Intruders hack industrial heating system using backdoor posted online

A recent search on the Shodan computer search engine found more than 20,000 Niagara AX systems connected to the Internet.

Hackers illegally accessed the Internet-connected controls of a New Jersey-based company's internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney's Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a "Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area," according to the memo, which was issued in July. "All areas of the office were clearly labeled with employee names or area names."

An IT contractor for the unnamed business told FBI agents the "Niagara control box was directly connected to the Internet with no interposing firewall," according to the memo, which was published Saturday by Public Intelligence. The website has an established track record of posting authentic government documents. Barbara Woodruff, a spokeswoman in the Newark, New Jersey division of the FBI, where the memo originated, said the document appeared to be authentic.


Spam Campaign Flooding Towards Blackhole Exploit Kit

Contributor: Samir Patil

In the last few months, we have seen an increase in the volume of malicious spam. The majority of these new spam emails contain links to the Blackhole Exploit Kit.

Earlier this year Symantec reported on malicious spam during tax season that led to the Blackhole Exploit Kit. Similar attacks targeting well-known businesses occurred throughout 2012, affecting major brands in various service industries such as payroll, fax, and social media.

The emails claim to be contacting the recipient in regard to account transactions, pending notifications, company complaint reports, and so on.

The main purpose of these spam campaigns is to lure recipients into clicking on links contained in the emails. These links lead to pages that serve malicious code exploiting common vulnerabilities.

Note: Read The Blackhole Theory for more information about how this type of attack works.

Figure 1 shows the volume of Blackhole spam over the past three months. The attacks increased noticeably around September 18 and even more so in mid October. During this time, the attacks targeting social networks and payroll companies were prominent. Throughout the monitoring phase, we observed 19 companies being targeted by the spammers. Social media and payroll are the most popular industries targeted by spammers, contributing 35 and 31 percent respectively.

Figure 1. Blackhole spam volume peaking in mid-October

Figure 2. Distribution of spam through targeted service industries

The most frequently observed subject lines in these attacks were:

  • [REMOVED] Urgent Notification
  • [REMOVED] Funding Notification
  • [REMOVED] Complaint activity report
  • Corporate [REMOVED] message - [REMOVED] pages
  • New invitation
  • Verify your account
  • Your Order
  • List of all Employer contributions scheduled on [REMOVED]
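The subject lines above follow a small set of templates in which only the impersonated brand (redacted as [REMOVED]) changes, and the lure always relies on a link that leads away from the brand it claims to be. The following mail-filter sketch is an added example, not Symantec's code: it turns the listed templates into patterns with [REMOVED] as a wildcard, and flags messages whose links point to a domain other than the sender's. The sample messages, sender addresses and domains are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Subject templates taken from the campaign list above. "[REMOVED]" is the
# redacted brand or company name, so it is treated as a wildcard.
SUBJECT_TEMPLATES = [
    "[REMOVED] Urgent Notification",
    "[REMOVED] Funding Notification",
    "[REMOVED] Complaint activity report",
    "Corporate [REMOVED] message - [REMOVED] pages",
    "New invitation",
    "Verify your account",
    "Your Order",
    "List of all Employer contributions scheduled on [REMOVED]",
]


def template_to_regex(template):
    """Escape the literal text and turn each [REMOVED] into a short wildcard."""
    parts = [re.escape(p) for p in template.split("[REMOVED]")]
    return re.compile(r"^\s*" + r".{1,40}?".join(parts) + r"\s*$", re.IGNORECASE)


SUBJECT_PATTERNS = [template_to_regex(t) for t in SUBJECT_TEMPLATES]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def matches_campaign_subject(subject):
    """True if the subject fits one of the observed campaign templates."""
    return any(p.search(subject) for p in SUBJECT_PATTERNS)


def registered_domain(host):
    """Crude registrable-domain extraction (last two labels); bare IPs are kept as-is."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.split(".")[-2:])


def link_domains(body):
    """Registrable domains of every http(s) URL found in the message body."""
    domains = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            domains.add(registered_domain(host))
    return domains


def assess(message):
    """Return the reasons a message looks like Blackhole lure spam (empty if none)."""
    reasons = []
    if matches_campaign_subject(message["subject"]):
        reasons.append("subject matches a known campaign template")
    sender_domain = registered_domain(message["from"].split("@")[-1].strip("> "))
    for d in sorted(link_domains(message["body"])):
        if d != sender_domain:
            reasons.append(f"link points to {d}, not the sender's domain {sender_domain}")
    return reasons


# Constructed sample messages (example domains, not real campaign data).
SAMPLE_MESSAGES = [
    {   # lure in the style of the campaign: brand in the subject, link elsewhere
        "from": "noreply@examplepayroll.com",
        "subject": "ExamplePayroll Urgent Notification",
        "body": "Your transaction report is ready: http://203.0.113.10/report/view.php?id=771",
    },
    {   # benign message: the link stays on the sender's own domain
        "from": "billing@examplepayroll.com",
        "subject": "Your monthly statement",
        "body": "View it at https://portal.examplepayroll.com/statements/2012-10",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", assess(m) or ["no findings"])
```

The sender-versus-link comparison is a heuristic: legitimate mail that uses third-party tracking or hosting domains will also trip it, so in practice it is a scoring input alongside the subject match rather than a block rule on its own.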

Figure 3. Spam email example claiming to be a transaction report

Figure 4. Spam email example claiming to be from a social networking site

Using a company or brand's popularity in a spam campaign is nothing new, and we have seen these industries being used in other campaigns like online pharmacy spam. The good news is that Symantec protects customers from all of these attacks with multilevel protection including Antispam, IPS, and AV.

Follow these tips to avoid spam attacks:

  • Patch your operating system and software regularly
  • Use message security and antivirus solutions from Symantec and use the latest signatures
  • Be suspicious of emails with urgent requests for personal information
  • Do not open any suspicious links or attachments received in unsolicited email

New Labs Report: ‘Analyzing Project Blitzkrieg’

Project Blitzkrieg, a current attack on US financial institutions, got a lot of media attention following a blog posting by RSA researchers who wrote they had discovered an operation run by an individual known as vorVzakone. RSA identified the malware as belonging to the Gozi family and labeled it Prinimalka. VorVzakone’s claim was met with skepticism from Russian Underweb forums as well as from others in the research community.

The McAfee Labs paper Analyzing Project Blitzkrieg provides an insight into the credibility of this threat to the financial industry and analyzes the claims made by vorVzakone in his forum posting.

If the aims of Project Blitzkrieg, as vorVzakone has claimed, become fully realized by spring 2013, the financial industry needs to be fully prepared. In this research we take a deeper look into the overall credibility of this threat to the US financial industry.

Some key findings:

  • An active Gozi Prinimalka campaign was discovered several weeks after VorVzakone’s initial forum posting on September 9. It has infected more than 80 victims across the United States, lending credibility to the idea that some cybercriminals put faith in VorVzakone’s claims and decided to join his action.
  • Discovery of an early pilot campaign, conducted by VorVzakone and 01NSD, that operated from March to late April 2012.

Google Releases Google Chrome 23.0.1271.97

Google has released Google Chrome 23.0.1271.97 for Windows, Mac, Linux, and ChromeFrame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial of service.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 23.0.1271.97.
