Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies

25 March 2017

SQL injection is one of the oldest, most used and best understood attack vectors. The solution (input sanitizing) is also well understood, but many systems vulnerable to SQL injection are still operated on the internet. And the cybercriminal Rasputin is obviously a genius at finding such systems.

In his post “Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies”, David Bisson provides some insight into the problem and why organizations are struggling with the solution:

“The evidence suggests economics play a role in causation for this troubling trend. The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization.”

As always, it’s a lack of budget and resources. But especially in the case of university web sites I find this really difficult to understand.

Computer science students can work on these issues in seminars and projects after the basic database and web programming courses. Even the project management can be done by students. Only a few expensive professionals are required to coordinate the activities with the university’s IT department.

If one starts with the web pages where user input is requested, the major problems can be solved in the short or medium term. In addition, students will get very valuable insights into real cyber security issues and how to solve them.
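As an added illustration (not code from the post or from any of the affected sites), the vulnerable pattern beside its fix: a constructed student lookup on an in-memory SQLite table, once with string concatenation and once with a bound parameter. Table, rows and the crafted input are made up for the demo.

```python
import sqlite3

# Constructed sample data standing in for a university enrolment table.
STUDENTS = [("s1001", "Ada"), ("s1002", "Grace"), ("s1003", "Linus")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (student_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, student_id):
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input changes the structure of the query instead of being data."""
    sql = "SELECT name FROM students WHERE student_id = '" + student_id + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, student_id):
    """Fixed: the value is handed to the driver as a bound parameter, separate
    from the SQL text, so it can never be parsed as part of the statement."""
    sql = "SELECT name FROM students WHERE student_id = ?"
    return sorted(row[0] for row in conn.execute(sql, (student_id,)))


def demo():
    """Run the same crafted input through both lookups: the vulnerable version
    returns every student, the safe version finds no such id."""
    conn = make_db()
    crafted = "' OR '1'='1"  # textbook tautology, harmless on this test DB
    return lookup_vulnerable(conn, crafted), lookup_safe(conn, crafted)
```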

Have a good weekend.

Ransomware for Industrial Control System – Digital Carelessness

19 March 2017

Ransomware for Industrial Control Systems (ICS) is a scary idea. The research paper ‘Out of Control: Ransomware for Industrial Control System’ by David Formby, Srikar Durbha and Raheem Beyah from the Georgia Institute of Technology is really worth reading.

The researchers study several attack vectors and run a proof of concept (POC). In addition, they give some hints for mitigation of this new risk in the ICS / SCADA domain.

In the simplest case, if the PLC is connected to the internet, the cyber-criminal can attack the PLC directly. A more dangerous, but also very promising way is to start an attack on a workstation located in the corporate network and use this system as a base camp for access to the production network.

In the past weeks I prepared a speech for a workshop about “Safety and security in plant safety”. In the IIoT, the digital world acts upon the physical world. With this, flaws in the IIoT software may create a safety problem. For example, if a PLC or other SCADA components are attached to the internet, cyber criminals can exploit such flaws and compromise the integrity of the systems or install ransomware on them. In the worst case, if e.g. the SCADA system controls a critical infrastructure like a power grid, this may result in a blackout. And operators of critical infrastructures will definitely pay any ransom to avoid a blackout.

The attack vectors described above are the native way of accessing industrial facilities and critical infrastructures. Besides the PLC, lots of other components like switches or HMI panels are connected, more or less intentionally, to the internet today. My colleague Christoph Thust from Evonik calls this Digital Carelessness.

A plain SHODAN search for ‘SCALANCE’ results in 213 hits. These network switches are more or less exposed to the internet. If a cyber attacker can hijack such a switch, he gains full control of the production network.

[Figure: Shodan SCALANCE search]

A search for ‘SIMATIC HMI’ results in 103 hits. These HMI panels are directly attached to the internet; lots of them can be viewed with WinVNC, and some of them can be fully operated by EVERYONE.

[Figure: Shodan SIMATIC HMI search]

And, above all, HMI panels attached to the internet can be used as a base camp for an attacker’s lateral movement in the production network.

Although ransomware is a really big issue today, the effort to roll out ransomware in a SCADA environment is high compared to the effort of plain attacks on unsecured SCADA system components.

The good news is that the vendors of SCADA components already offer the elementary technology and strategies for their secure operation. But the basic security technologies urgently need to be improved for efficient use in the production domain.

The bad news is that neither the engineering service providers nor the plant operators are fully aware of cyber-threats and their impact on plant operations and safety. The above examples make clear that the mitigation measures and defense strategies provided by the technology vendors are not followed.

From my point of view we need to start early in the construction process with considerations of cyber security. Security gates must be added to each construction phase. And during handover to the operator, a final pen test must be performed. As soon as Security by Design becomes an integral part of the Industrial Plant Life Cycle, the era of digital carelessness will end.

Have a good weekend.

British man arrested after 900,000 broadband routers knocked offline in Germany

5 March 2017

About 900,000 Deutsche Telekom customers suffered internet outages on Sunday 27th and Monday 28th November 2016. Two weeks ago a 29-year-old man was arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with this attack. Both the attack and the arrest of the cyber attacker made the headlines.

The report ‘New Mirai attack vector – bot exploits a recently discovered router vulnerability’, posted on 28 November 2016 at BadCyber, describes the technical details of the attack. The attacker used the TR-064 protocol over port 7547 to inject code into the router’s configuration.

The TR-064 protocol is used by ISPs to keep their infrastructure up to date. Under normal conditions the updates are initiated by the router. In this case the attacker sent specially crafted packets to the router to inject the malicious code.

For access to the router a username and password are required. The attacker used well-known default passwords in the attack, with great success:

Username   Password
root       xc3511
root       vizxv
root       admin

How can such attacks be avoided?

We all need to take greater care over our router security. Default passwords must be changed at commissioning, enforced by the router software. In addition, the router should prevent the use of passwords from the ‘Worst Password’ lists.
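An added example, not taken from any router vendor’s firmware, of the commissioning-time check the paragraph asks for: it keeps the device in a forced-change state while a factory credential is set, and rejects a new password if it is one of the three defaults listed in this post, appears on a (constructed) worst-password list, is short, or contains the username.

```python
# Constructed commissioning check; the rules and the worst-password list are
# illustrative, not taken from a real device.

# The default credentials listed in this post (the ones the bot tried).
FACTORY_DEFAULTS = {("root", "xc3511"), ("root", "vizxv"), ("root", "admin")}

# Constructed stand-in for a published 'worst passwords' list; a real device
# would ship the full list and refresh it with firmware updates.
WORST_PASSWORDS = {"123456", "password", "qwerty", "12345678", "admin", "root"}

MIN_LENGTH = 12


def must_force_change(username, stored_password):
    """True while the device still runs a factory credential: the firmware
    should refuse normal operation until the operator sets a new one."""
    return (username, stored_password) in FACTORY_DEFAULTS


def password_violations(username, candidate):
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    reasons = []
    if candidate in {pw for _, pw in FACTORY_DEFAULTS}:
        reasons.append("factory default password")
    if candidate.lower() in WORST_PASSWORDS:
        reasons.append("on the worst-password list")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")
    return reasons


def commissioning_allowed(username, candidate):
    """Accept the new credential only when no rule fires."""
    return not password_violations(username, candidate)
```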

But in my opinion that’s not enough. Vendors deliver internet routers with really poor software quality. Although injection attacks have been on the OWASP Top 10 vulnerabilities list for at least ten years, no vendor seems to care about this issue.

The NIST NVD database lists 995 injection-related software flaws (e.g. remote command injection or SQL injection) in the last three years, even though solutions to address these issues, e.g. input sanitizing, have been known for years.

In my opinion, to protect critical infrastructures from cyber attacks some governmental attention is required. For critical components like internet routers, certification before sale is required to make sure that state-of-the-art protection against common attack vectors is implemented.

Sounds easy, doesn’t it?

Have a good weekend. And check the complexity of your internet router password.

Malware in SQL – Really new?

18 February 2017

In the post ‘Magento stores targeted by self-healing malware that steals credit card details’, published by David Bisson on 18 February 2017 in Graham Cluley’s newsletter, I found the really astonishing statement from Willem de Groot:

This is the first time I see malware written in SQL.

What happened? To put it briefly, someone found a vulnerability in Magento-powered online stores. He guessed the web shop’s administrator password. With this, he managed to get the database schema user’s username and password, connected to the database and added an after-insert trigger to the sales_flat_order table. The after-insert trigger adds code to the web page which sends customer credit card details to the attacker’s C&C server.

To be honest, there’s nothing new here.

As in 90% of all data breaches, a vulnerability known for some months was used to get administrative access to the shop software. For details please see the post ‘10 tricks to improve Magento admin security’.

But this need not end in a data breach. The issue here is that the admin user was used to get privileged access to the database. This kind of trouble can easily be avoided by strict separation of duties inside the database. Only the database schema owner should have the privileges to change the database schema, i.e. to add a trigger to a table. All other database users should have the privilege to access data sets only. And the web shop software administrator should have no access to database content at all. That is plain, long-known database design best practice.

In general, database application designers spend a lot of time ensuring data integrity. Data integrity was not violated here. In this case, we encounter code integrity issues, which result in the loss of confidentiality.

Separation of duties is the standard means of mitigating this kind of issue. In addition, we should consider adding code integrity checks to ensure code integrity at runtime.
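Separation of duties itself is configured with the DBMS’s GRANT statements; the runtime code-integrity check suggested above can be implemented as a trigger-catalogue baseline. The following is an added example (not Magento’s own code) on an in-memory SQLite database standing in for the shop database: it snapshots the trigger definitions and later flags an AFTER INSERT trigger that has appeared on sales_flat_order. The page_code table and the trigger body are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed stand-in for the relevant part of the shop database: the order
# table named in the post plus a table that stores page code.
SCHEMA = """
CREATE TABLE sales_flat_order (entity_id INTEGER PRIMARY KEY, cc_last4 TEXT);
CREATE TABLE page_code (name TEXT PRIMARY KEY, body TEXT);
INSERT INTO page_code VALUES ('checkout', '<script src="/js/checkout.js"></script>');
"""


def clean_db():
    """Fresh in-memory database with the constructed schema and no triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def trigger_snapshot(conn):
    """Map each trigger name to a hash of its definition, read from the
    catalogue (sqlite_master here; information_schema.TRIGGERS on MySQL)."""
    rows = conn.execute(
        "SELECT name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()
    return {name: hashlib.sha256(sql.encode()).hexdigest() for name, sql in rows}


def check_trigger_integrity(conn, baseline):
    """Compare the live trigger catalogue with the approved baseline and
    return findings (empty list = trigger code unchanged)."""
    current = trigger_snapshot(conn)
    findings = [f"unexpected trigger: {n}" for n in sorted(current.keys() - baseline.keys())]
    findings += [f"missing trigger: {n}" for n in sorted(baseline.keys() - current.keys())]
    findings += [f"modified trigger: {n}" for n in sorted(current.keys() & baseline.keys())
                 if current[n] != baseline[n]]
    return findings


def demo():
    """Take a baseline on the clean schema, then add an AFTER INSERT trigger on
    sales_flat_order that tampers with stored page code; the check flags it."""
    conn = clean_db()
    baseline = trigger_snapshot(conn)  # approved state: no triggers at all
    conn.execute(
        "CREATE TRIGGER order_hook AFTER INSERT ON sales_flat_order BEGIN "
        "UPDATE page_code SET body = body || '<!-- tampered -->' "
        "WHERE name = 'checkout'; END"
    )
    return check_trigger_integrity(conn, baseline)
```

In production the baseline would be taken after each approved schema change and the check run on a schedule, since a trigger added by a schema-privileged account leaves no trace in the application code itself.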

Have a good weekend.

IIoT is killing ISA 95!?

12 February 2017

At the end of his great post ‘IIoT is killing ISA 95 !! …a.k.a. the operators that talked to the CEO’, Antonio Buendia, Head of Manufacturing Process Control at Novartis, asks three questions:


“What do you think?

(1) Do you think that ISA 95 is dead, and we are going to have a series of devices each of them talking to each other? And those devices will be able to digest and process the information by themselves?

(2) Do you think that the IIoT will bring enhanced communication capabilities, but we still need to establish a hierarchy, a set of common rules for orchestration, but a new model has to be created?

(3) Or do you think that ISA 95, with some minor tweaks, is still the model of reference for the IIoT?”


There is no simple answer to these questions. In my opinion the answer depends strongly on the issues one is going to solve with IIoT devices.

Even in the age of the IIoT, ISA 95 will still be a reference model in production. Let me be quite clear: for just the execution of a manufacturing order, the ISA 95 model will fit more or less well even in the age of the IIoT.

For other production-related issues the ISA model may possibly not fit. Let me make this clear with an example:

For the execution of a huge production order it would be helpful to know in advance the likelihood of equipment breakdowns during the execution time. IIoT devices like smart pumps or smart valves are able to gather operational data. This data can be used to predict the remaining run time of the devices. If the remaining run times of all devices are known, it is easy to predict whether a production order can be executed without major delays.

This is one possible added value we create from IIoT devices. Currently only a few manufacturers are collecting these data. The Industrie 4.0 concept goes far beyond the local collection and analysis of operational data. If the data is sent to the equipment manufacturer for further analysis, we can create more value from the data because the device vendor may correlate it with the data from thousands of similar devices. With this, remaining run times can be estimated more accurately.

From my point of view, it is not necessary that an individual device contacts the vendor’s database to get details about its remaining run time. It is enough if the device management system does this job. I don’t think that the ERP system must be involved in this communication, at least during the analysis phase.

With this, my answer is: ISA 95 is still a reference model for manufacturing in the age of the IIoT. But we have to develop other models or extend the ISA 95 model if we are going to turn the capabilities of the IIoT into EBIT.

Have a good week.

Rethinking the Patch Strategy in the ICS Domain

5 February 2017

In the past weeks I reviewed several drafts on Industrial Control System (ICS) security. Although of limited value in the ICS Domain, patching and malware protection are key issues of all drafts.

Especially the patch process, which works moderately well in the office IT domain, cannot be directly applied to ICS systems, because ICS systems cannot simply be rebooted to apply the patch.

[Figure: Industrial control system patch cycle]

To reboot an ICS system a shutdown of the process is required. In the worst case, the operators have to wait several weeks or months for the next scheduled plant maintenance to implement the patch and to reboot the ICS. During this time the ICS is more vulnerable to the threats mitigated by the patch.

With this, we have to design and operate our ICS systems and networks such that they are resilient against cyber-attacks during the time until the next scheduled maintenance.

The following are examples of technical measures:

  • Isolation of ICS and SCADA systems in secured network zones inside the production network and strict flow control across security devices between the zones are basic design principles for creating robust systems.
  • A secure remote maintenance solution which is completely under control of the plant operators, ideally a rendezvous solution to keep the external service provider in the DMZ.
  • A secure and controlled remote access solution for plant operators.
  • Strict Network Access Control in the entire production network to increase resilience against attackers from inside.
  • No Internet access and personal email in the entire production network. This is a quick win! The same holds for the deactivation of USB disk devices.

Have a good weekend.

Unsecured IIoT devices in untrusted networks

28 January 2017

I am currently reviewing a draft of the German Federal Office for Information Security (BSI) about Operational and Control Technology. The goal of the paper is to define suitable requirements for IT security in OT.

IIoT devices, e.g. modern sensors like the Schneider Electric PowerLogic ION7650 power meter, offer many communication options, including an optional Ethernet port:

[Figure: Schneider Electric PowerLogic ION7650 communication options]

With the Ethernet port activated, the power meter behaves like a standard web server and provides standard internet services for access, e.g. FTP via port 21 and HTTP via ports 80, 81 and 443.

The BSI paper introduces the concept of ‘required connections’ to communication partners outside the production network. This concept is based on the idea that production networks are isolated from a company’s office network as well as from the internet through security devices. The number of required connections, e.g. a connection from the ERP system to the Manufacturing Execution System (MES), should be kept as low as possible. In addition, required connections and the related communication endpoints must be specially protected to prevent misuse.

Lots of the PowerLogic ION7650 power meters are not operated in a production network. They are directly attached to the internet through an internet router, thus directly attackable by all internet users.

With this, each power meter creates its own production network, and every connection becomes a required connection. The major difference to the classic production network is that the power meter falls far short of the protection capabilities a classic production network provides.

Thus, special attention has to be paid to the secure configuration of the devices and the attached internet routers during commissioning. Unfortunately, neither the service personnel setting up the device nor the operators seem to be aware of the dangers which result from these limited protection options, because lots of unsecured devices are directly attached to the internet.

It is not very likely that a single compromised power meter has an impact on the national power grid. But if an attacker is able to compromise hundreds or thousands of devices …

The BSI paper provides a comprehensive set of technical and organizational measures to OT organizations to deal effectively with IT security issues in production environments.

Nevertheless, I recommend that operators review the configuration of their devices and secure them. Besides financial loss due to malfunctions, unsecured devices can be hijacked and included in botnets.

Have a good weekend.