Cyber Research

Cyber News

Cyber Info


November 2017

In this issue



*         US-CERT: North Korean Hackers Targeting Three Sectors

*         Container ship loading plans are 'easily hackable'

*         Experts working with Homeland Security hacked into Boeing 757

*         Massive US military social media spying archive left wide open in AWS S3 buckets

*         Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection and resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


US-CERT: North Korean Hackers Targeting Three Sectors

November 15, 2017

Malware Takes Aim at Financial Services, Aerospace and Telecommunications Industries


Since last year, North Korean hackers have been targeting businesses in the financial services, aerospace and telecommunications sectors by exploiting a remote administration tool, or RAT, according to an alert issued Tuesday by the United States Computer Emergency Response Team, part of the Department of Homeland Security.


According to the alert, the FBI and DHS identified internet protocol addresses and other indicators of compromise associated with the RAT, commonly known as FALLCHILL, used by the North Korean government. Federal authorities have labeled North Korean government malicious cyber activities as Hidden Cobra.

"The FBI has high confidence that Hidden Cobra actors are using the IP addresses to maintain a presence on victims' networks and to further network exploitation," the alert says.

Lazarus Group Ties

While Hidden Cobra is not a widely known moniker, the group is believed to be the same as the Lazarus Group, which is suspected of being responsible for some of the more notorious cyberattacks in recent years. That includes attacks targeting the SWIFT financial messaging system and Sony Pictures as well as the WannaCry ransomware campaign.

"Lazarus is not just another APT [advanced persistent threat] actor," a Kaspersky Lab report concludes. "The scale of Lazarus operations is shocking. It has been on a growth spike since 2011."

To help companies defend against FALLCHILL, the government is distributing the IP addresses to help toughen network defenses and reduce exposure to any North Korean government malicious cyber activity.

Muddling Network Traffic

FALLCHILL typically infects a system as a file dropped by other Hidden Cobra malware or as a file downloaded unknowingly by users when visiting sites compromised by Hidden Cobra actors, according to the alert.

The malware is the primary component of a command-and-control infrastructure that uses multiple proxies to obfuscate network traffic between Hidden Cobra actors and a victim's system. The alert, citing trusted third-party reporting, notes that communication flows from the victim's system to Hidden Cobra actors using a series of proxies as shown in the figure below.

[Figure: communication flow from the victim's system to Hidden Cobra actors through a chain of proxies. Source: US-CERT]

FALLCHILL uses fake transport layer security communications, encoding the data with RC4 encryption using a specific key. The malware collects basic systems information and transmits that data to command-and-control servers.

The alert provides network signatures and host-based rules that can be used to detect malicious activity associated with North Korean hackers. "Although created using a comprehensive vetting process, the possibility of false positives always remains," the alert cautions. "These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to Hidden Cobra actors."

More info https://www.bankinfosecurity.com/us-cert-north-korean-hackers-targeting-three-sectors-a-10457

Container ship loading plans are 'easily hackable'

November 20, 2017

Security researchers have warned that it might be possible to destabilise a container ship by manipulating the vessel stowage plan or "Bay Plan".



The issue stems from the absence of security in BAPLIE EDIFACT, a messaging system used to create ship loading and container stowage plans – for example which locations are occupied and which are empty – from the numerous electronic messages exchanged between shipping lines, port authorities, terminals and ships.

The messaging standard is developed and maintained by the Shipping Message Development Group (SMDG).

Criminals less interested in destabilising ships than in stealing goods by rerouting containers would use "COPRAR / COPARN / CODECO / COARRI" messages instead. These deal with shipping line to terminal messaging and vice versa.

Evidence suggests that ship and terminal messaging systems have been abused at times in order to either conceal or re-route drugs or steal valuables. "We believe this was done using front end GUIs in port rather than manipulating the data itself," according to Ken Munro, a security researcher at Pen Test Partners.


BAPLIE messages, once their syntax is understood, might potentially be manipulated to change the destinations of cargo, money and more. Pen Test Partners was more interested in message subsets that are found in "LIN" line items about contents and handling for individual containers.

Most straightforwardly it's possible to manipulate container weight and thus the ship's balance.

A potential hacker would simply search the message for VGM (Verified Gross Mass). The trailing value is the weight, so changing this value to make it either lighter or heavier would mean that the vessel load-planning software would place the container in the wrong place for stability. "Some ports may intercept the wrong weight at a weighbridge or possibly at the crane, but overloading containers to save on shipping cost is already a significant issue in some regions," Munro explained.

Researchers explained that it might be possible, using similar trickery, to place a mislabelled heavy container at the top of the stack, moving the centre of gravity too high. For example, it's possible to set the handling for "load third tier on deck", so high up, out of the hold. Manipulating the weight distribution is an issue because the ship becomes more and more unstable if heavy goods are loaded higher up in the stack.

Reefer madness

Certain attributes can be set for a container to flag that it needs special handling. Manipulating the message opens the door to all sorts of mischief.

For example, the status for an aggregation of explosive materials could be changed to a batch of regular liquids. Alternatively a potential hacker could modify the flashpoint of a flammable vapour.

Refrigerated containers need special handling, as they need to be located in certain bays that have power supplies. A particular code states that the container is a "reefer", so the load plan software will assign it to a powered bay.

Mischief-makers could change the designation of a batch of goods that need refrigeration to signify normal handling or (more subtly) that the refrigeration unit is inoperative, so the goods can be placed anywhere. The consequences of such trickery for a batch of prawns, for example, would be altogether malodorous.

Certain cargoes are sensitive to strong smells, particularly coffee. Handling codes are set to place them well away from smelly things. Pranksters could potentially change the designation so that a container full of odour-sensitive goods, such as coffee, has its door open and is located next to a container of fishmeal, which will be tagged as odorous.

To make things even worse the combo could be assigned to a hold using the "keep dry" code where there's poor air circulation.

"Whatever happens, the coffee will stink of fish on arrival at port," Munro writes.

The integrity of BAPLIE messaging is critical to the safety of container ships.

“I strongly encourage all operators, ports and terminals to carry out a thorough review of their EDI systems to ensure that message tampering isn’t possible,” Munro concluded.

The only "checksum" the BAPLIE format carries is a literal count, in the UNT trailer, of the total number of message segments, including the trailer itself but excluding the UNH message header.

"So, if you remove or add a message segment, don't forget to update the UNT [message] trailer," Munro explained. "If you’re just manipulating segment values, you don’t need to worry about UNT."

The terminal/ship/port receiving a doctored message will probably respond with a CONTRL message, acknowledging receipt.

This isn't much of a stumbling block, either.

"If you're intercepting and forwarding the entire EDI message stream, be prepared to spoof a message back to the sender," Munro notes. "It's easy to generate the correct CONTRL message for your modified request: there’s a generator here."

"Already there is evidence of theft of valuable items from containers in port, potentially through insider access by criminals to load information. It doesn't take much imagination to see some far more serious attacks," Munro concluded.
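As an added illustration that is not from the article or from Pen Test Partners, the Python below parses a constructed, simplified BAPLIE-style message, checks the UNT trailer count the way the article describes it (segments including UNT, excluding UNH; confirm which counting convention your own EDI software applies), and extracts the VGM weights. It makes the article's point concrete for defenders: the trailer count is a structural consistency check, not an integrity control, so a changed weight value passes it, while an HMAC over the message (an assumed, illustrative control that BAPLIE itself does not define) does detect the change.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed, simplified BAPLIE-style EDIFACT message (not a real interchange).
# Segments end with "'", data elements are separated by "+", components by ":".
# Each container is an EQD segment followed by a MEA segment carrying its
# Verified Gross Mass (VGM) in kilograms.
SAMPLE_MESSAGE = (
    "UNH+1+BAPLIE:D:95B:UN:SMDG20'"
    "BGM+635+PLAN001+9'"
    "LOC+5+NLRTM'"
    "LOC+147+0120286::5'"
    "EQD+CN+MSCU1234567+22G1+++5'"
    "MEA+AAE+VGM+KGM:24000'"
    "LOC+147+0120384::5'"
    "EQD+CN+TGHU7654321+22G1+++5'"
    "MEA+AAE+VGM+KGM:18500'"
    "UNT+9+1'"
)


def parse_segments(message: str) -> List[List[str]]:
    """Split a message into segments, each a list of its data elements.
    Simplification: the EDIFACT release character '?' is not handled."""
    return [seg.split("+") for seg in message.split("'") if seg]


def unt_count_is_consistent(segments: List[List[str]]) -> bool:
    """Compare the count declared in the UNT trailer with the segments present.
    Counting convention follows the article: UNT counts itself but not UNH."""
    if not segments or segments[0][0] != "UNH" or segments[-1][0] != "UNT":
        return False
    declared = int(segments[-1][1])
    actual = len(segments) - 1  # every segment except the UNH header
    return declared == actual


def verified_gross_masses(segments: List[List[str]]) -> Dict[str, int]:
    """Map container number -> VGM in kg from EQD / MEA+AAE+VGM pairs."""
    masses: Dict[str, int] = {}
    current = None
    for seg in segments:
        if seg[0] == "EQD" and len(seg) > 2:
            current = seg[2]
        elif seg[0] == "MEA" and len(seg) > 3 and seg[1:3] == ["AAE", "VGM"]:
            unit, value = seg[3].split(":", 1)
            if unit == "KGM" and current:
                masses[current] = int(value)
    return masses


def tag_message(message: str, key: bytes) -> str:
    """HMAC-SHA256 over the whole message: an assumed, illustrative
    integrity control that BAPLIE itself does not define."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_message(message: str, key: bytes, tag: str) -> bool:
    """Constant-time comparison of the received tag with a fresh one."""
    return hmac.compare_digest(tag_message(message, key), tag)


def integrity_report(message: str, key: bytes, tag: str) -> Dict[str, bool]:
    """Run both checks so the difference between them is visible."""
    segments = parse_segments(message)
    return {
        "unt_count_ok": unt_count_is_consistent(segments),
        "hmac_ok": verify_message(message, key, tag),
    }


if __name__ == "__main__":
    key = b"constructed-demo-key"  # would come from a key store in practice
    tag = tag_message(SAMPLE_MESSAGE, key)
    # One VGM value altered: the structure is unchanged, so the trailer
    # count still matches and only the HMAC notices.
    altered = SAMPLE_MESSAGE.replace("KGM:24000", "KGM:2400")
    # One segment dropped: the trailer count no longer matches either.
    truncated = SAMPLE_MESSAGE.replace("MEA+AAE+VGM+KGM:18500'", "")
    for name, msg in [("original", SAMPLE_MESSAGE), ("altered", altered),
                      ("truncated", truncated)]:
        print(name, integrity_report(msg, key, tag),
              verified_gross_masses(parse_segments(msg)))
```

Running the block prints `unt_count_ok: True` for both the original and the altered message, which is exactly why a receiving terminal should verify messages with a keyed integrity control rather than trusting the trailer count.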

Read more http://www.theregister.co.uk/2017/11/20/container_ship_loading_software_mischief/

Experts working with Homeland Security hacked into Boeing 757

November 10, 2017

There's some unsettling news about one of America's most widely-used jetliners.

In a test, experts working with Homeland Security hacked into a Boeing 757. The team of researchers needed only two days in September 2016 to remotely hack into a 757 parked at the airport in Atlantic City, New Jersey.

Speaking at a conference this week, Robert Hickey of the Department of Homeland Security said his team used "typical stuff that could get through security" and hacked into the aircraft systems using "radio frequency communications."

"The 757 hasn't been in production since 2004, but the aging workhorse is still flown by major airlines like United, Delta and American," said Mark Rosenker, the former chair of the National Transportation Safety Board.

President Trump's personal jet is a 757. So is the plane Vice President Pence often uses -- including on his recent trip to Texas.

The classified DHS testing followed a 2015 incident where a passenger told the FBI he had gained control of a plane's engine by hacking into the airline's in-flight entertainment system.

That same year, the Government Accountability Office warned about "potential malicious actors" accessing an airliner's Wi-Fi network.

Homeland Security says the recent testing was in an "artificial environment and risk reduction measures were already in place."

Boeing observed the testing and was briefed on its results. In a statement, the company says, "We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft."

An official briefed on the testing does not believe it revealed an "extreme vulnerability" to airliners, since it required a very specific approach in a very specific way on an older aircraft with an older system. The official adds, it was good information to have, "but I'm not afraid to fly."

More Info https://www.cbsnews.com/news/homeland-security-hacked-boeing-757-jetliner/




Massive US military social media spying archive left wide open in AWS S3 buckets

November 17, 2017

Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.

The archives were found by UpGuard's veteran security-breach hunter Chris Vickery during a routine scan of open Amazon-hosted data silos, and the trio weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive.

CENTCOM is the common abbreviation for the US Central Command, which controls the army, navy, air force, marines and special ops in the Middle East, north Africa and central Asia. PACOM is the name for US Pacific Command, covering the rest of southern Asia, China and Australasia.

Vickery told The Register today he stumbled upon them by accident while running a scan for the word "COM" in publicly accessible S3 buckets. After refining his search, the CENTCOM archive popped up, and at first he thought it was related to Chinese multinational Tencent, but quickly realized it was a US military archive of astounding size.

"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate."

Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens.

The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the US government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Vickery found the Outpost development configuration files in the archive, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch. Another file refers to Coral, which may well be a reference to the US military's Coral Reef data-mining program.

"Coral Reef is a way to analyze a major data source to provide the analyst the ability to mine significant amounts of data and provide suggestive associations between individuals to build out that social network," Mark Kitz, technical director for the Army Distributed Common Ground System – Army, told the Armed Forces Communications and Electronics Association magazine Signal back in 2012.

"Previously, we would mine through those intelligence reports or whatever data would be available, and that would be very manual-intensive."

Before you start scrabbling for your tinfoil hats, the army hasn't made a secret of Coral Reef, even broadcasting the awards the software has won. And social media monitoring isn't anything new, either.

However, it is disturbing quite how easy this material was to find, how poorly configured it was, and that the archives weren't even given innocuous names. If America's enemies – or to be honest, anyone at all – are looking for intelligence, these buckets were a free source of information to mine.

After years of security cockups like this in the public and private sectors, Amazon has tried to help its customers avoid configuring their S3 buckets as publicly accessible stores, by adding full folder encryption, yellow warning lights when buckets aren't locked down, and tighter access controls.

"This was found before these new Amazon controls were added," Vickery said. "So we have yet to see how effective that yellow button will be."

Vickery said he notified the American military about the screwup, and the buckets have now been locked down and hidden. Unusually, the military contact thanked him for bringing the matter to their attention – usually talking to the armed forces is a "one-way street," Vickery said.

Read more: http://www.theregister.co.uk/2017/11/17/us_military_spying_archive_exposed/

Latest Cyber Security News

Individuals at Risk

Cyber Privacy

How to Opt Out of Equifax Revealing Your Salary History: A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy. KrebsOnSecurity, November 13, 2017

Over one million users’ personal and financial data publicly exposed by US-based ride hailing firm Fasten: Over one million users’ personal and financial data was inadvertently publicly exposed by US-based ride hailing firm Fasten. The leaked data includes names, emails, phone numbers, credit card data, links to photos, device IMEI numbers, GPS data and users’ taxi routes. IBTimes, November 11, 2017

Cyber Update

Adobe, Microsoft Patch Critical Cracks: It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday”) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave. KrebsOnSecurity, November 14, 2017

Cyber Defense

Think Twice Before Logging on to Public Wi-Fi: At the airport, in a coffee shop or hotel lobby? Think twice before logging on to that free Wi-Fi. Robert Braun, Partner, JMBM and Member of SecureTheVillage Leadership Council – JMBM Cybersecurity Lawyer Forum, November 11, 2017

Cyber Warning

Three more Android malware families invade Google Play Store: Collectively downloaded millions of times, 158 fake Android applications containing mobile malware were recently found smuggled into the Google Play Store, according to a trio of separate research reports that were published within days of each other. SCMagazine, November 16, 2017

Chrome Extension “Browse-Secure” Steals Your Contact Info from Facebook and LinkedIn: A new Chrome extension called Browse-Secure is promoted on the Chrome Web Store as being able to secure searches. What it does not tell you is that it is also crawling your LinkedIn and Facebook accounts and uploading your name, email address, gender, mobile number, and address to a remote server. BleepingComputer, November 14, 2017

Information Security Management in the Organization

Information Security Management and Governance

Smart behaviors that can improve your cybersecurity: Some of the cybersecurity best practices for advisors are smart moves for consumers, too. CNBC, November 16, 2017

Cyber Warning

WordPress Sites Exposed to Attacks by ‘Formidable Forms’ Flaws: Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites. SecurityWeek, November 15, 2017

Cyber Defense

Microsoft Provides Guidance on Mitigating DDE Attacks: Despite a rash of attacks leveraging Dynamic Data Exchange fields in Office, including some spreading destructive ransomware, Microsoft has remained insistent that DDE is a product feature and won’t address it as a vulnerability. ThreatPost, November 9, 2017

Administrative And Privileged Accounts Are Keys To The Kingdom. Requires Effective Management to Assure Least Privilege: In many ways, IT is very similar to economics in that there is no perfect state. Low interest rates, for instance, helps borrowers but hurts savers and full employment incurs inflation. Like an economist, today’s IT managers face the continued challenge of finding that perfect middle ground between a guaranteed secure network environment and one that is conducive to user productivity and innovation. Such is the case when allotting admin rights to users. ITSP Magazine, November 2017

Cyber Update

Cisco Warns of Critical Vulnerability in Voice OS-Based Products: A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. CISCO, November 15, 2017

Oracle issues emergency update for vulnerabilities affecting several products that rely on proprietary Jolt protocol: This Security Alert addresses CVE-2017-10269 and four other vulnerabilities affecting the Jolt server within Oracle Tuxedo. These vulnerabilities have a maximum CVSS score of 10.0 and may be exploited over a network without the need for a valid username and password. The Oracle Jolt client is not impacted. Oracle, November 14, 2017

Know Your Enemy

Ransomware Always Tips Its Hand. Ransomware study identifies specific components common in ransomware attacks: With the large number of ransomware attacks that have surfaced in recent years, many people have mistakenly believed that it’s a new threat, and one that is impossible, or at least very difficult to prevent. ITSP Magazine, November, 2017

Cyber Talent

How Military Veterans Transition To Civilian Cybersecurity: Given the number of ex-military folks we know who now work to defend networks, we understand that military veterans possess natural synergies that can allow them to develop into outstanding cybersecurity professionals. With this in mind, Fortinet launched the FortiVets program in 2013 in an effort to recruit and assist veterans seeking to make the transition to a civilian career in cybersecurity. ITSP Magazine, November, 2017

Application Security

Poor application development practices leaving organizations at significant risk of cyber attacks. Particularly troublesome are .Net and Java applications: Banks and financial services companies are leaving themselves at risk of being hacked thanks to poorly-written code, according to new research. ITPRO, November 13, 2017

Cybersecurity in Society

Cyber Crime

Forever 21 Investigating Payment Card Breach: Los Angeles-based fashion retailer Forever 21 informed customers on Tuesday that it has launched an investigation into a security incident involving payment systems. SecurityWeek, November 15, 2017

Identity Theft

Equifax data breach: Hack costs Equifax $87.5 million, as income plummets: Equifax’s data breach has cost the company $87.5 million, its latest financial results reveal. ITPRO, November 13, 2017


Cyber Freedom

Governments Undermined Elections in 18 Countries Last Year: The US election was not a one-off: governments around the world sought to influence elections via misinformation on social media in at least 18 countries over the past year, according to the latest report from Freedom House. InfoSecurity, November 14, 2017

National Cybersecurity

Kaspersky Blames NSA Analyst For U.S. Intel Leak: Kaspersky Lab says it “inadvertently” scooped up classified U.S. documents and code from a U.S. National Security Agency analyst’s home computer, but suggested it wasn’t the conduit by which the material ended up in Russian hands. BankInfoSecurity, November 17, 2017

Cyber security: fixing the present so we can worry about the future: Ciaran Martin, CEO of the UK NCSC, addresses the growing threats within cyber space at The Times Tech Summit. National Cyber Security Centre, November 15, 2017

Kremlin is trying to undermine us, says UK cyberdefence chief as hackers have recently attacked UK’s energy, telecommunications and media sectors: Russia is seeking to undermine international order and its computer hackers have recently attacked the UK’s energy, telecommunications and media sectors, the nation’s cybersecurity chief is to warn today. The Times, November 15, 2017

DHS prepares for possible legal action over Kaspersky directive: The Department of Homeland Security is continuing to remove Kaspersky Lab software from federal systems after finding that 15 percent of federal agencies detected it on their systems, DHS’s assistant secretary for cybersecurity Jeanette Manfra told Congress Tuesday. CyberScoop, November 14, 2017

Stewart Baker discusses encryption in light of Texas shooting, NSA fears of leaks and moles, ‘hack-back’ and the DoD with Michael Sulmeyer and Nicholas Weaver: With the Texas church shooting having put encryption back on the front burner, I claim that Apple is becoming the FBI’s crazy ex-girlfriend in Silicon Valley — and offer the tapes to prove it. When Nick Weaver rises to Apple’s defense, I point out that Apple responded to a Chinese government man-in-the-middle attack on iCloud users with spineless obfuscation rather than a brave defense of user privacy. Nick asks for a citation. Here it is: https://support.apple.com/en-us/HT203126 (Careful: don’t click without a chiropractor standing by.) Nick provides actual news to supplement the NYT’s largely news-free front page story about leak and mole fears at NSA. I gloat, briefly, over hackback’s new respectability, as the ACDC act acquires new cosponsors, including Trey Gowdy, and hacking back acquires new respectability. But not everywhere. Michael Sulmeyer finally gets a word in edgewise as the conversation shifts to the NDAA passes. He discusses the MGT Act, the growing Armed Services Committee oversight of cyberoperations, and the decision to lift — and perhaps separate — Cyber Command from NSA. I take issue with any decision that requires that a three-star NSA director argue intelligence equities with a four-star combatant commander. We end with Michael Sulmeyer and I walking through the challenges for DoD of deterring cyberattacks. We both end up expressing skepticism about the current path. Steptoe CyberBlog, November 14, 2017

Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core: WASHINGTON — Jake Williams awoke last April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, Mr. Williams, a cybersecurity expert, was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall American intelligence. The New York Times, November 12, 2017

Critical Infrastructure

US-CERT Issues Warning – North Korean Hackers Targeting Businesses in Financial Services, Aerospace and Telecommunications Sectors: Since last year, North Korean hackers have been targeting businesses in the financial services, aerospace and telecommunications sectors by exploiting a remote administration tool, or RAT, according to an alert issued Tuesday by the United States Computer Emergency Response Team, part of the Department of Homeland Security. BankInfoSecurity, November 15, 2017

5 things you need to know about the future of cybersecurity: Terrorism researchers, AI developers, government scientists, threat-intelligence specialists, investors and startups gathered at the second annual WIRED conference to discuss the changing face of online security. These are the people who are keeping you safe online. Their discussions included Daesh’s media strategy, the rise of new forms of online attacks, how to protect infrastructure, the threat of pandemics and the dangers of hiring a nanny based on her Salvation Army uniform. Wired, November 10, 2017

Vault 8: WikiLeaks starts releasing source code of alleged CIA cyber weapons: WikiLeaks is starting a new series of leaks, dubbed Vault 8, containing source code and materials allegedly stolen from the CIA. HelpNetSecurity, November 10, 2017

Cyber Sunshine

Anti-Isis hacktivists compromise terrorists’ website: Hacktivists have cracked into one of terror organisation Isis’s main online outlets, Amaq, exfiltrating the details of over 1,700 newsletter subscribers. ITPRO, November 13, 2017





The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information sharing center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS's goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net