit is inoperative, so the goods
can be placed anywhere. The consequences of such trickery for a batch
of prawns, for example, would be altogether malodorous.
Certain cargoes are sensitive to strong smells, particularly
coffee. Handling codes are set to place them well away from smelly
things. Pranksters could potentially change the designation so that a
container full of odour-sensitive goods, such
as coffee, has its door open and is located next to a container of fishmeal,
which will be tagged as odorous.
To make things even worse the combo could be assigned to a hold
using the "keep dry" code where there's poor air circulation.
"Whatever happens, the coffee will stink of fish on arrival
at port," Munro writes.
The integrity of BAPLIE messaging is critical to the safety of
“I strongly encourage all operators, ports and terminals to carry
out a thorough review of their EDI systems to ensure that message
tampering isn’t possible,” Munro concluded.
The BAPLIE protocol features a literal checksum that uses the
total number of message segments, including itself, but excluding the UNH
"So, if you remove or add a message segment, don't forget to
update the UNT [message] trailer," Munro explained. "If you’re
just manipulating segment values, you don’t need to worry about
The terminal/ship/port receiving a doctored message will probably
respond with a CONTRL message, acknowledging receipt.
This isn't much of a stumbling block, either.
"If you're intercepting and forwarding the entire EDI message
stream, be prepared to spoof a message back to the sender," Munro
notes. "It's easy to generate the correct CONTRL message for your
modified request: there’s a generator here."
"Already there is evidence of theft of
valuable items from containers in port, potentially through insider
access by criminals to load information. It doesn't take much imagination
to see some far more serious attacks," Munro concluded.
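The integrity points made above (the UNT segment-count trailer that a tamperer simply recomputes, and Munro's call for operators to make sure message tampering isn't possible) can be illustrated with a small receiving-side checker. This is an added example, not code from the article, from Pen Test Partners or from the SMDG, and it is not the CONTRL generator Munro refers to. It parses a constructed BAPLIE-shaped EDIFACT message, verifies the UNT count, pulls each container's VGM, and verifies an HMAC that a terminal could require from the sending party. The segment tags are standard EDIFACT/SMDG tags, but every value, container id and key is made up; the parser assumes the default delimiters and no release characters, the UNT count is taken as the number of segments from UNH to UNT inclusive (the standard EDIFACT definition), and the 30,480 kg ceiling is an assumed sanity bound taken from the ISO 668 maximum gross mass of a standard general-purpose container.

```python
"""Integrity checks for a BAPLIE-style EDIFACT stowage message.

Two checks are shown: the structural UNT segment count that the standard
itself provides (which anyone editing the message can recompute), and an
HMAC over the whole message that only holders of a shared key can produce.
"""
import hashlib
import hmac

# Constructed sample: a tiny BAPLIE-shaped message with two containers.
# EDIFACT syntax: segments end with "'", elements are separated by "+",
# components by ":". Tags are standard; every value is made up.
SAMPLE_MESSAGE = (
    "UNH+1+BAPLIE:D:95B:UN:SMDG20'"
    "BGM+650+12345+9'"
    "LOC+147+0230284::5'"            # stowage cell (bay/row/tier)
    "EQD+CN+EXAMU1234567+22G1+++5'"  # container id and ISO type code
    "MEA+AAE+VGM+KGM:21500'"         # verified gross mass in kilograms
    "LOC+147+0230286::5'"
    "EQD+CN+EXAMU7654321+45R1+++5'"
    "MEA+AAE+VGM+KGM:18200'"
    "UNT+9+1'"                       # trailer: 9 segments, message ref 1
)

# Constructed shared secret; in practice provisioned per trading partner.
SHARED_KEY = b"example-partner-key-not-real"


def parse_segments(message):
    """Split an EDIFACT message into segments, each a list of elements.

    Assumes the default delimiters (' + :) and no release character (?).
    """
    return [seg.split("+") for seg in message.split("'") if seg]


def unt_count_ok(segments):
    """True when the UNT trailer's count equals the number of segments from
    UNH through UNT inclusive (the EDIFACT definition of that count)."""
    trailer = segments[-1]
    return trailer[0] == "UNT" and int(trailer[1]) == len(segments)


def container_weights(segments):
    """Map each container id (EQD) to the VGM in the MEA segment that follows it."""
    weights = {}
    current = None
    for seg in segments:
        if seg[0] == "EQD":
            current = seg[2]
        elif seg[0] == "MEA" and len(seg) > 3 and seg[2] == "VGM" and current:
            unit, value = seg[3].split(":")
            if unit == "KGM":
                weights[current] = int(value)
    return weights


def sign_message(message, key=SHARED_KEY):
    """HMAC-SHA256 over the exact message text the sender transmitted."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify_message(message, tag, key=SHARED_KEY):
    return hmac.compare_digest(sign_message(message, key), tag)


def audit_message(message, tag, key=SHARED_KEY, max_kg=30480):
    """Return a list of findings; an empty list means the message passed."""
    findings = []
    segments = parse_segments(message)
    if not unt_count_ok(segments):
        findings.append("UNT segment count does not match the message body")
    if not verify_message(message, tag, key):
        findings.append("HMAC mismatch: message differs from what the sender signed")
    for box, kg in container_weights(segments).items():
        # Assumed plausibility bound (ISO 668 max gross mass, 30,480 kg).
        if kg <= 0 or kg > max_kg:
            findings.append(f"implausible VGM {kg} kg for {box}")
    return findings


if __name__ == "__main__":
    tag = sign_message(SAMPLE_MESSAGE)
    print("original:", audit_message(SAMPLE_MESSAGE, tag))
    edited = SAMPLE_MESSAGE.replace("KGM:21500", "KGM:1500")
    print("edited weight, trailer untouched:", audit_message(edited, tag))
```

The UNT count catches accidental truncation but, as Munro notes, not a deliberate edit that leaves the segment count alone or recomputes the trailer; the HMAC covers the full message text, so a changed VGM value fails verification even though the count is still right. The plausibility bound is a separate receiving-end sanity check and would not catch a weight that is wrong but within range.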
Read more http://www.theregister.co.uk/2017/11/20/container_ship_loading_software_mischief/
November 10, 2017.
There's some unsettling news about one of
America's most widely-used jetliners.
In a test, experts working with Homeland
Security hacked into a Boeing 757. The team of researchers needed only
two days in September 2016 to remotely hack into a 757 parked at the
airport in Atlantic City, New Jersey.
Speaking at a conference this week, Robert
Hickey of the Department of Homeland Security said his team used
"typical stuff that could get through security" and hacked into
the aircraft systems using "radio frequency communications."
"The 757 hasn't been in production since
2004, but the aging workhorse is still flown by major airlines like
United, Delta and American," said Mark Rosenker,
the former chair of the National Transportation Safety Board.
President Trump's personal jet is a 757. So is
the plane Vice President Pence often uses -- including on his recent trip
The classified DHS testing followed a 2015
incident where a passenger told the FBI he had gained control of a
plane's engine by hacking into the airline's in-flight entertainment
That same year, the Government Accountability
Office warned about "potential malicious actors" accessing an
airliner's Wi-Fi network.
Homeland Security says the recent testing was in
an "artificial environment and risk reduction measures were already
Boeing observed the testing and was briefed on
its results. In a statement, the company says, "We firmly believe
that the test did not identify any cyber vulnerabilities in the 757, or
any other Boeing aircraft."
An official briefed on the testing does not
believe it revealed an "extreme vulnerability" to airliners,
since it required a very specific approach in a very specific way on an
older aircraft with an older system. The official adds, it was good
information to have, "but I'm not afraid to fly."
More Info https://www.cbsnews.com/news/homeland-security-hacked-boeing-757-jetliner/
Massive US military
social media spying archive left wide open in AWS S3 buckets
November 17, 2017.
misconfigured AWS S3 buckets have been discovered wide open on the public
internet containing "dozens of terabytes" of social media posts
and similar pages – all scraped from around the world by the US military
to identify and profile persons of interest.
archives were found by UpGuard's veteran
security-breach hunter Chris Vickery during a routine scan of open
Amazon-hosted data silos, and the trio weren't exactly hidden. The
buckets were named centcom-backup, centcom-archive, and pacom-archive.
the common abbreviation for the US Central Command, which controls the
army, navy, air force, marines and special ops in the Middle East, north
Africa and central Asia. PACOM is the name for US Pacific Command,
covering the rest of southern Asia, China and Australasia.
told The Register today he stumbled upon them by accident while running a
scan for the word "COM" in publicly accessible S3 buckets.
After refining his search, the CENTCOM archive popped up, and at first he
thought it was related to Chinese multinational Tencent,
but quickly realized it was a US military archive of astounding size.
the research I downloaded 400GB of samples but there were many terabytes
of data up there," he said. "It's mainly compressed text files
that can expand out by a factor of ten so there's dozens and dozens of
terabytes out there and that's a conservative estimate."
Just one of
the buckets contained 1.8 billion social media posts automatically
fetched over the past eight years up to today. It mainly contains
postings made in central Asia, however Vickery noted that some of the
material is taken from comments made by American citizens.
databases also reveal some interesting clues as to what this information
is being used for. Documents make reference to the fact that the archive
was collected as part of the US government's Outpost program, which is a
social media monitoring and influencing campaign designed to target
overseas youths and steer them away from terrorism.
found the Outpost development configuration files in the archive, as well
as Apache Lucene indexes of keywords designed to be used with the
open-source search engine Elasticsearch.
Another file refers to Coral, which may well be a reference to the US
military's Coral Reef data-mining program.
Reef is a way to analyze a major data source to provide the analyst the
ability to mine significant amounts of data and provide suggestive
associations between individuals to build out that social network,"
Mark Kitz, technical director for the Army Distributed Common Ground
System – Army, told the Armed Forces Communications and Electronics
Association magazine Signal back in 2012.
we would mine through those intelligence reports or whatever data would
be available, and that would be very manual-intensive."
start scrabbling for your tinfoil hats, the army hasn't made a secret of
Coral Reef, even broadcasting the awards the software has won. And social
media monitoring isn't anything new, either.
is disturbing quite how easy this material was to find, how poorly
configured it was, and that the archives weren't even given innocuous
names. If America's enemies – or to be honest, anyone at all – are
looking for intelligence, these buckets were a free source of information
of security cockups like this in the public and private sectors, Amazon
has tried to help its customers avoid configuring their S3 buckets as
publicly accessible stores, by adding full folder encryption, yellow
warning lights when buckets aren't locked down, and tighter access
was found before these new Amazon controls were added," Vickery
said. "So we have yet to see how effective that yellow button will
said he notified the American military about the screwup,
and the buckets have now been locked down and hidden. Unusually, the
military contact thanked him for bringing the matter to their attention –
usually talking to the armed forces is a "one-way street,"
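The buckets above were open because of how they were configured, not because anyone broke in, and the article notes Amazon's later warning lights for buckets that aren't locked down. As an added example (not code from The Register's article, from UpGuard or from Amazon), the following Python audit inspects the grant list that S3's GetBucketAcl returns and flags grants to the predefined AllUsers and AuthenticatedUsers groups, which are what make a bucket listable by anyone on the internet or by any AWS account. The three sample ACLs and the owner id are constructed; `audit_account` applies the same check to a live account through boto3 when credentials are configured. The check is ACL-only: a bucket policy can also make a bucket public, so a complete audit would add GetBucketPolicyStatus.

```python
"""Flag S3 bucket ACL grants that expose a bucket beyond its owner.

Works on the ACL structure returned by boto3's get_bucket_acl, so the logic
can be exercised offline on constructed ACLs; audit_account() runs it against
a live account when AWS credentials are configured.
"""

# The two predefined S3 groups that mean "anyone". URIs are the ones S3 uses.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Bucket-level permissions that let a non-owner list objects or write to the bucket.
LISTING = {"READ", "FULL_CONTROL"}
WRITING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (group, permission) pairs for grants to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def classify_acl(acl):
    """Summarise the exposure an ACL creates: 'private', 'listable',
    'writable' or 'listable+writable'."""
    exposure = set()
    for _group, perm in public_grants(acl):
        if perm in LISTING:
            exposure.add("listable")
        if perm in WRITING:
            exposure.add("writable")
    return "private" if not exposure else "+".join(sorted(exposure))


# Constructed sample ACLs in the shape boto3 returns; owner id is made up.
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef"}
SAMPLE_ACLS = {
    "private-backup": {
        "Owner": OWNER,
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
                    "Permission": "FULL_CONTROL"}],
    },
    "world-readable-archive": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
    },
    "any-aws-account-writable": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "FULL_CONTROL"},
        ],
    },
}


def audit_acls(acls):
    """Return {bucket: exposure} for every bucket whose ACL is not private."""
    report = {name: classify_acl(acl) for name, acl in acls.items()}
    return {name: exposure for name, exposure in report.items() if exposure != "private"}


def audit_account():
    """Live variant: the same check over every bucket the credentials can see."""
    import boto3  # imported here so the offline checks need no AWS SDK
    s3 = boto3.client("s3")
    acls = {b["Name"]: s3.get_bucket_acl(Bucket=b["Name"])
            for b in s3.list_buckets()["Buckets"]}
    return audit_acls(acls)


if __name__ == "__main__":
    for bucket, exposure in audit_acls(SAMPLE_ACLS).items():
        print(f"{bucket}: {exposure}")
```

READ on a bucket is the grant that lets an anonymous scanner enumerate its objects, which is the kind of exposure a bucket-name search like Vickery's turns up; AuthenticatedUsers is easy to misread as "my users" when it actually means any AWS account holder, which is why the audit treats both groups the same way.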
Read more: http://www.theregister.co.uk/2017/11/17/us_military_spying_archive_exposed/
Individuals at Risk
How to Opt
Out of Equifax Revealing Your Salary History: A KrebsOnSecurity series on how easy big-three credit
bureau Equifax makes it to get detailed salary history data on tens of
millions of Americans apparently inspired a deeper dive on the subject by
Fast Company, which examined how this Equifax division has been one of
the company’s best investments. In this post, I’ll show you how to opt
out of yet another Equifax service that makes money at the expense of
your privacy. KrebsOnSecurity,
November 13, 2017
million users’ personal and financial data publicly exposed by US-based
ride hailing firm Fasten: Over one
million users’ personal and financial data was inadvertently publicly
exposed by US-based ride hailing firm Fasten. The leaked data includes
names, emails, phone numbers, credit card data, links to photos, device
IMEI numbers, GPS data and users’ taxi routes. IBTimes,
November 11, 2017
Microsoft Patch Critical Cracks: It’s Nov.
14 — the second Tuesday of the month (a.k.a. “Patch Tuesday) — and Adobe
and Microsoft have issued gobs of security updates for their software.
Microsoft’s 11 patch bundles fix more than four-dozen security holes in
various Windows versions and Office products — including at least four
serious flaws that were publicly disclosed prior to today. Meanwhile,
Adobe’s got security updates available for a slew of titles, including
Flash Player, Photoshop, Reader and Shockwave. KrebsOnSecurity,
November 14, 2017
Before Logging on to Public Wi-Fi: At the
airport, in a coffee shop or hotel lobby? Think twice before logging on
to that free Wi-Fi. Robert Braun, Partner, JMBM and Member of SecureTheVillage Leadership Council – JMBM
Cybersecurity Lawyer Forum, November 11, 2017
Android malware families invade Google Play Store:
Collectively downloaded millions of times, 158 fake Android applications
containing mobile malware were recently found smuggled into the Google
Play Store, according to a trio of separate research reports that were
published within days of each other. SCMagazine,
November 16, 2017
Extension “Browse-Secure” Steals Your Contact Info from Facebook and
LinkedIn: A new
Chrome extension called Browse-Secure is promoted on the Chrome Web Store
as being able to secure searches. What it does not tell you is that it is
also crawling your LinkedIn and Facebook accounts and uploading your
name, email address, gender, mobile number, and address to a remote
November 14, 2017
Information Security Management in the Organization
Information Security Management and Governance
Smart behaviors that can improve your
cybersecurity: Some of
the cybersecurity best practices for advisors are smart moves for
consumers, too. CNBC,
November 16, 2017
Sites Exposed to Attacks by ‘Formidable Forms’ Flaws:
Vulnerabilities found by a researcher in a popular WordPress plugin can be
exploited by malicious actors to gain access to sensitive data and take
control of affected websites. SecurityWeek,
November 15, 2017
Provides Guidance on Mitigating DDE Attacks: Despite a
rash of attacks leveraging Dynamic Data Exchange fields in Office,
including some spreading destructive ransomware, Microsoft has remained
insistent that DDE is a product feature and won’t address it as a
November 9, 2017
And Privileged Accounts Are Keys To The Kingdom. Requires Effective
Management to Assure Least Privilege: In many
ways, IT is very similar to economics in that there is no perfect state.
Low interest rates, for instance, helps borrowers but hurts savers and
full employment incurs inflation. Like an economist, today’s IT managers
face the continued challenge of finding that perfect middle ground
between a guaranteed secure network environment and one that is conducive
to user productivity and innovation. Such is the case when allotting
admin rights to users. ITSP
Magazine, November 2017
of Critical Vulnerability in Voice OS-Based Products: A vulnerability in the upgrade mechanism of Cisco
collaboration products based on the Cisco Voice Operating System software
platform could allow an unauthenticated, remote attacker to gain
unauthorized, elevated access to an affected device. CISCO,
November 15, 2017
issues emergency update for vulnerabilities affecting several products
that rely on proprietary Jolt protocol: This
Security Alert addresses CVE-2017-10269 and four other vulnerabilities
affecting the Jolt server within Oracle Tuxedo. These vulnerabilities
have a maximum CVSS score of 10.0 and may be exploited over a network
without the need for a valid username and password. The Oracle Jolt
client is not impacted. Oracle,
November 14, 2017
Know Your Enemy
Always Tips Its Hand. Ransomware study identifies specific components
common in ransomware attacks. ITSP Magazine: With the
large number of ransomware attacks that have surfaced in recent years,
many people have mistakenly believed that it’s a new threat, and one that
is impossible, or at least very difficult to prevent. ITSP
Magazine, November, 2017
Military Veterans Transition To Civilian Cybersecurity: Given the
number of ex-military folks we know who now work to defend networks, we
understand that military veterans possess natural synergies that can
allow them to develop into outstanding cybersecurity professionals. With
this in mind, Fortinet launched the FortiVets
program in 2013 in an effort to recruit and assist veterans seeking to
make the transition to a civilian career in cybersecurity. ITSP
Magazine, November, 2017
Poor application development practices leaving
organizations at significant risk of cyber attacks.
Particularly troublesome are .Net and Java applications: Banks and
financial services companies are leaving themselves at risk of being
hacked thanks to poorly-written code, according to new research. ITPRO,
November 13, 2017
Cybersecurity in Society
Investigating Payment Card Breach: Los
Angeles-based fashion retailer Forever 21 informed customers on Tuesday
that it has launched an investigation into a security incident involving
payment systems. SecurityWeek,
November 15, 2017
data breach: Hack costs Equifax $87.5 million, as income plummets: Equifax’s
data breach has cost the company $87.5 million, its latest financial
results reveal. ITPRO,
November 13, 2017
Undermined Elections in 18 Countries Last Year: The US
election was not a one-off: governments around the world sought to
influence elections via misinformation on social media in at least 18
countries over the past year, according to the latest report from Freedom
November 14, 2017
Blames NSA Analyst For U.S. Intel Leak: Kaspersky
Lab says it “inadvertently” scooped up classified U.S. documents and code
from a U.S. National Security Agency analyst’s home computer, but
suggested it wasn’t the conduit by which the material ended up in Russian
hands. Bank InfoSecurity
November 17, 2017
fixing the present so we can worry about the future: Ciaran
Martin, CEO of the UK NCSC, addresses the growing threats within cyber
space at The Times Tech Summit. National
Cyber Security Centre, November 15, 2017
trying to undermine us, says UK cyberdefence
chief as hackers have recently attacked UK’s energy, telecommunications
and media sectors: Russia is
seeking to undermine international order and its computer hackers have
recently attacked the UK’s energy, telecommunications and media sectors,
the nation’s cybersecurity chief is to warn today. The
Times, November 15, 2017
prepares for possible legal action over Kaspersky directive: The
Department of Homeland Security is continuing to remove Kaspersky Lab
software from federal systems after finding that 15 percent of federal
agencies detected it on their systems, DHS’s assistant secretary for
cybersecurity Jeanette Manfra told Congress
November 14, 2017
Baker discusses encryption in light of Texas shooting, NSA fears of leaks
and moles, ‘hack-back’ and the DoD with Michael Sulmeyer and Nicholas
Weaver: With the
Texas church shooting having put encryption back on the front burner, I
claim that Apple is becoming the FBI’s crazy ex-girlfriend in Silicon
Valley — and offer the tapes to prove it. When Nick Weaver rises to
Apple’s defense, I point out that Apple responded to a Chinese government
man-in-the-middle attack on iCloud users with spineless obfuscation
rather than a brave defense of user privacy. Nick asks for a citation.
Here it is: https://support.apple.com/en-us/HT203126 (Careful: don’t click
without a chiropractor standing by.) Nick provides actual news to
supplement the NYT’s largely news-free front page story about leak and
mole fears at NSA. I gloat, briefly, over hackback’s
new respectability, as the ACDC act acquires new cosponsors, including
Trey Gowdy, and hacking back acquires new
respectability. But not everywhere. Michael Sulmeyer
finally gets a word in edgewise as the conversation shifts to the NDAA
passes. He discusses the MGT Act, the growing Armed Services Committee
oversight of cyberoperations, and the decision
to lift — and perhaps separate — Cyber Command from NSA. I take issue
with any decision that requires that a three-star NSA director argue
intelligence equities with a four-star combatant commander. We end with
Michael Sulmeyer and I walking through the
challenges for DoD of deterring cyberattacks. We both end up expressing
skepticism about the current path. Steptoe
CyberBlog, November 14, 2017
Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core: WASHINGTON
— Jake Williams awoke last April in an Orlando, Fla., hotel where he was
leading a training session. Checking Twitter, Mr. Williams, a
cybersecurity expert, was dismayed to discover that he had been thrust
into the middle of one of the worst security debacles ever to befall
American intelligence. The New
York Times, November 12, 2017
Issues Warning – North Korean Hackers Targeting Businesses in Financial
Services, Aerospace and Telecommunications Sectors: Since last
year, North Korean hackers have been targeting businesses in the
financial services, aerospace and telecommunications sectors by
exploiting a remote administration tool, or RAT, according to an alert
issued Tuesday by the United States
Computer Emergency Response Team, part of the Department of Homeland
November 15, 2017
you need to know about the future of cybersecurity: Terrorism
researchers, AI developers, government scientists, threat-intelligence
specialists, investors and startups gathered at the second annual WIRED
conference to discuss the changing face of online security. These are the
people who are keeping you safe online. Their discussions included Daesh’s media strategy, the rise of new forms of
online attacks, how to protect infrastructure, the threat of pandemics
and the dangers of hiring a nanny based on her Salvation Army uniform. Wired,
November 10, 2017
Vault 8: WikiLeaks starts releasing source code
of alleged CIA cyber weapons: WikiLeaks
is starting a new series of leaks, dubbed Vault 8, containing source code
and materials allegedly stolen from the CIA. HelpNetSecurity, November 10, 2017
hacktivists compromise terrorists’ website:
Hacktivists have cracked into one of terror organisation
Isis’s main online outlets, Amaq, exfiltrating the details of over 1,700 newsletter
November 13, 2017
The content of this CRC-ICS Cyber News
Update is provided for information purposes only. No claim is made as to
the accuracy or authenticity of the content of this news update or
incorporated into it by reference. No responsibility is taken for any
information or services which may appear on any linked websites. The
information provided is for individual expert use only.
Founded in 2015, the Cyber Research
Center - Industrial Control Systems is a not for profit research & information
sharing research center working on the future state of Physical &
Cyber Protection and Resilience. CRC-ICS goals are to inform industries /
critical infrastructures about the fast changing threats they are facing
and the measures, controls and techniques that can be implemented to be
prepared to deal with these cyber threats.