Order restored to universe as Microsoft surrenders confiscated No-IP domains

Microsoft has surrendered the 23 domain names it confiscated from dynamic domain hosting service No-IP.com, a move that begins the process of restoring millions of connections that went dark as a result of the highly controversial legal action.

At the time this post was being prepared, No-IP had recovered 18 of the domains and was in the process of reacquiring the remaining five from Public Interest Registry, the registry for Internet addresses ending in .org, No-IP spokeswoman Natalie Goguen told Ars. People who rely on No-IP subdomains that don't end in .org should already have service restored, as long as the domain name service (DNS) server they use has been updated to reflect Wednesday's transfer. Users who are still experiencing connectivity problems should try using DNS services from Google or OpenDNS, which have both updated their lookups to incorporate the transfers.

Microsoft confiscated the No-IP domains in late June through a secretive legal maneuver that didn't give the dynamic DNS provider an opportunity to oppose the motion in court. Microsoft's ex parte request was part of a legal action designed to dismantle two sprawling networks of infected Windows computers that were abusing No-IP in an attempt to evade takedown. As partial justification for the request, Microsoft lawyers argued No-IP didn't follow security best practices.


Private crypto key stashed in Cisco VoIP manager allows network hijacking

Cisco Systems has released a security update that closes a backdoor allowing attackers to control software that large organizations use to manage voice over IP (VoIP) calls and messaging over their networks.

The default secure shell (SSH) key made it possible for hackers to gain highly privileged administrative access to the Cisco Unified Communications Domain Manager, the networking company warned in an advisory published Wednesday. From there, intruders could execute arbitrary commands or gain persistent access to the systems. The advisory didn't explicitly say that attackers could monitor discussions or track the times that calls or messages were made and who sent and received them, but it wouldn't be surprising if those capabilities were also possible. [Update: In an e-mail, a Cisco representative said these capabilities were not possible.] In addition to VoIP management, the Cisco Unified Communications Domain Manager also allows users to manage Cisco Jabber, a cloud-based service for instant messaging, voice and video communications, desktop sharing, and conferencing.

"The vulnerability is due to the presence of a default SSH private key, which is stored in an insecure way on the system," Wednesday's advisory stated. "An attacker could exploit this vulnerability by obtaining the SSH private key. For example, the attacker might reverse engineer the binary file of the operating system. This will allow the attacker to connect by using the support account to the system without requiring any form of authentication. An exploit could allow the attacker to gain access to the system with the privileges of the root user."


Operation Dragonfly Imperils Industrial Protocol

Recent headlines (here and here) may have struck fear into those living near major energy installations due to references about the Stuxnet malware. In 2009, this particular strain of malware caused significant damage to the Natanz nuclear facility, reportedly destroying a fifth of Iran’s nuclear centrifuges. Recent reports about Operation Dragonfly, however, appear to be focused on espionage (at least for now), and the scope of the attack appears to be considerably broader than that of Stuxnet.

The various elements associated with Operation Dragonfly draw comparison with Operation Shady RAT, in which at least the first phase targeted specific individuals via email. Beyond the specifics of the operation, however, Operation Dragonfly raises very significant concerns regarding the safety of systems that comprise our critical infrastructure, and in particular regarding the ever-growing supply chain.

This threat was covered in detail in the recently published book “Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure,” coauthored by Raj Samani and Eric Knapp, and edited by Joel Langill. The espionage from Dragonfly could lead to another attack. In the book the authors write: “the SCADA and automation systems within the grid also provide a blueprint to the inner workings of the grid operations. This is valuable intellectual property that could be used for malicious purposes ranging from the influence of energy trading to the development of a targeted, weaponized attack against the grid infrastructure or against the grid operator.”

One of the primary tools leveraged in Operation Dragonfly is Havex. The Havex remote access tool (RAT) can be traced back to (at least) mid-2012 and is not necessarily exclusive to this attack or campaign or actor. Havex is closely related to the SYSMain RAT, and may even be a derivative. We have also observed them used in conjunction. The Trojan is distributed via spear phishing, watering-hole attacks, and by inclusion in exploit kits (such as LightsOut). This family takes advantage of OLE for Process Control (OPC) servers.

The method by which the Havex RAT targeted industrial control systems owners was clever. In addition to spear phishing, the control system vendors’ websites were used as watering holes, ensuring that the delivery of the RAT was highly focused. The next stage, the enumeration of OPC servers, is also clever and very concerning. The malware focuses enumeration on OPC Classic, which lacks the security features of newer OPC variants, and indicates that the attacker is knowledgeable about industrial security—a niche that, to some, benefited from “security through obscurity.” The biggest concern, therefore, is that once again we’re seeing malware targeting an industrial protocol.

In “Applied Cyber Security” the authors wrote, “Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of substation automation, dynamic load management, fault isolation, and even protection systems.”

By specifically targeting OPC Classic, the attacker is likely to discover more vulnerable legacy systems. OPC is extremely common, and can interface with a variety of key systems within almost every industrial environment, from almost every sector. From a network design perspective, OPC uses a wide range of ports; unless OPC is tunneled, firewalls allowing OPC are as open as Swiss cheese. Although there’s still a lot to learn about Havex, this event should inspire asset owners to harden OPC servers, and to assess their networks with this type of attack in mind. Inspection and enforcement of OPC using application-layer firewalls is a good start. Without an industry-wide effort to stem the inherent vulnerabilities in OPC, Havex could prove itself to be another devastating “industrial” RAT—alongside DistTrack (a.k.a. Shamoon), Duqu, Stuxnet, and Gauss—capable of remote command of control systems. That is something that no one wants to see happen.
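Because OPC Classic rides on DCOM (an endpoint-mapper lookup on TCP/135 followed by dynamically assigned high ports), a port-based firewall rule cannot tell a Havex-style OPC browse from ordinary HMI traffic; the pattern has to be found at the flow level. The following is an added example, not McAfee's code: it flags clients that touch an unusual number of distinct high ports on an OPC server. The flow records, the 1024-65535 dynamic range and the threshold of three ports are constructed assumptions; tune them to the site.

```python
"""Flag clients whose flows to an OPC Classic server look like OPC enumeration.
Constructed example: a port filter must permit 135 plus the DCOM dynamic range,
so the tell is how many distinct high ports one client opens, not which ones."""
from collections import defaultdict

RPC_EPM_PORT = 135
DCOM_DYNAMIC_PORTS = range(1024, 65536)   # assumed default dynamic range

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.1.10", 135),    # EPM lookup, then many DCOM ports
    ("10.0.5.20", "10.0.1.10", 49152),
    ("10.0.5.20", "10.0.1.10", 49153),
    ("10.0.5.20", "10.0.1.10", 49160),
    ("10.0.5.20", "10.0.1.10", 50211),
    ("10.0.5.20", "10.0.1.10", 50322),
    ("10.0.5.21", "10.0.1.10", 135),    # ordinary HMI: a couple of DCOM ports
    ("10.0.5.21", "10.0.1.10", 49152),
    ("10.0.5.21", "10.0.1.10", 49153),
    ("10.0.5.22", "10.0.1.10", 49152),  # high-port sweep with no EPM lookup
    ("10.0.5.22", "10.0.1.10", 49200),
    ("10.0.5.22", "10.0.1.10", 49300),
    ("10.0.5.22", "10.0.1.10", 49400),
    ("10.0.5.22", "10.0.1.10", 49500),
    ("10.0.5.23", "10.0.9.9", 135),     # destination is not an OPC server
]


def find_opc_enumerators(flows, opc_servers, max_dynamic_ports=3):
    """Return {src: {"server", "dynamic_ports", "via_epm"}} for each client that
    hit more than max_dynamic_ports distinct high ports on an OPC server.
    via_epm records whether the client also queried the endpoint mapper, which
    is what a real OPC browse does; a sweep without it is still reported."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dst in opc_servers:
            seen[(src, dst)].add(dport)
    suspects = {}
    for (src, dst), ports in seen.items():
        dyn = sorted(p for p in ports if p in DCOM_DYNAMIC_PORTS)
        if len(dyn) > max_dynamic_ports:
            suspects[src] = {"server": dst, "dynamic_ports": dyn,
                             "via_epm": RPC_EPM_PORT in ports}
    return suspects


if __name__ == "__main__":
    for src, info in find_opc_enumerators(SAMPLE_FLOWS, {"10.0.1.10"}).items():
        print(src, info)
```

On the sample data the HMI at 10.0.5.21 is not reported, while 10.0.5.20 (browse via the endpoint mapper) and 10.0.5.22 (bare high-port sweep) are, which is the distinction an application-layer OPC firewall would otherwise have to make.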

For more information, please refer to “Applied Cyber Security and the Smart Grid.”


Cisco Releases Security Advisory for Unified Communications Domain Manager

Original release date: July 02, 2014

Cisco has released a security advisory to address multiple vulnerabilities in Cisco Unified Communications Domain Manager, some of which may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.

The following updates are available:

• Cisco Unified CDM Application Software 8.1.4 and later.
• Cisco Unified CDM Platform Software 4.4.2 and later.

Users and administrators are encouraged to review the Cisco Security Advisory and apply the necessary updates.
