Monthly Archives: March 2017

Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies

25 March 2017

SQL injection is one of the oldest, most used and best understood attack vectors. The solution (input sanitizing) is also well understood, but still lots of systems vulnerable to SQL injection are operated on the internet. And the cybercriminal Rasputin is obviously a genius in detecting such systems.

In his post “Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies“, David Bisson provides some insight into the problem and why organizations are struggling with the solution:

“The evidence suggests economics play a role in causation for this troubling trend. The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization.

As always, it’s a lack of budget and resources. But especially in the case of university web sites I find this really difficult to understand.

Computer science students can work on this issues in seminars and projects after the basic database and web programming courses. Even the project management can be done by students. Only few expensive professionals are required to coordinate the activities with the universities IT department.

If one starts with the web pages where user input is requested, the major problems can be solved in short or medium term. In addition, students will get very valuable insights into real cyber security issues and how to solve them.

Have a good weekend.

Ransomware for Industrial Control System – Digital Carelessness

19 March 2017

Ransomware for Industrial Control Systems (ICS) is a scaring idea. The research paper ‘Out of Control: Ransomware for Industrial Control System‘ by David Formby, Srikar Durbha and Raheem Beyah from the Georgia Institute of Technology is really worth reading.

The researchers study several attack vectors and run a proof of concept (POC). In addition, they give some hints for mitigation of this new risk in the ICS / SCADA domain.

In the simplest case, if the PLC is connected to the internet, the cyber-criminal can attack the PLC directly. A more dangerous, but also very promising way is to start an attack on a workstation located in the corporate network and use this system as base camp for the access to the production network.

In the past weeks I prepared a speech for a workshop about “Safety and security in plant safety”. In the IIoT, the digital world acts upon the physical world. With this, flaws in the IIoT software may create a safety problem. For example, if a PLC or other SCADA components are attached to the internet, cyber criminals can exploit such flaws and compromise the integrity of the systems or implement ransomware on the systems. In the worst case, if e.g. the SCADA system controls a critical infrastructure like a power grid, this may result in a blackout. And operators of critical infrastructures will pay definitely any ransom to avoid a blackout.

The attack vectors described above are the native way for accessing industrial facilities and critical infrastructures. Besides the PLC, lots of other components like switches or HMI panels are connected more or less intentionally to the internet today. My colleague Christoph Thust from Evonik calls this the Digital Carelessness.

A plain SHODAN search for ‘SCALANCE‘ results in 213 hits. These network switches are more or less exposed to the internet. If a cyber attacker can hijack such a switch, he gains full control of the production network.

Shodan Scalance Search

Shodan Scalance Search. Click to enlarge.

A search for ‘SIMATIC HMI‘ results in 103 hits. This HMI panels are directly attached to the internet, lots of them can be viewed with WinVNC, some of them can be fully operated by EVERYONE.

Shodan Search HMI

Shodan Search HMI. Click to enlarge.

And, above all, HMI panels attached to the internet can be used as base camp for an attacker’s lateral movement in the production network.

Although ransomware is a really big issue today, the effort to rollout ransomware in a SCADA environment is high compared to the effort of plain attacks to unsecured SCADA system components.

The good news is, that the vendors of SCADA components already offer the elementary technology and strategies for their secure operation. But improvement of the basic security technologies is of crucial need for efficient use in the production domain.

The bad news is, that neither the engineering service providers nor the plant operators are fully aware of cyber-threats and their impact on plant operations and safety. The above examples make clear that the mitigation measures and defense strategies provided by the technology vendors are not followed.

From my point of view we need to start early in the construction process with considerations of cyber security. Security gates must be added to each construction phase. And during handover to the operator, a final pen test must be performed. As soon as Security by Design becomes an integral part of the Industrial Plant Life Cycle, the era of digital carelessness will end.

Have a good weekend.

British man arrested after 900,000 broadband routers knocked offline in Germany

5 March 2017

About 900,000 Deutsche Telekom customers suffered internet outages on Sunday 27th and Monday 28th November 2016. Two weeks ago a 29-year-old man has been arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with this attack. Both, the attack and the arrest of the cyber attacker made it into the headlines.

Report ‘New Mirai attack vector – bot exploits a recently discovered router vulnerability‘, posted on 28 November 2016 at BadCyber, describes the technical details of attack. The attacker used the TR-064 protocol over Port 7547 to inject code into the routers configuration details.

Protocol TR-064 is used by ISP’s to keep their infrastructure up-to-date. Under normal conditions the updates are initiated by the router. In this case the attacker sent some specially crafted packets to the router to inject the malicious code.

For access to the router a username and password is required. The attacker used well-known default passwords in the attack, with great success:

Username Password
 root     xc3511
 root     vizxv
 root     admin

How can such attacks been avoided?

We all need to take greater care over our router security. Default passwords must be changed at commissioning, forced by the router software. In addition, the router should prevent the usage of passwords from the ‘Worst Password‘ lists.

But in my opinion that’s not enough. Vendors deliver internet routers with really poor software quality. Although injection attacks are at least for ten years on the OWASP Top 10 Vulnerabilities list, no vendor seems to care about this issue.

The NIST NVD database lists 995 injection related software flaws (e.g. remote command injection or sql-injection) in the last three years, even though solutions to address this issues, e.g. by input sanitizing, are known for years now.

in my opinion, to protect critical infrastructures from cyber attacks some governmental attention is required. For critical components like internet routers a certification before selling is required to make sure, that state-of-the-art protection against common attack vectors is implemented.

Sounds easy, doesn’t it?

Have a good weekend. And check the complexity of your internet router password.