Security Bulletin

Security Bulletin #126 – 13 June 2017

Experts spotted Industroyer, a malware targeting Industrial Control Systems (ICS)

The experts published a detailed analysis of the malware and speculated that the malicious code was involved in the December 2016 attack on an electrical substation in Ukraine. Industroyer is the fourth malware family specifically designed to target ICS; the threats previously discovered by security experts are Stuxnet, BlackEnergy, and Havex. Industroyer is a sophisticated modular malware that includes several components: a backdoor, a launcher, a data wiper, at least four payloads, and many other tools. The experts focused their analysis on the payloads (IEC 60870-5-101 (aka IEC 101), IEC 60870-5-104 (aka IEC 104), IEC 61850, and OLE for Process Control Data Access (OPC DA)), the core components of the malware that allow the attackers to control electric circuit breakers. The Industroyer backdoor allows attackers to execute various commands on the targeted system; its C&C server is hidden in the Tor network, and the backdoor can be programmed to be active only at specified times, making its detection harder. The backdoor installs the launcher component, which initiates the wiper and the payloads; it also drops a second backdoor disguised as a trojanized version of the Windows Notepad application. The wiper component is used in the final stage of the attack to hide the attackers' tracks and make it difficult to restore the targeted systems.
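Because the payloads described above speak IEC 104 to reach circuit breakers, the first thing a defender wants is visibility into who is issuing control commands on that protocol. The following is an added example, not code from the bulletin or from the published analysis: a minimal IEC 60870-5-104 APDU parser that decodes the ASDU header of I-format frames and a monitor that raises an alert whenever a control-direction command (single/double command, regulating step, set point) with cause of transmission "activation" arrives from a host outside an allowlist of known SCADA masters. The frame layout and type ids are those of the public standard; the sample frame bytes, the IP addresses and the allowlist are constructed for the example.

```python
"""IEC 60870-5-104 APDU parser plus a control-command monitor (added example).

Frame layout (public standard): 0x68 start byte, one length byte, four APCI
control bytes, then for I-format frames an ASDU: type id, variable structure
qualifier, 2-byte cause of transmission, 2-byte common address, and
information objects (3-byte address + element). Sample bytes are constructed.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set

START_BYTE = 0x68
COT_ACTIVATION = 6  # cause of transmission used by a master issuing a command

# ASDU type ids in the control direction (commands a master sends to an outstation).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1",  # single command
    46: "C_DC_NA_1",  # double command
    47: "C_RC_NA_1",  # regulating step command
    48: "C_SE_NA_1",  # set point, normalized value
    49: "C_SE_NB_1",  # set point, scaled value
    50: "C_SE_NC_1",  # set point, short floating point
    51: "C_BO_NA_1",  # bitstring of 32 bits
    58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1",  # same, with CP56Time2a time tag
    61: "C_SE_TA_1", 62: "C_SE_TB_1", 63: "C_SE_TC_1", 64: "C_BO_TA_1",
}


@dataclass
class Apdu:
    fmt: str                      # "I" (information), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None     # address of the first information object


def parse_apdus(stream: bytes) -> Iterator[Apdu]:
    """Split a TCP payload into APDUs and decode the ASDU header of I-frames."""
    pos = 0
    while pos + 2 <= len(stream):
        start = pos
        if stream[pos] != START_BYTE:
            raise ValueError(f"bad start byte 0x{stream[pos]:02x} at offset {start}")
        length = stream[pos + 1]
        frame = stream[pos + 2:pos + 2 + length]
        if length < 4 or len(frame) != length:
            raise ValueError(f"truncated APDU at offset {start}")
        pos += 2 + length
        cf1 = frame[0]
        if cf1 & 0x01 == 0:
            fmt = "I"
        elif cf1 & 0x03 == 0x01:
            fmt = "S"
        else:
            fmt = "U"
        if fmt != "I":
            yield Apdu(fmt)
            continue
        asdu = frame[4:]
        if len(asdu) < 9:  # 6-byte ASDU header + 3-byte information object address
            raise ValueError(f"short ASDU at offset {start}")
        yield Apdu(
            fmt="I",
            type_id=asdu[0],
            cot=asdu[2] & 0x3F,  # low 6 bits; bit 7 = test flag, bit 6 = negative confirm
            common_addr=asdu[4] | (asdu[5] << 8),
            ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        )


@dataclass
class Alert:
    src: str
    type_id: int
    name: str
    common_addr: int
    ioa: int


def monitor(src: str, payload: bytes, allowed_masters: Set[str]) -> List[Alert]:
    """Flag activation commands sent by a host that is not a known SCADA master."""
    alerts: List[Alert] = []
    for apdu in parse_apdus(payload):
        if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
            continue
        if apdu.cot != COT_ACTIVATION:
            continue  # confirmations and terminations are echoed back by the outstation
        if src not in allowed_masters:
            alerts.append(Alert(src, apdu.type_id, CONTROL_TYPE_IDS[apdu.type_id],
                                apdu.common_addr, apdu.ioa))
    return alerts


# Constructed sample stream: STARTDT act, a spontaneous single-point report
# from the outstation, then a single command (IOA 1, ON) with cause "activation".
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"
    "680e0000000001010300010005000001"
    "680e020002002d010600010001000001"
)
KNOWN_MASTERS = {"10.0.0.10"}  # constructed allowlist of legitimate HMI/SCADA hosts

if __name__ == "__main__":
    for alert in monitor("10.0.0.50", SAMPLE_STREAM, KNOWN_MASTERS):
        print(f"ALERT {alert.name} (type {alert.type_id}) from {alert.src} "
              f"to CA {alert.common_addr} IOA {alert.ioa}")
```

Run against the constructed stream from an address not in the allowlist, the monitor reports one alert for the C_SC_NA_1 single command and nothing for the monitor-direction report or the U-frame; from the allowlisted master the same stream produces no alert. In a real deployment the allowlist would come from the network's asset inventory and the payload from a capture or an IDS hook on TCP port 2404.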

MacRansom: the first Mac ransomware offered as a service (RaaS)

Malware researchers at security firm Fortinet have spotted a new strain of ransomware, dubbed MacRansom, that targets Mac machines. The malware is offered under a Ransomware-as-a-Service (RaaS) model through a hidden service on the Tor network, and experts believe this is the first time a Mac ransomware has been offered as RaaS. The threat is not as sophisticated as other similar threats, but it could cause serious problems for the victims because it encrypts their files. The availability of MacRansom as RaaS makes it easy for crooks with no specific skills to run a ransomware campaign. MacRansom implements symmetric encryption with a hard-coded key and encrypts a maximum of 128 files; it demands 0.25 bitcoin (around $700) for the decryption keys. The malicious code implements anti-analysis checks: the first thing the ransomware does is check whether the sample is being run in a non-Mac environment or under a debugger.

Top 5 InfoSec concerns for 2017

Cloudbleed, WannaCry, ransomware, hackers. Each and every day, it seems, the tech community wakes up to news of another attack on data security and privacy. As IT professionals, we spend our days working to the best of our knowledge and ability to keep company information secure. As soon as we learn one method of protection, the hackers have invented a new workaround. Basic security concerns are still at the top of the most-searched list, while there is a spike in interest for new content and questions on specific issues, like WannaCry. Here were the top 5 searched security topics on the site over the last four months:

1) Network Security: A breach in network security can cause large and lasting ramifications for a company.
2) Networking: When data and information pass virtually from one location to another, entry points increase and vulnerabilities multiply.
3) Windows OS: As the recent WannaCry malware attack taught us, even old programs no longer in mass circulation are vulnerable to attack.
4) OS security: Operating systems safeguard community assets. IT managers and professionals need to know the best ways to protect identity and data from being stolen or deleted, best practices for passwords and authentication processes, and basic safeguarding against viruses, malware, and remote hackers.
5) Active Directory: Though popular, it is a complex system that requires constant and vigilant security maintenance, positioning it as a prime opportunity for hackers.

CERT-FR Weekly News Alert
CERTFR-2017-AVI-173: Vulnerabilities in Google Chrome (12 June 2017)