Monday, December 17, 2012
Daily Report
Top Stories
• Hackers broke into the industrial control
system of a New Jersey air conditioning company earlier this year, using a
backdoor vulnerability in the system, according to an FBI memo made public the
week of December 10. – Wired.com
7. December 13, Wired.com – (New Jersey; International) Hackers breached heating system
via industrial control system backdoor. Hackers broke into the industrial
control system (ICS) of a New Jersey air conditioning company earlier this
year, using a backdoor vulnerability in the system, according to an FBI memo
made public the week of December 10. The intruders first breached the company’s
ICS network through a backdoor in its Niagara AX ICS system, made by Tridium.
This gave them access to the mechanism controlling the company’s own heating
and air conditioning, according to a memo prepared by the FBI’s office in
Newark. The breach occurred in February and March, several weeks after someone
using the Twitter moniker @ntisec posted a message online indicating that
hackers were targeting supervisory control and data acquisition (SCADA)
systems, and that something had to be done to address vulnerabilities. The
individual had used the Shodan search engine to locate Tridium Niagara systems
that were connected to the internet and posted a list of URLs for the systems
online. One of the IP addresses posted led to the New Jersey company’s heating
and air conditioning control system. The company used the Niagara system not
only for its own HVAC system, but also installed it for customers, which
included banking institutions and other commercial entities, the memo noted. An
IT contractor who worked for the company told the FBI that the company had
installed its own control system directly connected to the internet with no
firewall in place to protect it. Although the system was password protected in
general, the backdoor through the IP address apparently required no password
and allowed direct access to the control system. The backdoor URL gave access
to a Graphical User Interface (GUI), “which provided a floor plan layout of the
office, with control fields and feedback for each office and shop area,”
according to the FBI. “All areas of the office were clearly labeled with
employee names or area names.” Forensic logs showed that intruders had gained
access to the system from multiple IP addresses in and outside the U.S. Source:
http://www.wired.com/threatlevel/2012/12/hackers-breach-ics/
• Officials confirmed that the State of
California mistakenly published thousands of social security numbers on the
Internet, KCRA reported December 11. – KCRA 3 Sacramento
31. December 11, KCRA 3 Sacramento – (California) State of Calif. mistakenly
publishes thousands of SSN online. Officials confirmed that the State of
California mistakenly published thousands of Social Security numbers on the
Internet, KCRA reported December 11. The confidential information was available
on the State’s Medi-Cal Web site for anyone to see for a period of 9 days,
before the mistake was discovered and the numbers removed. The list includes
Medi-Cal providers in 25 California counties. State officials from the
Department of Health Care Services admitted in an interview to the posting of
nearly 14,000 Social Security numbers belonging to Medi-Cal providers working
for In-Home Supportive Services. “This was inadvertent and we sincerely regret
this has happened,” said the deputy director for public affairs for the
Department of Health Care Services. Source: http://www.kcra.com/news/State-of-Calif-mistakenly-publishes-thousands-of-SSN-online/-/11797728/17723434/-/tad6swz/-/index.html?absolute=true
• Twenty-seven people, including 20 children,
were killed December 14 when a gunman opened fire inside his mother’s
kindergarten class at a Newtown, Connecticut elementary school. – Fox News
33. December 14, Fox News – (Connecticut) At
least 26 dead in shooting at Connecticut elementary school. Twenty-seven
people, including 20 children, were killed December 14 when a gunman opened
fire inside his mother’s kindergarten class at a Newtown, Connecticut
elementary school. The shooter gunned down his mother and her entire class at
Sandy Hook Elementary School; at the time of this report none of the pupils in
the classroom were accounted for, according to local news sources. The gunman
was found dead inside the school, according to officials. A source told Fox
News that the shooter’s father, who was divorced from his ex-wife, was killed
at his home in New Jersey. Police were also searching for two friends of the
killer, who were unaccounted for at the time of this report. The shooter’s
girlfriend and another friend were missing in New Jersey, according to law
enforcement sources. An official with knowledge of the situation said the
shooter was armed with a .223-caliber rifle. Four weapons in total were
recovered from the scene. The motive was not yet known. The elementary school
has close to 700 students. Source: http://www.foxnews.com/us/2012/12/14/police-respond-to-shooting-at-connecticut-elementary-school/
• Federal prosecutors announced charges
December 13 against four officers from a south Texas anti-drug task force, who
allegedly took thousands of dollars in bribes to guard large shipments of
cocaine. – Associated Press
35. December 14, Associated Press – (Texas) 4 officers from Texas anti-drug task force accused of guarding large
cocaine shipments. Federal prosecutors announced charges December 13
against four officers from a south Texas anti-drug task force who they said
took thousands of dollars in bribes to guard large shipments of cocaine. The
officers, two from the Mission police department and two Hidalgo County
sheriff’s deputies, were members of the “Panama Unit,” which is a joint task
force between the two agencies that targets drug trafficking, according to
prosecutors. The U.S. Immigration and Customs Enforcement department that
conducts internal reviews received a tip in August about a police officer and
another task force member stealing drugs. October 19, a deputy and another
individual escorted a load of 20 kilograms of cocaine north from McAllen to the
Border Patrol checkpoint in Falfurrias about an hour away. The officers earned
thousands of dollars more for allegedly escorting four more cocaine shipments
in November that were part of the sting operation, prosecutors contend. None of
the officers have been arraigned, but one Mission police officer made an
initial appearance in federal court December 13 on charges of twice possessing
cocaine with intent to distribute. A U.S. Magistrate Judge set the officer’s
bond at $100,000 and ordered him to remain under house arrest with electronic
monitoring if he should make bond. She denied his request for a court-appointed
attorney. Source: http://www.grandforksherald.com/event/apArticle/id/DA357ECG3/
Details
Banking and Finance Sector
10. December 14, BankInfoSecurity – (International) DDoS attacks: PNC struck again. PNC
Financial Services Group confirmed that its online banking site December 13 was
bombarded with high volumes of traffic for the second time the week of December
10, causing some users to have trouble logging into their accounts. A U.S. Bank
spokesman also confirmed a distributed denial of service (DDoS) hit against
U.S. Bank December 12. A PNC spokesman said the bank’s site experienced “higher
than usual” traffic volumes. “We will continue to communicate directly to our
customers through our social media and other online channels, including our
website,” he said. The two banks, and others, were named by a hacktivist group as
targets in a Pastebin post for the group’s second phase of DDoS attacks.
Source: http://www.bankinfosecurity.com/ddos-attacks-pnc-struck-again-a-5356
11. December 14, The Columbia State – (National) 20 from Spartanburg, Cherokee
counties charged in mail theft, cashing altered, fake checks. Federal
authorities charged 20 people from South Carolina’s Spartanburg and Cherokee
counties in a conspiracy involving mail theft and cashing altered or counterfeit
checks. The suspects appeared in court December 13 to be formally indicted on
federal charges involving mail and check fraud. The conspiracy, which dates
back to 2011 and continued into this year, netted about $900,000 and involves
“thousands” of victims, including residents and merchants who investigators
said were scammed, an Assistant U.S. Attorney said. According to the
indictment, the 20 people charged took mail from mail boxes, stole
identification, altered checks stolen from mail boxes for their own use,
counterfeited checks for their own use, used fake identification when
negotiating stolen or counterfeit checks, and divided the proceeds from the
checks. The conspiracy was investigated by the U.S. Postal Inspection Service,
the Spartanburg County Sheriff’s Office, and the Cherokee County Sheriff’s
Office. Source: http://www.goupstate.com/article/20121213/ARTICLES/121219841?tc=ar
12. December 14, Softpedia – (International) 60Gbps: Size of some DDoS attacks launched by
hacktivists. A group of hacktivists re-initiated their campaign against
U.S. financial institutions, and security experts from Arbor Networks analyzed
the attacks and revealed that some of them were as large as 60Gbps, Softpedia
reported December 14. The first series of distributed denial-of-service (DDoS)
attacks launched by the hacktivists in September used a lot of compromised PHP
Web applications as bots. One of the most important PHP-based tools utilized at
the time was Brobot. KamiKaze and AMOS were also used, but not as often as Brobot,
which is also known as “itsoknoproblembro.” Attacks the week of December 10
looked similar to the ones that used Brobot, but some changes have been made.
“Some attacks looked similar in construction to Brobot v1, however there is a
newly crafted DNS packet attack and a few other attack changes in Brobot v2,”
experts wrote. They emphasize that despite the fact that some of the attacks
were 60Gbps in size, this is not what makes them so significant. Instead, it is
the fact that they’re focused and part of an ongoing campaign. Arbor warns that
the intrusion prevention systems (IPS) and the firewalls deployed by many
enterprises are not effective in dealing with DDoS attacks. Instead,
organizations need to use an on-premises DDoS mitigation solution. Source: http://news.softpedia.com/news/60Gbps-Size-of-Some-DDOS-Attacks-Launched-by-al-Qassam-Cyber-Fighters-314829.shtml
13. December 13, CNN – (National) FBI seeks help in catching ‘Ray-Bandit’ bank
robber. The FBI released photos of a serial bank robber known as the
“Ray-Bandit” who has successfully robbed 13 banks across the country in hopes
that the photos will lead to a tip from the public about his identity and
whereabouts, CNN reported December 13. The string of robberies began in July in
Wisconsin and included banks in Indiana, Illinois, Iowa, and Nebraska through
early October. Only one robbery attempt, in Indiana, was unsuccessful, the FBI
said. The robber apparently left the Midwest and has resurfaced twice in
California and twice in Virginia. Authorities dubbed him the “Ray-Bandit”
because of the Ray-Ban-style glasses he has worn during some of the robberies.
In addition to sunglasses and a cap, which often bears a Ford Shelby Cobra
logo, the robber has worn fake beards, false teeth and dyed his hair different
colors. He seems to cover his fingertips with rubber thimbles. He also seems to
gravitate to banks in supermarkets, the FBI said. Source: http://www.cnn.com/2012/12/13/us/fbi-bank-robber/
14. December 13, U.S. Attorney’s Office, Eastern District of Texas – (National) Provident CFO indicted in $485 million investment fraud scheme. A
Plano, Texas man was indicted in connection with a $485 million investment
fraud scheme in the Eastern District of Texas, according to a December 13 court
press release. He was charged with conspiracy to commit mail fraud. According to
the indictment, the man, who served as chief financial officer of Provident
Royalties, is alleged to have conspired with others to defraud investors in an
oil and gas scheme that involved over $485 million and 7,700 investors
throughout the United States. Specifically, beginning in September 2006, he and
other individuals are alleged to have made materially false representations and
failed to disclose material facts to their investors in order to induce the
investors into providing payments to Provident. Among these false
representations were statements that funds invested would be used only for the
oil and gas project for which those funds were raised; among the omissions of
material fact were the facts that another of Provident’s founders had received
millions of dollars of unsecured loans; that he had been previously charged
with securities fraud violations by the State of Michigan; and that funds from
investors in later oil and gas projects were being used to pay individuals who
invested in earlier oil and gas projects. Two others involved in the alleged fraud
were convicted, and two others were charged and are awaiting trial. Source: http://www.fbi.gov/dallas/press-releases/2012/provident-cfo-indicted-in-485-million-investment-fraud-scheme
15. December 13, Chicago Tribune – (Illinois) ‘Second Hand Bandit’ convicted of bank robberies. A
federal jury in Chicago found a man guilty December 13 of two bank robberies
and two attempted holdups. He made off with a combined nearly $600,000 in the
heists, authorities said. The FBI labeled him the “Second Hand Bandit” because
he wore used clothes during the robberies. Authorities suspected him in as many
as 21 holdups but charged him in just the four. Security footage played for
jurors showed the man jumping bank counters and wielding a handgun as he
ordered employees to open vaults and ATMs at the banks. Source: http://www.chicagotribune.com/news/local/breaking/chi-second-hand-bandit-convicted-of-bank-robberies-20121213,0,5446834.story
16. December 12, U.S. Department of the Treasury – (International) Treasury
levies additional sanctions against business network linked to Sinaloa Cartel
drug lord “El Azul”. The U.S. Department of the Treasury’s Office of
Foreign Assets Control (OFAC) announced December 12 the designation of one
entity and three individuals linked to a leader of Mexico’s Sinaloa Cartel also
known as ‘El Azul’. The action, pursuant to the Foreign Narcotics Kingpin
Designation Act (Kingpin Act), prohibits U.S. persons from conducting financial
or commercial transactions with the designees, and also freezes any assets they
may have under U.S. jurisdiction. The action targets Desarrollos Everest, S.A.
de C.V., a real estate development company based in Culiacan, Sinaloa, Mexico.
The company is co-owned by a wife of the Sinaloa leader who was previously
designated because she acts on behalf of her husband. Also targeted was
Residencial del Lago, a residential community located in Culiacan owned or
controlled by Desarrollos Everest, S.A. de C.V. OFAC also designated three
Mexican individuals in connection with the targeted companies. Source: http://www.albanytribune.com/12122012-treasury-levies-additional-sanctions-against-sinaloa-cartel-drug-lord-el-azul/
For another story, see item 7 above in Top Stories
Information Technology Sector
39. December 14, Softpedia – (International) Upclicker uses left mouse button to execute malicious
code when no one is looking. Experts have identified a trojan that relies
on a mouse hooking function to evade sandbox environments. Cybercriminals are
aware of the fact that automated analysis systems do not use the mouse, so they
have developed their creations so that they step into play only when mouse
movement is detected. The trojan analyzed by FireEye, Upclicker, is interesting
because the malicious code is executed only after the user clicks the left
mouse button and releases it. Upclicker establishes malicious communication
only when this particular action is performed. Experts from Symantec previously
identified a similar trojan which relied on mouse actions to determine whether
or not it was being monitored by security experts. Source: http://news.softpedia.com/news/Upclicker-Uses-Left-Mouse-Button-to-Execute-Malicious-Code-When-No-One-Is-Looking-314915.shtml
40. December 14, Threatpost – (International) Carberp banking trojan goes commercial; Adds
bootkit and $40k price tag. Weeks after the banning of Aquabox, the keeper
of the Citadel banking trojan, from an underground forum, another player has
popped up to fill the market gap, this time with a new version of the Carberp
trojan. This is a first for the Carberp gang, which until now had never sold
its malware in the open, said a communications specialist and team leader for
RSA Security’s FraudAction team. The new version of the banking malware comes
with beefed up data-stealing capabilities and the addition of the Rovnix bootkit
and builder kit for a hefty $40,000 price tag. For fees ranging between $2,000
and $10,000, customers can buy the kit as a service, sans the builder and
bootkit. The addition of Rovnix, the researcher said, is an especially
interesting twist in that it infects a computer’s volume boot record, giving it
ring0 privileges and making it not only difficult to detect, but also difficult to clean up. Source:
http://threatpost.com/en_us/blogs/carberp-banking-trojan-goes-commercial-adds-bootkit-and-40k-price-tag-121412
41. December 13, Softpedia – (International) Latin America targeted by
information-stealing Dorkbot worm. Dorkbot, the malware involved in the
recent Skype spam campaign that might have affected over 1 million users, is
currently one of the most active threats that targets Latin America. According
to experts from security firm ESET, the malicious element has been seen all
over the world, but it is most prevalent in countries such as Colombia, Mexico,
Chile, and Peru. Overall, 54 percent of Dorkbot infections have been recorded
in Latin America. The worm, which specializes in stealing sensitive information
such as usernames and passwords, is also designed to recruit its victims into a
botnet. It spreads via various mediums, including Skype, Windows Live
Messenger, Twitter, and Facebook. In most cases, victims are lured with
promises of new phones or discounts. Currently, the Dorkbot that’s making the
rounds in Latin America is designed to steal online banking credentials from
internauts. A Dorkbot removal tool provided by ESET is available for download.
Source: http://news.softpedia.com/news/Latin-America-Targeted-by-Information-Stealing-Dorkbot-Worm-314512.shtml
For another story, see item 7 above in Top Stories
Communications Sector
42. December 13, The Register – (International) Yet another eavesdrop vulnerability in Cisco phones. A
university student presenting at the Amphion Forum demonstrated turning a Cisco
VoIP phone into a listening device, even when it is on the hook, The Register
reported December 13. The vulnerability demands a fairly extensive
reconfiguration of the phone, according to Dark Reading. This, at least, means
the attacker needs greater sophistication than previous eavesdropper attacks
reported by The Register in 2007 and 2011. A number of 7900-series phones are
affected, according to Forbes. The latest vulnerability is based on a lack of
input validation at the syscall interface, according to a Columbia University
graduate student. He said this “allows arbitrary modification of kernel memory
from userland, as well as arbitrary code execution within the kernel. This, in
turn, allows the attacker to become root, gain control over the DSP [Digital
Signal Processor], buttons, and LEDs on the phone.” In the demonstration, the
student modified the DSP to surreptitiously turn on the phone’s microphone and
stream its output to the network. To simplify the demonstration, he programmed
the necessary reconfiguration onto an external circuit which he plugged into
the phone’s Ethernet port, and then captured what was spoken near the VoIP
phone on his smartphone. The student told Dark Reading that the phones contain
a number of vulnerable third-party libraries, which he promises to discuss at
the upcoming Chaos Computer Conference, 29C3. Cisco said workarounds and a
software patch are available to address the issue, tagged with the bug id
CSCuc83860. Source: http://www.theregister.co.uk/2012/12/13/cisco_voip_phones_vulnerable/
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.