Wednesday, October 17, 2012
Daily Report
Top Stories
• A federal cybersecurity team warned of critical
vulnerabilities in computerized control systems that attackers could exploit to
sabotage or steal sensitive data from operators of the solar arrays that
generate electricity in homes and businesses. – Ars Technica
1. October 15, Ars Technica – (National) Solar panel control systems vulnerable to hacks, feds warn. DHS is warning of
critical vulnerabilities in a computerized control system that attackers could
exploit to sabotage or steal sensitive data from operators of the solar arrays
that generate electricity in homes and businesses, Ars Technica reported October
15. A slew of vulnerabilities in a variety of products, including the Sinapsi
eSolar Light Photovoltaic System Monitor and the Schneider Electric Ezylog
Photovoltaic Management Server, allow unauthorized people to remotely log into
the systems and execute commands, warned the Industrial Control Systems Cyber
Emergency Response Team in a recent alert. Other vulnerable devices include the
Gavazzi Eos-Box and the Astrid Green Power Guardian. Proof-of-concept code
available online makes it easy to exploit some of the bugs. The advisory is
based on a report published in September that disclosed SQL injection
vulnerabilities, passwords stored in plain text, hard-coded passwords, and
other defects that left the devices open to tampering. According to researchers,
the vulnerable management server is incorporated into photovoltaic products
from several manufacturers. “All the firmware versions we analyzed have been
found to be affected by these issues,” the researchers wrote. “The software
running on the affected devices is vulnerable to multiple security issues that
allow unauthenticated remote attackers to gain administrative access and
execute arbitrary commands,” the researchers said. Source: http://arstechnica.com/security/2012/10/solar-panel-control-systems-vulnerable-to-hacks/
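Two of the defect classes the researchers named for these monitoring devices, SQL injection in the login check and passwords stored and compared in plain text, are illustrated below with an added example that is not code from the affected products or from the advisory. The user table, the account names and both login functions are constructed for the illustration: the vulnerable function builds its query by string concatenation against a plaintext password column, while the hardened one binds parameters and compares a salted PBKDF2 hash in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory table standing in for a device's configuration store.
# The plaintext 'password' column mirrors what the researchers found; the
# 'salt'/'pw_hash' columns are what the hardened check uses.
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # 100k iterations of PBKDF2-HMAC-SHA256; slow by design.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (name, password, salt, _pbkdf2(password, salt)),
    )


def login_vulnerable(name: str, password: str) -> bool:
    # Untrusted input spliced straight into SQL: a name such as
    # "' OR '1'='1' -- " closes the literal and comments out the password test.
    query = (
        f"SELECT 1 FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return db.execute(query).fetchone() is not None


def login_hardened(name: str, password: str) -> bool:
    # Parameter binding: the name is data, never SQL.
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Burn the same work on unknown users so response time does not
        # reveal which account names exist.
        _pbkdf2(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


if __name__ == "__main__":
    add_user("admin", "correct horse")
    bypass = "' OR '1'='1' -- "
    print("vulnerable, injected name:", login_vulnerable(bypass, "anything"))
    print("hardened, injected name:  ", login_hardened(bypass, "anything"))
```

The injection string closes the name literal and comments out the password comparison, so `login_vulnerable` admits anyone once a single account exists; handed to `login_hardened`, the same string is simply an account name that is not in the table.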
• Officials in Burlington, Washington,
notified hundreds of employees and residents that their names, bank account
information, and routing numbers were compromised the week of October 8 when
hackers broke into city systems and stole more than $400,000 from the city’s
account at Bank of America. – Computerworld See item 6 below in the Banking and Finance Sector
• Hackers managed to gain access to the
records of at least 8,500 current and former University of Georgia employees.
The university’s representatives began investigating the breach October 1,
after they learned the cybercriminals obtained unauthorized access through the
accounts of two employees. – Softpedia
23. October 16, Softpedia – (Georgia) University of Georgia hacked, at least 8,500 employees exposed. Hackers managed to
gain access to the records of at least 8,500 current and former University of
Georgia employees, Softpedia reported October 16. The cybercriminals obtained
access to the accounts of two employees who worked in “sensitive information
technology positions.” From there, the attackers were able to gain access to
the details of thousands of employees, including names, Social Security
numbers, and other information, University of Georgia Today reported. The
university’s representatives began investigating the breach October 1, after
they learned the passwords of two employees were reset by an unknown actor. It
was later determined that the intrusion could have occurred as early as
September 28. It is believed the hackers might have been able to reset the
passwords by guessing the answers to the secret questions set by the targets.
All the affected individuals were notified and those who request it will
benefit from credit monitoring services. The police were contacted to
investigate the incident. Source: http://news.softpedia.com/news/University-of-Georgia-Hacked-At-Least-8-500-Employees-Exposed-299800.shtml
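Resetting a password by answering secret questions, as the report suggests happened here, turns account recovery into a guessing game. The following added example is not the university's system and stands in for no real product; the account names, the attempt limit, the token lifetime and the "outbox" that stands in for out-of-band delivery are all assumptions for the illustration. It contrasts a knowledge-based check that is at least bounded by a lockout with a recovery path built on a random, hashed, single-use, time-limited token.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5      # assumed: wrong guesses before the reset path locks
TOKEN_TTL = 15 * 60   # assumed: seconds a reset token stays valid


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


@dataclass
class Account:
    name: str
    answer_hash: bytes                      # hashed, normalised secret answer
    failed_attempts: int = 0
    locked: bool = False
    token_hash: Optional[bytes] = None      # only the hash of the token is kept
    token_expiry: float = 0.0


class ResetService:
    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}
        self.now = now                      # injectable clock for testing expiry
        self.outbox: list[tuple[str, str]] = []   # stand-in for e-mail/SMS delivery

    def register(self, name: str, secret_answer: str) -> None:
        self.accounts[name] = Account(name, _digest(secret_answer.strip().lower()))

    def _record_failure(self, acct: Account) -> None:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True              # guessing stops here until a human unlocks it

    def answer_secret_question(self, name: str, answer: str) -> bool:
        """Knowledge-based check: bounded by the lockout, but only as strong as the answer."""
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False
        if hmac.compare_digest(_digest(answer.strip().lower()), acct.answer_hash):
            acct.failed_attempts = 0
            return True
        self._record_failure(acct)
        return False

    def request_reset(self, name: str) -> None:
        """Out-of-band check: issue a random token that cannot be guessed."""
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return                          # identical behaviour for unknown and locked accounts
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        acct.token_hash = _digest(token)
        acct.token_expiry = self.now() + TOKEN_TTL
        self.outbox.append((name, token))

    def redeem(self, name: str, token: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked or acct.token_hash is None:
            return False
        if self.now() > acct.token_expiry:
            acct.token_hash = None          # expired: a fresh request is required
            return False
        if not hmac.compare_digest(_digest(token), acct.token_hash):
            self._record_failure(acct)
            return False
        acct.token_hash = None              # single use
        acct.failed_attempts = 0
        return True
```

Five wrong answers lock the knowledge-based path even for someone who later supplies the right one, and a locked account cannot request a token either; the token path needs no user-chosen secret at all, so there is nothing for an attacker to look up or guess.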
• Researchers from Symantec reported that
cybercriminals are trying to spread malware disguised as Windows help files in
attacks targeting government and industry sectors. – Softpedia See item 26 below in the Information Technology Sector
Details
Banking and Finance Sector
5. October 15, WNBC 4 New York – (New York) FBI arrests man accused of stuffing ATMs with fake
cash. A man was arrested October 15 in connection with the counterfeit
bills dispensed at two ATMs in New York City the week of October 8, authorities
said. The man was arrested at Kennedy Airport after voluntarily returning to
New York City from the Dominican Republic, the FBI said. He worked for a
company that serviced the ATMs. He faces several charges, including
embezzlement and other charges related to counterfeit currency. The amateurish
fake bills were put in ATMs at two Chase branches in Manhattan to replace cash
that had been stolen. The banks were short a total of some $11,000. The
counterfeit bills were blank on one side. Authorities believe they were meant
to trick the ATM into believing it was carrying a full complement of cash. A
bank official said that the machines were able to distinguish most of the fake
bills from real ones. Source: http://www.nbcnewyork.com/news/local/Counterfeit-ATM-Bills-Arrest-Midtown-Chase-Gene-Carlo-Pena-JFK-FBI-174268821.html
6. October 15, Computerworld – (Washington) Cyberthieves loot $400,000 from city bank
account. Burlington, Washington officials notified hundreds of employees
and residents that their bank account information was compromised the week of
October 8 when hackers broke into city systems and stole more than $400,000
from a city account at Bank of America. Among those impacted by the breach were
employees participating in Burlington’s electronic payroll deposit program and
utility customers enrolled in the city’s autopay program. In an alert issued
October 15, a city administrator said all autopay customers should assume that
their name, bank account number, and routing number were compromised. He urged
affected customers to immediately contact their bank to flag or close their
accounts. All employees participating in the city’s electronic payroll deposit
program were also asked to close out their old accounts and establish a new one
as a result of the breach. The city first learned of the online heist October
11 when an east coast bank sought information about a series of suspicious
transfers from a Burlington city account. The city immediately reviewed the
activity and noticed at least three “significant transactions” from its Bank of
America account to accounts at the east coast bank over a two-day period, the
administrator said. The theft was from an account containing more funds, but
the administrator said the city did not know why more was not taken. The
account was frozen and all of the city’s money was temporarily moved out of
Bank of America as a precaution. The Burlington theft came just days after
security firm RSA warned of cybercriminals plotting a massive and concerted
campaign to steal money from the online accounts of thousands of consumers at
30 or more major U.S. banks. Source: http://www.computerworld.com/s/article/9232372/Cyberthieves_loot_400_000_from_city_bank_account
7. October 15, Associated Press – (Texas) Ex-Houston attorney pleads guilty in Ponzi scheme. A
former attorney in Houston who portrayed himself as a real estate investment
tycoon pleaded guilty in a $7.8 million Ponzi scheme, the Associated Press
reported October 15. Federal prosecutors in Houston said the man pleaded guilty
to wire fraud. Investigators said more than 20 investors were scammed.
Prosecutors said the man during the past 10 years pretended to be in the real
estate investment business. He used money from investors to pay his previous
debts and fund his personal lifestyle. Source: http://www.businessweek.com/ap/2012-10-15/ex-houston-attorney-pleads-guilty-in-ponzi-scheme
8. October 13, Lincoln Journal Star – (National) Former Cornhusker owner
indicted on fraud charges. A Boca Raton, Florida man who formerly owned
several lodging properties was indicted by a federal grand jury in Illinois on
10 counts of fraud and making false statements to lenders, the Lincoln Journal
Star reported October 13. The hotel owner and another Floridian are accused of
using about $9 million in bank loans to refinance and remodel hotels that the
owner’s Shubh Hotels owned in Cincinnati, Ohio, and Boca Raton, Florida, for
purposes other than those the bank intended. The hotel owner also owned hotels
in Detroit, Michigan, Pittsburgh, Pennsylvania, and Lincoln, Nebraska. The
indictment said the two men created false invoices in the name of the latter’s
remodeling firm and used false documentation of supplies to get money from the
lenders that ended up in accounts they controlled at other banks. The hotel
owner borrowed money in 2007 from two banks in Illinois that later failed due
to bad loans. Source: http://journalstar.com/business/local/former-cornhusker-owner-indicted-on-fraud-charges/article_c7556967-03a0-5acc-80dd-bb2c02984950.html
Information Technology Sector
26. October 16, Softpedia – (International) Windows Help files used in attacks against
industry and government sectors. To make sure their potential victims do
not suspect they are the targets of an attack, cybercriminals often rely on
harmless-looking Windows Help files (.hlp) to spread pieces of malware.
Symantec reports that recent cyberattacks using this attack vector
have been aimed at government and industry sectors. According to researchers,
everything starts with a simple email which informs the recipient of a “White
Paper on corporate strategic planning.” In reality, the attachment is not a
white paper, but a cleverly designed Windows Help file. The Help file’s
functionality permits a call to the Windows API, which allows the attacker to
execute code and install other malicious elements. Experts emphasize the fact
that this functionality exists by design, it is not an exploit. In the attacks
identified so far, cybercriminals were trying to spread Trojan.Ecltys and
Backdoor.Barkiofork — pieces of malware often utilized in targeted attacks
against government agencies and the industry sector. Most of the threats have
been identified in the United States, China, India, and France. Source: http://news.softpedia.com/news/Windows-Help-Files-Used-in-Attacks-Against-Industry-and-Government-Sectors-299782.shtml
27. October 16, Softpedia – (International) Steam browser protocol flaws allow
cybercriminals to execute malicious commands. Two security researchers from ReVuln
identified a vulnerability in the Steam Browser Protocol that could be
leveraged by remote attackers to cause damage. Their research was published in
a paper called Steam Browser Protocol Insecurity. The popular gaming platform
uses the steam:// URL protocol in order to run, install, and uninstall games,
backup files, connect to servers, and reach various sections dedicated to
customers. After testing various browsers, the experts concluded that Mozilla
and Safari are perfect for the “silent Steam Browser Protocol calls” needed to
perform such an attack because they do not warn users before executing the
external URL handler. Internet Explorer and Opera do warn users, but the “dodgy
part” of the URL can be hidden by adding spaces into the steam:// URL. The
researchers found that not only these Web browsers can be utilized for the
calls to external protocol handlers. Steam browser and RealPlayer’s embedded
browser are just as susceptible to an attack. One of the attacks they
demonstrated relies on the retailinstall command, which is designed for installing
and restoring backups from a local folder. A function that is in charge of
loading a splash image during this process contains an integer overflow
vulnerability which could be leveraged by an attacker to run malicious
code. Furthermore, the researchers showed that the Steam Browser Protocol
can also be used in attacks against the Source and Unreal engines. Massively
multiplayer online games can be exploited via the auto-update features by
leveraging a directory traversal vulnerability. Source: http://news.softpedia.com/news/Steam-Browser-Protocol-Flaws-Allow-Cybercriminals-to-Execute-Malicious-Commands-299598.shtml
28. October 15, Threatpost – (International) Oracle patch update to include 109 patches. Oracle’s
quarterly Critical Patch Update, released October 16, included 109 fixes. The company
released fixes for security vulnerabilities across most of its enterprise
products, addressing a host of remotely exploitable flaws. This comes a little
more than a month after exploits of a serious zero-day vulnerability in Java
were reported, as well as a critical zero-day vulnerability in Java SE. Five
patches were released addressing security problems in Oracle Database Server,
including one that is remotely exploitable over a network without the need for
a username and password, Oracle said. Two of the patches address client-only
installations. Source: http://threatpost.com/en_us/blogs/oracle-patch-update-include-109-patches-101512
29. October 15, Dark Reading – (International) Next-generation malware: Changing the game in
security’s operations center. Sophisticated, automated malware attacks are
spurring enterprises to shift their security technology and staffing
strategies. In many recent cases, changes to malware involve no human
author; rather, they are made by an automated program that continually
tweaks known attacks in new ways so that they will not be recognized by
antivirus or intrusion prevention systems. Antivirus (AV) systems work by
identifying malware through a blacklist — a database of known viruses, trojans,
and other malicious code — and blocking and eradicating any code on the list.
The premise of AV technology is that it is possible to identify the unique
characteristics of any known malware — its “signature” — and use that signature
to prevent it from penetrating the enterprise. However, with new “zero-day” malware
being created constantly, AV systems often cannot keep up, and their blacklists
have become bloated and slow to perform. This growing problem has spurred many
vendors — and many enterprises — to begin looking for ways to recognize malware not by
how it looks — its known signature — but by how it behaves. Source: http://www.darkreading.com/security-monitoring/167901086/security/security-management/240009058/next-generation-malware-changing-the-game-in-security-s-operations-center.html
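The distinction the article draws, matching a sample's fixed signature versus judging what it does, is shown below in an added example that is not Dark Reading's code and stands in for no real product. The two samples (the second is the first with one byte altered, the kind of automated tweak described), the hash blacklist, the two event traces and the four behavioural rules are all constructed for the illustration; the private-address test in the beaconing rule is a deliberately crude stand-in for a real network policy.

```python
import hashlib

# Constructed samples: the second differs from the first in its final byte.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"payload-v1" * 8
TWEAKED_SAMPLE = KNOWN_SAMPLE[:-1] + b"\x00"

# Signature blacklist: hashes of samples already seen.
BLACKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Classic blacklist lookup: exact, fast, and blind to any change."""
    return hashlib.sha256(sample).hexdigest() in BLACKLIST


# Behavioural rules: predicates over events a sandboxed run emitted.
# Event shape (constructed): (event_type, detail)
SUSPICIOUS_RULES = {
    "persistence": lambda ev: ev[0] == "reg_set" and "\\Run" in ev[1],
    "drops_exe_in_temp": lambda ev: ev[0] == "file_write"
        and ev[1].lower().endswith(".exe") and "\\temp\\" in ev[1].lower(),
    "spawns_shell": lambda ev: ev[0] == "proc_create"
        and ev[1].lower().startswith(("cmd.exe", "powershell.exe")),
    # Crude stand-in for "talks to something outside the enterprise".
    "beacons_out": lambda ev: ev[0] == "net_connect"
        and not ev[1].startswith(("10.", "192.168.")),
}


def behaviour_score(events) -> set:
    """Names of every rule that fired at least once during the run."""
    return {name for ev in events for name, rule in SUSPICIOUS_RULES.items() if rule(ev)}


def verdict(sample: bytes, events, threshold: int = 2) -> bool:
    """Block on a known signature, or on enough independent suspicious behaviours."""
    return signature_match(sample) or len(behaviour_score(events)) >= threshold


# Constructed traces of what each sample did when run.
MALWARE_TRACE = [
    ("file_write", "C:\\Users\\u\\AppData\\Local\\Temp\\svch0st.exe"),
    ("reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st"),
    ("proc_create", "cmd.exe /c whoami"),
    ("net_connect", "203.0.113.7:443"),
]
BENIGN_TRACE = [
    ("file_write", "C:\\Users\\u\\Documents\\report.docx"),
    ("net_connect", "10.0.0.5:445"),
]

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("tweaked", TWEAKED_SAMPLE)]:
        print(label, "signature:", signature_match(sample),
              "behaviour:", sorted(behaviour_score(MALWARE_TRACE)))
```

One changed byte defeats the hash lookup entirely, while the behavioural rules, which never look at the bytes, fire identically for both variants and stay quiet on the benign trace. The threshold is the tunable that trades missed detections for false positives.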
30. October 15, Softpedia – (International) Fake DHL Express Tracking Notifications bring
‘good’ news and malware. A DHL Express Tracking Notification is making the
rounds, landing in the inboxes of users in an attempt to trick them into
infecting their computers with a piece of malware. Although DHL is one of the
most commonly utilized brands by cybercriminals in their malicious campaigns,
fake notifications that rely on the company’s name still appear to be a
success. The latest malware attack relies on emails entitled “Processing
complete successfully,” which urge recipients to open an attached file in order
to see additional details. As in all similar schemes, the file
(DHL_Express_Processing_complete.pdf.zip) is not a detailed report, but a
piece of malware identified by Sophos as Troj/BredoZp-S. Source: http://news.softpedia.com/news/Fake-DHL-Express-Tracking-Notifications-Bring-Good-News-and-Malware-299466.shtml
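The lure above (a `.pdf.zip` archive) and the `.hlp` attachments in item 26 call for the same mail-gateway check: look past the first extension and inside archives before the file reaches a user. The added example below is not Sophos or Symantec code; the message, the sender and recipient addresses and the archive contents are constructed for the illustration, and the extension lists are a starting point rather than a complete policy.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy lists; a real gateway would carry far more.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hlp"}
ARCHIVE_EXTS = {".zip"}


def split_exts(name: str) -> list:
    """'report.pdf.zip' -> ['.pdf', '.zip']; directory components are ignored."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def check_filename(name: str) -> list:
    findings = []
    exts = split_exts(name)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS | ARCHIVE_EXTS:
        findings.append(f"double extension: {name}")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {name}")
    return findings


def check_zip(name: str, data: bytes) -> list:
    """Apply the filename rules to every member of an archive."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += [f"{name} -> {f}" for f in check_filename(member)]
    except zipfile.BadZipFile:
        findings.append(f"{name}: claims .zip but is not a valid archive")
    return findings


def inspect_message(raw: bytes) -> list:
    """Return every finding for the attachments of one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += check_filename(name)
        if split_exts(name)[-1:] == [".zip"]:
            findings += check_zip(name, part.get_payload(decode=True))
    return findings


def build_sample() -> bytes:
    """Constructed lure modelled on the campaign's subject line and attachment name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_Express_Processing_complete.pdf.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Processing complete successfully"
    msg.set_content("Please open the attached file to see additional details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_Express_Processing_complete.pdf.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

On the constructed message the outer name is flagged for its double extension, and the archive member is flagged twice more, once for the double extension and once for being an executable. A single `.pdf` or `.docx` attachment produces no findings, which is what keeps the rule usable on real traffic.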
31. October 15, Softpedia – (International) Cybercriminals update the eBay logo in their
phishing scams. In order to keep their malicious campaigns effective,
cybercriminals must always keep up with the changes made by the
companies whose names and reputations they leverage. That is exactly what a
group in charge of an eBay phishing scam did. eBay recently changed its logo
and while the new one is not completely different compared to the old one, this
minor detail can make the difference between a successful and an unsuccessful
phishing scheme. If a page bears the old logo, it is probably a
scam. However, users should still be cautious when clicking on shady links,
since most criminals will surely update their pages in the upcoming period.
Source: http://news.softpedia.com/news/Cybercriminals-Update-the-eBay-Logo-in-Their-Phishing-Scams-299482.shtml
Communications Sector
Nothing to report
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.