Touch Panels Deployed In Critical Infrastructure: Remote Attacks Are a Growing Threat and How to Mit
- reaunenbiborfo
- Aug 20, 2023
- 6 min read
Through extensive analysis, Independent Security Evaluators (ISE) has identified dozens of previously undisclosed, critical security vulnerabilities in numerous network storage devices from a handful of go-to manufacturers (e.g., Seagate, D-Link, Netgear). Vulnerabilities in network-attached storage not only expose stored data, but also provide a vantage point for further PWNAGE of the network infrastructure on which the storage system sits. Our research efforts focused on identifying vulnerabilities that obtain administrative access (such as command injection, directory traversal, authentication bypass, memory corruption, backdoors, etc.), and on quantifying the associated risk. The attacks we developed demonstrate how unauthenticated attackers can compromise and control storage systems with and without user interaction. Network-based storage systems are used in millions of homes, schools, government agencies, and businesses around the world for data storage and retrieval. With today's dependence on Internet-based services, virtualization technologies, and the need to access data from anywhere, storage systems are relied on more than ever. Similar to other network hardware (e.g., routers), these devices are purchased and installed by IT teams and home consumers with the expectation that the system is protected from the infamous hacker. This presentation focuses on the "how to" and the implications of compromising network-based storage systems, but will conclude that the absence of security in not only storage hardware, but networking hardware in general, has left data unprotected and millions of networks vulnerable to exploitation. Throughout this presentation, several vulnerabilities will be exploited in order to achieve the glorious ro0t (#) shell!
Satellite Communications (SATCOM) play a vital role in the global telecommunications system. We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage. The ability to disrupt, inspect, modify, or re-route traffic provides an invaluable opportunity to carry out attacks. SATCOM infrastructure can be divided into two major segments, space and ground. Space includes those elements needed to deploy, maintain, track, and control a satellite. Ground includes the infrastructure required to access a satellite repeater from Earth station terminals. Earth station terminals encompass the equipment located both on the ground and on airplanes and ships; therefore, this segment includes air and sea. This specific portion of the ground segment was the focus of our research. We analyzed devices, from leading SATCOM vendors, used to access services such as:
- Inmarsat-C
- Inmarsat BGAN / M2M
- FleetBroadBand
- SwiftBroadBand
- Classic Aero Services
- GMDSS (Global Maritime Distress Safety System)
- SSAS (Ship Security Alert System)
IOActive found that 100% of the devices could be abused. The vulnerabilities we uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship can do it. The talk will show all the technical details, mainly based on static firmware analysis via reverse engineering, and will also include a live demo against one of these systems. Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.
Touch Panels Deployed In Critical Infrastructure Vulnerable To Remote Attacks
SSL has been around for decades and yet it keeps happening: new attacks are being discovered against TLS at a steady rate. The past year has seen its share of the rogue CA certificates and critical vulnerabilities in TLS libraries that we have come to expect. In this talk, I will present no less than three new attacks against the use of TLS on the web. The first one relies on a long-known cryptographic weakness in the protocol that can be combined with long-known issues in TLS implementations to re-enable a flavor of the 2009 renegotiation attack that was thought to be fixed. The second one exploits the truncation weakness known since SSL2 but left unsolved to bypass anti-stripping defenses (strict transport security) and steal secure cookies. The last one exploits vulnerabilities in the deployment of HTTPS, in particular how HTTP servers process requests and manage certificates and sessions, to reach the holy grail of TLS attacks: full server impersonation of several thousand websites, including Microsoft, Apple, Twitter, and PayPal. The three attacks have strong common points: they rely on an attacker that operates both at the TLS and HTTP levels, and they exploit misunderstandings and false assumptions between TLS libraries and applications. In the course of this talk, you will learn about the full capabilities of the "beastly" attacker that operates jointly at the transport and application levels and how they can be exploited. You will also learn how to configure your HTTPS server to avoid being vulnerable to our virtual host confusion attacks, for which no simple universal fix exists. Lastly, I will try to disprove some misconceptions about TLS and privacy in the context of powerful network attackers.
The Font Scaler engine is widely used in the Microsoft Windows and Mac OS operating systems for rendering TrueType/OpenType fonts. It was first introduced in 1989. Later, to improve the performance of the Windows NT operating system, Microsoft decided to move the engine from user mode to kernel mode. This enhancement does improve performance, but it also brings security issues. Specifically, the Font Scaler engine represents a significant kernel attack surface, and it is perhaps the most easily accessible point that can be reached remotely. For example, the famous Duqu malware demonstrated vulnerabilities in this engine in 2011. Many things make the font engine vulnerable, such as the complexity of the font file format, the enhancement of the Font Scaler engine (i.e., moving from user mode to kernel mode), the assumptions about the interactions between the font engine and its clients (win32k.sys), and the existence of the font cache. Among these vulnerabilities, TOCTTOU (Time-of-Check to Time-of-Use) is the most critical type. In this talk, I'm going to discuss the basic double fetch problem. Furthermore, I would like to present the more stealthy TOCTTOU vulnerability that is introduced by the design of the font engine.
Bot herders deploy Command and Control (C&C) panels for commanding infected hosts on the Internet and collecting data exfiltrated from them. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses the methodology of launching reverse attacks on centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from real-world research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate the step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored to make the testing easier for researchers.
Cuba ransomware (aka COLDDRAW), which was first detected in December 2019, reemerged on the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.
Siemens deploys Palo Alto Networks VM-Series virtual firewall on the RUGGEDCOM APE1808 module. Together, this solution will provide a secure offering to protect your OT network and ease of deployment with a single console for remote and critical environments. The Palo Alto Networks VM-Series virtual firewall will block malware, perform application control, provide SSL/TLS inspection for encrypted traffic, and detect and prevent advanced attacks inline within application flows throughout the network.
"This incident is not the first and will definitely not be the last, as US critical infrastructure spans across an entire continent and relies on engineers in remote places to log in and perform maintenance when needed," Bitdefender commented. "It is common for ransomware operators to probe networks for such points of entry or even to buy phished credentials to remote desktop instances that they can use to mount an attack. Critical infrastructure is becoming increasingly appealing to ransomware operators -- particularly those who are involved in Ransomware-as-a-Service schemes."
A recent research report from Trend Micro Incorporated revealed that 89% of critical infrastructure organizations experienced cyberattacks impacting production and energy supply in 2021/2022. To ensure the safety of their employees and the public, they need to identify, monitor and manage changes of every operational technology (OT) asset in their infrastructure.
Malware targeted specifically at ICS and SCADA systems has been developed and deployed for over a decade. Attacks specifically designed for OT systems seem to be on the rise, with safety systems increasingly being a target. For those OT organisations responsible for critical infrastructure, any sort of compromise needs to be taken extremely seriously.