Monday, December 17, 2012


Daily Report

Top Stories

 • Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to a FBI memo made public the week of December 10. – Wired.com

7. December 13, Wired.com – (New Jersey; International) Hackers breached heating system via industrial control system backdoor. Hackers broke into the industrial control system (ICS) of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to a FBI memo made public the week of December 10. The intruders first breached the company’s ICS network through a backdoor in its Niagara AX ICS system, made by Tridium. This gave them access to the mechanism controlling the company’s own heating and air conditioning, according to a memo prepared by the FBI’s office in Newark. The breach occurred in February and March, several weeks after someone using the Twitter moniker @ntisec posted a message online indicating that hackers were targeting supervisory controla and data acquisition (SCADA) systems, and that something had to be done to address vulnerabilities. The individual had used the Shodan search engine to locate Tridium Niagara systems that were connected to the internet and posted a list of URLs for the systems online. One of the IP addresses posted led to the New Jersey company’s heating and air conditioning control system. The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities, the memo noted. An IT contractor who worked for the company told the FBI that the company had installed its own control system directly connected to the internet with no firewall in place to protect it. Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. The backdoor URL gave access to a Graphical User Interface (GUI), “which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the FBI. “All areas of the office were clearly labeled with employee names or area names.” Forensic logs showed that intruders had gained access to the system from multiple IP addresses in and outside the U.S. Source: http://www.wired.com/threatlevel/2012/12/hackers-breach-ics/

 • Officials confirmed that the State of California mistakenly published thousands of social security numbers on the Internet, KCRA reported December 11. – KCRA 3 Sacramento

31. December 11, KCRA 3 Sacramento – (California) State of Calif. mistakenly publishes thousands of SSN online. Officials confirmed that the State of California mistakenly published thousands of Social Security numbers on the Internet, KCRA reported December 11. The confidential information was available on the State’s Medi-Cal Web site for anyone to see for a period of 9 days, before the mistake was discovered and the numbers removed. The list includes Medi-Cal providers in 25 California counties. State officials from the Department of Health Care Services admitted in an interview to the posting of nearly 14,000 Social Security numbers belonging to Medi-Cal providers working for In-Home Supportive Services. “This was inadvertent and we sincerely regret this has happened,” said the deputy director for public affairs for the Department of Health Care Services. Source: http://www.kcra.com/news/State-of-Calif-mistakenly-publishes-thousands-of-SSN-online/-/11797728/17723434/-/tad6swz/-/index.html?absolute=true

 • Twenty-seven people, including 20 children, were killed December 14 when a gunman opened fire inside his mother’s kindergarten class at a Newtown, Connecticut elementary school. – Fox News

33. December 14, Fox News – (Connecticut) At least 26 dead in shooting at Connecticut elementary school. Twenty-seven people, including 20 children, were killed December 14 when a gunman opened fire inside his mother’s kindergarten class at a Newtown, Connecticut elementary school. The shooter gunned down his mother and her entire class at Sandy Hook Elementary School; at the time of this report none of the pupils in the classroom were accounted for, according to local news sources. The gunman was found dead inside the school, according to officials. A source told Fox News that the shooter’s father, who was divorced from his ex-wife, was killed at his home in New Jersey. Police were also searching for two friends of the killer, who were unaccounted for at the time of this report. The shooter’s girlfriend and another friend were missing in New Jersey, according to law enforcement sources. An official with knowledge of the situation said the shooter was armed with a .223-caliber rifle. Four weapons in total were recovered from the scene. The motive was not yet known. The elementary school has close to 700 students. Source: http://www.foxnews.com/us/2012/12/14/police-respond-to-shooting-at-connecticut-elementary-school/

 • Federal prosecutors announced charges December 13 against four officers from a south Texas anti-drug task force, who allegedly took thousands of dollars in bribes to guard large shipments of cocaine. – Associated Press

35. December 14, Associated Press – (Texas) 4 officers from Texas anti-drug task force accused of guarding large cocaine shipments. Federal prosecutors announced charges December 13 against four officers from a south Texas anti-drug task force who they said took thousands of dollars in bribes to guard large shipments of cocaine. The officers, two from the Mission police department and two Hidalgo County sheriff’s deputies, were members of the “Panama Unit,” which is a joint task force between the two agencies that targets drug trafficking, according to prosecutors. The U.S. Immigration and Customs Enforcement department that conducts internal reviews received a tip in August about a police officer and another task force member stealing drugs. October 19, a deputy and another individual escorted a load of 20 kilograms of cocaine north from McAllen to the Border Patrol checkpoint in Falfurrias about an hour away. The officers earned thousands of dollars more for allegedly escorting four more cocaine shipments in November that were part of the sting operation, prosecutors contend. None of the officers have been arraigned, but one Mission police officer made an initial appearance in federal court December 13 on charges of twice possessing cocaine with intent to distribute. A U.S. Magistrate Judge set the officer’s bond at $100,000 and ordered him to remain under house arrest with electronic monitoring if he should make bond. She denied his request for a court-appointed attorney. Source: http://www.grandforksherald.com/event/apArticle/id/DA357ECG3/

Details

Banking and Finance Sector

10. December 14, BankInfoSecurity – (International) DDoS attacks: PNC struck again. PNC Financial Services Group confirmed that its online banking site December 13 was bombarded with high volumes of traffic for the second time the week of December 10, causing some users to have trouble logging into their accounts. A U.S. Bank spokesman also confirmed a distributed denial of service (DDoS) hit against U.S. Bank December 12. A PNC spokesman said the bank’s site experienced “higher than usual” traffic volumes. “We will continue to communicate directly to our customers through our social media and other online channels, including our website,” he said. The two banks, and others, were named by a hacktivist group as targets in a Pastebin post for the group’s second phase of DDoS attacks. Source: http://www.bankinfosecurity.com/ddos-attacks-pnc-struck-again-a-5356

11. December 14, The Columbia State – (National) 20 from Spartanburg, Cherokee counties charged in mail theft, cashing altered, fake checks. Federal authorities charged 20 people from South Carolina’s Spartanburg and Cherokee counties in a conspiracy involving mail theft and cashing altered or counterfeit checks. The suspects appeared in court December 13 to be formally indicted on federal charges involving mail and check fraud. The conspiracy, which dates back to 2011 and continued into this year, netted about $900,000 and involves “thousands” of victims, including residents and merchants who investigators said were scammed, an Assistant U.S. Attorney said. According to the indictment, the 20 people charged took mail from mail boxes, stole identification, altered checks stolen from mail boxes for their own use, counterfeited checks for their own use, used fake identification when negotiating stolen or counterfeit checks, and divided the proceeds from the checks. The conspiracy was investigated by the U.S. Postal Inspection Service, the Spartanburg County Sheriff’s Office, and the Cherokee County Sheriff’s Office. Source: http://www.goupstate.com/article/20121213/ARTICLES/121219841?tc=ar

12. December 14, Softpedia – (International) 60Gbps: Size of some DDoS attacks launched by hacktivists. A group of hacktivists re-initiated their campaign against U.S. financial institutions, and security experts from Arbor Networks analyzed the attacks and revealed that some of them were as large as 60Gbps, Softpedia reported December 14. The first series of distributed denial-of-service (DDoS) attacks launched by the hacktivists in September used a lot of compromised PHP Web applications as bots. One of the most important PHP-based tools utilized at the time was Brobot. KamiKaze and AMOS were also used, but not as often as Brobot, which is also known as “itsoknoproblembro.” Attacks the week of December 10 looked similar to the ones that used Brobot, but some changes have been made. ”Some attacks looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2,” experts wrote. They emphasize that despite the fact that some of the attacks were 60Gbps in size, this is not what makes them so significant. Instead, it is the fact that they’re focused and part of an ongoing campaign. Arbor warns that the intrusion prevention systems (IPS) and the firewalls deployed by many enterprises are not effective in dealing with DDoS attacks. Instead, organizations need to use an on-premises DDoS mitigation solution. Source: http://news.softpedia.com/news/60Gbps-Size-of-Some-DDOS-Attacks-Launched-by-al-Qassam-Cyber-Fighters-314829.shtml

13. December 13, CNN – (National) FBI seeks help in catching ‘Ray-Bandit’ bank robber. The FBI released photos of a serial bank robber known as the “Ray-Bandit” who has successfully robbed 13 banks across the country in hopes that the photos will lead to a tip from the public about his identity and whereabouts, CNN reported December 13. The string of robberies began in July in Wisconsin and included banks in Indiana, Illinois, Iowa, and Nebraska through early October. Only one robbery attempt, in Indiana, was unsuccessful, the FBI said. The robber apparently left the Midwest and has resurfaced twice in California and twice in Virginia. Authorities dubbed him the “Ray-Bandit” because of the Ray-Ban-style glasses he has worn during some of the robberies. In addition to sunglasses and a cap, which often bears a Ford Shelby Cobra logo, the robber has worn fake beards, false teeth and dyed his hair different colors. He seems to cover his fingertips with rubber thimbles. He also seems to gravitate to banks in supermarkets, the FBI said. Source: http://www.cnn.com/2012/12/13/us/fbi-bank-robber/

14. December 13, U.S. Attorney’s Office, Eastern District of Texas – (National) Provident CFO indicted in $485 million investment fraud scheme. A Plano, Texas man was indicted in connection with a $485 million investment fraud scheme in the Eastern District of Texas, according to a December 13 court press release. He charged with conspiracy to commit mail fraud. According to the indictment, the man, who served as chief financial officer of Provident Royalties, is alleged to have conspired with others to defraud investors in an oil and gas scheme that involved over $485 million and 7,700 investors throughout the United States. Specifically, beginning in September 2006, he and other individuals are alleged to have made materially false representations and failed to disclose material facts to their investors in order to induce the investors into providing payments to Provident. Among these false representations were statements that funds invested would be used only for the oil and gas project for which those funds were raised; among the omissions of material fact were the facts that another of Provident founders had received millions of dollars of unsecured loans; that he had been previously charged with securities fraud violations by the State of Michigan; and that funds from investors in later oil and gas projects were being used to pay individuals who invested in earlier oil and projects. Two others involved in the alleged fraud were convicted, and two others were charged and are awaiting trial. Source: http://www.fbi.gov/dallas/press-releases/2012/provident-cfo-indicted-in-485-million-investment-fraud-scheme

15. December 13, Chicago Tribune – (Illinois) ‘Second Hand Bandit’ convicted of bank robberies. A federal jury in Chicago found a man guilty December 13 of two bank robberies and two attempted holdups. He made off with a combined nearly $600,000 in the heists, authorities said.The FBI labeled him the “Second Hand Bandit” because he wore used clothes during the robberies. Authorities suspected him in as many as 21 holdups but charged him in just the four. Security footage played for jurors showed the man jumping bank counters and wielding a handgun as he ordered employees to open vaults and ATMs at the banks. Source: http://www.chicagotribune.com/news/local/breaking/chi-second-hand-bandit-convicted-of-bank-robberies-20121213,0,5446834.story

16. December 12, U.S. Department of the Treasury – (International) Treasury levies additional sanctions against business network linked to Sinaloa Cartel drug lord “El Azul”. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced December 12 the designation of one entity and three individuals linked to a leader of Mexico’s Sinaloa Cartel also known as ‘El Azul’. The action, pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act), prohibits U.S. persons from conducting financial or commercial transactions with the designees, and also freezes any assets they may have under U.S. jurisdiction. The action targets Desarrollos Everest, S.A. de C.V., a real estate development company based in Culiacan, Sinaloa, Mexico. The company is co-owned by a wife of the Sinaloa leader who was previously designated because she acts on behalf of her husband. Also targeted was Residencial del Lago, a residential community located in Culiacan owned or controlled by Desarrollos Everest, S.A. de C.V. OFAC also designated three Mexican individuals in connection with the targeted companies. Source: http://www.albanytribune.com/12122012-treasury-levies-additional-sanctions-against-sinaloa-cartel-drug-lord-el-azul/

For another story, see item 7 above in Top Stories

Information Technology Sector

39. December 14, Softpedia – (International) Upclicker uses left mouse button to execute malicious code when no one is looking. Experts have identified a trojan that relies on a mouse hooking function to evade sandbox environments. Cybercriminals are aware of the fact that automated analysis systems do not use the mouse, so they have developed their creations so that they step into play only when mouse movement is detected. The trojan analyzed by FireEye, Upclicker, is interesting because the malicious code is executed only after the user clicks the left mouse button and releases it. Upclicker establishes malicious communication only when this particular action is performed. Experts from Symantec previously identified a similar trojan which relied on mouse actions to determine whether or not it was being monitored by security experts. Source: http://news.softpedia.com/news/Upclicker-Uses-Left-Mouse-Button-to-Execute-Malicious-Code-When-No-One-Is-Looking-314915.shtml

40. December 14, Threatpost – (International) Carberp banking trojan goes commercial; Adds bootkit and $40k price tag. Weeks after the banning of Aquabox, the keeper of the Citadel banking trojan, from an underground forum, another player has popped up to fill the market gap, this time with a new version of the Carberp trojan. This is a first for the Carberp gang, which until now had never sold its malware in the open, said a communications specialist and team leader for RSA Security’s FraudAction team. The new version of the banking malware comes with beefed up data-stealing capabilities and the addition of the Rovnix bootkit and builder kit for a hefty $40,000 price tag. For fees ranging between $2,000 and $10,000, customers can buy the kit as a service, sans the builder and bootkit. The addition of Rovnix, the researcher said, is an especially interesting twist in that it infects a computer’s volume boot record, giving it ring0 privileges and making not only difficult to detect, but clean up. Source: http://threatpost.com/en_us/blogs/carberp-banking-trojan-goes-commercial-adds-bootkit-and-40k-price-tag-121412

41. December 13, Softpedia – (International) Latin America targeted by information-stealing Dorkbot worm. Dorkbot, the malware involved in the recent Skype spam campaign that might have affected over 1 million users, is currently one of the most active threats that targets Latin America. According to experts from security firm ESET, the malicious element has been seen all over the world, but it is most prevalent in countries such as Columbia, Mexico, Chile, and Peru. Overall, 54 percent of Dorkbot infections have been recorded in Latin America. The worm, which specializes in stealing sensitive information such as usernames and passwords, is also designed to recruit its victims into a botnet. It spreads via various mediums, including Skype, Windows Live Messenger, Twitter, and Facebook. In most cases, victims are lured with promises of new phones or discounts. Currently, the Dorkbot that’s making the rounds in Latin America is designed to steal online banking credentials from internauts. A Dorkbot removal tool provided by ESET is available for download. Source: http://news.softpedia.com/news/Latin-America-Targeted-by-Information-Stealing-Dorkbot-Worm-314512.shtml

For another story, see item 7 above in Top Stories

Communications Sector

42. December 13, The Register – (International) Yet another eavesdrop vulnerability in Cisco phones. A university student presenting at the Amphion Forum demonstrated turning a Cisco VoIP phone into a listening device, even when it is on the hook, The Register reported December 13. The vulnerability demands a fairly extensive reconfiguration of the phone, according to Dark Reading. This, at least, means the attacker needs greater sophistication than previous eavesdropper attacks reported by The Register in 2007 and 2011. A number of 7900-series phones are affected, according to Forbes. The latest vulnerability is based on a lack of input validation at the syscall interface, according to Columbia University graduate student. He said this “allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone.” In the demonstration, the student modified the DSP to surreptitiously turn on the phone’s microphone and stream its output to the network. To simplify the demonstration, he programmed the necessary reconfiguration onto an external circuit which he plugged into the phone’s Ethernet port, and then captured what was spoken near the VoIP phone on his smartphone. The student told Dark Reading that the phones contain a number of vulnerable third-party libraries, which he promises to discuss at the upcoming Chaos Computer Conference, 29C3. Cisco said workarounds and a software patch are available to address the issue, tagged with the bug id CSCuc83860. Source: http://www.theregister.co.uk/2012/12/13/cisco_voip_phones_vulnerable/



Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.