Posts by CSECybSec

The popular cyber security expert Troy Hunt has uncovered a massive data leak he called ‘Collection #1’ that included 773 million records.

The name ‘Collection #1’ comes from the name of the root folder.


Someone has collected a huge trove of credential-stuffing data: the ‘Collection #1’ archive is a set of email addresses and passwords totalling 2,692,818,238 rows, drawn from thousands of different sources.

According to Hunt, there are 1,160,253,228 unique combinations of email addresses and passwords, while the unique email addresses totalled 772,904,991.

The data was posted on the file-sharing service MEGA and also on an unnamed popular hacking forum; it includes more than 12,000 files for a total size of 87 gigabytes.

Hunt pointed out that approximately 140 million email accounts and some 10.6 million passwords are not part of known past data breaches.

“The unique email addresses totalled 772,904,991. This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of “cleanliness”. This number makes it the single largest breach ever to be loaded into HIBP.” wrote Troy Hunt.

The post on the hacking forum referenced “a collection of 2000+ dehashed databases and Combos stored by topic” and included a directory listing of 2,890 of the files, which Hunt reproduced in his post.

Users can check if their credentials are included in the Collection #1 dump by visiting the HIBP website.

“As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.” concludes Hunt.

Pierluigi Paganini

(SecurityAffairs – Collection #1, data leak)

The post Collection #1 dump, 773 million emails, 21 million passwords appeared first on Security Affairs.

Drupal released security updates for Drupal 7, 8.5 and 8.6 that address two “critical” security vulnerabilities that could be exploited for arbitrary code execution.

The first vulnerability could be exploited by a remote attacker to execute arbitrary PHP code. The flaw resides in the phar stream wrapper implemented in PHP and is related to the way it handles untrusted phar:// URIs.

“A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.” reads the security advisory.

“Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.”

The development team marked .phar as a potentially dangerous extension; this means that .phar files uploaded to a website running on the popular CMS will be automatically converted to .txt to prevent malicious execution.
Note that the replacement stream wrapper is not compatible with PHP versions lower than 5.3.3.

The development team has disabled the phar:// wrapper for Drupal 7 sites running a version of PHP earlier than 5.3.3.

“Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.” continues the advisory.

The second flaw affects the PEAR Archive_Tar, a third-party library that handles .tar files in PHP. An attacker could use a specially crafted .tar file to delete arbitrary files on the system and possibly even execute remote code.

“Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.” reads the security advisory.

The development team behind Archive_Tar has patched the flaw, and Drupal has shipped the updated library in the core of the CMS.

Drupal 8.6.6, 8.5.9 and 7.62 patch both flaws. Experts highlighted that Drupal 8 versions prior to 8.5.x will no longer receive security updates because they have reached end of life.

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post Drupal fixes 2 critical code execution issues flaws in Drupal 7, 8.5 and 8.6 appeared first on Security Affairs.

South Korea – Alleged state-sponsored hackers compromised 10 PCs at the ministry’s Defense Acquisition Program Administration.

Unknown hackers compromised 10 PCs at the ministry’s Defense Acquisition Program Administration, the office that manages military procurement.

The news was confirmed by the South Korea Ministry of National Defense.

“It has been turned out that 30 computers installed on the internal system of the Defense Acquisition Program Administration, in charge of arms procurement such as next-generation fighter jets, have come under simultaneous virtual attacks and 10 out of them saw internal data leaked.” reports Korea’s Dong-A Ilbo.

“As cyberattacks have continued on major Korean foreign affairs facilities including the Korean presidential office Cheong Wa Dae, the National Assembly and the Defense Acquisition Program Administration, concerns are ever increasing regarding the government’s cyber security capabilities.”

The systems targeted by the hackers contain sensitive data on purchases of military equipment and weapons, including “next-generation fighter jets.”

The security breach was disclosed this week in a report from a South Korean politician.

The National Assembly and the Defense Acquisition Program Administration confirmed that no confidential information was accessed or exfiltrated by hackers.

The security breach occurred on October 4, 2018; the attack targeted 30 computers, but only 10 of them were compromised. The intrusion was spotted on October 26, when the National Intelligence Service noticed suspicious traffic on an IP address associated with the agency.

The intrusion coincides with another attack on the email account of Liberty Korea Party Rep. Baek Seung-joo. Experts believe that a politically motivated threat actor targeted the systems of Korea’s major organizations simultaneously.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Rep. Lee pointed out. “Further investigation to find out if the source of attacks is North Korea or any other party.”

The Dong-A Ilbo added that, according to an intelligence agent, a further review will be conducted of the defense measures implemented to protect the Defense Acquisition Program Administration’s systems.

Pierluigi Paganini

(SecurityAffairs – South Korea, Defense Acquisition Program Administration)

The post South Korea: hackers compromised Defense Acquisition Program Administration PCs appeared first on Security Affairs.

A huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.

Another data leak has made the headlines: a huge trove of data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a server for at least a week.
It is not clear how long the data was left exposed online; according to the Shodan search engine, the server had been publicly open since at least November 30, 2018.

The unsecured storage server was discovered by security expert Greg Pollock from UpGuard; it contained 3 terabytes of data, including millions of sensitive government files and years’ worth of sensitive FBI investigations.

Other documents included social security numbers, names, and addresses for over a hundred thousand brokers, credentials for remote access to ODS workstations, and communications meant for the Oklahoma Securities Commission.

The server also included email backups from 1999 to 2016, the largest and most recent reaching 16GB in size.

The exposed information includes passwords that could have been used by an attacker to remotely access the state agency’s workstations, as well as credentials for several internet services.

Digging into the archive, it is also possible to find information related to people with AIDS, including patient names and T-cell counts.


“By the best available measures of the files’ contents and metadata, the data was generated over decades, with the oldest data originating in 1986 and the most recent modified in 2016,” reads a blog post published by UpGuard.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server.”

UpGuard immediately notified the ODS of the discovery, and the agency secured the storage server.

The Oklahoma Securities Commission published a press release to disclose the data leak; it announced that a forensic team is still investigating the case.

“The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall.” reads the press release.

“An accidental vulnerability of limited duration to a server containing archived data was discovered and immediately secured. The ODS has notified law enforcement and OMES regarding the incident. A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them.”

Pierluigi Paganini

(SecurityAffairs – Oklahoma Department, data leak)

The post Unprotected server of Oklahoma Department of Securities exposes millions of government files appeared first on Security Affairs.

A critical flaw in the online flight ticket booking system developed by Amadeus could impact almost half of the flight travelers of 141 airlines around the world.

A critical flaw in the online flight ticket booking system developed by Amadeus could be exploited by a remote attacker to access and modify travel details and claim the victim’s frequent flyer miles. The flaw was discovered by the Israeli security researcher Noam Rotem while he was booking a flight on the Israeli airline ELAL.

It has been estimated that the vulnerability could impact almost half of the flight travelers of 141 airlines around the world, including United Airlines, Lufthansa and Air Canada.

The attacker just needs to know the victim’s PNR (Passenger Name Record) number to exploit the vulnerability.

“Hacker and Activist Noam Rotem, working with Safety Detective research lab, was shocked when he recently discovered a major vulnerability affecting nearly half of all airlines worldwide. While booking a flight with Israeli national carrier ELAL, he came across a significant security breach that allows anyone to access and change private information on flight bookings.” reads a post published by the expert.

“The same breach was then discovered to include 44% of the international carriers market, potentially affecting tens of millions of travelers.”

Once a customer has booked a flight with ELAL, he will receive a PNR number and a unique link that could be used to check the booking and data associated with the PNR.

The researcher analyzed the link and discovered that changing the value of the “RULE_SOURCE_1_ID” parameter in the link to the PNR number of another user returned the booking information associated with that user’s account.

Rotem also demonstrated that, using the booking information (i.e. the booking ID and the customer’s last name), it is possible to access the user’s ELAL account, claim frequent flyer miles to a personal account and perform other operations.

“With the PNR and customer name at our disposal, we were able to log into ELAL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.” continues the post.

“Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram. But that’s just the tip of the iceberg,”

Rotem also discovered that the Amadeus portal did not implement any brute-force protection, allowing attackers to enumerate all active PNR numbers of customers of any airline website using Amadeus.

“After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information,” continues the expert.

Below is a video PoC published by the expert, in which he used a simple script to find active PNR numbers in Amadeus.

Rotem reported the issue to ELAL, and Amadeus quickly fixed the vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, flight ticket booking system)

The post Critical bug in Amadeus flight booking system affects 141 airlines appeared first on Security Affairs.

In early January, an interesting malware sample was disclosed through the InfoSec community: a potential GreyEnergy implant still under investigation.

Figure 1. Possible GreyEnergy sample

This kind of threat, previously analyzed by third party firms, contains similarities with the infamous BlackEnergy malware, used in the attacks against the Ukrainian energy industry back in 2015.

The Cybaze-Yoroi ZLAB researchers dissected this new sample to investigate its attribution.

Background – Past Research

According to a recent ESET report, GreyEnergy malware is part of the new cyber arsenal of the BlackEnergy APT group, whose main toolset was last seen back in 2015 during the Ukraine power grid cyber-attack. It typically spreads through two different vectors:

  1. perimeter breach, for instance compromising company’s websites;
  2. spear-phishing emails and malicious attachments.

The GreyEnergy implant is also known as the “FELIXROOT” backdoor: FireEye researchers published a technical article in July 2018 about a spear-phishing campaign trying to deliver the malware to undisclosed targets.

The entire malware architecture is modular and very difficult to neutralize. It is able to retrieve new modules from command and control servers, empowering the offensive capabilities of the implant: modules such as NMAP and MIMIKATZ were used in the past to perform lateral movement and privilege escalation. 

Figure 2 – Modules of GreyEnergy malware (Figure by ESET)

Technical analysis

In order to investigate the attribution of the sample, Cybaze-Yoroi ZLab researchers performed a comparative analysis of the January 2019 sample against the technical indicators and TTPs published in previous articles.

First of all, static analysis of this sample shows that its original filename, size, exported functions and other metadata closely match those of the FE_Dropper_Win32_FELIXROOT_1 sample.

Figure 3 – January’s sample on the left; FELIXROOT_1 sample on the right.

Despite this similarity, the first sample has been known to the community only since 6 January 2019, whereas the FELIXROOT_1 sample was submitted to the VirusTotal platform almost a year earlier, back in 2018.

Figure 4 – January’s sample on top; FELIXROOT_1 sample on bottom.

A dynamic analysis of the sample shows classic, but effective, automated-analysis evasion techniques such as long sleep periods of dozens of minutes.

Figure 5 – GreyEnergy invokes sleep API to evade analysis.

After this incubation time, the malware contacts the C2 server, sending check-in information about the victim machine. The remote destination resolves to the 217.12.204.100 IP address, owned by a Ukrainian contractor and manufacturing company.

Figure 6 – The malicious IP

The callback activity of the malware is periodic: every thirty minutes it contacts the remote C2 to notify that the implant is still running. It sends the computer name, user name, volume serial number, Windows version, processor architecture and two additional values, “1.3” and “KdfrJKN”. These values match the campaign ID reported by the FireEye researchers back in 2018.

These identifiers are clearly visible in Figure 7, where the in-memory analysis session shows the malware configuration.

Figure 7 – The malware accesses its configuration.

The data sent to the C2 are protected by SSL encryption. However, by emulating the network destination it is possible to decrypt the victim information sent to the remote server; the data are transmitted in the “u=” parameter of HTTP POST requests.

Figure 8 – POST body.

This evidence matches the FELIXROOT backdoor’s behavior reported in past FireEye research, where the use of three main HTTP parameters, including “u=”, has been documented.
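As an added detection example (not code from the Yoroi analysis), the following Python script looks for the behaviour described above in a proxy log: POSTs to the C2 address that carry the “u=” parameter, recurring at the thirty-minute period, and whose check-in data contains the two campaign identifiers. It assumes a TLS-inspecting proxy whose log line format, request path and the layout of the “u=” value are constructed here; only the C2 IP, the parameter name, the period and the identifiers come from the analysis.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Indicators taken from the analysis above.
C2_IP = "217.12.204.100"
CAMPAIGN_MARKERS = ("1.3", "KdfrJKN")
BEACON_PERIOD_S = 30 * 60   # the implant checks in every thirty minutes
PERIOD_TOLERANCE_S = 120    # jitter tolerated around the expected period
MIN_BEACONS = 3             # fewer C2 POSTs than this are not enough to call it periodic

# Constructed sample log from a hypothetical TLS-inspecting proxy (not real traffic).
# Assumed line format: <ISO time> <src_ip> <method> <dst_ip> <path> body=<raw POST body>
# The request path and the '|'-separated layout inside the "u=" value are assumptions.
SAMPLE_LOG = """\
2019-01-10T08:00:05 10.0.0.15 POST 217.12.204.100 /index.php body=u=WS01|john|1A2B3C4D|6.1|x64|1.3|KdfrJKN
2019-01-10T08:12:41 10.0.0.15 GET 93.184.216.34 /news body=
2019-01-10T08:30:06 10.0.0.15 POST 217.12.204.100 /index.php body=u=WS01|john|1A2B3C4D|6.1|x64|1.3|KdfrJKN
2019-01-10T09:00:04 10.0.0.15 POST 217.12.204.100 /index.php body=u=WS01|john|1A2B3C4D|6.1|x64|1.3|KdfrJKN
2019-01-10T09:15:00 10.0.0.22 POST 93.184.216.34 /login body=user=alice&next=%2Fhome
2019-01-10T09:30:07 10.0.0.15 POST 217.12.204.100 /index.php body=u=WS01|john|1A2B3C4D|6.1|x64|1.3|KdfrJKN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<path>\S+) body=(?P<body>.*)$"
)


def parse_log(text):
    """Parse the proxy log into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def u_value(body):
    """Return the value of the 'u=' POST parameter, or None if the body has no such parameter."""
    params = parse_qs(body, keep_blank_values=True)
    return params["u"][0] if "u" in params else None


def is_beacon_candidate(ev):
    """A POST to the known C2 carrying the 'u=' parameter shown in Figure 8."""
    return ev["method"] == "POST" and ev["dst"] == C2_IP and u_value(ev["body"]) is not None


def has_campaign_markers(body):
    """True when the check-in data carries both identifiers tied to the 2018 campaign."""
    value = u_value(body) or ""
    return all(marker in value for marker in CAMPAIGN_MARKERS)


def periodic_sources(events):
    """Map src -> median interval (seconds) for hosts whose C2 POSTs recur at about 30 minutes."""
    by_src = defaultdict(list)
    for ev in events:
        if is_beacon_candidate(ev):
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if abs(median - BEACON_PERIOD_S) <= PERIOD_TOLERANCE_S:
            flagged[src] = median
    return flagged


def detect(text):
    """Return one finding per host that beacons periodically to the C2."""
    events = parse_log(text)
    findings = []
    for src, median in sorted(periodic_sources(events).items()):
        bodies = [ev["body"] for ev in events if ev["src"] == src and is_beacon_candidate(ev)]
        findings.append({
            "src": src,
            "median_interval_s": median,
            "campaign_markers": any(has_campaign_markers(b) for b in bodies),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```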

A binary differential analysis between the January sample and the FELIXROOT_1 sample revealed only three modified binary areas, as shown in Figure 10.

Figure 10 – Differences between the latest binary and FELIXROOT_1 sample.

Conclusion

The sample disclosed in January 2019 is clearly classifiable as a GreyEnergy malware implant with the highest level of confidence: its behaviour, configuration and static data closely match the TTPs and technical details from previous analyses.

This means the analyzed sample is linked to the BlackEnergy/Sandworm APT group.

The recent detection of this previously unknown sample containing known campaign identifiers may suggest that the attack operations reported by third-party firms in 2018 are still ongoing.

The lack of contextual data about this new sample makes it harder to determine the currently targeted organizations; however, CERT-Yoroi assessed that no organization in its constituency has been impacted by this threat.

Further details, including IoCs and Yara rules, are reported in the analysis published by Yoroi.

Pierluigi Paganini

(SecurityAffairs – GreyEnergy, ICS-SCADA)

The post GreyEnergy: Welcome to 2019 appeared first on Security Affairs.

By using the multi-gesture trackpad along with the Safari browser on a MacBook Pro, one can view sensitive data that is cached in your Safari browser. (Note: this is not a back-button browsing vulnerability.)

I figured out this issue while playing around with the Safari browser. It looks like the most recent activity of any authenticated or unauthenticated website is stored in Safari’s cache, and by taking advantage of the multi-gesture trackpad we can retrieve any or all information about that activity.

It looks like Apple provides a feature in the trackpad which allows users to swipe between pages or applications. It also allows you to tap, swipe, pinch, or spread one or more fingers to perform useful actions, but it seems they forgot to add some security measures to this.


Steps to reproduce:
1. Open Safari (v12.0.2 (14606.3.4) was used in this case)
2. Log in to any dynamic website (I’ve used www.gmail.com)
3. Perform your dynamic activity
4. Log out (but don’t close your Safari browser)
5. Now swipe right

You would actually see your recent data between the pages. I’ve also created a video proof-of-concept for the same.
Apple says: After reviewing your report we do not see any actual security implications.

But I feel like this is an interesting issue which can be exploited by a local attacker. Also, this works only with the Safari browser. I hope you like the read.

Original post available at the following URL:

https://www.inputzero.io/2019/01/i-swiped-right-macos-bug.html

About the Author: Security Researcher Dhiraj Mishra

(@mishradhiraj_)

Pierluigi Paganini

(SecurityAffairs – hacking, Safari browser)

The post I swiped right, Viewing sensitive data cached in your Safari browser. appeared first on Security Affairs.

Security researchers at Check Point have discovered several flaws in the popular game Fortnite that could be exploited to take over gamers’ accounts.

Security experts at Check Point discovered several issues in the popular online battle game Fortnite. One of the flaws is an OAuth account takeover vulnerability that could have allowed a remote attacker to take over gamers’ accounts by tricking players into clicking a specially crafted link.

Remaining flaws discovered by the experts include a cross-site scripting flaw, a SQL injection, and a web application firewall bypass bug.

The figures behind Fortnite are impressive: the game has roughly 80 million monthly players, and according to Epic it is responsible for almost half of the company’s estimated $5bn-$8bn value.

Fortnite allows players to log in to their accounts using Single Sign-On (SSO) provided by third-party services, such as Facebook, Google, Xbox, and PlayStation accounts.

“Due to flaws found in Epic Games’ web infrastructure, though, our researchers were able to identify vulnerabilities with the token authentication process to steal the user’s access token and perform an account takeover.” reads the analysis published by Check Point.

The experts demonstrated that it was possible to take over a Fortnite account by chaining a cross-site scripting (XSS) flaw and a malicious redirect vulnerability on Epic Games’ subdomains.

Researchers initially discovered a vulnerability in the Epic Games login page, accounts.epicgames.com. They noticed that the redirect target was not validated, which left the page susceptible to a malicious redirect. The experts were able to redirect traffic to another, unused Epic Games sub-domain. This sub-domain was also affected by multiple flaws, including an XSS bug that allowed them to load JavaScript that would make a secondary request to the SSO provider. The SSO provider (i.e. Facebook or Google), in turn, resends the authentication token. By exploiting the redirect issue, the token sent by the SSO provider is delivered to the sub-domain under the attackers’ control instead of the login page, where the injected JavaScript code captures it.

“For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them. To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.” continues the analysis published by the experts.

Once the token is obtained, an attacker could impersonate the victim and act on their behalf (access personal information, buy more in-game currency at the user’s expense, listen in on and record conversations taking place during game play).

“Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world,” continues Check Point.

“After all, as mentioned above we have already seen similar scams operating on the back of Fortnite popularity.”

Check Point published a video PoC of the attack:

Check Point reported the flaws to Epic Games that fixed them in mid-December.

Full technical analysis of the flaws is available on Check Point Research.

Pierluigi Paganini

(SecurityAffairs – hacking, Fortnite)

The post Multiple Fortnite flaws allowed experts to takeover players’ accounts appeared first on Security Affairs.

Researchers from Flashpoint linked the recently disclosed attack on Chilean interbank network Redbanc to the North Korean APT group Lazarus.

Security experts at Flashpoint linked the recently disclosed attack on the Chilean interbank network to the dreaded Lazarus APT group.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

At the end of 2018, the group was involved in several attacks aimed at stealing millions from ATMs across Asia and Africa. Security experts from Symantec discovered malware, tracked as the FastCash Trojan, that was used by the Lazarus APT group in a string of attacks against ATMs.

Active since at least 2009, and believed to be backed by the North Korean government, the Lazarus group has attacked targets in various sectors and is said to be the most serious threat against banks. Last year, researchers revealed that code reuse links most North Korean malware to Lazarus.

The attack against the Chilean interbank network happened in December 2018; the threat actors seem to have used PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant. The experts pointed out that the Redbanc corporate network was infected with a version of PowerRatankba that was not detected by anti-malware.

The way the attackers delivered the malware is interesting: according to Flashpoint, a trusted Redbanc IT professional clicked to apply for a job opening found on social media. The person who published the job opening then contacted the employee via Skype for an interview and tricked him into installing the malicious code.

“According to recent reporting, the intrusion occurred due to malware delivered via a trusted Redbanc IT professional who clicked to apply to a job opening found through social media.” reported Flashpoint.

“The individual who appeared to have posted the open position then contacted the applicant from Redbanc to arrange a brief interview, which occurred shortly thereafter in Spanish via Skype. Having never expressed any doubts about the legitimacy of the open position, application, or interview process, the applicant was ultimately and unwittingly tricked into executing the payload.”

The dropper used to deliver the malware is related to PowerRatankba: it is a Microsoft Visual C#/Basic .NET (v4.0.30319)-compiled executable associated with the Lazarus APT, and it was used to download the PowerRatankba PowerShell reconnaissance tool.

The dropper displays a fake job application form while downloading and executing PowerRatankba in the background.

The payload, however, was not available during analysis, although it was recovered from a sandbox, Flashpoint’s security researchers reveal.

The PowerRatankba sample used in the Chilean interbank attack, unlike other variants, communicates with the C&C server over HTTPS.

The malware uses Windows Management Instrumentation (WMI) to gather information on the infected system (e.g. process lists, username, proxy settings); it also checks for open file shares and Remote Desktop Protocol (RDP) ports.

“The malware leverages Windows Management Instrumentation (WMI) to obtain the victim IP by parsing Win32_NetworkAdapterConfiguration for the IP and MAC address.” continues the analysis.

“It is notable that for the victim ID, the malware leverages the MAC address with Base64-encoding, which is passed to action=”What” and encoded one more time via the Base64 algorithm.”

If PowerRatankba has admin privileges, it attempts to download the next stage from hxxps://ecombox[.]store/tbl_add[.]php as “c:\windows\temp\REG_WINDEF.ps1”.

This latter script is registered as a service through the “sc create” command; the malware gains persistence by setting an autostart.
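As an added hunting example (not code from Flashpoint), the following Python decodes the double-Base64 victim ID described above back to a MAC address from a decrypted action=What check-in, and scans host log lines for the next-stage URL, the dropped script and a service created around it. The check-in body, the name of the parameter carrying the ID (the page does not give it), the EDR-style log lines and the MAC address are all constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Indicators quoted in the Flashpoint analysis above (URL kept defanged as on the page).
NEXT_STAGE_URL = "hxxps://ecombox[.]store/tbl_add[.]php"
DROPPED_SCRIPT = r"c:\windows\temp\REG_WINDEF.ps1"
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b")


def refang(ioc):
    """Turn a defanged indicator back into the literal string to match in logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def decode_victim_id(value):
    """Undo the double Base64 applied to the MAC address; return the MAC or None."""
    try:
        inner = base64.b64decode(value, validate=True)
        mac = base64.b64decode(inner, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return mac if MAC_RE.match(mac) else None


def encode_victim_id(mac):
    """Constructed helper reproducing the described encoding, used only to build the sample."""
    return base64.b64encode(base64.b64encode(mac.encode("ascii"))).decode("ascii")


def inspect_beacon(body):
    """Inspect a decrypted POST body. Returns None unless it is an action=What check-in;
    otherwise reports which parameter (name assumed) carries a value decoding to a MAC."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "What":
        return None
    for name, values in params.items():
        for v in values:
            mac = decode_victim_id(v)
            if mac:
                return {"param": name, "victim_mac": mac}
    return {"param": None, "victim_mac": None}


def scan_artifacts(lines):
    """Flag host log lines that reference the next-stage URL, the dropped script,
    or an 'sc create' that installs it as a service."""
    url = refang(NEXT_STAGE_URL).lower()
    script = DROPPED_SCRIPT.lower()
    hits = []
    for line in lines:
        low = line.lower()
        if url in low or script in low or (SC_CREATE_RE.search(low) and "reg_windef" in low):
            hits.append(line)
    return hits


# Constructed samples (not captured data): one check-in body and EDR-style process lines.
SAMPLE_BODY = urlencode({"action": "What", "id": encode_victim_id("00:0C:29:3A:7B:1C")})
SAMPLE_ARTIFACTS = [
    r"ProcessCreate powershell.exe https://ecombox.store/tbl_add.php C:\Windows\Temp\REG_WINDEF.ps1",
    r"ProcessCreate sc create WinDefUpd binPath= powershell.exe -File C:\Windows\Temp\REG_WINDEF.ps1",
    r"ProcessCreate notepad.exe C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    print(inspect_beacon(SAMPLE_BODY))
    for hit in scan_artifacts(SAMPLE_ARTIFACTS):
        print("IOC hit:", hit)
```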

The malware supports several commands, including delete agent, modify and replace ps1 and VBS files, send data to the server and download an executable and run it via PowerShell. 

The PowerRatankba variant analyzed by the experts includes “ConsoleLog” output logic to debug the application, which could help the Lazarus developers review its output.

“The group has reportedly been involved in a string of bank intrusions impacting institutions all over the world, heavily targeting Latin American financial institutions and cryptocurrency exchanges.” concludes Flashpoint.

“Monitoring and reviewing the incidents related to Lazarus and dissecting the group’s attacks and toolkits across the ATT&CK framework may assist with mitigating the exposure to this threat. Additionally, Lazarus attacks appear to reportedly rely on social media and trusted relationships, which may elevate their abilities to execute and install their payloads.”

Pierluigi Paganini

(SecurityAffairs – Lazarus, APT)

The post Experts link attack on Chilean interbank network Redbanc NK Lazarus APT appeared first on Security Affairs.

Researchers from Trend Micro have analyzed the communication protocols used by cranes and other industrial machines and discovered several flaws.

Security experts from Trend Micro have discovered several vulnerabilities in the communication protocols used by cranes, hoists, drills and other industrial machines.

The experts found vulnerabilities in products from several vendors, including Saga, Juuko, Telecrane, Hetronic, Circuit Design, Autec, and Elca.

The flaws could be exploited by remote attackers to carry out cyber attacks.

Machines used in the transportation, manufacturing, construction, and mining sectors often use radio frequency (RF) protocols. RF controllers are composed of a transmitter and a receiver that communicate via radio waves.

Trend Micro researchers analyzed RF controllers in a lab environment and in real-world scenarios, demonstrating the presence of the flaws and the associated risks.

The experts tested 14 devices across the world, and all of them were vulnerable to at least one of the attacks conducted by the experts.

The five types of attacks tested by the experts are:

  • Replay attacks – Attackers capture a valid transmission and fraudulently repeat or delay it.
  • Command injection attacks – Attackers can arbitrarily and selectively modify RF packets to completely control the machine.
  • “emergency stop” attacks – Attackers can replay e-stop (emergency stop) commands indefinitely to cause a persistent denial-of-service (DoS) condition.
  • Malicious re-pairing attacks – Attackers clone a remote controller to hijack a legitimate one.
  • Malicious reprogramming – The attacker is able to run tainted firmware on the remote controllers to obtain persistent, full remote control.

Below are two PoC videos published by Trend Micro experts.

Trend Micro reported the issues to the affected vendors; the ICS-CERT published two security advisories for Hetronic and Telecrane devices.

Most of the flaws discovered by the experts are related to unprotected communications between the transmitter and the receiver; an attacker could exploit the issues to capture traffic and spoof commands.

“Our research reveals that RF remote controllers are distributed globally, and millions of vulnerable units are installed on heavy industrial machinery and environments. Our extensive in-lab and on-site analysis of devices made by seven popular vendors reveals a lack of security features at different levels, with obscure, proprietary protocols instead of standard ones.” reads the report.

“They are vulnerable to command spoofing, so an attacker can selectively alter their behavior by crafting arbitrary commands — with consequences ranging from theft and extortion to sabotage and injury.”

The experts demonstrated how to carry out the attacks remotely by using a small, battery-powered device planted in range of the targeted machine.

“Our research shows that there is a discrepancy between the consumer and industrial worlds. In the consumer world, the perceived risks have pushed the vendors to find reasonably secure, albeit imperfect, solutions such as rolling codes.” reads the report. “In the industrial world, where the assets at risk are much more valuable than a fancy house or car, there seems to be less awareness.”
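As an added defensive illustration (not code from the Trend Micro report, and not any vendor’s protocol), the following Python models the rolling-code style protection the report contrasts with the industrial controllers: each frame carries a fresh counter and a keyed tag, so the replay, e-stop replay and command-injection attacks listed above are refused by the hardened receiver while a legacy receiver obeys them. The frame layout, key, command codes and replay window are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not any vendor's protocol):
#   4-byte big-endian counter | 1-byte command | 16-byte truncated HMAC-SHA256 tag
HEADER_LEN = 5
TAG_LEN = 16
REPLAY_WINDOW = 32            # counter may jump ahead this far (lost frames), no further
CMD_HOIST_UP = 0x01
CMD_EMERGENCY_STOP = 0xFF


def make_tag(key, header):
    """Keyed tag over counter+command; without the key a frame cannot be forged or altered."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


class Transmitter:
    """Remote controller: every frame carries a fresh counter and a keyed tag."""
    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def send(self, cmd):
        self.counter += 1
        header = struct.pack(">IB", self.counter, cmd)
        return header + make_tag(self.key, header)


class LegacyReceiver:
    """Models the unprotected receivers in the report: any well-formed frame is obeyed,
    so a captured frame (for instance an e-stop) is accepted again every time it is replayed."""
    def __init__(self):
        self.executed = []

    def accept(self, frame):
        if len(frame) < HEADER_LEN:
            return "malformed"
        _, cmd = struct.unpack(">IB", frame[:HEADER_LEN])
        self.executed.append(cmd)
        return "ok"


class RollingCodeReceiver:
    """Hardened receiver: verifies the tag first, then refuses stale or far-ahead counters."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def accept(self, frame):
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "malformed"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        # constant-time comparison; a tampered or unkeyed frame fails here
        if not hmac.compare_digest(tag, make_tag(self.key, header)):
            return "bad_tag"
        counter, cmd = struct.unpack(">IB", header)
        if counter <= self.last_counter:
            return "replay"                      # already seen: a replayed capture
        if counter - self.last_counter > REPLAY_WINDOW:
            return "out_of_window"               # too far ahead: needs re-sync, not obeyed
        self.last_counter = counter
        self.executed.append(cmd)
        return "ok"


def demo():
    """Run the same captured frames against both receivers; return the verdicts."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared key
    tx = Transmitter(key)
    legacy, hardened = LegacyReceiver(), RollingCodeReceiver(key)
    up = tx.send(CMD_HOIST_UP)
    estop = tx.send(CMD_EMERGENCY_STOP)
    tampered = up[:4] + bytes([CMD_EMERGENCY_STOP]) + up[HEADER_LEN:]    # command swapped, tag kept
    forged = Transmitter(b"attacker-guess", 100).send(CMD_EMERGENCY_STOP)  # built without the key
    tx.counter += 100                                                     # simulate a long gap
    far_ahead = tx.send(CMD_HOIST_UP)
    legacy.accept(estop)
    return {
        "legacy_replayed_estop": legacy.accept(estop),   # legacy obeys the replay again
        "genuine_up": hardened.accept(up),
        "genuine_estop": hardened.accept(estop),
        "replayed_estop": hardened.accept(estop),
        "replayed_up": hardened.accept(up),
        "tampered": hardened.accept(tampered),
        "forged": hardened.accept(forged),
        "far_ahead": hardened.accept(far_ahead),
        "legacy_executed": legacy.executed,
        "hardened_executed": hardened.executed,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```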

Pierluigi Paganini

(SecurityAffairs – RF protocols, hacking)

The post Cranes, drills and other industrial machines exposed to hack by RF protocols appeared first on Security Affairs.