Product Coverage and Mitigation for ICSA-14-178-01 (Havex/ICS-Focused Malware)

McAfee product coverage and mitigations for malware or indicators associated with the recent attacks (a.k.a. Dragonfly, Energetic Bear, Havex/SYSMain) on industrial control systems (ICSs) are listed below.

The Havex remote access tool is common across these associated attacks and campaigns, including Dragonfly. We have seen Havex in ICS-specific targeted campaigns. It can detect and affect ICS- and SCADA-specific services, such as OPC (OLE for Process Control) servers.

McAfee Product Coverage and Mitigation

  • McAfee VirusScan (AV): Known associated malware samples are covered by the current DAT set (7486). Updated coverage will be included in the July 2 DAT set.
  • McAfee Web Gateway (AV): Same as VirusScan coverage.
  • McAfee Application Control: Provides coverage via whitelisting. Nonconforming executables will not run.
  • McAfee Next Generation Firewall: Partial coverage (for malware artifacts) is available via built-in McAfee AV inspection of mail, web, and file transfers.


Please check back often for updated technical details and product coverage.




Microsoft expands the use of encryption on Outlook, OneDrive

Last December, Microsoft promised to expand its use of encryption for its cloud services to protect them from criminals and hackers (and, though the company didn't say so, spying governments). Today, it announced that it has reached a number of milestones in this ongoing effort.

Both inbound and outbound mail on the service will use TLS encryption when sending to and receiving from servers that also support TLS. The company says that it has worked with a number of other mail providers, including Deutsche Telekom, Yandex, and Mail.Ru, to ensure that mail sent to and from these popular providers is encrypted in transit. Outlook and OneDrive have also been updated to use perfect forward secrecy (PFS). With PFS, the keys used for each connection are randomly generated on a per-session basis. This matters because it protects against bulk data collection: without PFS, a law enforcement agency or hacker who can demand or steal the long-term key used to secure connections can use that key to decrypt every historic, recorded session. PFS prevents this; compromising one session's key only enables decryption of that session.


WordPress plugin with 1.7 million downloads puts sites at risk of takeover

Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned.

"If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat; it means every single website using it is vulnerable."

The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it's the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, "any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated." The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just-released 2.6.7, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses.
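As an added illustration (not MailPoet's code and not the actual 2.6.7 patch), here is the general plugin pattern the post describes: a file handler hung on admin_init that treats the hook firing as proof of an administrator, beside a hardened version that checks capability, a nonce, and the file type explicitly. The function names, form field name and nonce action are hypothetical.

```php
<?php
// Added example, not MailPoet's code. Shows the admin_init pitfall described above.
// Assumes WordPress core is loaded; wp_handle_upload() also needs wp-admin/includes/file.php.

// VULNERABLE PATTERN: the author assumes admin_init only fires for a logged-in
// administrator inside /wp-admin. It also fires on /wp-admin/admin-post.php for
// unauthenticated requests, so this handler performs no real authorization at all.
function example_vulnerable_import_handler() {
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['basedir'] ) . basename( $_FILES['theme_zip']['name'] );
    move_uploaded_file( $_FILES['theme_zip']['tmp_name'], $dest ); // any file, any extension
}
// add_action( 'admin_init', 'example_vulnerable_import_handler' );  // left disabled on purpose

// HARDENED PATTERN: authorize explicitly, require a nonce, and validate the file.
function example_hardened_import_handler() {
    if ( empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // 1. Capability check: which hook fired says nothing about who is calling.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a nonce this plugin issued (hypothetical action name).
    check_admin_referer( 'example_import_theme', 'example_import_nonce' );

    // 3. Content validation: accept only a ZIP archive, using WordPress's own type/extension check.
    $filetype = wp_check_filetype_and_ext(
        $_FILES['theme_zip']['tmp_name'],
        $_FILES['theme_zip']['name'],
        array( 'zip' => 'application/zip' )
    );
    if ( 'zip' !== $filetype['ext'] ) {
        wp_die( 'Only .zip uploads are accepted', 'Bad Request', array( 'response' => 400 ) );
    }
    // 4. Let WordPress place the file (sanitized name, uploads dir) instead of a raw move_uploaded_file().
    $result = wp_handle_upload( $_FILES['theme_zip'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
}
add_action( 'admin_init', 'example_hardened_import_handler' );
```

Form handlers are better registered on a dedicated admin_post_{action} hook than on admin_init, but the checks above are what make either location safe.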


Apple Releases Security Updates for OS X, Safari, iOS devices, and Apple TV

Original release date: July 01, 2014

Apple has released security updates for Mac OS X, Safari, iOS devices, and Apple TV to address multiple vulnerabilities, some of which could allow attackers to execute arbitrary code with system privileges or cause an unexpected application termination.

Updates available include:

  • Security Update 2014-003 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks 10.9 to 10.9.3.
  • Safari 6.1.5 and Safari 7.0.5 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.3.
  • iOS 7.1.2 for iPhone 4 and later, iPod touch 5th generation and later, or iPad 2 and later.
  • Apple TV 6.2 for Apple TV 2nd generation and later.

Users and administrators are encouraged to review Apple security updates HT6293, HT6296, HT6297, and HT6298, and apply the necessary updates to help mitigate these risks.
