Search results

Tuesday, April 24, 2018 @ 08:04 PM gHale

Nozomi Networks Inc. and SecureLink inked a partnership pact to broaden SecureLink Germany’s delivery of services across Germany, Austria and Switzerland.

“With cyberthreats on the rise, our industrial enterprise customers are turning to SecureLink to address these threats head on,” said SecureLink Germany’s General Manager and Chief Technology Officer, Andreas Mertz. “Nozomi Networks is a leader in the market when it comes to ICS cybersecurity. Their proven track record of success in some of the most complex industrial operations makes them a trusted option for our customers and the strongest possible partner for SecureLink.”

Nozomi Networks’ SCADAguardian capabilities include real-time ICS monitoring, industrial network visualization, hybrid ICS threat and anomaly detection, asset inventory and vulnerability assessment.

Through this reseller agreement with Nozomi Networks, SecureLink Germany is able to offer its customers a solution for mapping, monitoring and detecting cyber threats to ICS networks.

“SecureLink has a plethora of customers across the German-speaking region of Europe — many with immediate and long-term needs for better protection against advanced ICS security threats,” said Chet Namboodri, Nozomi Networks vice president of alliances and business development. “We’ve already been working with SecureLink Germany on solutions for several key customers. This reseller agreement allows us to have an even bigger impact within the industrial and mission-critical sectors that SecureLink serves.”

Friday, March 30, 2018 @ 12:03 PM gHale

WAGO released new firmware to mitigate an improper resource shutdown or release vulnerability in its 750 Series, according to a report with ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability, discovered by Younes Dragoni of Nozomi Networks, could allow a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools.

The following 750 Series PLC models and firmware versions are affected:
• 750-880 firmware version 10 and prior
• 750-881 firmware version 10 and prior
• 750-852 firmware version 10 and prior
• 750-882 firmware version 10 and prior
• 750-885 firmware version 10 and prior
• 750-831 firmware version 10 and prior
• 750-889 firmware version 10 and prior
• 750-829 firmware version 10 and prior

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

In the vulnerability, a remote attacker may take advantage of an improper implementation of the TCP three-way handshake, affecting communications with commissioning and service tools. Specially crafted packets may also be sent to port 2455/TCP, used by the CODESYS management software, which may result in a denial-of-service condition for communications with commissioning and service tools.

CVE-2018-8836 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The product sees action mainly in the commercial facilities, critical manufacturing, energy, and transportation systems sectors. It also sees use on a global basis. The company has offices in the United States, Germany, Switzerland, Poland, China, and India.

WAGO released new firmware addressing this vulnerability that can be obtained by contacting WAGO support via email.

If updating the firmware is not feasible, WAGO recommends users disable the WAGO Service Communication via the Web-Based Management (WBM) interface, or limit access to ports 6626 and 2455/TCP to trusted devices.

For more information, see WAGO’s security advisory.

Tuesday, March 20, 2018 @ 05:03 PM gHale

By Heather MacKenzie and Moreno Carullo
The U.S. government just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.

While there has been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case, the threat actor and their strategic intent have been clearly confirmed, something the U.S. government rarely does publicly.

In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IoCs), and a long list of detection and prevention measures. Many of the attack tactics resemble those of Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly.

The following is intended to help you gain perspective on this alert, and to provide additional guidance on what security measures to take.

Multi-Stage Campaigns
The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign in which Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.

In this case, the Russian cyberattacks started by infecting staging targets: peripheral organizations, such as trusted third-party suppliers, used as pivot points for attacking the final intended targets.

The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:
• Altering trade publication websites
• Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
• Analyzing publicly available photos that inadvertently contained information about industrial systems

The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.

The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks. This is a distinctive tactic: SMB is normally used only within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls restrict outbound SMB traffic.
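As an added illustration (not part of the US-CERT alert or the authors’ blog), the following Python script applies that outbound-SMB check to firewall flow records. The key=value log format, the internal address ranges and the sample records are constructed for the example; a real deployment would read the perimeter firewall’s own export and feed the hits into the SOC’s alerting.

```python
import ipaddress
from typing import Dict, List

# Constructed sample flow records (not from the US-CERT alert); the key=value
# format is an assumption standing in for whatever the perimeter firewall exports.
SAMPLE_LOG = """\
2018-03-15T10:22:01Z src=10.1.5.23 dst=10.1.5.40 proto=tcp dport=445 action=allow
2018-03-15T10:22:07Z src=10.1.5.23 dst=203.0.113.9 proto=tcp dport=445 action=allow
2018-03-15T10:23:15Z src=10.1.7.11 dst=198.51.100.77 proto=tcp dport=139 action=allow
2018-03-15T10:24:02Z src=10.1.5.23 dst=198.51.100.20 proto=tcp dport=443 action=allow
2018-03-15T10:25:44Z src=10.1.9.8 dst=192.0.2.55 proto=tcp dport=445 action=deny
"""

# The asset owner's own address space (constructed); anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# TCP ports carrying SMB (445 direct, 139 over the NetBIOS session service).
SMB_PORTS = {445, 139}


def parse_flow(line: str) -> Dict[str, str]:
    """Split one record into a dict; the leading timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str, include_denied: bool = False) -> List[Dict[str, str]]:
    """Return records where an internal host speaks SMB to an external address.

    Denied flows are skipped by default (the firewall already did its job), but
    include_denied=True surfaces them too, since a blocked SMB attempt is itself
    a useful sign that a host is trying to reach an external server."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec.get("proto") != "tcp" or int(rec.get("dport", "0")) not in SMB_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # inbound or purely internal SMB is normal LAN traffic
        if rec.get("action") == "deny" and not include_denied:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_outbound_smb(SAMPLE_LOG, include_denied=True):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['action']})")
```

Run against the constructed log, the check flags the two allowed outbound SMB flows; the denied attempt from 10.1.9.8 only appears with include_denied=True, which is the setting worth using while hunting for the staging-target behaviour the alert describes.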

The credentials of the intended targets were used to access the victims’ networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to cleanup activity.

Next, tools were downloaded from a remote server that manipulated Microsoft Windows shortcut files and the registry to gather and store user credentials. The attackers also used the infrastructure of staging targets to connect to intended targets using the stolen credentials and remote access services.

An ICS reconnaissance phase followed, which included tactics like:
• Using batch scripts to enumerate the industrial control network
• Using scheduled tasks and a screenshot utility to capture the screens of systems across the network
• Using text files to hold lists of host information
• Accessing computers on the corporate network to collect data about control and SCADA systems, including ICS vendor names and reference documents
• Gathering profile and configuration information for ICS systems

The threat actors also conducted activity to hide their tracks, such as clearing logs and removing malware applications, registry keys and screen captures.

While long on details about the infection and reconnaissance phases of the Russian cyberattacks, the US-CERT advisory is notably, but not surprisingly, lacking in detail about what equipment was targeted and what disruption was intended.

The goal of the advisory is to provide the intended targets, which are asset owners, with a wide set of clues for determining whether a facility is infected. If it is, the infection needs to be eradicated and reported to the authorities.

APTs Detected
The list of detection and prevention measures provided in the Alert (TA18-074A) is extensive. Anyone glancing at the list will realize it will take a lot of manpower and focus to do all the log and file checking, as well as the security improvements recommended.

What Next?
This US-CERT alert is a milestone. It makes it perfectly clear that U.S. infrastructure and critical manufacturing sectors are under Russian cyberattack.

If your organization is in one of the targeted sectors, now is the time to check for and eradicate the malware before a final ICS attack occurs. Even if your operation is in another country or another sector, you likely want to do the same thing.

To help you efficiently deal with the risk level and workload associated with this alert, consider a real-time cybersecurity and operational visibility solution.
Moreno Carullo is founder and chief technology officer at Nozomi Networks. Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.

Thursday, March 8, 2018 @ 05:03 PM gHale

Aerospace, defense and security provider Leonardo partnered with network monitoring provider, Nozomi Networks to offer increased network visibility in a move to enhance Leonardo’s Cyber Protection Program for Industrial and Critical National Infrastructures (CNI).

“The cyber threat to critical infrastructure, industrial systems and operational technology networks is at an all-time high, thus generating growing customer demand for better protection,” said Andrea Biraghi, managing director of Leonardo’s Security & Information Systems Division. “We’ve partnered with Nozomi Networks because they provide the strongest possible solution when it comes to detecting anomalies early and proactively, preventing threats within our customers’ environments.”

Deep knowledge of the complexities of ICS networks, continuous innovation and expertise in artificial intelligence were the reasons why Leonardo went with Nozomi Networks and its SCADAguardian product, officials said.

Now in its third generation, Nozomi’s SCADAguardian technology includes real-time ICS monitoring, industrial network visualization, hybrid ICS threat and anomaly detection, asset inventory and vulnerability assessment.

Focused on the military and CNI fields, Leonardo provides a systemic approach that covers the entire lifecycle of cybersecurity programs including security governance, assessment and design of digital infrastructures, the adoption of specific technologies for SCADA/ICS protection, the design and operation of industrial security operations centers and cyber threat intelligence systems.

Leonardo is pursuing an open innovation approach, in line with the strategic drivers of its recently presented Industrial Plan, collaborating with the best universities and national institutions in the countries in which the company operates, and forming synergies and qualified partnerships with innovative start-ups to integrate the best technologies.

“(Leonardo has) an intimate understanding of the unique demands these networks face and we look forward to helping them make infrastructure around the world more safe,” said Nozomi Networks co-founder and chief product officer Andrea Carcano.

Tuesday, February 27, 2018 @ 04:02 PM gHale

Emerson has a mitigation plan to help offset a stack-based buffer overflow in its ControlWave Micro Process Automation Controller, according to a report with ICS-CERT.

ControlWave Micro, a family of SCADA RTUs, PLCs, PACs and flow computers, running ProConOS v.4.01.280 with firmware CWM v.05.78.00 and prior, suffers from the remotely exploitable vulnerability, discovered by Younes Dragoni of Nozomi Networks.

Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

A stack-based buffer overflow, triggered by sending crafted packets to port 20547, could force the PLC into halt mode.

CVE-2018-5452 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use mainly in the energy and water and wastewater systems sectors. It also sees action on a global basis.

Emerson offers the following mitigation advice:
• Assess which ControlWave products in your organization have Ethernet connectivity.
• Upgrade the affected devices to firmware version 05.79.00 to correct this issue. System firmware upgrade instructions are available in the product documentation (ControlWave Micro Process Automation Controller Instruction Manual, part D301392X012).
• The resolution described is available to the user only when appropriately incorporated into the application running on the ControlWave Micro firmware.
• Prior to upgrading the system firmware, always perform a full alarm and historical collection (archive files as well as audit logs).
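To make the port-restriction advice concrete, here is an added example (mine, not WAGO’s or Emerson’s code) that turns an allow-list of trusted engineering hosts into an nftables ruleset for a firewall sitting between the engineering and control segments, and evaluates connection attempts against the same policy. It covers the WAGO ports 2455 and 6626/TCP that the earlier advisory recommends limiting to trusted devices and, as my own compensating-control extension rather than an Emerson recommendation, the ControlWave port 20547 named above. The controller and workstation addresses, the forward-chain layout and the trusted-host list are all assumptions.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Management ports named in the two advisories: WAGO 750 (2455, 6626/TCP) and
# Emerson ControlWave Micro (20547). The descriptions are for operator display.
MANAGEMENT_PORTS: Dict[int, str] = {
    2455: "WAGO CODESYS management",
    6626: "WAGO service communication",
    20547: "ControlWave Designer access",
}

# Constructed policy: controller address -> engineering hosts allowed to reach
# its management ports. Everything else hitting those ports is dropped.
POLICY: Dict[str, Set[str]] = {
    "10.20.1.10": {"10.20.0.5"},               # WAGO 750-880 (assumed address)
    "10.20.1.11": {"10.20.0.5"},               # WAGO 750-881 (assumed address)
    "10.20.2.20": {"10.20.0.5", "10.20.0.6"},  # ControlWave Micro (assumed address)
}


def render_nftables(policy: Dict[str, Set[str]], ports: Dict[int, str]) -> str:
    """Emit an nftables ruleset (forward chain, so the box routes between the
    engineering and control segments) that accepts the allow-listed sources per
    controller and logs-then-drops any other attempt on the management ports."""
    port_list = ", ".join(str(p) for p in sorted(ports))
    lines = [
        "table inet ics_mgmt {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for device, trusted in sorted(policy.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        src_list = ", ".join(sorted(trusted, key=ipaddress.ip_address))
        lines.append(f"    ip daddr {device} tcp dport {{ {port_list} }} ip saddr {{ {src_list} }} accept")
    # Catch-all: management ports on any destination, from any other source.
    lines.append(f"    tcp dport {{ {port_list} }} log prefix \"ics-mgmt-denied: \" drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


def evaluate(policy: Dict[str, Set[str]], ports: Dict[int, str],
             attempts: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Apply the same policy to (src, dst, dport) attempts; return the denied ones
    with the port description, mirroring what the nftables log line would show."""
    denied = []
    for src, dst, dport in attempts:
        if dport not in ports:
            continue  # not a management port; outside this policy's scope
        if src not in policy.get(dst, set()):
            denied.append((src, dst, dport, ports[dport]))
    return denied


# Constructed connection attempts to exercise the policy.
ATTEMPTS: List[Tuple[str, str, int]] = [
    ("10.20.0.5", "10.20.1.10", 2455),   # engineering workstation -> WAGO: allowed
    ("10.20.0.9", "10.20.1.10", 2455),   # unknown host -> WAGO CODESYS port: denied
    ("10.20.0.9", "10.20.1.11", 6626),   # unknown host -> WAGO service port: denied
    ("10.20.0.6", "10.20.2.20", 20547),  # second trusted host -> ControlWave: allowed
    ("10.20.0.9", "10.20.2.20", 20547),  # unknown host -> ControlWave: denied
    ("10.20.0.9", "10.20.1.10", 502),    # Modbus/TCP: not a management port here
]

if __name__ == "__main__":
    print(render_nftables(POLICY, MANAGEMENT_PORTS))
    for src, dst, dport, what in evaluate(POLICY, MANAGEMENT_PORTS, ATTEMPTS):
        print(f"DENY {src} -> {dst}:{dport} ({what})")
```

The ruleset is deliberately strict: the final rule drops the three management ports for every destination, not just the listed controllers, so a newly commissioned PLC is unreachable by engineering tools until it is added to the allow-list, which is the failure mode you want on a control network. Before loading it, complete the alarm and historical collection the Emerson guidance above calls for, since the ruleset change and the firmware upgrade both interrupt engineering access.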

The release notes and firmware upgrade are available to registered users.

Tuesday, February 27, 2018 @ 01:02 PM gHale

Critical infrastructure security provider, Radiflow, inked a partnership pact with Wireless Data Systems, a provider of turnkey wireless-based networks for multiple applications.

Wireless Data Systems (WDS) designs, implements and supports wireless communications systems and networks for operators of critical infrastructure. The company said it has seen an increasing need for cybersecurity protection for its clients. 

As part of the cooperation between the two companies, Wireless Data Systems will integrate and support Radiflow’s industrial intrusion detection and security gateway products for power and water utilities, oil and gas, renewable energy and municipalities.

“Radiflow’s industrial cybersecurity products are an important addition to our technology portfolio,” said Rick Greene, president of Wireless Data Systems. “There is a definite and growing market need for cybersecurity and Radiflow’s offerings will help us better address the needs of our customers as well as attract new business.”

Radiflow’s industrial cybersecurity product portfolio is designed specifically for OT networks and ICS and SCADA systems used by critical infrastructure operators. Radiflow’s iSID system is an industrial intrusion detection system that maps a baseline of the operational assets and continuously monitors the industrial network for changes to the traffic and other anomalies. The company’s line of industrial security gateways facilitates secure communication with automation devices on SCADA and ICS networks at remote and distributed sites.

“With a wide market presence and excellent integration capabilities, WDS is an ideal VAR partner,” said Ilan Barda, chief executive of Radiflow. “We have high expectations that our new partnership with WDS will significantly enhance the security posture of customers in the market segments we are jointly serving.”

Radiflow and Wireless Data Systems report the two companies are already jointly engaged in significant opportunities with utilities providers and municipalities across the United States. 

Friday, February 2, 2018 @ 03:02 PM gHale

Bomgar has acquired identity and credential management software provider Lieberman Software.

Remote access is the most common attack pathway for attackers and the majority of today’s data breaches involve a stolen privileged credential.

Bomgar now looks to offer an approach to securing access to critical systems and ensuring the credentials to those critical systems are managed and protected.

The deal for Lieberman Software pushes Bomgar’s mission to help organizations connect by adding technology to discover, manage, and protect privileged credentials while simultaneously identifying and neutralizing attacks.

“With our combined technologies, we will deliver a true defense-in-depth PAM (privileged access management) solution with a quick time to value, rapid deployments, and a winning user experience,” said Matt Dircks, Bomgar chief executive.

Through 2021, organizations with PAM tools will have at least 50 percent lower risk of impact by advanced threats compared to their peers without PAM tools, according to a Gartner report.

Bomgar currently offers a seamless integration between Lieberman’s credential management functionality and Bomgar’s privileged session management capabilities. The acquisition will result in a single PAM offering with capabilities for:
• Privileged account auto-discovery
• Credential management and rotation
• Service account management
• Privileged session management
• Insider and vendor access

Terms of the deal were not immediately available.

Monday, January 22, 2018 @ 04:01 PM gHale

Emerson acquired ProSys Inc., a software and services provider covering production and safety for the chemical, oil and gas, pulp and paper, and refining industries.

By building intuitive processes for plant operators, these solutions make everything from everyday operations to responding during abnormal situations easier.

“Adding ProSys’ differentiated technologies and expertise allows us to help our customers improve plant performance, safety and profitability by optimizing their human and automation resources,” said Mike Train, executive president, Emerson Automation Solutions. “With ProSys, we can provide innovative control and operator performance capabilities to make control room operators far more effective.”

ProSys’ portfolio includes solutions that help operators manage alarms critical to plant production and safety, and efficiently handle changing plant states. In addition, ProSys provides modern, high performance and intuitive graphics for better operator communications.

ProSys complements Emerson’s May 2017 acquisition of MYNAH Technologies, which provides dynamic simulation and operator training software.

“Our specialization in software and services that increase operator performance builds on Emerson’s market leadership in automation control systems,” said Dustin Beebe, president and chief executive at ProSys. “By working together as one, we can provide even more operational and financial value to customers.” Beebe will join Emerson Automation Solutions as vice president, control and operator performance.

Thursday, January 18, 2018 @ 03:01 PM gHale

By Gregory Hale
The network monitoring challenge is over and the champion is Claroty.

Network monitoring, which allows visibility into what is on the network and what is happening on it, is a huge area the manufacturing automation sector is moving toward. So Dale Peterson, Digital Bond chief executive, who also heads up the S4 conference, wanted to see how the new players in the market shaped up and whether the companies and technologies are living up to the hype.

Judges of the competition, which concluded Thursday at the S4x18 conference in Miami, were security experts John Cusimano, Eric Byres and Ron Brash.

While there may be up to 25 or so companies focused on the network monitoring area, the four companies participating in the challenge were Claroty, SecurityMatters, Nozomi Networks and Gravwell.

“This was very much tougher than the real world,” Byres said. (With a tight timeframe to understand the attack), “they couldn’t do a long-term baseline. These poor guys were just stuck out there with a pcap (packet capture).”

There were two days in the competition. The first challenge on Tuesday was labeled asset identification.

The objective for the contestants was to identify as many assets and details as possible, submit a topology diagram, and deliver a complete, correct and timely response; the judges could award extra credit for unique findings.

The challenge pcaps came from the Palm Desert Oil Co.; the contestants reviewed the pcaps and then reported on them. Packets were captured from 15 locations in the oil and gas midstream company’s control room and multiple stations and terminals. Around 15 million packets were sent in an hour, and there were about 800 IP addresses in a consolidated stream. The SCADA system, PLCs, protocol converters, VFDs and flow computers came from multiple manufacturers.

In that category, Claroty was the winner with 23 points, followed by SecurityMatters and Nozomi Networks at 20 points apiece. Gravwell had 11 points.

The second day was all about detection. The pcap stream was modified to introduce malicious or surprise traffic, and the contestants had to detect and identify the unusual behavior.

The judges added in the following categories:
1. Delivery/penetration
2. Command and control
3. Internal recon
4. Lateral movement
5. Obfuscation/hiding
6. Denial of service
7. Process modification
8. Logic modification
9. Policy violation
10. Self-inflicted user error

“We added in malware from Havex and Stuxnet,” Brash said. They also added in port scans, policy violations, buffer overflow attacks against PLCs, logic changes and firmware installs, hidden process changes in Modbus and network behavioral changes.

“The technology exceeded our expectations. Every one of the products had their own sweet spots,” Byres said. “The tools are really good for looking into issues really forgotten about on the plant floor – configuration issues.”

One area the judges thought the technologies could improve on: indicators were found, but the link to the attack was missing.

“If you have a cough, do you have a cold? Do you have the flu? I don’t know,” Brash said. “Indicators were found, but the correlation of the attack was missing.”

The day two results showed Claroty with 24 points, SecurityMatters with 22, Nozomi with 22 and Gravwell with 17.

That left the overall winner as Claroty with 47 points, Nozomi and SecurityMatters with 42 points each and Gravwell with 28 points.

Friday, January 12, 2018 @ 04:01 PM gHale

Security provider FireEye paid $20 million to acquire Big Data platform provider X15 Software.

Under the terms of the deal, FireEye agreed to pay $15 million in equity and $5 million in cash to acquire the privately held Sunnyvale, CA-based X15. The deal closed Thursday.

“Organizations today are overwhelmed by alerts, the number of tools required to manage their security operations, and the challenge of unifying access to the large volumes of data that matter,” said John Laliberte, senior vice president of engineering at FireEye. “The X15 Software team built an incredibly versatile, enterprise-grade big data platform that enables distributed, real-time access and ingestion of data at scale within a unified data model and modular query language. X15 Software technology will accelerate our strategy of delivering an innovative, next-gen security platform.”

FireEye said the integration of X15 Software’s technology will help FireEye’s security operations platform address the challenges of collecting, querying and analyzing large volumes of machine-generated data in real-time and manage security data from on-premise, hybrid and cloud environments.

The integration of X15 Software’s technology will enhance the ability of FireEye to collect and deliver the data organizations need to protect their most valuable assets, providing:

Big Data Management Capabilities – X15 Software technology solves the complex problem of collecting, querying and analyzing large volumes of machine-generated data in real-time. X15 Software technology is built with the flexibility to ingest data sources at scale, allowing organizations to capture new data as their infrastructure evolves.

One Management Console for Cloud, On-Premise and Hybrid Environments – As organizations expand their usage of different cloud platforms, X15 Software technology will provide the flexibility to manage security data from on-premise, hybrid and cloud environments, including AWS, Microsoft Azure, Google Cloud Platform and Oracle Cloud.

A Platform for Innovation – As the security landscape changes, organizations need a flexible security operations platform that can match the evolving capabilities of the adversaries. X15 Software technology will accelerate the capabilities of the FireEye platform to better enable organizations to leverage security data to make expert decisions and keep pace with the threats against them.

“We founded X15 Software to help organizations get more value out of the massive data they were generating on a daily basis, and very quickly we saw how impactful our technology could be in the security space,” said Val Rayzman, chief executive of X15 Software prior to the acquisition. “By coming together with FireEye, we can help build a security platform that uses big data, threat intelligence and analytics to keep customers secure.”

X15 Software started up in 2013 and employs 20 workers.