For those in the oil and gas industry or others with any type of SCADA devices (e.g. electric, water, sewer), we have received numerous notifications on the Havex Trojan. To date we have not supported any incidents involving this threat, but TRUE does understand the challenges Industrial Control Systems present to these organizations. The days of “air gap” are of the past.
In light of the recent Target event, there has been an uptick in activity around malware that specifically targets Point of Sale systems. The most common ones that seem to be referenced are the following:
BlackPOS: Affects Windows-based Point of Sale systems. The attack essentially sits in between the card reader and the POS application. Track data (data that can be used to replicate a physical credit card) is extracted and uploaded to a remote server via FTP.Read more
If you haven’t heard about it by now, let me clue you in: Java is a security nightmare. A few days ago, a zero-day exploit for Java 7 became widely-known. The exploit bypasses Java 7’s security sandbox and permits attackers to download and execute code without user interaction. The attack is already available in Metasploit and in the Blackhole Exploit Kit (BEK). Since it’s in BEK, users are now susceptible to this attack via so-called “drive-by” web hacks. All a user has to do is get unlucky and visit a compromised site (and there are a TON of compromised WordPress sites out there) and their machine is compromised.Read more
With the recent focus on Stuxnet due to the CBS 60 Minutes Special: Stuxnet: Computer worm opens new era of warfare and the 60 Minutes Overtime special Stuxnet copycats: Let the hacking begin, aired earlier this month, I was reminded of the extent our nation’s critical infrastructure is at risk from cyber attack.Read more
Well, that didn’t take long. As of Thursday, an MS12-020 PoC (the Remote Desktop Protocol vulnerability) is in the wild. Looks like one of Microsoft’s MAPP partners leaked some test code. This PoC code only causes a Blue-Screen-of-Death, so the damage is limited to a denial-of-service. It won’t be long until the bad guys figure out which values they need to modify to achieve remote code execution. When that happens and you still have RDP open to the Internet and unpatched, you lose. I suspect we’ll see a worm exploiting this within a week. This could end up being a SQL Slammer-type event…